[panda-users] Problem syscall plugin usage

Simone Mazzoni simone.mazzoni13 at gmail.com
Mon Dec 8 14:22:16 EST 2014


Good,
tomorrow I will try to retrieve and print the arguments of all the syscalls in this way as well, which is what I need.

Thanks for the hints, I’ll write again here if I have further questions.

Simone

-----------------------------------------------------
Simone Mazzoni
Cell: 340 5210441
E-Mail: simone.mazzoni13 at gmail.com
skype: mazzoni.s

> On 08 Dec 2014, at 20:14, - yrp <yrp604 at yahoo.com> wrote:
> 
> Yes, 'env->regs[R_EDX]' should give you what you want. This of course presumes the CPUState ptr is named env...
> 
> For an example, see here:
> https://github.com/moyix/panda/blob/master/qemu/panda_plugins/syscalls/syscalls.cpp#L332
> 
> 
> On Monday, December 8, 2014 6:12 AM, Simone Mazzoni <simone.mazzoni13 at gmail.com> wrote:
> 
> 
> Hello yrp,
> 
> I solved my problem by disabling kvm. This allows me to read the content of EAX register in order to read the data every time a system call is invoked.
> 
> Now I’m trying to find a way to get information about the arguments of every system call. If I’m not wrong, the address of the first parameter/argument of a system call is pushed in the EDX register. Is this right? Is there a way to retrieve information about the parameters of each system call invoked by the system?
> 
> Thanks,
> Simone
> -----------------------------------------------------
> Simone Mazzoni
> Cell: 340 5210441
> E-Mail: simone.mazzoni13 at gmail.com
> skype: mazzoni.s
> 
>> On 03 Dec 2014, at 21:28, - yrp <yrp604 at yahoo.com> wrote:
>> 
>> Hi Simone,
>> 
>> I believe the syscalls plugin used to create the list of syscalls when it was still coupled with the fdtracker plugin. Currently I think it only provides an API for you to add your own hook before/after syscall execution and in the Linux case, the ability to set a hook on any particular syscall.
>> 
>> There are two proper ways to accomplish what you're looking for. First, you could write a small plugin that uses the API defined in syscalls_int.h. Alternatively, you could look at the format of the gen_syscalls_* files and port them from Linux to Windows, which should be relatively straightforward as it's all just syscall prototypes. Finally, for a third option you could modify the syscalls plugin around line 330. The last option is probably the least "clean" but fastest.
>> 
>> Hope this helps,
>> yrp
>> 
>> 
>> On Wednesday, December 3, 2014 9:50 AM, Simone Mazzoni <simone.mazzoni13 at gmail.com> wrote:
>> 
>> 
>> Hello, 
>> 
>> I have a problem in using the “syscall” plugin provided in PANDA.
>> 
>> I successfully compiled PANDA following the compile.txt instructions.
>> 
>> I want now to use PANDA to scan all the system calls on a Windows 7 VM.
>> 
>> I run the Windows 7 VM with this command: “./qemu-system-x86_64 -hda ../../../qemuwin7.img -enable-kvm -m 1024 -monitor stdio -loadvm booted -panda syscalls” and the system replies with this message:
>> 
>> adding /home/parallels/Desktop/Tesi/panda-master/qemu/x86_64-softmmu/panda_plugins/panda_syscalls.so to panda_plugin_files 0
>> loading /home/parallels/Desktop/Tesi/panda-master/qemu/x86_64-softmmu/panda_plugins/panda_syscalls.so
>> warning: Plugin 'syscalls' uses argument: -panda-arg syscalls:file=<file>
>> using default log file syscalls.txt
>> Success
>> QEMU 1.0,1 monitor - type 'help' for more information
>> (qemu) SaveVM v3 format forces exact matches between devices on load and save, including on replay.
>> 
>> So it seems that the plugin is successfully loaded.
>> The message also says that the default log file “syscalls.txt” will be used, so I expect to see some lines in this file after running some programs in the Windows 7 VM, but the file remains blank, so it seems that the plugin is not working.
>> 
>> Where are my errors? How can I effectively trace all the system call invocations of the guest Windows 7 system?
>> 
>> Thanks
>> 
>> Simone
>> 
>> 
>> 
>> 
>> _______________________________________________
>> panda-users mailing list
>> panda-users at mit.edu
>> http://mailman.mit.edu/mailman/listinfo/panda-users
>> 
>> 
> 
> 
> 
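Putting yrp's hint about `env->regs[R_EDX]` to work, here is an added example (not code from PANDA or from anyone in this thread) of the argument-walking logic for a 32-bit Windows guest: it assumes the standard x86 sysenter stub layout (two return addresses on the user stack, arguments starting at EDX+8), and a constructed guest stack stands in for the plugin's guest-memory read call. In a real plugin, `read_mem` would be backed by PANDA's memory read API and `regs` filled from `env->regs[R_EAX]` and `env->regs[R_EDX]`.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Register snapshot taken when the 32-bit Windows guest executes sysenter. */
typedef struct { uint32_t eax; uint32_t edx; } guest_regs_t;
/* Guest-memory reader (a plugin would back this with PANDA's read API); returns 0 if readable. */
typedef int (*guest_read_fn)(uint32_t vaddr, void *buf, size_t len);

/* Assumed layout for the standard Windows x86 stub "mov edx, esp; sysenter":
   [EDX] and [EDX+4] hold two return addresses, the arguments start at [EDX+8]. */
#define SYSENTER_ARGS_OFFSET 8u

/* EAX carries the service number: bits 0-11 index the table, bits 12-13 select it. */
static inline uint32_t ssdt_table(uint32_t eax) { return (eax >> 12) & 3u; }
static inline uint32_t ssdt_index(uint32_t eax) { return eax & 0xfffu; }

/* Copies up to max_args 32-bit arguments from the guest user stack into args.
   Returns the number read, or -1 if any argument word was unreadable. */
int decode_sysenter(const guest_regs_t *regs, guest_read_fn read_mem,
                    unsigned max_args, uint32_t *args)
{
    for (unsigned i = 0; i < max_args; i++) {
        uint32_t addr = regs->edx + SYSENTER_ARGS_OFFSET + 4u * i;
        if (read_mem(addr, &args[i], sizeof args[i]) != 0)
            return -1;
    }
    return (int)max_args;
}

/* Constructed guest user stack at EDX = 0x0012f000: two return addresses, then 4 args. */
#define FAKE_STACK_BASE 0x0012f000u
static const uint32_t fake_stack[] = {
    0x77a170b4, 0x00401234,                          /* return addresses (constructed) */
    0x0012f0a0, 0x00100080, 0x0012f0c4, 0x0012f0b0   /* four arguments (constructed) */
};
static int fake_read(uint32_t vaddr, void *buf, size_t len)
{
    if (vaddr < FAKE_STACK_BASE || vaddr + len > FAKE_STACK_BASE + sizeof fake_stack)
        return -1; /* outside the constructed mapping */
    memcpy(buf, (const uint8_t *)fake_stack + (vaddr - FAKE_STACK_BASE), len);
    return 0;
}

int main(void)
{
    guest_regs_t regs = { .eax = 0x1042, .edx = FAKE_STACK_BASE }; /* constructed values */
    uint32_t args[4];
    int n = decode_sysenter(&regs, fake_read, 4, args);
    printf("table=%u index=0x%03x nargs=%d\n", ssdt_table(regs.eax), ssdt_index(regs.eax), n);
    for (int i = 0; i < n; i++) printf("  arg%d = 0x%08x\n", i, args[i]);
    return 0;
}
```

Asking for more arguments than the mapped stack holds makes `decode_sysenter` return -1, which is the case a tracer hits when the guest stack page is swapped out.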


