[panda-users] Problem syscall plugin usage

Simone Mazzoni simone.mazzoni13 at gmail.com
Wed Dec 10 05:08:47 EST 2014


Hello,
I have another question.

Is there a way to obtain the PID of the process calling a system call, in
order to filter the system call analysis to only specified processes?
My purpose is to track system calls only for a specified program in
execution on the system (i.e. tracking only the system calls of the
execution of the notepad.exe program on Windows).

Is it possible to do such a thing by editing the PANDA syscalls plugin?

Simone

2014-12-08 20:14 GMT+01:00 - yrp <yrp604 at yahoo.com>:

> Yes, 'env->regs[R_EDX]' should give you what you want. This of course
> presumes the CPUState ptr is named env...
>
> For an example, see here:
>
> https://github.com/moyix/panda/blob/master/qemu/panda_plugins/syscalls/syscalls.cpp#L332
>
>
>   On Monday, December 8, 2014 6:12 AM, Simone Mazzoni <
> simone.mazzoni13 at gmail.com> wrote:
>
>
> Hello yrp,
>
> I solved my problem by disabling kvm. This allows me to read the content
> of EAX register in order to read the data every time a system call is
> invoked.
>
> Now I’m trying to find a way to get information about the arguments of
> every system call. If I’m not wrong, the address of the first
> parameter/argument of a system call is pushed in the EDX register. Is this
> right? Is there a way to retrieve information about the parameters of each
> system call invoked by the system?
>
> Thanks,
> Simone
> -----------------------------------------------------
> Simone Mazzoni
> Cell: 340 5210441
> E-Mail: simone.mazzoni13 at gmail.com
> skype: mazzoni.s
>
> On 3 Dec 2014, at 21:28, - yrp <yrp604 at yahoo.com>
> wrote:
>
> Hi Simone,
>
> I believe the syscalls plugin used to create the list of syscalls when it
> was still coupled with the fdtracker plugin. Currently I think it only
> provides an API for you to add your own hook before/after syscall execution
> and in the Linux case, the ability to set a hook on any particular syscall.
>
> There are two proper ways to accomplish what you're looking for. First,
> you could write a small plugin that uses the API defined in syscalls_int.h.
> Alternatively, you could look at the format of the gen_syscalls_* files and
> port them from Linux to Windows, which should be relatively straightforward
> as it's all just syscall prototypes. Finally, for a third option you could
> modify the syscalls plugin around line 330. The last option is probably the
> least "clean" but fastest.
>
> Hope this helps,
> yrp
>
>
>   On Wednesday, December 3, 2014 9:50 AM, Simone Mazzoni <
> simone.mazzoni13 at gmail.com> wrote:
>
>
> Hello,
>
> I have a problem in using the “syscall” plugin provided in PANDA.
>
> I successfully compiled PANDA following the compile.txt instructions.
>
> I want now to use PANDA to scan all the system calls on a Windows 7 VM.
>
> I run the Windows 7 VM with this command: “./qemu-system-x86_64 -hda
> ../../../qemuwin7.img -enable-kvm -m 1024 -monitor stdio -loadvm booted
> -panda syscalls” and the system replies with this message
>
> adding
> /home/parallels/Desktop/Tesi/panda-master/qemu/x86_64-softmmu/panda_plugins/panda_syscalls.so
> to panda_plugin_files 0
> loading
> /home/parallels/Desktop/Tesi/panda-master/qemu/x86_64-softmmu/panda_plugins/panda_syscalls.so
> warning: Plugin 'syscalls' uses argument: -panda-arg syscalls:file=<file>
> using default log file syscalls.txt
> Success
> QEMU 1.0,1 monitor - type 'help' for more information
> (qemu) SaveVM v3 format forces exact matches between devices on load and
> save, including on replay.
>
> So it seems that the plugin is successfully loaded.
> The message says also that the default log file “syscalls.txt” will be
> used, so I expect to see some line in this file after running some programs
> in the Windows 7 VM, but the file remains blank, so it seems that the
> plugin is not working.
>
> Where are my errors? How can I effectively trace all the system call
> invocations of the guest Windows 7 system?
>
> Thanks
>
> Simone
>
>
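Reading a syscall's number and arguments the way yrp describes (number in EAX, argument pointer in EDX), written as an added example that is not part of this thread or of PANDA's own code. The CPU-register and guest-memory types are hypothetical stand-ins for QEMU's CPUState and panda_virtual_memory_rw(), the EDX+8 offset of the first argument on 32-bit Windows is my assumption, and the register values and stack contents are constructed; the decoder also shows how to handle a stack page that is not mapped when the hook runs.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Hypothetical stand-ins for what a PANDA plugin sees (QEMU's CPUState and
 * panda_virtual_memory_rw(), which returns nonzero when a guest page is unmapped). */
enum { R_EAX = 0, R_ECX, R_EDX, R_EBX, R_ESP, R_EBP, R_ESI, R_EDI };
typedef struct { uint32_t regs[8]; } cpu_regs_t;
typedef int (*guest_read_fn)(uint32_t addr, void *buf, size_t len);
typedef struct { uint32_t number; int nargs; uint32_t args[8]; } syscall_rec_t;

/* Decode a 32-bit Windows sysenter entry: EAX holds the syscall number, EDX the
 * user-mode ESP. Assumption: the argument block starts at EDX+8, after the two
 * return addresses pushed by the ntdll stub and by KiFastSystemCall. */
int decode_syscall(const cpu_regs_t *env, guest_read_fn read_guest,
                   int nargs, syscall_rec_t *out)
{
    if (nargs < 0 || nargs > 8) return -1;
    out->number = env->regs[R_EAX];
    out->nargs = nargs;
    uint32_t base = env->regs[R_EDX] + 8;
    for (int i = 0; i < nargs; i++) {
        /* Stack page not present: report it instead of logging garbage. */
        if (read_guest(base + 4u * (uint32_t)i, &out->args[i], 4) != 0) return -1;
    }
    return 0;
}

/* Constructed guest memory: a 64-byte user-stack fragment at 0x0012ff00. */
#define STACK_BASE 0x0012ff00u
static uint8_t g_stack[64];
static syscall_rec_t g_rec;

static int fake_read(uint32_t addr, void *buf, size_t len)
{
    if (addr < STACK_BASE || addr + len > STACK_BASE + sizeof g_stack) return -1;
    memcpy(buf, g_stack + (addr - STACK_BASE), len);
    return 0;
}
/* Build a constructed sysenter snapshot (not a real Windows 7 syscall number or
 * real addresses) and decode it into g_rec; mapped=0 exercises the failure path. */
int demo_decode(int mapped)
{
    cpu_regs_t env = {{0}};
    env.regs[R_EAX] = 0x42;
    env.regs[R_EDX] = mapped ? STACK_BASE + 0x20 : 0xdead0000u;
    uint32_t frame[5] = { 0x77001234, 0x00401000, 0x11111111, 0x22222222, 0x33333333 };
    memcpy(g_stack + 0x20, frame, sizeof frame); /* two return addresses, then 3 args */
    return decode_syscall(&env, fake_read, 3, &g_rec);
}
```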