[panda-users] Problem syscall plugin usage

Hulin, Patrick - 0559 - MITLL Patrick.Hulin at ll.mit.edu
Wed Dec 10 10:39:58 EST 2014


Hi Simone,

I’d recommend just using the CR3 register to track processes (we have a function, panda_get_current_asid, that generalizes it to different architectures). It won’t change for kernel mode, so you’ll have to manually check whether or not you’re in kernel mode (ring 0). Finding PIDs is highly OS-specific; you can use panda_memsavep and volatility to look at them for a given memory snapshot, but we don’t have a generic way to look at them.
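To make the advice above concrete, here is an added example (not Patrick's code and not part of PANDA) of the filter a plugin would apply at each syscall entry: keep the event only if the current ASID matches the one belonging to the tracked program and the guest is not in ring 0, and record the first-argument pointer from EDX as yrp describes further down the thread. The `FakeEnv` struct is a hypothetical stand-in for the QEMU `CPUState` fields involved (`env->cr[3]` / `panda_get_current_asid(env)`, the CPL from `env->hflags & HF_CPL_MASK`, `env->regs[R_EAX]`, `env->regs[R_EDX]`), and the trace values are constructed so that the program runs stand-alone.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the few CPUX86State fields the filter needs.
 * In a real PANDA plugin these come from env->cr[3] (or panda_get_current_asid(env)),
 * env->hflags & HF_CPL_MASK, env->regs[R_EAX] and env->regs[R_EDX]. */
typedef struct {
    uint64_t cr3;   /* page-directory base: the "ASID" used to tell processes apart */
    unsigned cpl;   /* current privilege level: 0 = kernel (ring 0), 3 = user */
    uint32_t eax;   /* system call number at the syscall entry point */
    uint32_t edx;   /* address of the first argument, as discussed in the thread */
} FakeEnv;

typedef struct {
    uint64_t asid;
    uint32_t number;
    uint32_t arg_ptr;
} SyscallRecord;

/* CR3 does not change on entry to the kernel, so a ring-0 context that carries
 * the process's CR3 is kernel work, not the process issuing a system call. */
static bool in_kernel_mode(const FakeEnv *env)
{
    return env->cpl == 0;
}

/* Keep an event only if it is user-mode code running under the target ASID. */
bool should_log(const FakeEnv *env, uint64_t target_asid)
{
    if (in_kernel_mode(env))
        return false;
    return env->cr3 == target_asid;
}

/* Run the filter over a trace of syscall-entry events; returns how many were kept. */
size_t filter_trace(const FakeEnv *events, size_t n, uint64_t target_asid,
                    SyscallRecord *out, size_t out_cap)
{
    size_t kept = 0;
    for (size_t i = 0; i < n && kept < out_cap; i++) {
        if (!should_log(&events[i], target_asid))
            continue;
        out[kept].asid = events[i].cr3;
        out[kept].number = events[i].eax;
        out[kept].arg_ptr = events[i].edx;
        kept++;
    }
    return kept;
}

/* Constructed trace: two processes (CR3 0x1000 and 0x2000) plus a kernel-mode
 * event that carries the target's CR3 and must be dropped. All values are made up. */
static const FakeEnv sample_trace[] = {
    { 0x1000, 3, 0x52, 0x0012ff70 },  /* target process, user mode: keep */
    { 0x2000, 3, 0x52, 0x0018fe20 },  /* other process: drop */
    { 0x1000, 0, 0x00, 0x00000000 },  /* kernel running with target CR3: drop */
    { 0x1000, 3, 0x19, 0x0012ff40 },  /* target process again: keep */
};

/* Filter the constructed trace for the ASID 0x1000 (the "tracked program"). */
size_t run_sample(SyscallRecord *out, size_t out_cap)
{
    return filter_trace(sample_trace, sizeof sample_trace / sizeof sample_trace[0],
                        0x1000, out, out_cap);
}

int main(void)
{
    SyscallRecord out[8];
    size_t n = run_sample(out, 8);
    for (size_t i = 0; i < n; i++)
        printf("asid=%#llx syscall=%#x args@%#x\n",
               (unsigned long long)out[i].asid, out[i].number, out[i].arg_ptr);
    return 0;
}
```

The target ASID itself has to be supplied from outside the filter, for instance by taking a snapshot with `panda_memsavep` and reading the process list with Volatility as the reply suggests. Keep in mind that a CR3 value only identifies a process while that process is alive; once it exits, the same page-directory physical address can be handed to a later process, so a long-running filter should be re-seeded rather than trusted across process lifetimes.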

From: Simone Mazzoni <simone.mazzoni13 at gmail.com>
Date: Wednesday, December 10, 2014 at 5:08 AM
To: - yrp <yrp604 at yahoo.com>
Cc: "panda-users at mit.edu" <panda-users at mit.edu>
Subject: Re: [panda-users] Problem syscall plugin usage

Hello,
I have another question.

Is there a way to obtain the PID of the process calling a system call, in order to filter the system call analysis to only specified processes?
My purpose is to track system calls only for a specified program executing on the system (i.e. tracking only the system calls made during execution of the notepad.exe program on Windows).

Is it possible to do such a thing by editing the PANDA syscalls plugin?

Simone

2014-12-08 20:14 GMT+01:00 - yrp <yrp604 at yahoo.com>:
Yes, 'env->regs[R_EDX]' should give you what you want. This of course presumes the CPUState ptr is named env...

For an example, see here:
https://github.com/moyix/panda/blob/master/qemu/panda_plugins/syscalls/syscalls.cpp#L332



On Monday, December 8, 2014 6:12 AM, Simone Mazzoni <simone.mazzoni13 at gmail.com> wrote:


Hello yrp,

I solved my problem by disabling kvm. This allows me to read the content of EAX register in order to read the data every time a system call is invoked.

Now I’m trying to find a way to get information about the arguments of every system call. If I’m not wrong, the address of the first parameter/argument of a system call is pushed in the EDX register. Is this right? Is there a way to retrieve information about the parameters of each system call invoked by the system?

Thanks,
Simone
-----------------------------------------------------
Simone Mazzoni
Cell: 340 5210441
E-Mail: simone.mazzoni13 at gmail.com
skype: mazzoni.s

On 03/Dec/2014, at 21:28, - yrp <yrp604 at yahoo.com> wrote:

Hi Simone,

I believe the syscalls plugin used to create the list of syscalls when it was still coupled with the fdtracker plugin. Currently I think it only provides an API for you to add your own hook before/after syscall execution and in the Linux case, the ability to set a hook on any particular syscall.

There are two proper ways to accomplish what you're looking for. First, you could write a small plugin that uses the API defined in syscalls_int.h. Alternatively, you could look at the format of the gen_syscalls_* files and port them from linux to windows which should be relatively straight forward as it's all just syscall prototypes. Finally, for a third option you could modify the syscalls plugin around line 330. The last option is probably the least "clean" but fastest.

Hope this helps,
yrp


On Wednesday, December 3, 2014 9:50 AM, Simone Mazzoni <simone.mazzoni13 at gmail.com> wrote:


Hello,

I have a problem in using the “syscall” plugin provided in PANDA.

I successfully compiled PANDA following the compile.txt instructions.

I want now to use PANDA to scan all the system calls on a Windows 7 VM.

I run the Windows 7 VM with this command: “./qemu-system-x86_64 -hda ../../../qemuwin7.img -enable-kvm -m 1024 -monitor stdio -loadvm booted -panda syscalls” and the system replies with this message

adding /home/parallels/Desktop/Tesi/panda-master/qemu/x86_64-softmmu/panda_plugins/panda_syscalls.so to panda_plugin_files 0
loading /home/parallels/Desktop/Tesi/panda-master/qemu/x86_64-softmmu/panda_plugins/panda_syscalls.so
warning: Plugin 'syscalls' uses argument: -panda-arg syscalls:file=<file>
using default log file syscalls.txt
Success
QEMU 1.0,1 monitor - type 'help' for more information
(qemu) SaveVM v3 format forces exact matches between devices on load and save, including on replay.

So it seems that the plugin is successfully loaded.
The message also says that the default log file “syscalls.txt” will be used, so I expect to see some lines in this file after running some programs in the Windows 7 VM, but the file remains blank, so it seems that the plugin is not working.

Where are my errors? How can I effectively trace all the system calls invocations of the guest Windows 7 system?

Thanks

Simone




_______________________________________________
panda-users mailing list
panda-users at mit.edu
http://mailman.mit.edu/mailman/listinfo/panda-users
