[panda-users] Problem syscall plugin usage

Brendan Dolan-Gavitt brendandg at gatech.edu
Wed Dec 10 11:09:45 EST 2014


I agree with Patrick that CR3 is probably the right choice in most
cases. But if you really want PID and you happen to be on Windows 7
32-bit, you can use the OS introspection support we've added for that
OS. Look at

https://github.com/moyix/panda/blob/master/qemu/panda_plugins/testintro/testintro.c

for an example of how you'd add that to your plugin. When running it,
you'd use the argument "-panda osi; win7x86intro;your_plugin" to load
the Win7 introspection and the introspection abstraction layer
plugins.

-Brendan

On Wed, Dec 10, 2014 at 9:39 AM, Hulin, Patrick - 0559 - MITLL
<Patrick.Hulin at ll.mit.edu> wrote:
> Hi Simone,
>
> I’d recommend just using the CR3 register to track processes (we have a
> function, panda_get_current_asid, that generalizes it to different
> architectures). It won’t change for kernel mode, so you’ll have to manually
> check whether or not you’re in kernel mode (ring 0). Finding PIDs is highly
> OS-specific; you can use panda_memsavep and volatility to look at them for a
> given memory snapshot, but we don’t have a generic way to look at them.
>
> From: Simone Mazzoni <simone.mazzoni13 at gmail.com>
> Date: Wednesday, December 10, 2014 at 5:08 AM
> To: - yrp <yrp604 at yahoo.com>
> Cc: "panda-users at mit.edu" <panda-users at mit.edu>
> Subject: Re: [panda-users] Problem syscall plugin usage
>
> Hello,
> I have another question.
>
> Is there a way to obtain the PID of the process calling a system call, in
> order to filter the system call analysis only for specified processes?
> My purpose is to track system calls only for a specified program in
> execution on the system (i.e. tracking only the system calls of the execution
> of the notepad.exe program on Windows)
>
> Is it possible to do such a thing by editing the PANDA syscalls plugin?
>
> Simone
>
> 2014-12-08 20:14 GMT+01:00 - yrp <yrp604 at yahoo.com>:
>>
>> Yes, 'env->regs[R_EDX]' should give you what you want. This of course
>> presumes the CPUState ptr is named env...
>>
>> For an example, see here:
>>
>> https://github.com/moyix/panda/blob/master/qemu/panda_plugins/syscalls/syscalls.cpp#L332
>>
>> On Monday, December 8, 2014 6:12 AM, Simone Mazzoni
>> <simone.mazzoni13 at gmail.com> wrote:
>>
>> Hello yrp,
>>
>> I solved my problem by disabling kvm. This allows me to read the content
>> of EAX register in order to read the data every time a system call is
>> invoked.
>>
>> Now I’m trying to find a way to get information about the arguments of
>> every system call. If I’m not wrong, the address of the first
>> parameter/argument of a system call is pushed in the EDX register. Is this
>> right? Is there a way to retrieve information about the parameters of each
>> system call invoked by the system?
>>
>> Thanks,
>> Simone
>> -----------------------------------------------------
>> Simone Mazzoni
>> Cell: 340 5210441
>> E-Mail: simone.mazzoni13 at gmail.com
>> skype: mazzoni.s
>>
>> Il giorno 03/dic/2014, alle ore 21:28, - yrp <yrp604 at yahoo.com> ha
>> scritto:
>>
>> Hi Simone,
>>
>> I believe the syscalls plugin used to create the list of syscalls when it
>> was still coupled with the fdtracker plugin. Currently I think it only
>> provides an API for you to add your own hook before/after syscall execution
>> and in the Linux case, the ability to set a hook on any particular syscall.
>>
>> There are two proper ways to accomplish what you're looking for. First,
>> you could write a small plugin that uses the API defined in syscalls_int.h.
>> Alternatively, you could look at the format of the gen_syscalls_* files and
>> port them from Linux to Windows, which should be relatively straightforward
>> as it's all just syscall prototypes. Finally, for a third option you could
>> modify the syscalls plugin around line 330. The last option is probably the
>> least "clean" but fastest.
>>
>> Hope this helps,
>> yrp
>>
>>
>> On Wednesday, December 3, 2014 9:50 AM, Simone Mazzoni
>> <simone.mazzoni13 at gmail.com> wrote:
>>
>> Hello,
>>
>> I have a problem in using the “syscall” plugin provided in PANDA.
>>
>> I successfully compiled PANDA following the compile.txt instructions.
>>
>> I want now to use PANDA to scan all the system calls on a Windows 7 VM.
>>
>> I run the Windows 7 VM with this command: “./qemu-system-x86_64 -hda
>> ../../../qemuwin7.img -enable-kvm -m 1024 -monitor stdio -loadvm booted
>> -panda syscalls” and the system replies with this message
>>
>> adding
>> /home/parallels/Desktop/Tesi/panda-master/qemu/x86_64-softmmu/panda_plugins/panda_syscalls.so
>> to panda_plugin_files 0
>> loading
>> /home/parallels/Desktop/Tesi/panda-master/qemu/x86_64-softmmu/panda_plugins/panda_syscalls.so
>> warning: Plugin 'syscalls' uses argument: -panda-arg syscalls:file=<file>
>> using default log file syscalls.txt
>> Success
>> QEMU 1.0,1 monitor - type 'help' for more information
>> (qemu) SaveVM v3 format forces exact matches between devices on load and
>> save, including on replay.
>>
>> So it seems that the plugin is successfully loaded.
>> The message also says that the default log file “syscalls.txt” will be
>> used, so I expect to see some lines in this file after running some programs
>> in the Windows 7 VM, but the file remains blank, so it seems that the plugin
>> is not working.
>>
>> Where are my errors? How can I effectively trace all the system call
>> invocations of the guest Windows 7 system?
>>
>> Thanks
>>
>> Simone
>>
>> _______________________________________________
>> panda-users mailing list
>> panda-users at mit.edu
>> http://mailman.mit.edu/mailman/listinfo/panda-users
>>
>
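Added example, not part of the thread and not PANDA's own code: a small C model of the filtering approach the replies describe. It stands in for a plugin's before-syscall hook that (1) ignores events raised while the guest is in ring 0, since CR3 does not change for kernel mode, (2) keeps only events whose address-space id (CR3 on x86, what panda_get_current_asid returns) matches the process of interest, and (3) reads the syscall number from EAX and the argument-block pointer from EDX. The CPUState struct, get_current_asid, the R_* indices and the sample trace are all constructed stand-ins with only the fields the example needs; PANDA's real CPUState and callback signatures differ.

```c
/* Constructed model of per-process syscall filtering by ASID (CR3).
 * Not PANDA code: CPUState here is a stand-in with only the fields used. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Register indices, assumed to follow QEMU's i386 layout (R_EDX == 2). */
enum { R_EAX = 0, R_ECX = 1, R_EDX = 2 };

typedef struct {
    uint32_t regs[8];   /* general-purpose registers */
    uint32_t cr3;       /* page-directory base: per-process address space id */
    int      cpl;       /* current privilege level: 0 = kernel, 3 = user */
} CPUState;

/* Stand-in for panda_get_current_asid(): on x86 the ASID is CR3. */
static uint32_t get_current_asid(const CPUState *env) { return env->cr3; }

/* Ring 0 check: CR3 alone cannot tell kernel work apart from the process. */
static int in_kernel_mode(const CPUState *env) { return env->cpl == 0; }

typedef struct {
    uint32_t target_asid;     /* CR3 of the process we want to trace */
    unsigned matched;         /* syscalls attributed to the target */
    unsigned skipped_kernel;  /* events ignored because CPL was 0 */
    unsigned skipped_other;   /* events from other address spaces */
    uint32_t last_sysno;      /* EAX of the last matched syscall */
    uint32_t last_argptr;     /* EDX of the last matched syscall */
} SyscallFilter;

/* What a plugin's before-syscall hook would do for one event. */
static void on_syscall(SyscallFilter *f, const CPUState *env)
{
    if (in_kernel_mode(env)) {
        f->skipped_kernel++;
        return;
    }
    if (get_current_asid(env) != f->target_asid) {
        f->skipped_other++;
        return;
    }
    f->matched++;
    f->last_sysno  = env->regs[R_EAX];   /* syscall number */
    f->last_argptr = env->regs[R_EDX];   /* pointer to the argument block */
}

/* Constructed trace: four syscall events from two address spaces. */
static const CPUState sample_trace[] = {
    { {0x0042, 0, 0x0012ff80}, 0x18700000, 3 },  /* target, user mode */
    { {0x0010, 0, 0x0018f000}, 0x27100000, 3 },  /* other process */
    { {0x0042, 0, 0x00000000}, 0x18700000, 0 },  /* kernel context: ignored */
    { {0x0115, 0, 0x0012fe40}, 0x18700000, 3 },  /* target again */
};

/* Runs the sample trace through the filter; returns the number of matches. */
unsigned run_sample_filter(SyscallFilter *f)
{
    memset(f, 0, sizeof *f);
    f->target_asid = 0x18700000;   /* constructed CR3 of the traced process */
    for (size_t i = 0; i < sizeof sample_trace / sizeof sample_trace[0]; i++)
        on_syscall(f, &sample_trace[i]);
    return f->matched;
}

int main(void)
{
    SyscallFilter f;
    unsigned n = run_sample_filter(&f);
    printf("matched=%u kernel_skipped=%u other_skipped=%u\n",
           n, f.skipped_kernel, f.skipped_other);
    printf("last syscall 0x%x, args at 0x%08x\n", f.last_sysno, f.last_argptr);
    return 0;
}
```

The ring-0 check matters because kernel threads and interrupt handling run under whatever CR3 happened to be loaded, so filtering on the address space alone would attribute that activity to the traced process. Mapping the ASID to a PID or image name is still OS-specific, which is where the osi/win7x86intro plugins come in.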