[panda-users] Problem syscall plugin usage

Simone Mazzoni simone.mazzoni13 at gmail.com
Wed Dec 10 17:51:23 EST 2014


Hello Brendan,
I tried to use the testintro plugin today, but when I load it, it closes qemu with a core dump error.
The error seems to be caused by the printf at line 34, because the get_current_process(env) function returns a null pointer instead of the current process.

Do I have to load the testintro plugin and the win7x86intro plugin together?

Thanks

-Simone
-----------------------------------------------------
Simone Mazzoni
Cell: 340 5210441
E-Mail: simone.mazzoni13 at gmail.com
skype: mazzoni.s

> On 10 Dec 2014, at 17:09, Brendan Dolan-Gavitt <brendandg at gatech.edu> wrote:
> 
> I agree with Patrick that CR3 is probably the right choice in most
> cases. But if you really want PID and you happen to be on Windows 7
> 32-bit, you can use the OS introspection support we've added for that
> OS. Look at
> 
> https://github.com/moyix/panda/blob/master/qemu/panda_plugins/testintro/testintro.c
> 
> for an example of how you'd add that to your plugin. When running it,
> you'd use the argument "-panda osi; win7x86intro;your_plugin" to load
> the Win7 introspection and the introspection abstraction layer
> plugins.
> 
> -Brendan
> 
> On Wed, Dec 10, 2014 at 9:39 AM, Hulin, Patrick - 0559 - MITLL
> <Patrick.Hulin at ll.mit.edu> wrote:
>> Hi Simone,
>> 
>> I’d recommend just using the CR3 register to track processes (we have a
>> function, panda_get_current_asid, that generalizes it to different
>> architectures). It won’t change for kernel mode, so you’ll have to manually
>> check whether or not you’re in kernel mode (ring 0). Finding PIDs is highly
>> OS-specific; you can use panda_memsavep and volatility to look at them for a
>> given memory snapshot, but we don’t have a generic way to look at them.
>> 
>> From: Simone Mazzoni <simone.mazzoni13 at gmail.com>
>> Date: Wednesday, December 10, 2014 at 5:08 AM
>> To: - yrp <yrp604 at yahoo.com>
>> Cc: "panda-users at mit.edu" <panda-users at mit.edu>
>> Subject: Re: [panda-users] Problem syscall plugin usage
>> 
>> Hello,
>> I have another question.
>> 
>> Is there a way to obtain the PID of the process that invoked a system call, in
>> order to filter the system call analysis to only specified processes?
>> My purpose is to track system calls only for a specified program in
>> execution on the system (i.e. tracking only the system calls of the execution
>> of the notepad.exe program on Windows).
>> 
>> Is it possible to do such a thing by editing the PANDA syscalls plugin?
>> 
>> Simone
>> 
>> 2014-12-08 20:14 GMT+01:00 - yrp <yrp604 at yahoo.com>:
>>> 
>>> Yes, 'env->regs[R_EDX]' should give you what you want. This of course
>>> presumes the CPUState ptr is named env...
>>> 
>>> For an example, see here:
>>> 
>>> https://github.com/moyix/panda/blob/master/qemu/panda_plugins/syscalls/syscalls.cpp#L332
>>> 
>>> On Monday, December 8, 2014 6:12 AM, Simone Mazzoni
>>> <simone.mazzoni13 at gmail.com> wrote:
>>> 
>>> Hello yrp,
>>> 
>>> I solved my problem by disabling kvm. This allows me to read the content
>>> of EAX register in order to read the data every time a system call is
>>> invoked.
>>> 
>>> Now I’m trying to find a way to get information about the arguments of
>>> every system call. If I’m not wrong, the address of the first
>>> parameter/argument of a system call is pushed in the EDX register. Is this
>>> right? Is there a way to retrieve information about the parameters of each
>>> system call invoked by the system?
>>> 
>>> Thanks,
>>> Simone
>>> -----------------------------------------------------
>>> Simone Mazzoni
>>> Cell: 340 5210441
>>> E-Mail: simone.mazzoni13 at gmail.com
>>> skype: mazzoni.s
>>> 
>>> On 3 Dec 2014, at 21:28, - yrp <yrp604 at yahoo.com> wrote:
>>> 
>>> Hi Simone,
>>> 
>>> I believe the syscalls plugin used to create the list of syscalls when it
>>> was still coupled with the fdtracker plugin. Currently I think it only
>>> provides an API for you to add your own hook before/after syscall execution
>>> and in the Linux case, the ability to set a hook on any particular syscall.
>>> 
>>> There are two proper ways to accomplish what you're looking for. First,
>>> you could write a small plugin that uses the API defined in syscalls_int.h.
>>> Alternatively, you could look at the format of the gen_syscalls_* files and
>>> port them from Linux to Windows, which should be relatively straightforward
>>> as it's all just syscall prototypes. Finally, for a third option you could
>>> modify the syscalls plugin around line 330. The last option is probably the
>>> least "clean" but fastest.
>>> 
>>> Hope this helps,
>>> yrp
>>> 
>>> 
>>> On Wednesday, December 3, 2014 9:50 AM, Simone Mazzoni
>>> <simone.mazzoni13 at gmail.com> wrote:
>>> 
>>> Hello,
>>> 
>>> I have a problem in using the “syscall” plugin provided in PANDA.
>>> 
>>> I successfully compiled PANDA following the compile.txt instructions.
>>> 
>>> I want now to use PANDA to scan all the system calls on a Windows 7 VM.
>>> 
>>> I run the Windows 7 VM with this command: “./qemu-system-x86_64 -hda
>>> ../../../qemuwin7.img -enable-kvm -m 1024 -monitor stdio -loadvm booted
>>> -panda syscalls” and the system replies with this message
>>> 
>>> adding
>>> /home/parallels/Desktop/Tesi/panda-master/qemu/x86_64-softmmu/panda_plugins/panda_syscalls.so
>>> to panda_plugin_files 0
>>> loading
>>> /home/parallels/Desktop/Tesi/panda-master/qemu/x86_64-softmmu/panda_plugins/panda_syscalls.so
>>> warning: Plugin 'syscalls' uses argument: -panda-arg syscalls:file=<file>
>>> using default log file syscalls.txt
>>> Success
>>> QEMU 1.0,1 monitor - type 'help' for more information
>>> (qemu) SaveVM v3 format forces exact matches between devices on load and
>>> save, including on replay.
>>> 
>>> So it seems that the plugin is successfully loaded.
>>> The message also says that the default log file “syscalls.txt” will be
>>> used, so I expect to see some lines in this file after running some programs
>>> in the Windows 7 VM, but the file remains blank, so it seems that the plugin
>>> is not working.
>>> 
>>> Where are my errors? How can I effectively trace all the system call
>>> invocations of the guest Windows 7 system?
>>> 
>>> Thanks
>>> 
>>> Simone
>>> 
>>> _______________________________________________
>>> panda-users mailing list
>>> panda-users at mit.edu
>>> http://mailman.mit.edu/mailman/listinfo/panda-users
>>> 
>> 
>> 
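
A stand-alone model of the per-process filtering discussed in this thread, as an added example that is not PANDA's own code: the CR3/ASID check Patrick describes, the ring 0 caveat (CR3 does not change on kernel entry), and reading a syscall's arguments through EDX as yrp confirms. The event fields and the flat byte array are constructed stand-ins for what a plugin would read from CPUState (panda_get_current_asid(env), env->regs[R_EAX], env->regs[R_EDX]) and from guest memory; the EDX+8 argument offset is an assumption about the Windows x86 sysenter stack frame.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* One syscall-entry observation. In a plugin these come from CPUState:
 * panda_get_current_asid(env), the CS selector, env->regs[R_EAX/R_EDX]. */
typedef struct {
    uint32_t asid;  /* CR3 of the current address space */
    uint16_t cs;    /* code segment selector; low two bits are the CPL */
    uint32_t eax;   /* syscall number */
    uint32_t edx;   /* user stack pointer captured at sysenter */
} syscall_event;

/* CR3 does not change when the guest enters the kernel, so the asid alone
 * cannot separate user-mode from kernel-mode activity: check ring 0 too. */
static int in_kernel_mode(const syscall_event *ev) { return (ev->cs & 3) == 0; }
static int should_trace(const syscall_event *ev, uint32_t target_asid) {
    return ev->asid == target_asid && !in_kernel_mode(ev);
}
/* Argument n of a Windows x86 sysenter call. Assumed frame: [edx] = return
 * into the ntdll stub, [edx+4] = caller's return, [edx+8] = first argument.
 * 'mem' is a constructed flat stand-in for guest memory. */
static int read_syscall_arg(const uint8_t *mem, size_t memlen, uint32_t edx,
                            unsigned n, uint32_t *out) {
    uint64_t off = (uint64_t)edx + 8 + 4ull * n;
    if (off + 4 > memlen) return -1;  /* address not in the snapshot */
    memcpy(out, mem + off, 4);        /* guest is little-endian */
    return 0;
}
/* Constructed sample: four syscall entries, target CR3 0x1a2b3000. */
#define TARGET_ASID 0x1a2b3000u
static const syscall_event SAMPLE[] = {
    {0x1a2b3000, 0x001b, 0x42, 0x10},  /* ring 3, target process: logged */
    {0x0badc000, 0x001b, 0x42, 0x10},  /* other process: dropped */
    {0x1a2b3000, 0x0008, 0x42, 0x10},  /* ring 0, same CR3: dropped */
    {0x1a2b3000, 0x001b, 0x19, 0x10},  /* ring 3, target process: logged */
};
static const uint8_t MEM[32] = { [0x10] = 0xef,0xbe,0xad,0xde, 0x22,0x22,0x22,0x22,
                                 0x44,0x33,0x22,0x11, 0x78,0x56,0x34,0x12 };
int sample_logged_count(void) {
    int n = 0;
    for (size_t i = 0; i < sizeof SAMPLE / sizeof SAMPLE[0]; i++)
        n += should_trace(&SAMPLE[i], TARGET_ASID);
    return n;
}
/* Returns argument n of event 0, or -1 if it lies outside the snapshot. */
int64_t sample_arg(unsigned n) {
    uint32_t v;
    return read_syscall_arg(MEM, sizeof MEM, SAMPLE[0].edx, n, &v) ? -1 : (int64_t)v;
}
```

Of the four constructed events only two pass the filter: the one with a different CR3 is another process, and the one with CPL 0 is kernel-mode work under the same CR3, which is exactly what an ASID-only filter would wrongly attribute to the target program.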
