[panda-users] Problem syscall plugin usage

Simone Mazzoni simone.mazzoni13 at gmail.com
Mon Dec 15 12:49:08 EST 2014


Thanks all for the answers,
using the "osi;win7x86intro;my_plugin" configuration works for me, and now I am able to track the syscalls of a specific process by specifying its name or PID.

Now I’m trying to figure out if I can run an executable file from outside.
To be more clear, I wish to launch the win7 VM specifying an exe file (let’s say foo.exe) to execute once the system is booted, and the executable should be passed as an argument or something similar to the host VM. Is it possible to do something similar with qemu?

My purpose is to analyze the syscall traffic of a given executable file, passed by the user.

-Simone
-----------------------------------------------------
Simone Mazzoni
Cell: 340 5210441
E-Mail: simone.mazzoni13 at gmail.com
skype: mazzoni.s

> On 11 Dec 2014, at 01:23, Brendan Dolan-Gavitt <brendandg at gatech.edu> wrote:
> 
> Are you trying to run these plugins on a live system? You would
> probably be better off making a recording and then doing your analysis
> on a replay.
> 
> In any case, yes – the plugins have to be loaded in the right order:
> first osi, then win7x86intro, then testintro.
> 
> -Brendan
> 
> On Wed, Dec 10, 2014 at 4:51 PM, Simone Mazzoni
> <simone.mazzoni13 at gmail.com> wrote:
>> Hello Brendan,
>> I tried to use the testintro plugin today, but when I load it, it closes qemu
>> with a core dump error.
>> And the error seems to be caused by the printf at line 34, because the
>> get_current_process(env); function returns a null pointer instead of the
>> current process.
>> 
>> Do I have to load the testintro plugin and the win7x86intro plugin
>> together?
>> 
>> Thanks
>> 
>> -Simone
>> -----------------------------------------------------
>> Simone Mazzoni
>> Cell: 340 5210441
>> E-Mail: simone.mazzoni13 at gmail.com
>> skype: mazzoni.s
>> 
>> On 10 Dec 2014, at 17:09, Brendan Dolan-Gavitt
>> <brendandg at gatech.edu> wrote:
>> 
>> I agree with Patrick that CR3 is probably the right choice in most
>> cases. But if you really want PID and you happen to be on Windows 7
>> 32-bit, you can use the OS introspection support we've added for that
>> OS. Look at
>> 
>> https://github.com/moyix/panda/blob/master/qemu/panda_plugins/testintro/testintro.c
>> 
>> for an example of how you'd add that to your plugin. When running it,
>> you'd use the argument "-panda osi; win7x86intro;your_plugin" to load
>> the Win7 introspection and the introspection abstraction layer
>> plugins.
>> 
>> -Brendan
>> 
>> On Wed, Dec 10, 2014 at 9:39 AM, Hulin, Patrick - 0559 - MITLL
>> <Patrick.Hulin at ll.mit.edu> wrote:
>> 
>> Hi Simone,
>> 
>> I’d recommend just using the CR3 register to track processes (we have a
>> function, panda_get_current_asid, that generalizes it to different
>> architectures). It won’t change for kernel mode, so you’ll have to manually
>> check whether or not you’re in kernel mode (ring 0). Finding PIDs is highly
>> OS-specific; you can use panda_memsavep and volatility to look at them for a
>> given memory snapshot, but we don’t have a generic way to look at them.
>> 
>> From: Simone Mazzoni <simone.mazzoni13 at gmail.com>
>> Date: Wednesday, December 10, 2014 at 5:08 AM
>> To: - yrp <yrp604 at yahoo.com>
>> Cc: "panda-users at mit.edu" <panda-users at mit.edu>
>> Subject: Re: [panda-users] Problem syscall plugin usage
>> 
>> Hello,
>> I have another question.
>> 
>> Is there a way to obtain the PID of the process calling a system call, in
>> order to filter the system call analysis to only specified processes?
>> My purpose is to track system calls only for a specified program in
>> execution on the system (i.e. tracking only the system calls of the execution
>> of the notepad.exe program on Windows).
>> 
>> Is it possible to do such a thing by editing the PANDA syscalls plugin?
>> 
>> Simone
>> 
>> 2014-12-08 20:14 GMT+01:00 - yrp <yrp604 at yahoo.com>:
>> 
>> 
>> Yes, 'env->regs[R_EDX]' should give you what you want. This of course
>> presumes the CPUState ptr is named env...
>> 
>> For an example, see here:
>> 
>> https://github.com/moyix/panda/blob/master/qemu/panda_plugins/syscalls/syscalls.cpp#L332
>> 
>> 
>> 
>> 
>> On Monday, December 8, 2014 6:12 AM, Simone Mazzoni
>> <simone.mazzoni13 at gmail.com> wrote:
>> 
>> 
>> Hello yrp,
>> 
>> I solved my problem by disabling KVM. This allows me to read the content
>> of the EAX register in order to read the data every time a system call is
>> invoked.
>> 
>> Now I’m trying to find a way to get information about the arguments of
>> every system call. If I’m not wrong, the address of the first
>> parameter/argument of a system call is pushed in the EDX register. Is this
>> right? Is there a way to retrieve information about the parameters of each
>> system call invoked by the system?
>> 
>> Thanks,
>> Simone
>> -----------------------------------------------------
>> Simone Mazzoni
>> Cell: 340 5210441
>> E-Mail: simone.mazzoni13 at gmail.com
>> skype: mazzoni.s
>> 
>> On 3 Dec 2014, at 21:28, - yrp <yrp604 at yahoo.com>
>> wrote:
>> 
>> Hi Simone,
>> 
>> I believe the syscalls plugin used to create the list of syscalls when it
>> was still coupled with the fdtracker plugin. Currently I think it only
>> provides an API for you to add your own hook before/after syscall execution
>> and in the Linux case, the ability to set a hook on any particular syscall.
>> 
>> There are two proper ways to accomplish what you're looking for. First,
>> you could write a small plugin that uses the API defined in syscalls_int.h.
>> Alternatively, you could look at the format of the gen_syscalls_* files and
>> port them from Linux to Windows, which should be relatively straightforward
>> as it's all just syscall prototypes. Finally, for a third option you could
>> modify the syscalls plugin around line 330. The last option is probably the
>> least "clean" but fastest.
>> 
>> Hope this helps,
>> yrp
>> 
>> 
>> On Wednesday, December 3, 2014 9:50 AM, Simone Mazzoni
>> <simone.mazzoni13 at gmail.com> wrote:
>> 
>> 
>> Hello,
>> 
>> I have a problem using the “syscalls” plugin provided in PANDA.
>> 
>> I successfully compiled PANDA following the compile.txt instructions.
>> 
>> I now want to use PANDA to scan all the system calls on a Windows 7 VM.
>> 
>> I run the Windows 7 VM with this command: “./qemu-system-x86_64 -hda
>> ../../../qemuwin7.img -enable-kvm -m 1024 -monitor stdio -loadvm booted
>> -panda syscalls” and the system replies with this message:
>> 
>> adding
>> /home/parallels/Desktop/Tesi/panda-master/qemu/x86_64-softmmu/panda_plugins/panda_syscalls.so
>> to panda_plugin_files 0
>> loading
>> /home/parallels/Desktop/Tesi/panda-master/qemu/x86_64-softmmu/panda_plugins/panda_syscalls.so
>> warning: Plugin 'syscalls' uses argument: -panda-arg syscalls:file=<file>
>> using default log file syscalls.txt
>> Success
>> QEMU 1.0,1 monitor - type 'help' for more information
>> (qemu) SaveVM v3 format forces exact matches between devices on load and
>> save, including on replay.
>> 
>> So it seems that the plugin is successfully loaded.
>> The message also says that the default log file “syscalls.txt” will be
>> used, so I expect to see some lines in this file after running some programs
>> in the Windows 7 VM, but the file remains blank, so it seems that the plugin
>> is not working.
>> 
>> Where are my errors? How can I effectively trace all the system calls
>> invocations of the guest Windows 7 system?
>> 
>> Thanks
>> 
>> Simone
>> 
>> 
>> 
>> 
>> _______________________________________________
>> panda-users mailing list
>> panda-users at mit.edu
>> http://mailman.mit.edu/mailman/listinfo/panda-users
>> 

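Added example, not code from the thread or from PANDA itself: a stand-alone C model of the filter the replies describe. It identifies the process by CR3 (the address-space ID that panda_get_current_asid returns) as Patrick suggests, checks the CPL in CS so that kernel-mode execution under the same CR3 is skipped, and reads the syscall number from EAX and the arguments relative to EDX as yrp describes. It assumes the Windows 7 x86 sysenter convention (ntdll executes mov edx, esp; sysenter, so [EDX] and [EDX+4] are return addresses and the arguments start at EDX+8). The guest_regs and guest_mem structs, sample_stack and the four sample events are constructed stand-ins for QEMU's CPUState and guest memory, not PANDA API.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the guest CPU at a sysenter.  Field names mirror
 * QEMU's env->regs[R_EAX] etc., but this struct is stand-alone, not CPUState. */
typedef struct {
    uint32_t eax;   /* syscall number */
    uint32_t edx;   /* user ESP, captured by ntdll's "mov edx, esp; sysenter" */
    uint32_t cr3;   /* page-directory base: the address-space ID (ASID) */
    uint16_t cs;    /* code-segment selector; CS & 3 is the CPL */
} guest_regs;

/* A flat slice of guest virtual memory standing in for a guest memory read. */
typedef struct {
    uint32_t base;
    const uint8_t *bytes;
    size_t len;
} guest_mem;

/* Little-endian 32-bit read with a bounds check; false if the address is unmapped. */
static bool read_u32(const guest_mem *m, uint32_t va, uint32_t *out)
{
    uint32_t off = va - m->base;
    if (va < m->base || m->len < 4 || off > m->len - 4)
        return false;
    const uint8_t *p = m->bytes + off;
    *out = (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    return true;
}

/* Ring 0 has CPL 0.  CR3 does not change while a process runs kernel code,
 * so the ASID alone cannot separate user-mode from kernel-mode execution. */
static bool in_kernel_mode(const guest_regs *r) { return (r->cs & 3) == 0; }

/* Trace only user-mode syscall instructions of the tracked address space. */
static bool should_trace(const guest_regs *r, uint32_t target_asid)
{
    return r->cr3 == target_asid && !in_kernel_mode(r);
}

/* Assumed Win7 x86 sysenter layout: [EDX] return into the Nt* stub,
 * [EDX+4] return into the caller, arguments from EDX+8 onward. */
static bool syscall_arg(const guest_mem *m, const guest_regs *r, unsigned idx, uint32_t *out)
{
    uint32_t va = r->edx + 8u + 4u * idx;
    if (va < r->edx)            /* wrapped past the top of the address space */
        return false;
    return read_u32(m, va, out);
}

/* ---- constructed sample data, not captured from a real guest ---- */
#define TARGET_ASID 0x1A2B3000u
#define USER_ESP    0x0012FF00u

/* User stack at the sysenter: two return addresses, then three arguments. */
static const uint8_t sample_stack[20] = {
    0x12, 0x34, 0x56, 0x77,   /* [ESP]   return into the Nt* stub */
    0x00, 0x10, 0x40, 0x00,   /* [ESP+4] return into the caller */
    0x3C, 0x00, 0x00, 0x00,   /* arg0 = 0x3c     (a handle) */
    0x00, 0x00, 0x20, 0x00,   /* arg1 = 0x200000 (a buffer pointer) */
    0x00, 0x10, 0x00, 0x00,   /* arg2 = 0x1000   (a length) */
};

static guest_mem sample_memory(void)
{
    guest_mem m = { USER_ESP, sample_stack, sizeof sample_stack };
    return m;
}

static guest_regs sample_user_regs(void)
{
    guest_regs r = { 0x111, USER_ESP, TARGET_ASID, 0x1B };   /* CS=0x1B: ring 3 */
    return r;
}

/* Four constructed events: only #1 and #4 belong to the tracked process and
 * run in ring 3; #2 is the same CR3 in ring 0, #3 is another process. */
static size_t trace_sample(char out[][64], size_t max)
{
    const guest_regs events[4] = {
        { 0x111, USER_ESP, TARGET_ASID, 0x1B },
        { 0x111, USER_ESP, TARGET_ASID, 0x08 },
        { 0x0A3, USER_ESP, 0x0BADF000u, 0x1B },
        { 0x0A3, USER_ESP, TARGET_ASID, 0x1B },
    };
    guest_mem m = sample_memory();
    size_t n = 0;
    for (size_t i = 0; i < 4 && n < max; i++) {
        if (!should_trace(&events[i], TARGET_ASID))
            continue;
        uint32_t a0 = 0, a1 = 0, a2 = 0;
        syscall_arg(&m, &events[i], 0, &a0);
        syscall_arg(&m, &events[i], 1, &a1);
        syscall_arg(&m, &events[i], 2, &a2);
        snprintf(out[n++], 64, "asid=%08x nr=0x%03x args=%08x %08x %08x",
                 (unsigned)events[i].cr3, (unsigned)events[i].eax,
                 (unsigned)a0, (unsigned)a1, (unsigned)a2);
    }
    return n;
}

int main(void)
{
    char lines[4][64];
    size_t n = trace_sample(lines, 4);
    for (size_t i = 0; i < n; i++)
        puts(lines[i]);
    guest_regs r = sample_user_regs();
    printf("sample regs in kernel mode: %s\n", in_kernel_mode(&r) ? "yes" : "no");
    return 0;
}
```

In a real plugin the same three checks would sit in the syscall callback, with the register values taken from env and the memory read done through PANDA's guest memory read. The thread's own observation that the log only filled once KVM was disabled fits this picture: PANDA instruments the translated (TCG) instruction stream, and a guest running under KVM never passes through it.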