[panda-users] Problem syscall plugin usage
Brendan Dolan-Gavitt
brendandg at gatech.edu
Mon Dec 15 12:55:06 EST 2014
Hi Simone,
I actually recently set up something similar, in order to run malware.
You can see the script I ended up with here:
http://amnesia.gtisc.gatech.edu/~moyix/runmal.py
Basically it uses the QEMU monitor to insert a CD containing the
executable, and then sends keystrokes to the guest VM to copy it to
the desktop and execute it.
On the other hand, sending keystrokes is a bit unreliable, so I am
planning on switching over to a batch file on the CD that gets autorun
in order to start up the malware.
Hope this helps,
Brendan
On Mon, Dec 15, 2014 at 12:49 PM, Simone Mazzoni
<simone.mazzoni13 at gmail.com> wrote:
> Thanks all for the answers,
> using the "osi;win7x86intro;my_plugin" configuration works for me, and now I
> am able to track the syscalls of a specific process, specifying its name or
> PID.
>
> Now I'm trying to figure out if I can run an executable file from outside.
> To be more clear, I wish to launch the win7 VM specifying an exe file (let's
> say foo.exe) to execute once the system is booted, and the executable should
> be passed as an argument or something similar to the host VM. Is it
> possible to do something similar with qemu?
>
> My purpose is to analyze the syscall traffic of a given executable file,
> passed in by the user.
>
> -Simone
> -----------------------------------------------------
> Simone Mazzoni
> Cell: 340 5210441
> E-Mail: simone.mazzoni13 at gmail.com
> skype: mazzoni.s
>
> On 11 Dec 2014, at 01:23, Brendan Dolan-Gavitt
> <brendandg at gatech.edu> wrote:
>
> Are you trying to run these plugins on a live system? You would
> probably be better off making a recording and then doing your analysis
> on a replay.
>
> In any case, yes – the plugins have to be loaded in the right order:
> first osi, then win7x86intro, then testintro.
>
> -Brendan
>
> On Wed, Dec 10, 2014 at 4:51 PM, Simone Mazzoni
> <simone.mazzoni13 at gmail.com> wrote:
>
> Hello Brendan,
> I tried to use the testintro plugin today, but when I load it, it closes qemu
> with a core dump error.
> The error seems to be caused by the printf at line 34, because the
> get_current_process(env); function returns a null pointer instead of the
> current process.
>
> Do I have to load the testintro plugin and the win7x86intro plugin
> together?
>
> Thanks
>
> -Simone
> -----------------------------------------------------
> Simone Mazzoni
> Cell: 340 5210441
> E-Mail: simone.mazzoni13 at gmail.com
> skype: mazzoni.s
>
> On 10 Dec 2014, at 17:09, Brendan Dolan-Gavitt
> <brendandg at gatech.edu> wrote:
>
> I agree with Patrick that CR3 is probably the right choice in most
> cases. But if you really want PID and you happen to be on Windows 7
> 32-bit, you can use the OS introspection support we've added for that
> OS. Look at
>
> https://github.com/moyix/panda/blob/master/qemu/panda_plugins/testintro/testintro.c
>
> for an example of how you'd add that to your plugin. When running it,
> you'd use the argument "-panda osi; win7x86intro;your_plugin" to load
> the Win7 introspection and the introspection abstraction layer
> plugins.
>
> -Brendan
>
> On Wed, Dec 10, 2014 at 9:39 AM, Hulin, Patrick - 0559 - MITLL
> <Patrick.Hulin at ll.mit.edu> wrote:
>
> Hi Simone,
>
> I’d recommend just using the CR3 register to track processes (we have a
> function, panda_get_current_asid, that generalizes it to different
> architectures). It won’t change for kernel mode, so you’ll have to manually
> check whether or not you’re in kernel mode (ring 0). Finding PIDs is highly
> OS-specific; you can use panda_memsavep and volatility to look at them for a
> given memory snapshot, but we don’t have a generic way to look at them.
>
> From: Simone Mazzoni <simone.mazzoni13 at gmail.com>
> Date: Wednesday, December 10, 2014 at 5:08 AM
> To: - yrp <yrp604 at yahoo.com>
> Cc: "panda-users at mit.edu" <panda-users at mit.edu>
> Subject: Re: [panda-users] Problem syscall plugin usage
>
> Hello,
> I have another question.
>
> Is there a way to obtain the PID of the process that called a system call, in
> order to filter the system call analysis to only specified processes?
> My purpose is to track system calls only for a specified program in
> execution on the system (i.e. tracking only the system calls of the
> notepad.exe program on Windows).
>
> Is it possible to do such a thing by editing the PANDA syscalls plugin?
>
> Simone
>
> 2014-12-08 20:14 GMT+01:00 - yrp <yrp604 at yahoo.com>:
>
>
> Yes, 'env->regs[R_EDX]' should give you what you want. This of course
> presumes the CPUState ptr is named env...
>
> For an example, see here:
>
> https://github.com/moyix/panda/blob/master/qemu/panda_plugins/syscalls/syscalls.cpp#L332
>
>
>
>
> On Monday, December 8, 2014 6:12 AM, Simone Mazzoni
> <simone.mazzoni13 at gmail.com> wrote:
>
>
> Hello yrp,
>
> I solved my problem by disabling kvm. This allows me to read the content
> of EAX register in order to read the data every time a system call is
> invoked.
>
> Now I'm trying to find a way to get information about the arguments of
> every system call. If I'm not wrong, the address of the first
> parameter/argument of a system call is pushed in the EDX register. Is this
> right? Is there a way to retrieve information about the parameters of each
> system call invoked by the system?
>
> Thanks,
> Simone
> -----------------------------------------------------
> Simone Mazzoni
> Cell: 340 5210441
> E-Mail: simone.mazzoni13 at gmail.com
> skype: mazzoni.s
>
> On 3 Dec 2014, at 21:28, - yrp <yrp604 at yahoo.com>
> wrote:
>
> Hi Simone,
>
> I believe the syscalls plugin used to create the list of syscalls when it
> was still coupled with the fdtracker plugin. Currently I think it only
> provides an API for you to add your own hook before/after syscall execution
> and in the Linux case, the ability to set a hook on any particular syscall.
>
> There are two proper ways to accomplish what you're looking for. First,
> you could write a small plugin that uses the API defined in syscalls_int.h.
> Alternatively, you could look at the format of the gen_syscalls_* files and
> port them from linux to windows which should be relatively straight forward
> as it's all just syscall prototypes. Finally, for a third option you could
> modify the syscalls plugin around line 330. The last option is probably the
> least "clean" but fastest.
>
> Hope this helps,
> yrp
>
>
> On Wednesday, December 3, 2014 9:50 AM, Simone Mazzoni
> <simone.mazzoni13 at gmail.com> wrote:
>
>
> Hello,
>
> I have a problem in using the “syscall” plugin provided in PANDA.
>
> I successfully compiled PANDA following the compile.txt instructions.
>
> I want now to use PANDA to scan all the system calls on a Windows 7 VM.
>
> I run the Windows 7 VM with this command: “./qemu-system-x86_64 -hda
> ../../../qemuwin7.img -enable-kvm -m 1024 -monitor stdio -loadvm booted
> -panda syscalls” and the system replies with this message
>
> adding
> /home/parallels/Desktop/Tesi/panda-master/qemu/x86_64-softmmu/panda_plugins/panda_syscalls.so
> to panda_plugin_files 0
> loading
> /home/parallels/Desktop/Tesi/panda-master/qemu/x86_64-softmmu/panda_plugins/panda_syscalls.so
> warning: Plugin 'syscalls' uses argument: -panda-arg syscalls:file=<file>
> using default log file syscalls.txt
> Success
> QEMU 1.0,1 monitor - type 'help' for more information
> (qemu) SaveVM v3 format forces exact matches between devices on load and
> save, including on replay.
>
> So it seems that the plugin is successfully loaded.
> The message also says that the default log file "syscalls.txt" will be
> used, so I expect to see some lines in this file after running some programs
> in the Windows 7 VM, but the file remains blank, so it seems that the plugin
> is not working.
>
> Where are my errors? How can I effectively trace all the system calls
> invocations of the guest Windows 7 system?
>
> Thanks
>
> Simone
>
>
>
>
> _______________________________________________
> panda-users mailing list
> panda-users at mit.edu
> http://mailman.mit.edu/mailman/listinfo/panda-users
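The orchestration Brendan describes at the top of the thread (QEMU monitor inserts a CD, keystrokes or an autorun batch file start the sample), as an added example; this is not runmal.py and not PANDA code. It assumes QEMU was started with `-monitor unix:/tmp/qemu-mon,server,nowait`, that the guest CD drive is the IDE device QEMU names `ide1-cd0`, that the guest has a US keyboard layout, that the Windows key is listed as `meta_l` in this QEMU's `sendkey` table, and that AutoPlay in the guest is set to run the `autorun.inf` action without prompting. The paths `/tmp/qemu-mon` and `/tmp/sample.iso` are placeholders.

```python
"""Drive a QEMU/PANDA guest from the host over the human monitor socket.

Added example (not runmal.py). Assumptions: monitor on /tmp/qemu-mon,
CD device ide1-cd0, US keyboard layout in the guest, Windows key named
meta_l in QEMU's sendkey table.
"""
import socket
import time

# QEMU `sendkey` names for unshifted non-alphanumeric keys (US layout).
_SYMBOLS = {
    ' ': 'spc', '.': 'dot', ',': 'comma', '/': 'slash', '\\': 'backslash',
    ';': 'semicolon', '-': 'minus', '=': 'equal', "'": 'apostrophe',
    '[': 'bracket_left', ']': 'bracket_right', '`': 'grave_accent',
    '\n': 'ret', '\t': 'tab',
}
# Characters that need shift, mapped to the unshifted key they sit on.
_SHIFTED = {
    ':': 'semicolon', '"': 'apostrophe', '<': 'comma', '>': 'dot',
    '?': 'slash', '_': 'minus', '+': 'equal', '|': 'backslash',
    '{': 'bracket_left', '}': 'bracket_right', '~': 'grave_accent',
    '!': '1', '@': '2', '#': '3', '$': '4', '%': '5', '^': '6',
    '&': '7', '*': '8', '(': '9', ')': '0',
}


def keyseq(text):
    """Translate a string into the list of `sendkey` arguments that type it."""
    keys = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            keys.append(('shift-' if ch.isupper() else '') + ch.lower())
        elif ch in '0123456789':
            keys.append(ch)
        elif ch in _SYMBOLS:
            keys.append(_SYMBOLS[ch])
        elif ch in _SHIFTED:
            keys.append('shift-' + _SHIFTED[ch])
        else:
            raise ValueError('no sendkey mapping for %r' % ch)
    return keys


def autorun_files(exe_name):
    """Files to put next to the sample on the CD so it starts without typing:
    autorun.inf points AutoPlay at run.bat, which copies the sample to the
    desktop and starts it from there (%~dp0 is the drive and path of run.bat)."""
    inf = '[autorun]\r\nopen=run.bat\r\n'
    bat = ('@echo off\r\n'
           'copy "%%~dp0%s" "%%USERPROFILE%%\\Desktop\\%s"\r\n'
           'start "" "%%USERPROFILE%%\\Desktop\\%s"\r\n' % (exe_name, exe_name, exe_name))
    return {'autorun.inf': inf, 'run.bat': bat}


def monitor_commands(iso_path, guest_cmd, cd_device='ide1-cd0'):
    """Monitor command list: insert the ISO, open the Run dialog (Win+R),
    then type guest_cmd followed by Enter. This is the keystroke fallback
    for guests where autorun is disabled."""
    cmds = ['change %s %s' % (cd_device, iso_path), 'sendkey meta_l-r']
    cmds += ['sendkey %s' % k for k in keyseq(guest_cmd + '\n')]
    return cmds


class Monitor:
    """Line-oriented client for the human monitor on a UNIX socket."""
    PROMPT = b'(qemu) '

    def __init__(self, path):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(path)
        self._read_to_prompt()          # swallow the banner

    def _read_to_prompt(self):
        buf = b''
        while not buf.endswith(self.PROMPT):
            chunk = self.sock.recv(4096)
            if not chunk:
                raise EOFError('monitor closed')
            buf += chunk
        return buf[:-len(self.PROMPT)].decode('utf-8', 'replace')

    def cmd(self, line, delay=0.05):
        """Send one command and return its output. The pause keeps the guest
        from coalescing or dropping back-to-back keystrokes."""
        self.sock.sendall(line.encode() + b'\n')
        out = self._read_to_prompt()
        time.sleep(delay)
        return out


if __name__ == '__main__':
    import sys
    mon = Monitor(sys.argv[1] if len(sys.argv) > 1 else '/tmp/qemu-mon')
    for c in monitor_commands('/tmp/sample.iso', 'D:\\run.bat'):
        mon.cmd(c)
```

Build the ISO with the sample, `autorun.inf` and `run.bat` in one directory (for example `genisoimage -J -R -o /tmp/sample.iso dir/`). The Run-dialog path only works if the guest desktop is unlocked and has focus when the keys arrive, which is exactly the unreliability the batch-file route avoids; check the keystroke mapping against a scratch text box in the guest before trusting it in a recording.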
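The per-process filtering and argument lookup discussed further down the thread (Patrick's advice to key on CR3 and check for ring 0, yrp's pointer to `env->regs[R_EDX]`), carried through on a constructed snapshot as an added example; this is not PANDA code. In a real plugin the memory reads would go through `panda_virtual_memory_rw()`, the ASID through `panda_get_current_asid()`, and the ring check through CPL (`env->hflags & HF_CPL_MASK` on x86). The guest memory, register values and events below are constructed; the numbers 0x32 for NtClose and 0x42 for NtCreateFile are the Windows 7 SP1 x86 values as I remember them and should be verified against the guest's ntdll stubs.

```python
"""Decode Windows 7 x86 syscall arguments at a sysenter and filter by
address space (CR3/ASID) and ring. Added example, not PANDA code; guest
memory, events and register values are constructed.
"""
import struct
from collections import namedtuple

# What an instruction-exec callback sees at the sysenter boundary: the ASID
# (CR3 on x86), whether CPL == 0, and the EAX/EDX register values.
Sysenter = namedtuple('Sysenter', 'asid in_kernel eax edx')

# Assumed Win7 SP1 x86 syscall numbers and argument counts; verify on the guest.
SYSCALLS = {
    0x32: ('NtClose', 1),
    0x42: ('NtCreateFile', 11),
}


class GuestMemory:
    """Stand-in for panda_virtual_memory_rw(): one mapped region of the guest."""

    def __init__(self, base, blob):
        self.base, self.blob = base, bytes(blob)

    def u32(self, addr):
        off = addr - self.base
        if off < 0 or off + 4 > len(self.blob):
            raise ValueError('guest address 0x%08x not mapped' % addr)
        return struct.unpack_from('<I', self.blob, off)[0]


def sysenter_args(mem, edx, nargs):
    """User stack layout at `sysenter` on Windows 7 x86. The ntdll stub runs
    `mov eax, N; mov edx, 7FFE0300h; call [edx]` and KiFastSystemCall runs
    `mov edx, esp; sysenter`, so EDX is the user ESP at that moment:
        [EDX]       return address into the ntdll stub
        [EDX+4]     return address into the code that called NtXxx
        [EDX+8+4i]  argument i
    Pointer arguments still need a second dereference, and only before the
    kernel consumes them."""
    return [mem.u32(edx + 8 + 4 * i) for i in range(nargs)]


def decode_trace(mem, events, target_asid):
    """Keep only user-mode sysenters from the target address space. CR3 alone
    is not enough: kernel code runs under the same CR3, so a ring-0 hit with a
    matching ASID is not the process's own syscall."""
    out = []
    for ev in events:
        if ev.asid != target_asid or ev.in_kernel:
            continue
        name, nargs = SYSCALLS.get(ev.eax, ('syscall_%#x' % ev.eax, 0))
        out.append((name, sysenter_args(mem, ev.edx, nargs)))
    return out


def sample():
    """Constructed snapshot: a 512-byte user stack region at 0x0012f000 holding
    two syscall frames, plus four sysenter events (values are made up)."""
    base = 0x0012f000
    region = bytearray(0x200)

    def put(addr, *dwords):
        struct.pack_into('<%dI' % len(dwords), region, addr - base, *dwords)

    # Frame for NtCreateFile(FileHandle*, DesiredAccess, ObjectAttributes*,
    # IoStatusBlock*, AllocationSize*, FileAttributes, ShareAccess,
    # CreateDisposition, CreateOptions, EaBuffer, EaLength).
    put(0x0012f000, 0x77a170b4, 0x00401234,
        0x0012f0f0, 0xc0100080, 0x0012f0c0, 0x0012f0e0, 0x00000000,
        0x00000080, 0x00000007, 0x00000001, 0x00000060, 0x00000000, 0x00000000)
    # Frame for NtClose(Handle).
    put(0x0012f100, 0x77a170b4, 0x00401300, 0x00000050)

    target, other = 0x1a2b3000, 0x3e4f5000
    events = [
        Sysenter(target, False, 0x42, 0x0012f000),   # our process: NtCreateFile
        Sysenter(other,  False, 0x32, 0x0012f100),   # another process: dropped
        Sysenter(target, True,  0x32, 0x0012f100),   # same CR3, ring 0: dropped
        Sysenter(target, False, 0x32, 0x0012f100),   # our process: NtClose
    ]
    return GuestMemory(base, region), events, target


if __name__ == '__main__':
    mem, events, target = sample()
    for name, args in decode_trace(mem, events, target):
        print('%s(%s)' % (name, ', '.join('0x%x' % a for a in args)))
```

The ASID you filter on comes from the first sysenter (or the first CR3 switch) after the target process starts; with OSI loaded you can map it from a PID or process name instead, as the later messages describe. The argument-count table is the part that has to be regenerated per Windows build, which is what the `gen_syscalls_*` files yrp mentions exist for.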