[panda-users] Problem syscall plugin usage

Simone Mazzoni simone.mazzoni13 at gmail.com
Wed Dec 17 12:38:22 EST 2014 

Hello Brendan,

I checked your code and I think that is a good way to pass and execute an executable in the guest VM. I will try to implement such a thing as soon as I can.

Now I have another issue.
Premise: I’m doing this work for my master thesis. My purpose is to find a way to track windows7 system calls (and their arguments) without doing hooking, but by reading the guest VM memory, and storing it in a text file or in a database, in order to reconstruct the execution flow of the executable and perform some analysis.

Until now, I found a way to use the panda plugins “osi” and “win7x86intro” to selectively track only the syscalls of a certain process specifying its name.
To track the syscalls, I’m currently using the “syscalls” panda plugin but I don’t understand few things. The part of that plugin that interest me is around row 337 —> “syscall_fprintf(env, "CALL=%s, PC=" TARGET_FMT_lx ", SYSCALL=" TARGET_FMT_lx ", EDX=" TARGET_FMT_lx "\n", callname, pc, env->regs[R_EAX], env->regs[R_EDX]);”
I edited this line to print out the R_EDX value instead of the CR3 value.
I need now to understand some things that are not clear to me:
what is contained in the variable “callname”? Sometime it prints out UNKNOWN value, and sometimes it prints out linux system calls name (like sys_getuid) even if I am running a windows OS —> I thought it would print something like “NtCreateFile” that is a windows syscall.
what is contained in env->[R_EAX]? Is the code/id of the system call? And what is TARGET_FMT_lx? Is looks like a placeholder but I don’t understand exactly what it represents.
what is contained in env->[R_EDX]? I believe it contains the pointer to the first syscall argument. Is it right? 

Sorry for the huge amount of questions, but I’m a little stuck and I can’t find so much documentation about these topics.

Many thanks

- Simone
-----------------------------------------------------
Simone Mazzoni
Cell: 340 5210441
E-Mail: simone.mazzoni13 at gmail.com
skype: mazzoni.s

> Il giorno 15/dic/2014, alle ore 18:55, Brendan Dolan-Gavitt <brendandg at gatech.edu> ha scritto:
> 
> Hi Simone,
> 
> I actually recently set up something similar, in order to run malware.
> You can see the script I ended up with here:
> 
> http://amnesia.gtisc.gatech.edu/~moyix/runmal.py
> 
> Basically it uses the QEMU monitor to insert a CD containing the
> executable, and then sends keystrokes to the guest VM to copy it to
> the desktop and execute it.
> 
> On the other hand sending keystrokes is a bit unreliable, so I am
> planning on switching over to a batch file on the CD that gets autorun
> in order to start up the malware.
> 
> Hope this helps,
> Brendan
> 
> On Mon, Dec 15, 2014 at 12:49 PM, Simone Mazzoni
> <simone.mazzoni13 at gmail.com> wrote:
>> Thanks all for the answers,
>> using the "osi;win7x86intro;my_plugin” configuration works for me, and now I
>> am able to track the syscalls of a specific process specifying its name or
>> PID.
>> 
>> Now I’m trying to figure out if I can run an executable file from the
>> extern.
>> To be more clear, I wish to launch the win7 VM specifying an exe file (
>> let’s say foo.exe ) to execute once the system is booted, and the executable
>> should be passed as an argument or something similar to the host VM. Is it
>> possible to do something similar with qemu?
>> 
>> My purpose is to analyze the syscalls traffic of a given executable file,
>> passed from the user.
>> 
>> -Simone
>> -----------------------------------------------------
>> Simone Mazzoni
>> Cell: 340 5210441
>> E-Mail: simone.mazzoni13 at gmail.com
>> skype: mazzoni.s
>> 
>> Il giorno 11/dic/2014, alle ore 01:23, Brendan Dolan-Gavitt
>> <brendandg at gatech.edu> ha scritto:
>> 
>> Are you trying to run these plugins on a live system? You would
>> probably be better off making a recording and then doing your analysis
>> on a replay.
>> 
>> In any case, yes – the plugins have to be loaded in the right order:
>> first osi, then win7x86intro, then testintro.
>> 
>> -Brendan
>> 
>> On Wed, Dec 10, 2014 at 4:51 PM, Simone Mazzoni
>> <simone.mazzoni13 at gmail.com> wrote:
>> 
>> Hello Brendan,
>> I tried to use the testintro plugin today, but when I load it, it close qemu
>> with a core dump error.
>> And the error seems to be caused by the printf at line 34, because the
>> get_current_process(env); function returns a null pointer instead of the
>> current process.
>> 
>> Should I have to load the testintro plugin and the win7x86into plugin
>> togegher?
>> 
>> Thanks
>> 
>> -Simone
>> -----------------------------------------------------
>> Simone Mazzoni
>> Cell: 340 5210441
>> E-Mail: simone.mazzoni13 at gmail.com
>> skype: mazzoni.s
>> 
>> Il giorno 10/dic/2014, alle ore 17:09, Brendan Dolan-Gavitt
>> <brendandg at gatech.edu> ha scritto:
>> 
>> I agree with Patrick that CR3 is probably the right choice in most
>> cases. But if you really want PID and you happen to be on Windows 7
>> 32-bit, you can use the OS introspection support we've added for that
>> OS. Look at
>> 
>> https://github.com/moyix/panda/blob/master/qemu/panda_plugins/testintro/testintro.c
>> 
>> for an example of how you'd add that to your plugin. When running it,
>> you'd use the argument "-panda osi; win7x86intro;your_plugin" to load
>> the Win7 introspection and the introspection abstraction layer
>> plugins.
>> 
>> -Brendan
>> 
>> On Wed, Dec 10, 2014 at 9:39 AM, Hulin, Patrick - 0559 - MITLL
>> <Patrick.Hulin at ll.mit.edu> wrote:
>> 
>> Hi Simone,
>> 
>> I’d recommend just using the CR3 register to track processes (we have a
>> function, panda_get_current_asid, that generalizes it to different
>> architectures). It won’t change for kernel mode, so you’ll have to manually
>> check whether or not you’re in kernel mode (ring 0). Finding PIDs is highly
>> OS-specific; you can use panda_memsavep and volatility to look at them for a
>> given memory snapshot, but we don’t have a generic way to look at them.
>> 
>> From: Simone Mazzoni <simone.mazzoni13 at gmail.com>
>> Date: Wednesday, December 10, 2014 at 5:08 AM
>> To: - yrp <yrp604 at yahoo.com>
>> Cc: "panda-users at mit.edu" <panda-users at mit.edu>
>> Subject: Re: [panda-users] Problem syscall plugin usage
>> 
>> Hello,
>> I have another question.
>> 
>> There is a way to obtain the PID of the process caller of a system call in
>> order to filter the system calls analisys only for specified Processes?
>> My purpose is to track system calls only for a specified program in
>> execution on the system (i.e tracking only the system calls of the execution
>> of notepad.exe program on windows)
>> 
>> Is it possible to do such a thing by editing the PANDA syscalls plugin?
>> 
>> Simone
>> 
>> 2014-12-08 20:14 GMT+01:00 - yrp <yrp604 at yahoo.com>:
>> 
>> 
>> Yes, 'env->regs[R_EDX]' should give you what you want. This of course
>> presumes the CPUState ptr is named env...
>> 
>> For an example, see here:
>> 
>> https://github.com/moyix/panda/blob/master/qemu/panda_plugins/syscalls/syscalls.cpp#L332
>> 
>> 
>> 
>> 
>> On Monday, December 8, 2014 6:12 AM, Simone Mazzoni
>> <simone.mazzoni13 at gmail.com> wrote:
>> 
>> 
>> Hello yrp,
>> 
>> I solved my problem by disabling kvm. This allows me to read the content
>> of EAX register in order to read the data every time a system call is
>> invoked.
>> 
>> Now I’m trying to find a way to get information about the arguments of
>> every system call. If I’m not wrong, the address of the first
>> parameter/argument of a system call is pushed in the EDX register. Is this
>> right? There is a way to retrive information about the parameters of each
>> system call invoked by the system?
>> 
>> Tnaks,
>> Simone
>> -----------------------------------------------------
>> Simone Mazzoni
>> Cell: 340 5210441
>> E-Mail: simone.mazzoni13 at gmail.com
>> skype: mazzoni.s
>> 
>> Il giorno 03/dic/2014, alle ore 21:28, - yrp <yrp604 at yahoo.com> ha
>> scritto:
>> 
>> Hi Simone,
>> 
>> I believe the syscalls plugin used to create the list of syscalls when it
>> was still coupled with the fdtracker plugin. Currently I think it only
>> provides an API for you to add your own hook before/after syscall execution
>> and in the Linux case, the ability to set a hook on any particular syscall.
>> 
>> There are two proper ways to accomplish what you're looking for. First,
>> you could write a small plugin that uses the API defined in syscalls_int.h.
>> Alternatively, you could look at the format of the gen_syscalls_* files and
>> port them from linux to windows which should be relatively straight forward
>> as it's all just syscall prototypes. Finally, for a third option you could
>> modify the syscalls plugin around line 330. The last option is probably the
>> least "clean" but fastest.
>> 
>> Hope this helps,
>> yrp
>> 
>> 
>> On Wednesday, December 3, 2014 9:50 AM, Simone Mazzoni
>> <simone.mazzoni13 at gmail.com> wrote:
>> 
>> 
>> Hello,
>> 
>> I have a problem in using the “syscall” plugin provided in PANDA.
>> 
>> I succesfully compiled PANDA following the compile.txt instruction.
>> 
>> I want now to use PANDA to scan all the system calls on a Windows 7 VM.
>> 
>> I run the Windows 7 VM with this command: “./qemu-system-x86_64 -hda
>> ../../../qemuwin7.img -enable-kvm -m 1024 -monitor stdio -loadvm booted
>> -panda syscalls” and the system replies with this message
>> 
>> adding
>> /home/parallels/Desktop/Tesi/panda-master/qemu/x86_64-softmmu/panda_plugins/panda_syscalls.so
>> to panda_plugin_files 0
>> loading
>> /home/parallels/Desktop/Tesi/panda-master/qemu/x86_64-softmmu/panda_plugins/panda_syscalls.so
>> warning: Plugin 'syscalls' uses argument: -panda-arg syscalls:file=<file>
>> using default log file syscalls.txt
>> Success
>> QEMU 1.0,1 monitor - type 'help' for more information
>> (qemu) SaveVM v3 format forces exact matches between devices on load and
>> save, including on replay.
>> 
>> So it seems that the plugin is succesfully loaded.
>> The message says also that the default log file “syscalls.txt” will be
>> used, so I expect to see some line in this file after running some programs
>> in the Windows 7 VM, but the file remains blank, so it seems that the plugin
>> is not working.
>> 
>> Where are my errors? How can I effectively trace all the system calls
>> invocations of the guest Windows 7 system?
>> 
>> Thanks
>> 
>> Simone
>> 
>> 
>> 
>> 
>> _______________________________________________
>> panda-users mailing list
>> panda-users at mit.edu
>> http://mailman.mit.edu/mailman/listinfo/panda-users
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> _______________________________________________
>> panda-users mailing list
>> panda-users at mit.edu
>> http://mailman.mit.edu/mailman/listinfo/panda-users
>> 
>> 
>> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.mit.edu/mailman/private/panda-users/attachments/20141217/d2204e98/attachment-0001.htm

More information about the panda-users mailing list