[panda-users] Problem syscall plugin usage
Brendan Dolan-Gavitt
brendandg at gatech.edu
Wed Dec 17 21:35:37 EST 2014
Right now the syscalls plugin only supports Linux system calls. So the
"callname" you get is essentially whatever Linux system call
corresponds to the syscall number (which is what's in EAX). We are
working on adding support for Windows system calls (including
arguments). If you just want something quick, you could change it to
not print out the system call name and instead just use the number to
look up the correct name in a Windows system call list.
EAX is the ID of the system call, as you guessed. There are system
call lists for Windows available; here's the one that comes with
Volatility for Windows 7 SP1 32-bit:
https://github.com/volatilityfoundation/volatility/blob/master/volatility/plugins/overlays/windows/win7_sp01_x86_syscalls.py
EDX, on Windows, points to the stack at the time the syscall was made.
The arguments to the syscall start at [EDX+8] (for Windows 32-bit).
Here's an example function that gets an argument to a system call in
Win7 32-bit:
static uint32_t get_syscall_arg(CPUState* env, int nr) {
// At sysenter on Win7, args start at EDX+8
uint32_t arg;
panda_virtual_memory_rw(env, env->regs[R_EDX] + 8 + (4*nr),
(uint8_t *) &arg, 4, false);
return arg;
}
Hope this is helpful,
Brendan
On Wed, Dec 17, 2014 at 12:38 PM, Simone Mazzoni
<simone.mazzoni13 at gmail.com> wrote:
> Hello Brendan,
>
> I checked your code and I think that is a good way to pass and execute an
> executable in the guest VM. I will try to implement such a thing as soon as
> I can.
>
> Now I have another issue.
> Premise: I’m doing this work for my master thesis. My purpose is to find a
> way to track windows7 system calls (and their arguments) without doing
> hooking, but by reading the guest VM memory, and storing it in a text file
> or in a database, in order to reconstruct the execution flow of the
> executable and perform some analysis.
>
> Until now, I found a way to use the panda plugins “osi” and “win7x86intro”
> to selectively track only the syscalls of a certain process specifying its
> name.
> To track the syscalls, I’m currently using the “syscalls” panda plugin but I
> don’t understand few things. The part of that plugin that interest me is
> around row 337 —> “syscall_fprintf(env, "CALL=%s, PC=" TARGET_FMT_lx ",
> SYSCALL=" TARGET_FMT_lx ", EDX=" TARGET_FMT_lx "\n", callname, pc,
> env->regs[R_EAX], env->regs[R_EDX]);”
> I edited this line to print out the R_EDX value instead of the CR3 value.
> I need now to understand some things that are not clear to me:
>
> what is contained in the variable “callname”? Sometime it prints out UNKNOWN
> value, and sometimes it prints out linux system calls name (like sys_getuid)
> even if I am running a windows OS —> I thought it would print something like
> “NtCreateFile” that is a windows syscall.
> what is contained in env->[R_EAX]? Is the code/id of the system call? And
> what is TARGET_FMT_lx? Is looks like a placeholder but I don’t understand
> exactly what it represents.
> what is contained in env->[R_EDX]? I believe it contains the pointer to the
> first syscall argument. Is it right?
>
>
> Sorry for the huge amount of questions, but I’m a little stuck and I can’t
> find so much documentation about these topics.
>
> Many thanks
>
> - Simone
> -----------------------------------------------------
> Simone Mazzoni
> Cell: 340 5210441
> E-Mail: simone.mazzoni13 at gmail.com
> skype: mazzoni.s
>
> Il giorno 15/dic/2014, alle ore 18:55, Brendan Dolan-Gavitt
> <brendandg at gatech.edu> ha scritto:
>
> Hi Simone,
>
> I actually recently set up something similar, in order to run malware.
> You can see the script I ended up with here:
>
> http://amnesia.gtisc.gatech.edu/~moyix/runmal.py
>
> Basically it uses the QEMU monitor to insert a CD containing the
> executable, and then sends keystrokes to the guest VM to copy it to
> the desktop and execute it.
>
> On the other hand sending keystrokes is a bit unreliable, so I am
> planning on switching over to a batch file on the CD that gets autorun
> in order to start up the malware.
>
> Hope this helps,
> Brendan
>
> On Mon, Dec 15, 2014 at 12:49 PM, Simone Mazzoni
> <simone.mazzoni13 at gmail.com> wrote:
>
> Thanks all for the answers,
> using the "osi;win7x86intro;my_plugin” configuration works for me, and now I
> am able to track the syscalls of a specific process specifying its name or
> PID.
>
> Now I’m trying to figure out if I can run an executable file from the
> extern.
> To be more clear, I wish to launch the win7 VM specifying an exe file (
> let’s say foo.exe ) to execute once the system is booted, and the executable
> should be passed as an argument or something similar to the host VM. Is it
> possible to do something similar with qemu?
>
> My purpose is to analyze the syscalls traffic of a given executable file,
> passed from the user.
>
> -Simone
> -----------------------------------------------------
> Simone Mazzoni
> Cell: 340 5210441
> E-Mail: simone.mazzoni13 at gmail.com
> skype: mazzoni.s
>
> Il giorno 11/dic/2014, alle ore 01:23, Brendan Dolan-Gavitt
> <brendandg at gatech.edu> ha scritto:
>
> Are you trying to run these plugins on a live system? You would
> probably be better off making a recording and then doing your analysis
> on a replay.
>
> In any case, yes – the plugins have to be loaded in the right order:
> first osi, then win7x86intro, then testintro.
>
> -Brendan
>
> On Wed, Dec 10, 2014 at 4:51 PM, Simone Mazzoni
> <simone.mazzoni13 at gmail.com> wrote:
>
> Hello Brendan,
> I tried to use the testintro plugin today, but when I load it, it close qemu
> with a core dump error.
> And the error seems to be caused by the printf at line 34, because the
> get_current_process(env); function returns a null pointer instead of the
> current process.
>
> Should I have to load the testintro plugin and the win7x86into plugin
> togegher?
>
> Thanks
>
> -Simone
> -----------------------------------------------------
> Simone Mazzoni
> Cell: 340 5210441
> E-Mail: simone.mazzoni13 at gmail.com
> skype: mazzoni.s
>
> Il giorno 10/dic/2014, alle ore 17:09, Brendan Dolan-Gavitt
> <brendandg at gatech.edu> ha scritto:
>
> I agree with Patrick that CR3 is probably the right choice in most
> cases. But if you really want PID and you happen to be on Windows 7
> 32-bit, you can use the OS introspection support we've added for that
> OS. Look at
>
> https://github.com/moyix/panda/blob/master/qemu/panda_plugins/testintro/testintro.c
>
> for an example of how you'd add that to your plugin. When running it,
> you'd use the argument "-panda osi; win7x86intro;your_plugin" to load
> the Win7 introspection and the introspection abstraction layer
> plugins.
>
> -Brendan
>
> On Wed, Dec 10, 2014 at 9:39 AM, Hulin, Patrick - 0559 - MITLL
> <Patrick.Hulin at ll.mit.edu> wrote:
>
> Hi Simone,
>
> I’d recommend just using the CR3 register to track processes (we have a
> function, panda_get_current_asid, that generalizes it to different
> architectures). It won’t change for kernel mode, so you’ll have to manually
> check whether or not you’re in kernel mode (ring 0). Finding PIDs is highly
> OS-specific; you can use panda_memsavep and volatility to look at them for a
> given memory snapshot, but we don’t have a generic way to look at them.
>
> From: Simone Mazzoni <simone.mazzoni13 at gmail.com>
> Date: Wednesday, December 10, 2014 at 5:08 AM
> To: - yrp <yrp604 at yahoo.com>
> Cc: "panda-users at mit.edu" <panda-users at mit.edu>
> Subject: Re: [panda-users] Problem syscall plugin usage
>
> Hello,
> I have another question.
>
> There is a way to obtain the PID of the process caller of a system call in
> order to filter the system calls analisys only for specified Processes?
> My purpose is to track system calls only for a specified program in
> execution on the system (i.e tracking only the system calls of the execution
> of notepad.exe program on windows)
>
> Is it possible to do such a thing by editing the PANDA syscalls plugin?
>
> Simone
>
> 2014-12-08 20:14 GMT+01:00 - yrp <yrp604 at yahoo.com>:
>
>
> Yes, 'env->regs[R_EDX]' should give you what you want. This of course
> presumes the CPUState ptr is named env...
>
> For an example, see here:
>
> https://github.com/moyix/panda/blob/master/qemu/panda_plugins/syscalls/syscalls.cpp#L332
>
>
>
>
> On Monday, December 8, 2014 6:12 AM, Simone Mazzoni
> <simone.mazzoni13 at gmail.com> wrote:
>
>
> Hello yrp,
>
> I solved my problem by disabling kvm. This allows me to read the content
> of EAX register in order to read the data every time a system call is
> invoked.
>
> Now I’m trying to find a way to get information about the arguments of
> every system call. If I’m not wrong, the address of the first
> parameter/argument of a system call is pushed in the EDX register. Is this
> right? There is a way to retrive information about the parameters of each
> system call invoked by the system?
>
> Tnaks,
> Simone
> -----------------------------------------------------
> Simone Mazzoni
> Cell: 340 5210441
> E-Mail: simone.mazzoni13 at gmail.com
> skype: mazzoni.s
>
> Il giorno 03/dic/2014, alle ore 21:28, - yrp <yrp604 at yahoo.com> ha
> scritto:
>
> Hi Simone,
>
> I believe the syscalls plugin used to create the list of syscalls when it
> was still coupled with the fdtracker plugin. Currently I think it only
> provides an API for you to add your own hook before/after syscall execution
> and in the Linux case, the ability to set a hook on any particular syscall.
>
> There are two proper ways to accomplish what you're looking for. First,
> you could write a small plugin that uses the API defined in syscalls_int.h.
> Alternatively, you could look at the format of the gen_syscalls_* files and
> port them from linux to windows which should be relatively straight forward
> as it's all just syscall prototypes. Finally, for a third option you could
> modify the syscalls plugin around line 330. The last option is probably the
> least "clean" but fastest.
>
> Hope this helps,
> yrp
>
>
> On Wednesday, December 3, 2014 9:50 AM, Simone Mazzoni
> <simone.mazzoni13 at gmail.com> wrote:
>
>
> Hello,
>
> I have a problem in using the “syscall” plugin provided in PANDA.
>
> I succesfully compiled PANDA following the compile.txt instruction.
>
> I want now to use PANDA to scan all the system calls on a Windows 7 VM.
>
> I run the Windows 7 VM with this command: “./qemu-system-x86_64 -hda
> ../../../qemuwin7.img -enable-kvm -m 1024 -monitor stdio -loadvm booted
> -panda syscalls” and the system replies with this message
>
> adding
> /home/parallels/Desktop/Tesi/panda-master/qemu/x86_64-softmmu/panda_plugins/panda_syscalls.so
> to panda_plugin_files 0
> loading
> /home/parallels/Desktop/Tesi/panda-master/qemu/x86_64-softmmu/panda_plugins/panda_syscalls.so
> warning: Plugin 'syscalls' uses argument: -panda-arg syscalls:file=<file>
> using default log file syscalls.txt
> Success
> QEMU 1.0,1 monitor - type 'help' for more information
> (qemu) SaveVM v3 format forces exact matches between devices on load and
> save, including on replay.
>
> So it seems that the plugin is succesfully loaded.
> The message says also that the default log file “syscalls.txt” will be
> used, so I expect to see some line in this file after running some programs
> in the Windows 7 VM, but the file remains blank, so it seems that the plugin
> is not working.
>
> Where are my errors? How can I effectively trace all the system calls
> invocations of the guest Windows 7 system?
>
> Thanks
>
> Simone
>
>
>
>
> _______________________________________________
> panda-users mailing list
> panda-users at mit.edu
> http://mailman.mit.edu/mailman/listinfo/panda-users
>
>
>
>
>
>
>
> _______________________________________________
> panda-users mailing list
> panda-users at mit.edu
> http://mailman.mit.edu/mailman/listinfo/panda-users
>
>
>
>
More information about the panda-users
mailing list