[panda-users] about asidstory plugin
Brendan Dolan-Gavitt
brendandg at gatech.edu
Thu Apr 23 11:32:03 EDT 2015
Asidstory requires the OSI plugin to get information about the guest OS.
Since you're running this on Android, which is Linux-based, you would want
to use a command line like:
-panda 'osi_linux;osi;asidstory'
The osi_linux plugin needs a configuration file that specifies the offsets
of various kernel data structure members. You can see an example here:
https://github.com/moyix/panda/blob/master/qemu/panda_plugins/osi_linux/kernelinfo.conf
Unfortunately getting this information for Android is tricky – the usual
way is to load a kernel module that prints out the offsets for you. It is
possible you can use some of the steps from Volatility's Android code to
help out here, but there will be some extra work involved in getting the
information in a form usable by osi_linux.
https://github.com/volatilityfoundation/volatility/wiki/Android#build-a-volatility-profile
Hope this helps,
Brendan
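As an added illustration of why osi_linux needs those offsets (example code written for this note, not part of PANDA or of anything posted in the thread): a kernelinfo-style profile is parsed and its task_struct offsets are used to walk a constructed guest task list. The section and key names, the addresses and the in-memory layout are assumptions modelled on the kernelinfo.conf linked above, not copied from it.

```python
import configparser
import struct
# Constructed kernelinfo-style profile; section/key names and values are
# assumptions modelled on PANDA's osi_linux kernelinfo.conf, not copied from it.
KERNELINFO = """
[android-demo]
task.init_addr = 0xc0500000
task.size = 0x200
task.tasks_offset = 0x40
task.pid_offset = 0x80
task.comm_offset = 0x100
task.comm_size = 16
"""

def load_kernelinfo(text, name):
    """Parse one profile section into {key: int}; values may be hex."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return {k: int(v, 0) for k, v in cp[name].items()}

def build_guest_memory(ki, procs):
    """Constructed guest RAM: circular task list, each task_struct holding
    a list_head (next, prev), a pid and a comm at the profile's offsets."""
    size, base, n = ki["task.size"], ki["task.init_addr"], len(procs)
    mem = bytearray(size * n)
    for i, (pid, comm) in enumerate(procs):
        off = i * size
        nxt = base + ((i + 1) % n) * size + ki["task.tasks_offset"]
        prv = base + ((i - 1) % n) * size + ki["task.tasks_offset"]
        struct.pack_into("<II", mem, off + ki["task.tasks_offset"], nxt, prv)
        struct.pack_into("<I", mem, off + ki["task.pid_offset"], pid)
        c0 = off + ki["task.comm_offset"]
        mem[c0:c0 + ki["task.comm_size"]] = comm.encode().ljust(ki["task.comm_size"], b"\0")
    return mem

def walk_tasks(mem, ki, limit=64):
    """Follow init_task.tasks.next around the ring; container_of is the list
    address minus tasks_offset. A wrong offset silently reads the wrong bytes."""
    base, head = ki["task.init_addr"], ki["task.init_addr"] + ki["task.tasks_offset"]
    u32 = lambda addr: struct.unpack_from("<I", mem, addr - base)[0]
    out, cur = [], head
    for _ in range(limit):  # bound guards against a corrupt or unterminated ring
        task = cur - ki["task.tasks_offset"]
        c0 = task + ki["task.comm_offset"] - base
        comm = bytes(mem[c0:c0 + ki["task.comm_size"]]).split(b"\0")[0].decode()
        out.append((u32(task + ki["task.pid_offset"]), comm))
        cur = u32(cur)  # list_head.next
        if cur == head:
            break
    return out
```

Re-running walk_tasks with task.pid_offset shifted by a few bytes makes every task report pid 0 without any error, which is the kind of garbage a wrong profile feeds into OSI consumers such as asidstory.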
On Thu, Apr 23, 2015 at 3:33 AM, xiaojuan Li <xiaotan6666 at gmail.com> wrote:
> Thanks.
> I noticed the note in asidstory.cpp: "collect the set of asids (cr3 on
> x86)..."
> But now that PANDA uses qemu and does something to extend it, it seems it can
> translate micro ops to llvm, so why did replaying android fail?
>
> 2015-04-23 3:24 GMT-04:00 Aleksandar Nikolich <anikolich at sourcefire.com>:
>
>> Ah, I missed that you were trying to replay android. AFAIK asidstory
>> requires a suitable os introspection plugin.
>>
>>
>> On Thursday, April 23, 2015, Aleksandar Nikolich <
>> anikolich at sourcefire.com> wrote:
>>
>>> Ah, I missed that you were trying to replay android. AFAIK asidstory
>>> requires a suitable os introspection plugin.
>>>
>>> On Thursday, April 23, 2015, xiaojuan Li <xiaotan6666 at gmail.com> wrote:
>>>
>>>> Thanks first!
>>>> The thing is I use qemu-system-arm to replay, and I added the
>>>> "win7x86intro" plugin; it does not work (still segfault).
>>>>
>>>> 2015-04-23 3:12 GMT-04:00 Aleksandar Nikolich <anikolich at sourcefire.com>:
>>>>
>>>>> You need to add "win7x86intro" plug-in too and it should work.
>>>>>
>>>>>
>>>>> On Thursday, April 23, 2015, xiaojuan Li <xiaotan6666 at gmail.com>
>>>>> wrote:
>>>>>
>>>>>>
>>>>>> Hi,
>>>>>> I tried the asidstory plugin: -replay ******* -panda 'asidstory'
>>>>>> and then segfault:
>>>>>>
>>>>>> ************************************************************************************
>>>>>> adding
>>>>>> /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_asidstory.so
>>>>>> to panda_plugin_files 0
>>>>>> emulator: registered 'boot-properties' qemud service
>>>>>> emulator: Adding boot property: 'dalvik.vm.heapsize' = '48m'
>>>>>> emulator: Adding boot property: 'qemu.sf.fake_camera' = 'both'
>>>>>> emulator: Adding boot property: 'qemu.hw.mainkeys' = '0'
>>>>>> loading
>>>>>> /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_asidstory.so
>>>>>> Initializing plugin asidstory
>>>>>> panda_require: osi
>>>>>> loading
>>>>>> /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_osi.so
>>>>>> Success
>>>>>> Success
>>>>>> goldfish_add_device: goldfish_device_bus, base ff001000 1000, irq 1 1
>>>>>> goldfish_device_bus: ff001000 30
>>>>>> goldfish_add_device: goldfish_int, base ff000000 1000, irq 0 0
>>>>>> goldfish_int: ff000000 38
>>>>>> goldfish_add_device: goldfish_timer, base ff003000 1000, irq 3 1
>>>>>> goldfish_timer: ff003000 40
>>>>>> goldfish_add_device: goldfish_rtc, base ff010000 1000, irq 10 1
>>>>>> goldfish_rtc: ff010000 48
>>>>>> goldfish_add_device: goldfish_tty, base ff002000 1000, irq 4 1
>>>>>> goldfish_tty: ff002000 50
>>>>>> android_arm_init serial 1 0
>>>>>> android_arm_init serial 2 0
>>>>>> android_arm_init serial 3 0
>>>>>> goldfish_add_device: smc91x, base ff011000 1000, irq 11 1
>>>>>> goldfish_add_device: goldfish_fb, base ff012000 1000, irq 12 1
>>>>>> goldfish_fb: ff012000 68
>>>>>> Using tmpfile for SD card: /tmp/android-shentanli/emulator-pQEpMo
>>>>>> goldfish_add_device: goldfish_mmc, base ff005000 1000, irq 13 1
>>>>>> goldfish_mmc: ff005000 70
>>>>>> goldfish_add_device: goldfish_memlog, base ff006000 1000, irq 0 0
>>>>>> goldfish_memlog: ff006000 78
>>>>>> goldfish_add_device: goldfish-battery, base ff013000 1000, irq 14 1
>>>>>> goldfish-battery: ff013000 80
>>>>>> goldfish_add_device: goldfish_events, base ff014000 1000, irq 15 1
>>>>>> goldfish_events: ff014000 88
>>>>>> Using event IRQ
>>>>>> Invalid system partition size for non-QCOW image: 0emulator: geometry
>>>>>> says there are 0 blocks
>>>>>>
>>>>>> emulator: Dev size of /tmp/android-shentanli/emulator-U4lzIR is 0
>>>>>>
>>>>>> Invalid data partition size for non-QCOW image: 0emulator: Dev size
>>>>>> 0x0 came from argument
>>>>>>
>>>>>> emulator: geometry says there are 0 blocks
>>>>>>
>>>>>> emulator: Dev size of /tmp/android-shentanli/emulator-DAYKEk is 0
>>>>>>
>>>>>> emulator: Dev size 0x0 came from argument
>>>>>>
>>>>>> emulator: geometry says there are 0 blocks
>>>>>>
>>>>>> emulator: Dev size of /tmp/android-shentanli/emulator-KUsYAN is 0
>>>>>>
>>>>>> goldfish_add_device: goldfish_nand, base ff015000 1000, irq 16 1
>>>>>> goldfish_nand: ff015000 90
>>>>>> goldfish_add_device: qemu_pipe, base ff016000 2000, irq 17 1
>>>>>> qemu_pipe: ff016000 98
>>>>>> emulator: control console listening on port 5554, ADB on port 5555
>>>>>> emulator: can't connect to ADB server: Connection refused
>>>>>> emulator: Realistic sensor emulation is not available, since the
>>>>>> remote controller is not accessible:
>>>>>> Connection refused
>>>>>> loading snapshot
>>>>>> emulator: Adding boot property: 'dalvik.vm.heapsize' = '48m'
>>>>>> emulator: Adding boot property: 'qemu.sf.fake_camera' = 'both'
>>>>>> emulator: Adding boot property: 'qemu.hw.mainkeys' = '0'
>>>>>> ... done.
>>>>>>
>>>>>> Logging all cpu states
>>>>>> CPU #0:
>>>>>> R00=0000002f R01=a7d24020 R02=b6ee030c R03=b5312114
>>>>>> R04=a7bd4908 R05=a7d240a0 R06=a7bd4800 R07=000000c5
>>>>>> R08=b6f13d94 R09=a7d240dc R10=00000000 R11=aefc7980
>>>>>> R12=a7bd4818 R13=c1ba5ff8 R14=b6ee0318 R15=ffff0008
>>>>>> PSR=40000093 -Z-- A svc32
>>>>>> opening nondet log for read : ./read-256-smaller-rr-nondet.log
>>>>>> Segmentation fault (core dumped)
>>>>>>
>>>>>> *************************************************************************************
>>>>>>
>>>>>> and then gdb finds this:
>>>>>>
>>>>>> ---------------------------------------------------------------------------------------------------------
>>>>>> Using host libthread_db library
>>>>>> "/lib/x86_64-linux-gnu/libthread_db.so.1".
>>>>>> Core was generated by `./qemu-system-arm -m 256 -replay
>>>>>> read-256-smaller -M android_arm -kernel /dev/n'.
>>>>>> Program terminated with signal 11, Segmentation fault.
>>>>>> #0 asidstory_before_block_exec (env=<optimized out>, tb=<optimized out>)
>>>>>>     at asidstory.cpp:207
>>>>>> 207 if (pid_ok(p->pid)) {
>>>>>> (gdb) print p->pid
>>>>>> $1 = 0
>>>>>>
>>>>>> ----------------------------------------------------------------------------------------------------------
>>>>>> The function pid_ok just allows pid >= 4, but why?
>>>>>> [image: inline image 1]
>>>>>>
>>>>>> could you spare some time to check this plugin?
>>>>>> Thanks!
>>>>>>
>>>>>> --
>>>>>> wait and hope~~
>>>>>>