[panda-users] about asidstory plugin

Hodosh, Joshua - 0559 - MITLL josh.hodosh at ll.mit.edu
Thu Apr 23 14:33:54 EDT 2015


The Android kernel from the SDK is picky about loading modules, so you'll need to compile a kernel of your own to run, and include the referenced code in some init function to print out offsets.  It's a bit tricky to build an SDK kernel version that will boot a given SDK image, and the offsets may not match those in the kernel that is distributed with the SDK image.

It would be much simpler if the kernel were included with the Android source, or at least versioned along with the SDK.

There are offsets in the DECAF_linux_vmi.c file that worked for me for Android 2.3 and 4.2. The offsets from 4.2 have a decent chance of working for 4.1, since it seems like the SDK kernel is only updated when they need to modify a driver or add or remove functionality (e.g. the transition from YAFFS-only to support for both YAFFS and ext4, and then the transition to ext4-only).

Josh

-----Original Message-----
From: panda-users-bounces at mit.edu [mailto:panda-users-bounces at mit.edu] On Behalf Of Manolis Stamatogiannakis
Sent: Thursday, April 23, 2015 1:36 PM
To: Brendan Dolan-Gavitt
Cc: panda-users at mit.edu
Subject: Re: [panda-users] about asidstory plugin

I'm not familiar with using PANDA for Android analysis, but I remember that the older linux_vmi plugin suggested piggybacking the offset extraction code in the init function of one of the modules of the goldfish kernel which are loaded by default.

An example from their old code is commented at the end of DECAF_linux_vmi.c:

https://github.com/moyix/panda/blob/master/qemu/panda_plugins/linux_vmi/DECAF_linux_vmi.c#L806


M.



2015-04-23 8:32 GMT-07:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:


	Asidstory requires the OSI plugin to get information about the guest OS. Since you're running this on Android, which is Linux-based, you would want to use a command line like:

	-panda 'osi_linux;osi;asidstory'

	The osi_linux plugin needs a configuration file that specifies the offsets of various kernel data structure members. You can see an example here:

	https://github.com/moyix/panda/blob/master/qemu/panda_plugins/osi_linux/kernelinfo.conf

	Unfortunately getting this information for Android is tricky – the usual way is to load a kernel module that prints out the offsets for you. It is possible you can use some of the steps from Volatility's Android code to help out here, but there will be some extra work involved in getting the information in a form usable by osi_linux.

	https://github.com/volatilityfoundation/volatility/wiki/Android#build-a-volatility-profile
	

	Hope this helps,
	Brendan

	On Thu, Apr 23, 2015 at 3:33 AM, xiaojuan Li <xiaotan6666 at gmail.com> wrote:
	

		Thanks.
		
		I noticed the note in asidstory.cpp: "collect the set of asids (cr3 on x86)..."
		
		but now that PANDA uses qemu and does something to extend it, it seems it can translate micro ops to llvm, so why did replaying android fail?
		

		2015-04-23 3:24 GMT-04:00 Aleksandar Nikolich <anikolich at sourcefire.com>:


			Ah, I missed that you were trying to replay android . AFAIK asidstory requires a suitable os introspection plugin.


			On Thursday, April 23, 2015, Aleksandar Nikolich <anikolich at sourcefire.com> wrote:
			

				Ah, I missed that you were trying to replay absurd. AFAIK asidstory requires a suitable os introspection plugin.
				
				On Thursday, April 23, 2015, xiaojuan Li <xiaotan6666 at gmail.com> wrote:
				

					Thanks first!
					
					the thing is I use qemu-system-arm to replay, and I added the "win7x86intro" plugin, but it does not work (still segfaults).
					

					2015-04-23 3:12 GMT-04:00 Aleksandar Nikolich <anikolich at sourcefire.com>:
					

						You need to add "win7x86intro" plug-in too and it should work.


						On Thursday, April 23, 2015, xiaojuan Li <xiaotan6666 at gmail.com> wrote:
						


							Hi,
							
							I tried the asidstory plugin: -replay ******* -panda 'asidstory'
							
							and then a segfault:
							************************************************************************************
							adding /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_asidstory.so to panda_plugin_files 0
							emulator: registered 'boot-properties' qemud service
							emulator: Adding boot property: 'dalvik.vm.heapsize' = '48m'
							emulator: Adding boot property: 'qemu.sf.fake_camera' = 'both'
							emulator: Adding boot property: 'qemu.hw.mainkeys' = '0'
							loading /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_asidstory.so
							Initializing plugin asidstory
							panda_require: osi
							loading /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_osi.so
							Success
							Success
							goldfish_add_device: goldfish_device_bus, base ff001000 1000, irq 1 1
							goldfish_device_bus: ff001000     30
							goldfish_add_device: goldfish_int, base ff000000 1000, irq 0 0
							goldfish_int: ff000000     38
							goldfish_add_device: goldfish_timer, base ff003000 1000, irq 3 1
							goldfish_timer: ff003000     40
							goldfish_add_device: goldfish_rtc, base ff010000 1000, irq 10 1
							goldfish_rtc: ff010000     48
							goldfish_add_device: goldfish_tty, base ff002000 1000, irq 4 1
							goldfish_tty: ff002000     50
							android_arm_init serial 1 0
							android_arm_init serial 2 0
							android_arm_init serial 3 0
							goldfish_add_device: smc91x, base ff011000 1000, irq 11 1
							goldfish_add_device: goldfish_fb, base ff012000 1000, irq 12 1
							goldfish_fb: ff012000     68
							Using tmpfile for SD card: /tmp/android-shentanli/emulator-pQEpMo
							goldfish_add_device: goldfish_mmc, base ff005000 1000, irq 13 1
							goldfish_mmc: ff005000     70
							goldfish_add_device: goldfish_memlog, base ff006000 1000, irq 0 0
							goldfish_memlog: ff006000     78
							goldfish_add_device: goldfish-battery, base ff013000 1000, irq 14 1
							goldfish-battery: ff013000     80
							goldfish_add_device: goldfish_events, base ff014000 1000, irq 15 1
							goldfish_events: ff014000     88
							Using event IRQ
							Invalid system partition size for non-QCOW image: 0emulator: geometry says there are 0 blocks
							
							emulator: Dev size of /tmp/android-shentanli/emulator-U4lzIR is 0
							
							Invalid data partition size for non-QCOW image: 0emulator: Dev size 0x0 came from argument
							
							emulator: geometry says there are 0 blocks
							
							emulator: Dev size of /tmp/android-shentanli/emulator-DAYKEk is 0
							
							emulator: Dev size 0x0 came from argument
							
							emulator: geometry says there are 0 blocks
							
							emulator: Dev size of /tmp/android-shentanli/emulator-KUsYAN is 0
							
							goldfish_add_device: goldfish_nand, base ff015000 1000, irq 16 1
							goldfish_nand: ff015000     90
							goldfish_add_device: qemu_pipe, base ff016000 2000, irq 17 1
							qemu_pipe: ff016000     98
							emulator: control console listening on port 5554, ADB on port 5555
							emulator: can't connect to ADB server: Connection refused
							emulator: Realistic sensor emulation is not available, since the remote controller is not accessible:
							 Connection refused
							loading snapshot
							emulator: Adding boot property: 'dalvik.vm.heapsize' = '48m'
							emulator: Adding boot property: 'qemu.sf.fake_camera' = 'both'
							emulator: Adding boot property: 'qemu.hw.mainkeys' = '0'
							... done.
							
							Logging all cpu states
							CPU #0:
							R00=0000002f R01=a7d24020 R02=b6ee030c R03=b5312114
							R04=a7bd4908 R05=a7d240a0 R06=a7bd4800 R07=000000c5
							R08=b6f13d94 R09=a7d240dc R10=00000000 R11=aefc7980
							R12=a7bd4818 R13=c1ba5ff8 R14=b6ee0318 R15=ffff0008
							PSR=40000093 -Z-- A svc32
							opening nondet log for read :    ./read-256-smaller-rr-nondet.log
							Segmentation fault (core dumped)
							*************************************************************************************
							
							
							and then gdb finds this:
							---------------------------------------------------------------------------------------------------------
							Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
							Core was generated by `./qemu-system-arm -m 256 -replay read-256-smaller -M android_arm -kernel /dev/n'.
							Program terminated with signal 11, Segmentation fault.
							#0  asidstory_before_block_exec (env=<optimized out>, tb=<optimized out>)
							    at asidstory.cpp:207
							207        if (pid_ok(p->pid)) {
							(gdb) print p->pid
							$1 = 0
							----------------------------------------------------------------------------------------------------------
							
							the function pid_ok only allows pid >= 4, but why?
							
							Inline image 1
							

							could you spare some time to check this plugin?
							
							Thanks!
							

							-- 
							
							wait and hope~~




					-- 
					
					wait and hope~~

		
		
		
		-- 
		
		wait and hope~~

		_______________________________________________
		panda-users mailing list
		panda-users at mit.edu
		http://mailman.mit.edu/mailman/listinfo/panda-users
		
		



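Brendan's and Josh's messages describe dumping kernel structure offsets from a module init function and then getting them into a form osi_linux accepts, with Josh's caveat that a kernel you build may not be the one the SDK image actually runs. The script below is an added example, not code from the thread or from PANDA: it parses constructed printk() output of such an init function, sanity-checks the offsets, and compares the recorded kernel version against the image's /proc/version. The `kinfo:` log tag, the key names and every value are assumptions modelled on the style of the linked kernelinfo.conf, not PANDA's format verbatim.

```python
# Added example, not PANDA's or any poster's code. Key names are assumed to follow
# the style of the linked kernelinfo.conf; check them against that file before use.
import re

# Constructed dmesg output, as printk("kinfo: %s = %zu", ..., offsetof(...)) would emit.
SAMPLE_DMESG = """\
[    1.234567] kinfo: name = 3.4.0-gEXAMPLE #1 PREEMPT (constructed)
[    1.234570] kinfo: version.a = 3
[    1.234571] kinfo: version.b = 4
[    1.234572] kinfo: version.c = 0
[    1.234573] kinfo: task.size = 1088
[    1.234574] kinfo: task.tasks_offset = 272
[    1.234575] kinfo: task.pid_offset = 316
[    1.234576] kinfo: task.mm_offset = 340
[    1.234579] kinfo: mm.pgd_offset = 36
"""
# Constructed /proc/version as read from the running SDK image (adb shell cat /proc/version).
SAMPLE_PROC_VERSION = "Linux version 3.4.0-gEXAMPLE (builder@example) #1 PREEMPT"

LINE_RE = re.compile(r"^(?:\[\s*[\d.]+\]\s*)?kinfo:\s*([\w.]+)\s*=\s*(.*?)\s*$")
REQUIRED = ("task.size", "task.tasks_offset", "task.pid_offset", "task.mm_offset", "mm.pgd_offset")

def parse_dmesg(text):
    """Collect key = value pairs, converting integers; unrelated log lines are ignored."""
    info = {}
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        key, raw = m.groups()
        info[key] = int(raw) if raw.isdigit() else raw
    return info

def validate(info):
    """Return a list of problems; an empty list means the offsets look plausible."""
    problems = ["missing " + k for k in REQUIRED if k not in info]
    size = info.get("task.size", 0)
    for key, val in info.items():
        # every task.*_offset must be a number that falls inside task_struct
        if key.startswith("task.") and key.endswith("_offset") and not (isinstance(val, int) and 0 <= val < size):
            problems.append("%s lies outside task_struct" % key)
    return problems

def matches_image(info, proc_version):
    """True if version.a/b/c and the release string agree with the image's /proc/version."""
    m = re.match(r"Linux version (\d+)\.(\d+)\.(\d+)(\S*)", proc_version)
    if not m:
        return False
    a, b, c, suffix = m.groups()
    return ([int(a), int(b), int(c)] == [info.get("version." + k) for k in "abc"]
            and str(info.get("name", "")).startswith(a + "." + b + "." + c + suffix))
```

Run `validate()` and `matches_image()` before writing the section into kernelinfo.conf; a version mismatch here is exactly the "offsets may not match" situation Josh describes.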