[panda-users] How can I get the original assembly code(opcode)?
Manolis Stamatogiannakis
mstamat at gmail.com
Mon Aug 17 09:20:26 EDT 2015
s/different arguments/different values/
2015-08-17 15:08 GMT+02:00 Manolis Stamatogiannakis <mstamat at gmail.com>:
> Igor, are you sure that the "pc" argument and "env->eip" will contain
> different arguments? I'd guess that "pc" is provided as convenience so that
> you can avoid architecture-specific #ifdef macros in your plugin code
> ("env->eip" is x86 specific).
>
> InGap, could you elaborate on what you attempt to achieve?
>
> Reconstructing mybin.exe from an execution trace is a non-trivial task.
> Even in the (unlikely) case you have full coverage of mybin.exe in the
> execution trace (i.e. every instruction in mybin.exe was executed at least
> once), the order of the instructions as executed still may be different
> than the order they appear in the binary. Moreover, executables are not
> plain instruction dumps. They contain a lot of structured information (see
> https://en.wikipedia.org/wiki/Portable_Executable) that you will not be
> able to recapture just by observing the execution.
>
> M.
>
>
>
> 2015-08-17 8:33 GMT+02:00 Igor R <boost.lists at gmail.com>:
>
>> > I trying to get the "mybin.exe'' 's original assembly code(opcode) in
>> the PANDA plugin.
>> > (for tracing binary's opcode, registers, memory ..)
>> >
>> > Host OS : ubuntu x64
>> > Guest OS : windows xp x86
>> > Test binary : mybin.exe
>> >
>> > I got the opcode using panda_virtual_memory_rw function at
>> PANDA_CB_INSN_TRANSLATE.
>> > ex) panda_virtual_memory_rw(env, env->eip, buf, 20, 0);
>> >
>> > but, It is not same as original assembly code('mybin.exe').
>> > It seems to be translated by the PANDA.
>>
>>
>>
>> Quoting from the documentation:
>> <<
>> insn_translate: called before the translation of each instruction
>>
>> Callback ID: PANDA_CB_INSN_TRANSLATE
>>
>> Arguments:
>>
>> CPUState *env: the current CPU state
>> target_ulong pc: the guest PC we are about to translate
>> >>
>>
>> So, if you need the opcode of the instruction being translated, you
>> should read the memory from "pc" address (rather than env->ip).
>> _______________________________________________
>> panda-users mailing list
>> panda-users at mit.edu
>> http://mailman.mit.edu/mailman/listinfo/panda-users
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.mit.edu/pipermail/panda-users/attachments/20150817/ac97f877/attachment.html
More information about the panda-users
mailing list