[panda-users] Panda Plugin development

Simone Mazzoni simone.mazzoni13 at gmail.com
Tue Feb 3 06:47:43 EST 2015


Summary:

I solved it using Brendan's pdbparse tool to create a pdb file from
"ntoskrnl.exe" and parsing it to extract the KiArgumentTable value, which
contains, among other information, the number of arguments for each
system call.
Then I printed all the values to a .txt file in order to use it in my
plugin.
On Wed Jan 28 2015 at 4:13:24 PM Brendan Dolan-Gavitt <
brendandg at gatech.edu> wrote:

> I've been helping off-list; I should probably forward a summary here.
> The basic answer is to make use of the KiArgumentTable symbol in the
> Windows kernel, which has the number of bytes each argument takes up.
>
> -Brendan
>
> On Wed, Jan 28, 2015 at 9:52 AM, Kenneth Adam Miller
> <kennethadammiller at gmail.com> wrote:
> > Did you ever get help on this?
> >
> > On Mon, Jan 12, 2015 at 5:45 PM, Simone Mazzoni <simone.mazzoni13 at gmail.com>
> > wrote:
> >>
> >> Hello,
> >>
> >> I am developing a Panda plugin for doing VM introspection of a Windows VM
> >> (Windows 7 for the moment). My goal is to track the flow of system calls of
> >> a given process, including their return values and their arguments.
> >> The final goal is to "automatically" retrieve the arguments of each system
> >> call, and see which arguments are passed from one system call to another, or
> >> if the return values of some system calls are used as input for other system
> >> calls.
> >>
> >> I have currently coded a plugin that uses the "osi" plugin and the
> >> "win7x86intro" plugin, but I'm not sure of the results that it produces.
> >>
> >> I put the source code as an attachment.
> >>
> >> Regarding the code of the file mysyscalls.c of the attachment, can someone
> >> give me an opinion about the correctness of what I wrote? My intention is to
> >> track only the system calls of a certain process with input arguments and
> >> output values.
> >> My plugin currently tries to retrieve all the arguments of a syscall and
> >> print them in order in a txt file. The output seems to make sense, but I am
> >> not completely sure that it retrieves the correct number of arguments.
> >>
> >> In the file mysyscalls.txt there is an example of the output and, as you
> >> can see, for example for the system call 0xb3 (NtOpenFile) at line 1035, I
> >> found 8 arguments. Is it correct? Does the Windows 7 system call NtOpenFile
> >> have 8 input arguments?
> >>
> >> I know I wrote a lot of stuff, but I tried to be as clear as I can.
> >>
> >> Thanks in advance for the answers, and if someone has any advice, it is
> >> truly appreciated.
> >>
> >> -Simone
> >>
> >> _______________________________________________
> >> panda-users mailing list
> >> panda-users at mit.edu
> >> http://mailman.mit.edu/mailman/listinfo/panda-users
> >>
> >
>
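Brendan's answer and Simone's summary both rest on the same step: look up the syscall index in KiArgumentTable, turn the byte count into an argument count, and read that many values. The example below is added here and is not code from the thread, from PANDA or from pdbparse; the table contents are a constructed stand-in (a real plugin reads the bytes at the address pdbparse resolves for the symbol), and the offset of the argument region from the guest's ESP is left to the plugin.

```python
import struct

# Constructed stand-in for the KiArgumentTable symbol of a 32-bit Windows 7
# kernel: one byte per system service index holding the size in bytes of that
# service's stack arguments. Only two entries are filled in here; a plugin
# reads the real table from ntoskrnl at the address pdbparse resolves.
KI_SERVICE_LIMIT = 0xb4                        # constructed table length
KI_ARGUMENT_TABLE = bytearray(KI_SERVICE_LIMIT)
KI_ARGUMENT_TABLE[0xb3] = 0x18                 # NtOpenFile: 24 bytes = 6 args
KI_ARGUMENT_TABLE[0x42] = 0x2c                 # constructed: 44 bytes = 11 args
PTR_SIZE = 4                                   # x86: every argument is a DWORD

def arg_count(syscall_no, table=KI_ARGUMENT_TABLE, ptr_size=PTR_SIZE):
    """Argument count of a system service, derived from its byte count.
    An index at or past the table end is rejected instead of read as 0."""
    if not 0 <= syscall_no < len(table):
        raise IndexError("syscall 0x%x >= KiServiceLimit 0x%x"
                         % (syscall_no, len(table)))
    nbytes = table[syscall_no]
    if nbytes % ptr_size:
        raise ValueError("0x%x bytes is not a whole number of arguments" % nbytes)
    return nbytes // ptr_size

def argcount_lines(table=KI_ARGUMENT_TABLE, ptr_size=PTR_SIZE):
    """Lines of the text file the plugin loads: '<hex index> <arg count>'."""
    return ["0x%x %d" % (i, arg_count(i, table, ptr_size))
            for i in range(len(table))]

def read_args(syscall_no, arg_region, table=KI_ARGUMENT_TABLE, ptr_size=PTR_SIZE):
    """Unpack exactly arg_count DWORDs from a guest-memory snapshot that starts
    at the first stack argument; whatever follows on the stack is ignored."""
    n = arg_count(syscall_no, table, ptr_size)
    if len(arg_region) < n * ptr_size:
        raise ValueError("snapshot holds fewer than %d arguments" % n)
    return list(struct.unpack("<%dI" % n, arg_region[:n * ptr_size]))

if __name__ == "__main__":
    # Constructed argument region of an NtOpenFile call: six pushed DWORDs
    # followed by unrelated stack data that must not be reported as arguments.
    region = struct.pack("<8I", 0x0012ff40, 0x00100001, 0x0012ff20, 0x0012ff30,
                         0x00000007, 0x00000020, 0xdeadbeef, 0x00000000)
    print(arg_count(0xb3), read_args(0xb3, region))
    with open("argcounts.txt", "w") as fh:
        fh.write("\n".join(argcount_lines()) + "\n")
```

Reading one DWORD too many, as in the 8-argument output Simone saw for NtOpenFile, shows up here as stack data past the six real arguments, which the length check in read_args excludes.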