[panda-users] Problem syscall plugin usage

Manolis Stamatogiannakis mstamat at gmail.com
Sun Jan 4 18:57:14 EST 2015 

Hi Simone,

Do you need all of the plugins which are enabled by default? Maybe you
should try disabling one/both of the taint plugins and see if it works out
for you (until the problem is properly fixed).

Also, doing "LC_ALL=C ./build.sh" should produce messages in English which
will be easier to understand for us.

Cheers,
Manolis


2015-01-04 15:07 GMT+01:00 Simone Mazzoni <simone.mazzoni13 at gmail.com>:

> Hello,
>
> I have some problems with the new version of panda.
> I cloned the new version from the branch "master", I followed the new
> compiling instructions, but when I run the "build.sh" script I get this
> error:
>
> The language of my Ubuntu 14.10 is Italian, so tell me if you don't
> understand some debug messages. I don't understand why it gives that
> "subdir-x86_64-softmmu" error.
>
> Any idea?
>
> Thanks a lot.
>
> Simone
>
> Il giorno Thu Dec 18 2014 at 03:35:57 Brendan Dolan-Gavitt <
> brendandg at gatech.edu> ha scritto:
>
> Right now the syscalls plugin only supports Linux system calls. So the
>> "callname" you get is essentially whatever Linux system call
>> corresponds to the syscall number (which is what's in EAX). We are
>> working on adding support for Windows system calls (including
>> arguments). If you just want something quick, you could change it to
>> not print out the system call name and instead just use the number to
>> look up the correct name in a Windows system call list.
>>
>> EAX is the ID of the system call, as you guessed. There are system
>> call lists for Windows available; here's the one that comes with
>> Volatility for Windows 7 SP1 32-bit:
>>
>> https://github.com/volatilityfoundation/volatility/blob/master/
>> volatility/plugins/overlays/windows/win7_sp01_x86_syscalls.py
>>
>> EDX, on Windows, points to the stack at the time the syscall was made.
>> The arguments to the syscall start at [EDX+8] (for Windows 32-bit).
>> Here's an example function that gets an argument to a system call in
>> Win7 32-bit:
>>
>> static uint32_t get_syscall_arg(CPUState* env, int nr) {
>>     // At sysenter on Win7, args start at EDX+8
>>     uint32_t arg;
>>     panda_virtual_memory_rw(env, env->regs[R_EDX] + 8 + (4*nr),
>>         (uint8_t *) &arg, 4, false);
>>     return arg;
>> }
>>
>> Hope this is helpful,
>> Brendan
>>
>> On Wed, Dec 17, 2014 at 12:38 PM, Simone Mazzoni
>> <simone.mazzoni13 at gmail.com> wrote:
>> > Hello Brendan,
>> >
>> > I checked your code and I think that is a good way to pass and execute
>> an
>> > executable in the guest VM. I will try to implement such a thing as
>> soon as
>> > I can.
>> >
>> > Now I have another issue.
>> > Premise: I’m doing this work for my master thesis. My purpose is to
>> find a
>> > way to track windows7 system calls (and their arguments) without doing
>> > hooking, but by reading the guest VM memory, and storing it in a text
>> file
>> > or in a database, in order to reconstruct the execution flow of the
>> > executable and perform some analysis.
>> >
>> > Until now, I found a way to use the panda plugins “osi” and
>> “win7x86intro”
>> > to selectively track only the syscalls of a certain process specifying
>> its
>> > name.
>> > To track the syscalls, I’m currently using the “syscalls” panda plugin
>> but I
>> > don’t understand few things. The part of that plugin that interest me is
>> > around row 337 —> “syscall_fprintf(env, "CALL=%s, PC=" TARGET_FMT_lx ",
>> > SYSCALL=" TARGET_FMT_lx ", EDX=" TARGET_FMT_lx "\n", callname, pc,
>> > env->regs[R_EAX], env->regs[R_EDX]);”
>> > I edited this line to print out the R_EDX value instead of the CR3
>> value.
>> > I need now to understand some things that are not clear to me:
>> >
>> > what is contained in the variable “callname”? Sometime it prints out
>> UNKNOWN
>> > value, and sometimes it prints out linux system calls name (like
>> sys_getuid)
>> > even if I am running a windows OS —> I thought it would print something
>> like
>> > “NtCreateFile” that is a windows syscall.
>> > what is contained in env->[R_EAX]? Is the code/id of the system call?
>> And
>> > what is TARGET_FMT_lx? Is looks like a placeholder but I don’t
>> understand
>> > exactly what it represents.
>> > what is contained in env->[R_EDX]? I believe it contains the pointer to
>> the
>> > first syscall argument. Is it right?
>> >
>> >
>> > Sorry for the huge amount of questions, but I’m a little stuck and I
>> can’t
>> > find so much documentation about these topics.
>> >
>> > Many thanks
>> >
>> > - Simone
>> > -----------------------------------------------------
>> > Simone Mazzoni
>> > Cell: 340 5210441
>> > E-Mail: simone.mazzoni13 at gmail.com
>> > skype: mazzoni.s
>> >
>> > Il giorno 15/dic/2014, alle ore 18:55, Brendan Dolan-Gavitt
>> > <brendandg at gatech.edu> ha scritto:
>> >
>> > Hi Simone,
>> >
>> > I actually recently set up something similar, in order to run malware.
>> > You can see the script I ended up with here:
>> >
>> > http://amnesia.gtisc.gatech.edu/~moyix/runmal.py
>> >
>> > Basically it uses the QEMU monitor to insert a CD containing the
>> > executable, and then sends keystrokes to the guest VM to copy it to
>> > the desktop and execute it.
>> >
>> > On the other hand sending keystrokes is a bit unreliable, so I am
>> > planning on switching over to a batch file on the CD that gets autorun
>> > in order to start up the malware.
>> >
>> > Hope this helps,
>> > Brendan
>> >
>> > On Mon, Dec 15, 2014 at 12:49 PM, Simone Mazzoni
>> > <simone.mazzoni13 at gmail.com> wrote:
>> >
>> > Thanks all for the answers,
>> > using the "osi;win7x86intro;my_plugin” configuration works for me, and
>> now I
>> > am able to track the syscalls of a specific process specifying its name
>> or
>> > PID.
>> >
>> > Now I’m trying to figure out if I can run an executable file from the
>> > extern.
>> > To be more clear, I wish to launch the win7 VM specifying an exe file (
>> > let’s say foo.exe ) to execute once the system is booted, and the
>> executable
>> > should be passed as an argument or something similar to the host VM. Is
>> it
>> > possible to do something similar with qemu?
>> >
>> > My purpose is to analyze the syscalls traffic of a given executable
>> file,
>> > passed from the user.
>> >
>> > -Simone
>> > -----------------------------------------------------
>> > Simone Mazzoni
>> > Cell: 340 5210441
>> > E-Mail: simone.mazzoni13 at gmail.com
>> > skype: mazzoni.s
>> >
>> > Il giorno 11/dic/2014, alle ore 01:23, Brendan Dolan-Gavitt
>> > <brendandg at gatech.edu> ha scritto:
>> >
>> > Are you trying to run these plugins on a live system? You would
>> > probably be better off making a recording and then doing your analysis
>> > on a replay.
>> >
>> > In any case, yes – the plugins have to be loaded in the right order:
>> > first osi, then win7x86intro, then testintro.
>> >
>> > -Brendan
>> >
>> > On Wed, Dec 10, 2014 at 4:51 PM, Simone Mazzoni
>> > <simone.mazzoni13 at gmail.com> wrote:
>> >
>> > Hello Brendan,
>> > I tried to use the testintro plugin today, but when I load it, it close
>> qemu
>> > with a core dump error.
>> > And the error seems to be caused by the printf at line 34, because the
>> > get_current_process(env); function returns a null pointer instead of the
>> > current process.
>> >
>> > Should I have to load the testintro plugin and the win7x86into plugin
>> > togegher?
>> >
>> > Thanks
>> >
>> > -Simone
>> > -----------------------------------------------------
>> > Simone Mazzoni
>> > Cell: 340 5210441
>> > E-Mail: simone.mazzoni13 at gmail.com
>> > skype: mazzoni.s
>> >
>> > Il giorno 10/dic/2014, alle ore 17:09, Brendan Dolan-Gavitt
>> > <brendandg at gatech.edu> ha scritto:
>> >
>> > I agree with Patrick that CR3 is probably the right choice in most
>> > cases. But if you really want PID and you happen to be on Windows 7
>> > 32-bit, you can use the OS introspection support we've added for that
>> > OS. Look at
>> >
>> > https://github.com/moyix/panda/blob/master/qemu/panda_
>> plugins/testintro/testintro.c
>> >
>> > for an example of how you'd add that to your plugin. When running it,
>> > you'd use the argument "-panda osi; win7x86intro;your_plugin" to load
>> > the Win7 introspection and the introspection abstraction layer
>> > plugins.
>> >
>> > -Brendan
>> >
>> > On Wed, Dec 10, 2014 at 9:39 AM, Hulin, Patrick - 0559 - MITLL
>> > <Patrick.Hulin at ll.mit.edu> wrote:
>> >
>> > Hi Simone,
>> >
>> > I’d recommend just using the CR3 register to track processes (we have a
>> > function, panda_get_current_asid, that generalizes it to different
>> > architectures). It won’t change for kernel mode, so you’ll have to
>> manually
>> > check whether or not you’re in kernel mode (ring 0). Finding PIDs is
>> highly
>> > OS-specific; you can use panda_memsavep and volatility to look at them
>> for a
>> > given memory snapshot, but we don’t have a generic way to look at them.
>> >
>> > From: Simone Mazzoni <simone.mazzoni13 at gmail.com>
>> > Date: Wednesday, December 10, 2014 at 5:08 AM
>> > To: - yrp <yrp604 at yahoo.com>
>> > Cc: "panda-users at mit.edu" <panda-users at mit.edu>
>> > Subject: Re: [panda-users] Problem syscall plugin usage
>> >
>> > Hello,
>> > I have another question.
>> >
>> > There is a way to obtain the PID of the process caller of a system call
>> in
>> > order to filter the system calls analisys only for specified Processes?
>> > My purpose is to track system calls only for a specified program in
>> > execution on the system (i.e tracking only the system calls of the
>> execution
>> > of notepad.exe program on windows)
>> >
>> > Is it possible to do such a thing by editing the PANDA syscalls plugin?
>> >
>> > Simone
>> >
>> > 2014-12-08 20:14 GMT+01:00 - yrp <yrp604 at yahoo.com>:
>> >
>> >
>> > Yes, 'env->regs[R_EDX]' should give you what you want. This of course
>> > presumes the CPUState ptr is named env...
>> >
>> > For an example, see here:
>> >
>> > https://github.com/moyix/panda/blob/master/qemu/panda_
>> plugins/syscalls/syscalls.cpp#L332
>> >
>> >
>> >
>> >
>> > On Monday, December 8, 2014 6:12 AM, Simone Mazzoni
>> > <simone.mazzoni13 at gmail.com> wrote:
>> >
>> >
>> > Hello yrp,
>> >
>> > I solved my problem by disabling kvm. This allows me to read the content
>> > of EAX register in order to read the data every time a system call is
>> > invoked.
>> >
>> > Now I’m trying to find a way to get information about the arguments of
>> > every system call. If I’m not wrong, the address of the first
>> > parameter/argument of a system call is pushed in the EDX register. Is
>> this
>> > right? There is a way to retrive information about the parameters of
>> each
>> > system call invoked by the system?
>> >
>> > Tnaks,
>> > Simone
>> > -----------------------------------------------------
>> > Simone Mazzoni
>> > Cell: 340 5210441
>> > E-Mail: simone.mazzoni13 at gmail.com
>> > skype: mazzoni.s
>> >
>> > Il giorno 03/dic/2014, alle ore 21:28, - yrp <yrp604 at yahoo.com> ha
>> > scritto:
>> >
>> > Hi Simone,
>> >
>> > I believe the syscalls plugin used to create the list of syscalls when
>> it
>> > was still coupled with the fdtracker plugin. Currently I think it only
>> > provides an API for you to add your own hook before/after syscall
>> execution
>> > and in the Linux case, the ability to set a hook on any particular
>> syscall.
>> >
>> > There are two proper ways to accomplish what you're looking for. First,
>> > you could write a small plugin that uses the API defined in
>> syscalls_int.h.
>> > Alternatively, you could look at the format of the gen_syscalls_* files
>> and
>> > port them from linux to windows which should be relatively straight
>> forward
>> > as it's all just syscall prototypes. Finally, for a third option you
>> could
>> > modify the syscalls plugin around line 330. The last option is probably
>> the
>> > least "clean" but fastest.
>> >
>> > Hope this helps,
>> > yrp
>> >
>> >
>> > On Wednesday, December 3, 2014 9:50 AM, Simone Mazzoni
>> > <simone.mazzoni13 at gmail.com> wrote:
>> >
>> >
>> > Hello,
>> >
>> > I have a problem in using the “syscall” plugin provided in PANDA.
>> >
>> > I succesfully compiled PANDA following the compile.txt instruction.
>> >
>> > I want now to use PANDA to scan all the system calls on a Windows 7 VM.
>> >
>> > I run the Windows 7 VM with this command: “./qemu-system-x86_64 -hda
>> > ../../../qemuwin7.img -enable-kvm -m 1024 -monitor stdio -loadvm booted
>> > -panda syscalls” and the system replies with this message
>> >
>> > adding
>> > /home/parallels/Desktop/Tesi/panda-master/qemu/x86_64-
>> softmmu/panda_plugins/panda_syscalls.so
>> > to panda_plugin_files 0
>> > loading
>> > /home/parallels/Desktop/Tesi/panda-master/qemu/x86_64-
>> softmmu/panda_plugins/panda_syscalls.so
>> > warning: Plugin 'syscalls' uses argument: -panda-arg
>> syscalls:file=<file>
>> > using default log file syscalls.txt
>> > Success
>> > QEMU 1.0,1 monitor - type 'help' for more information
>> > (qemu) SaveVM v3 format forces exact matches between devices on load and
>> > save, including on replay.
>> >
>> > So it seems that the plugin is succesfully loaded.
>> > The message says also that the default log file “syscalls.txt” will be
>> > used, so I expect to see some line in this file after running some
>> programs
>> > in the Windows 7 VM, but the file remains blank, so it seems that the
>> plugin
>> > is not working.
>> >
>> > Where are my errors? How can I effectively trace all the system calls
>> > invocations of the guest Windows 7 system?
>> >
>> > Thanks
>> >
>> > Simone
>> >
>> >
>> >
>> >
>> > _______________________________________________
>> > panda-users mailing list
>> > panda-users at mit.edu
>> > http://mailman.mit.edu/mailman/listinfo/panda-users
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> > _______________________________________________
>> > panda-users mailing list
>> > panda-users at mit.edu
>> > http://mailman.mit.edu/mailman/listinfo/panda-users
>> >
>> >
>> >
>> >
>>
>
> _______________________________________________
> panda-users mailing list
> panda-users at mit.edu
> http://mailman.mit.edu/mailman/listinfo/panda-users
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.mit.edu/mailman/private/panda-users/attachments/20150105/bb129fec/attachment-0001.htm
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Schermata del 2015-01-04 15:02:47.png
Type: image/png
Size: 201060 bytes
Desc: not available
Url : http://mailman.mit.edu/mailman/private/panda-users/attachments/20150105/bb129fec/attachment-0001.png

More information about the panda-users mailing list