[panda-users] Panda Plugin development

Brendan Dolan-Gavitt brendandg at gatech.edu
Wed Jan 28 10:12:29 EST 2015


I've been helping off-list; I should probably forward a summary here.
The basic answer is to make use of the KiArgumentTable symbol in the
Windows kernel, which has the number of bytes each argument takes up.

-Brendan

On Wed, Jan 28, 2015 at 9:52 AM, Kenneth Adam Miller
<kennethadammiller at gmail.com> wrote:
> Did you ever get help on this?
>
> On Mon, Jan 12, 2015 at 5:45 PM, Simone Mazzoni <simone.mazzoni13 at gmail.com>
> wrote:
>>
>> Hello,
>>
>> I am developing a Panda plugin for doing VM introspection of a Windows VM
>> (windows 7 for the moment). My goal is to track the flow of system calls of
>> a given process, including their return values and their arguments.
>> The final goal is to "automatically" retrieve the arguments of each system
>> call, and see which arguments are passed from a system call to another, or
>> if the return values of some system calls are used as input for other system
>> calls.
>>
>> I have currently coded a plugin that uses the "osi" plugin and the
>> "win7x86intro" plugin, but I'm not sure of the results it produces.
>>
>> I put the source code as an attachment.
>>
>> Regarding the code of the file mysyscalls.c of the attachment, can someone
>> give me an opinion about the correctness of what I wrote? My intention is to
>> track only the system calls of a certain process with input arguments and
>> output values.
>> My plugin currently tries to retrieve all the arguments of a syscall and
>> print them in order in a txt file. The output seems to make sense, but I am
>> not completely sure that it retrieves the correct number of arguments.
>>
>> In the file mysyscalls.txt there is an example of the output and, as you
>> can see, for example for the system call 0xb3 (NtOpenFile) at line 1035, I
>> found 8 arguments. Is that correct? Does the Windows 7 system call NtOpenFile
>> have 8 input arguments?
>>
>> I know I wrote a lot of stuff, but I tried to be as clear as I can.
>>
>> Thanks in advance for the answers, and if someone has any advice, it is truly
>> appreciated.
>>
>> -Simone
>>
>> _______________________________________________
>> panda-users mailing list
>> panda-users at mit.edu
>> http://mailman.mit.edu/mailman/listinfo/panda-users
>>
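Added example (not code from this thread, and not PANDA's own code): a host-side C model of the KiArgumentTable approach Brendan points at. On Windows 7 x86 the KiArgumentTable entry for a service index is the total number of bytes of stack arguments the kernel copies for that call, and every argument occupies one 4-byte slot, so dividing the entry by 4 gives the argument count. The arguments themselves are at EDX+8 at the sysenter, because ntdll's KiFastSystemCall does "mov edx, esp" before sysenter and the two slots below them are the return addresses into the Nt* stub and to its caller. Everything below that stands in for guest state (the table contents, the service limit, the user stack snapshot and its return addresses) is constructed for this example, not dumped from a guest; in a real plugin those reads go through panda_virtual_memory_rw and the table and limit come from KeServiceDescriptorTable. NtOpenFile's documented prototype has six parameters, so the table entry for service 0xb3 works out to 6 arguments, not 8.

```c
/* Host-side model of a PANDA syscall-argument reader for Windows 7 x86.
 * Guest registers and memory are constructed stand-ins so it runs anywhere. */
#include <stdint.h>
#include <stdio.h>

#define X86_ARG_SLOT 4u        /* each stack argument is one 32-bit slot */

/* Win7 x86: KiFastSystemCall is "mov edx, esp; sysenter", so at entry EDX is
 * the user ESP, [EDX] and [EDX+4] are return addresses, first arg is EDX+8. */
#define WIN7X86_FIRST_ARG_OFFSET 8u

/* Stand-in for the fields of KeServiceDescriptorTable that matter here. */
typedef struct {
    uint32_t service_limit;            /* number of valid service indices */
    const uint8_t *ki_argument_table;  /* argument bytes per service index */
} service_descriptor_t;

/* Guest memory read; a real plugin wraps panda_virtual_memory_rw() here. */
typedef int (*guest_read32_fn)(void *ctx, uint32_t va, uint32_t *out);

/* Argument count of syscall `sysnum`, or -1 if the index is out of range. */
int win7x86_syscall_argc(const service_descriptor_t *sdt, uint32_t sysnum)
{
    if (sysnum >= sdt->service_limit)
        return -1;
    uint8_t nbytes = sdt->ki_argument_table[sysnum];
    if (nbytes % X86_ARG_SLOT)
        return -1;                     /* not whole slots: corrupt table */
    return (int)(nbytes / X86_ARG_SLOT);
}

/* At a sysenter with EAX=sysnum and EDX=user ESP, copy the call's arguments
 * into `args`. Returns argc, or -1 if the count is unknown, the buffer is too
 * small, or a user stack slot could not be read. */
int win7x86_read_args(const service_descriptor_t *sdt, uint32_t eax, uint32_t edx,
                      guest_read32_fn read32, void *ctx,
                      uint32_t *args, int max_args)
{
    int argc = win7x86_syscall_argc(sdt, eax);
    if (argc < 0 || argc > max_args)
        return -1;
    for (int i = 0; i < argc; i++) {
        uint32_t va = edx + WIN7X86_FIRST_ARG_OFFSET + X86_ARG_SLOT * (uint32_t)i;
        if (read32(ctx, va, &args[i]) != 0)
            return -1;
    }
    return argc;
}

/* ---- constructed fixtures; not dumped from a real guest ---- */

#define NT_OPEN_FILE_WIN7X86 0xb3    /* service index quoted in the thread */
#define FAKE_SERVICE_LIMIT   0x191   /* assumed here; read it from the guest */
static uint8_t fake_ki_argument_table[FAKE_SERVICE_LIMIT];  /* zero elsewhere */

/* NtOpenFile(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock,
 * ShareAccess, OpenOptions): six parameters, so 6 * 4 = 24 bytes. */
service_descriptor_t fake_sdt(void)
{
    fake_ki_argument_table[NT_OPEN_FILE_WIN7X86] = 6 * X86_ARG_SLOT;
    service_descriptor_t sdt = { FAKE_SERVICE_LIMIT, fake_ki_argument_table };
    return sdt;
}

/* Constructed snapshot of the user stack at the sysenter. */
#define FAKE_USER_ESP 0x0012f5d0u
typedef struct { uint32_t base; uint32_t words[10]; } fake_stack_t;

static int fake_read32(void *ctx, uint32_t va, uint32_t *out)
{
    const fake_stack_t *st = ctx;
    if (va % 4 || va < st->base || va - st->base >= sizeof st->words)
        return -1;                                  /* treat as a fault */
    *out = st->words[(va - st->base) / 4];
    return 0;
}

/* Decode a constructed NtOpenFile sysenter; returns argc and fills args. */
int demo_ntopenfile(uint32_t *args, int max_args)
{
    fake_stack_t st = { FAKE_USER_ESP, {
        0x77a0f8b4u, 0x77a13ee2u,   /* constructed return addrs: stub, caller */
        0x0012f5f0u,                /* PHANDLE FileHandle */
        0x00100080u,                /* FILE_READ_ATTRIBUTES | SYNCHRONIZE */
        0x0012f5e0u,                /* POBJECT_ATTRIBUTES */
        0x0012f5f8u,                /* PIO_STATUS_BLOCK */
        0x00000003u,                /* FILE_SHARE_READ | FILE_SHARE_WRITE */
        0x00000020u,                /* FILE_SYNCHRONOUS_IO_NONALERT */
        0xccccccccu, 0xccccccccu    /* caller's frame: not arguments */
    } };
    service_descriptor_t sdt = fake_sdt();
    return win7x86_read_args(&sdt, NT_OPEN_FILE_WIN7X86, FAKE_USER_ESP,
                             fake_read32, &st, args, max_args);
}

int main(void)
{
    uint32_t args[8] = {0};
    int argc = demo_ntopenfile(args, 8);
    printf("NtOpenFile (0x%x): %d arguments\n", NT_OPEN_FILE_WIN7X86, argc);
    for (int i = 0; i < argc; i++)
        printf("  arg%d = 0x%08x\n", i, args[i]);
    return argc == 6 ? 0 : 1;
}
```

Build with "cc -std=c99 -o win7args win7args.c" and run. The fixture deliberately leaves two caller-frame words above the six arguments: a plugin that reads a fixed eight slots instead of consulting the table would report those as arguments 7 and 8. Return values are a separate step not shown here: on x86 the NTSTATUS is in EAX when the call returns to user mode, so pairing an entry with its return (per thread) is what links one call's output to another's input.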