[panda-users] Understanding plugins

Brendan Dolan-Gavitt brendandg at gatech.edu
Sat Mar 7 17:30:43 EST 2015


On Sat, Mar 7, 2015 at 4:19 PM, Igor R <boost.lists at gmail.com> wrote:
> Hello,
>
> Just a couple of basic questions about PANDA plugins:
>
> * When running a plugin with a "live" execution (i.e. not a replay),
> is it legitimate to change CPU registers and memory contents from
> within plugin callbacks?

Yes, you can modify anything you like during a live execution. Of
course, some modifications may crash the guest operating system :)

> * IIUC, a plugin is system-wide, eg. its callbacks are invoked for
> every instruction being executed in the guest, both in kernel and user
> modes, right? Is it possible to distinguish between modes within a
> callback? Is it possible to know in which process' context we are?

Yes; plugins have access to anything executing on the whole system.
You can use panda_in_kernel to tell if you are in userspace or kernel
mode. As for telling what process context you're in, you can get that
information at the hardware level (i.e., what virtual address space
you're in) using panda_current_asid; this corresponds to CR3 on x86
and the CP15 register on ARM.

If you want higher-level information, like the name of the process or
its PID, you can use the OSI module, which currently implements that
information for Windows 7 32-bit and Linux.

> * Is it possible to start (stop) recording from within
> PANDA_CB_INSN_EXEC callback, so that the recording would begin (end)
> at the instruction, which is going to be executed?

I *think* that this should work. There might be some difficulty if the
instruction is not on a basic block boundary, however, since starting
a recording changes how code is translated by QEMU (for example, to
make it track the PC and instruction count precisely). This requires
flushing the translation cache, which might not work if you're in the
middle of executing a basic block.

It should be okay to do so from inside a PANDA_CB_BEFORE_BLOCK_EXEC
callback though.

-Brendan

> Thanks!
> _______________________________________________
> panda-users mailing list
> panda-users at mit.edu
> http://mailman.mit.edu/mailman/listinfo/panda-users
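The following is a self-contained C model of the plugin logic described in the reply above, added here as an illustration; it is not PANDA code and does not use PANDA's headers. The fields of bb_event stand in for what panda_in_kernel() and panda_current_asid() return inside a callback, the asid_table stands in for what OSI's get_current_process() would report, and the trace is constructed sample data. It shows per-address-space attribution of kernel and user events and a "start recording when the target process runs" decision that refuses to fire unless the event is on a block boundary, which is the caveat the reply raises about starting a recording from PANDA_CB_INSN_EXEC. The target ASID, process names, PCs and all helper names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ASIDS 8

/* One event as a PANDA_CB_BEFORE_BLOCK_EXEC or PANDA_CB_INSN_EXEC callback
 * would see it.  The fields stand in for PANDA API results (assumption):
 * in_kernel <- panda_in_kernel(env), asid <- panda_current_asid(env). */
typedef struct {
    uint64_t pc;             /* guest PC of the block or instruction */
    uint64_t asid;           /* address-space id (CR3 on x86) */
    int      in_kernel;      /* 1 if the guest is executing in kernel mode */
    int      block_boundary; /* 1 for BEFORE_BLOCK_EXEC, 0 for INSN_EXEC mid-block */
} bb_event;

/* Stand-in for OSI's get_current_process(): ASID -> process (constructed). */
typedef struct { uint64_t asid; const char *name; int pid; } osi_entry;
static const osi_entry asid_table[] = {
    { 0x1000, "init",   1 },
    { 0x2000, "sshd", 412 },
    { 0x3000, "bash", 517 },
};

/* Resolve an ASID to a process name; "<unknown>" if OSI has no entry. */
const char *lookup_process(uint64_t asid)
{
    size_t i;
    for (i = 0; i < sizeof asid_table / sizeof asid_table[0]; i++)
        if (asid_table[i].asid == asid)
            return asid_table[i].name;
    return "<unknown>";
}

typedef struct { uint64_t asid; unsigned user, kernel; } asid_stats;

typedef struct {
    asid_stats stats[MAX_ASIDS];
    int        nstats;
    uint64_t   target_asid;     /* process whose first user-mode block starts recording */
    int        recording;       /* set once the recording has been started */
    uint64_t   record_start_pc; /* PC at which it started, 0 if not yet */
} tracker;

void tracker_init(tracker *t, uint64_t target_asid)
{
    memset(t, 0, sizeof *t);
    t->target_asid = target_asid;
}

/* Find or create the per-ASID counters; NULL if the fixed table is full. */
static asid_stats *stats_for(tracker *t, uint64_t asid)
{
    int i;
    for (i = 0; i < t->nstats; i++)
        if (t->stats[i].asid == asid)
            return &t->stats[i];
    if (t->nstats == MAX_ASIDS)
        return NULL;
    t->stats[t->nstats].asid = asid;
    return &t->stats[t->nstats++];
}

unsigned user_events_for(const tracker *t, uint64_t asid)
{
    int i;
    for (i = 0; i < t->nstats; i++)
        if (t->stats[i].asid == asid) return t->stats[i].user;
    return 0;
}

unsigned kernel_events_for(const tracker *t, uint64_t asid)
{
    int i;
    for (i = 0; i < t->nstats; i++)
        if (t->stats[i].asid == asid) return t->stats[i].kernel;
    return 0;
}

/* Callback body: attribute the event to its address space and, if this is the
 * target process in user mode, start the recording, but only on a block
 * boundary, because starting a recording flushes the translation cache and
 * the reply above warns that this is unsafe mid-block.  Returns 1 if the
 * recording began on this event. */
int on_event(tracker *t, const bb_event *ev)
{
    asid_stats *s = stats_for(t, ev->asid);
    if (s) {
        if (ev->in_kernel) s->kernel++;
        else               s->user++;
    }
    if (t->recording || ev->asid != t->target_asid || ev->in_kernel)
        return 0;
    if (!ev->block_boundary)
        return 0;                /* mid-block INSN_EXEC: defer to the next block */
    t->recording = 1;
    t->record_start_pc = ev->pc;
    return 1;
}

/* Feed a constructed trace through the callback; returns the PC at which the
 * recording started (0 if it never did). */
uint64_t run_sample_trace(tracker *t)
{
    static const bb_event trace[] = {
        { 0xc0001000, 0x1000, 1, 1 },  /* kernel, init's address space */
        { 0x08048000, 0x1000, 0, 1 },  /* user, init */
        { 0xc0002000, 0x3000, 1, 1 },  /* kernel, bash's address space */
        { 0x0804a004, 0x3000, 0, 0 },  /* user, bash, mid-block: must not start */
        { 0x0804a010, 0x3000, 0, 1 },  /* user, bash, block boundary: starts here */
        { 0x0804b000, 0x2000, 0, 1 },  /* user, sshd */
    };
    size_t i;
    for (i = 0; i < sizeof trace / sizeof trace[0]; i++)
        if (on_event(t, &trace[i]))
            printf("recording started at pc=0x%llx in %s (asid 0x%llx)\n",
                   (unsigned long long)trace[i].pc,
                   lookup_process(trace[i].asid),
                   (unsigned long long)trace[i].asid);
    return t->record_start_pc;
}

int main(void)
{
    tracker t;
    int i;
    tracker_init(&t, 0x3000);      /* assumed target: bash's address space */
    run_sample_trace(&t);
    for (i = 0; i < t.nstats; i++)
        printf("%-9s asid=0x%llx user=%u kernel=%u\n",
               lookup_process(t.stats[i].asid),
               (unsigned long long)t.stats[i].asid,
               t.stats[i].user, t.stats[i].kernel);
    return 0;
}
```

In a real plugin, on_event would be the body of a before_block_exec callback registered with panda_register_callback, with the stand-in fields replaced by the PANDA calls named in the reply; the boundary check is then implicit, since that callback only fires at block starts.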


More information about the panda-users mailing list