[panda-users] OSI plugin issues

Manolis Stamatogiannakis mstamat at gmail.com
Sat Mar 21 16:28:22 EDT 2015 

2015-03-21 20:12 GMT+01:00 Igor R <boost.lists at gmail.com>:

> Hi Manolis,
>
>
> I was trying to load just osi, didn't realize I had to load osi_linux as
> well.
> But anyway, I need this info in the user mode. As for the fix proposed
> by Brendan (using IA32_sysenter_esp) - further in this discussion it
> looks like you tried it and it didn't work, did it?
>

Correct. Feel free to give this approach another shot - in case I missed
anything.

A (slow) workaround that could be implemented relatively easily would be:

In on_get_current_process(), check if guest is in kernel mode.

   - If it is, use the existing code (faster).
   - If not, then start traversing the task list, starting from the init
   task (its address is extracted by the kernelinfo module). In each iteration:
      - Get the asid of the task using get_pgd(env, current_task_addr).
      - This asid will be a virtual address. Translate it to physical using
      panda_virt_to_phys(env, asid).
      - If the physical address equals the current PGD, then break - you
      found the running task. You can fill the process details in the
struct and
      return.

Of course if you have time to investigate a proper fix (i.e. avoid list
traversal), that would be great.

Best regards,
Manolis


>
> Thanks!
>
>
>
>
> 2015-03-19 20:42 GMT+02:00 Manolis Stamatogiannakis <mstamat at gmail.com>:
> > Hi Igor,
> >
> > Which chain of plugins are you using?
> >
> > linux_vmi doesn't work. If I understand correctly it is kept around
> because
> > it still is useful for Android analysis.
> >
> > debianwheezyx86intro will only work for 32bit debian wheezy. It needs to
> be
> > loaded after the osi plugin.
> >
> > osi_linux must also be loaded after the osi plugin. It should work with
> any
> > linux variant. However you need to extract some kernel struct offsets
> from
> > the guest using the supplied kernel module. (These offsets are hardcoded
> in
> > debianwheezyx86intro.)
> > Its shortcoming is that getting the current process currently only works
> > when the process is in kernel mode.
> > Brendan has proposed a fix for this, which shouldn't be hard to
> implement.
> > See discussion on
> >
> https://github.com/moyix/panda/commit/c5c024c82dfcb730756f3584a06cb8b8c0373714#commitcomment-10143831
> >
> > Cheers,
> > Manolis
> >
> > 2015-03-19 13:26 GMT+01:00 Igor R <boost.lists at gmail.com>:
> >>
> >> Hi,
> >>
> >> I try to run testdebintro plugin to test osi. However,
> get_current_process
> >> and get_processes always return null (I encounter the same behavior
> when try
> >> to use it in my own plugin).
> >> My host OS is debian x86_64 bit, guest PANDA/QEMU debian x86.
> >> Is there a way to get osi work?
> >> Thanks.
> >>
> >>
> >> _______________________________________________
> >> panda-users mailing list
> >> panda-users at mit.edu
> >> http://mailman.mit.edu/mailman/listinfo/panda-users
> >>
> >
> _______________________________________________
> panda-users mailing list
> panda-users at mit.edu
> http://mailman.mit.edu/mailman/listinfo/panda-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.mit.edu/mailman/private/panda-users/attachments/20150321/cc820998/attachment.htm

More information about the panda-users mailing list