[panda-users] Dereferencing using panda_virtual_memory_rw()

Simone Mazzoni simone.mazzoni13 at gmail.com
Tue Mar 24 12:00:13 EDT 2015 

Hi all,

I'm trying to perform arguments dereferencing using panda.

I developed a plugin that, for every systemcall, extract the addresses of
all the arguments. I'm now interested in dereferencing those addresses to
extract human readable data.

I will make an example.

I intercept the NtCreateFile the has this structure according to the MSDN
official site (ZwCreateFile is the same)

NTSTATUS ZwCreateFile(
  _Out_     PHANDLE            FileHandle,
  _In_      ACCESS_MASK        DesiredAccess,
  _In_      POBJECT_ATTRIBUTES ObjectAttributes,
  _Out_     PIO_STATUS_BLOCK   IoStatusBlock,
  _In_opt_  PLARGE_INTEGER     AllocationSize,
  _In_      ULONG              FileAttributes,
  _In_      ULONG              ShareAccess,
  _In_      ULONG              CreateDisposition,
  _In_      ULONG              CreateOptions,
  _In_opt_  PVOID              EaBuffer,
  _In_      ULONG              EaLength
);

So for example with my plugin now I can extract the 11 addresses of the
arguments of this system call.
Assuming this, I am now interested in dereferencing the third argument
POBJECT_ATTRIBUTES that, according to the MSDN site, is a structure:

typedef struct _OBJECT_ATTRIBUTES {
  ULONG           Length;
  HANDLE          RootDirectory;
  PUNICODE_STRING ObjectName;
  ULONG           Attributes;
  PVOID           SecurityDescriptor;
  PVOID           SecurityQualityOfService;
}  OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;

That contain a PUNICODDE_STRING which is a pointer to another structure:

typedef struct _UNICODE_STRING {
  USHORT Length;
  USHORT MaximumLength;
  PWSTR  Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

This structure contain the PWSTR parameter that contain (I guess) exactly
the string of the name of the file passed to the high level API
CreateFile().

So, first question: is this right?
Second question: is it possible to dereference this structures using the
panda_virtual_memory_rw() function reading the correct number of bytes?

Hope to be clear enough.

Thanks for the help.

- Simone
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.mit.edu/mailman/private/panda-users/attachments/20150324/a69d4c38/attachment-0001.htm

More information about the panda-users mailing list