[panda-users] Dereferencing using panda_virtual_memory_rw()

Whelan, Ryan - 0559 - MITLL rwhelan at ll.mit.edu
Tue Mar 24 12:14:28 EDT 2015


Simone,

In general, it is possible to read memory and follow pointers in the guest
as long as you know the structure of objects in memory.  As an example, take
a look at get_current_proc() in the win7x86intro plugin.  There are other
examples in that plugin too.

-Ryan

From:  Simone Mazzoni <simone.mazzoni13 at gmail.com>
Date:  Tuesday, March 24, 2015 at 12:00 PM
To:  "panda-users at mit.edu" <panda-users at mit.edu>
Subject:  [panda-users] Dereferencing using panda_virtual_memory_rw()

Hi all, 

I'm trying to perform arguments dereferencing using panda.

I developed a plugin that, for every system call, extracts the addresses of
all the arguments. I'm now interested in dereferencing those addresses to
extract human-readable data.

I will make an example.

I intercept NtCreateFile, which has this structure according to the MSDN
official site (ZwCreateFile is the same):

NTSTATUS ZwCreateFile(
  _Out_     PHANDLE            FileHandle,
  _In_      ACCESS_MASK        DesiredAccess,
  _In_      POBJECT_ATTRIBUTES ObjectAttributes,
  _Out_     PIO_STATUS_BLOCK   IoStatusBlock,
  _In_opt_  PLARGE_INTEGER     AllocationSize,
  _In_      ULONG              FileAttributes,
  _In_      ULONG              ShareAccess,
  _In_      ULONG              CreateDisposition,
  _In_      ULONG              CreateOptions,
  _In_opt_  PVOID              EaBuffer,
  _In_      ULONG              EaLength
);

So for example with my plugin now I can extract the 11 addresses of the
arguments of this system call.
Assuming this, I am now interested in dereferencing the third argument
POBJECT_ATTRIBUTES that, according to the MSDN site, is a structure:

typedef struct _OBJECT_ATTRIBUTES {
  ULONG           Length;
  HANDLE          RootDirectory;
  PUNICODE_STRING ObjectName;
  ULONG           Attributes;
  PVOID           SecurityDescriptor;
  PVOID           SecurityQualityOfService;
}  OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;

That contains a PUNICODE_STRING, which is a pointer to another structure:

typedef struct _UNICODE_STRING {
  USHORT Length;
  USHORT MaximumLength;
  PWSTR  Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

This structure contains the PWSTR parameter that contains (I guess) exactly
the string of the name of the file passed to the high-level API
CreateFile().

So, first question: is this right?
Second question: is it possible to dereference these structures using the
panda_virtual_memory_rw() function, reading the correct number of bytes?

I hope I have been clear enough.

Thanks for the help.

- Simone
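The pointer walk Ryan describes, applied to the structures Simone quotes, as a worked example added to this archive page (it is not code from the thread, from the win7x86intro plugin, or from PANDA). It assumes a 32-bit Windows 7 guest, so the offsets are the documented x86 layouts of OBJECT_ATTRIBUTES and UNICODE_STRING shown above, and it replaces the PANDA call with a guest_read() stub over a constructed 4 KiB memory image so that it runs stand-alone. The base address, the 260-WCHAR cap and the sample NT path are illustrative assumptions.

```c
/* Added example: follow NtCreateFile's ObjectAttributes -> ObjectName ->
 * Buffer on a 32-bit Windows 7 guest and recover the file name. Struct
 * offsets are the x86 layouts quoted in the thread. Guest memory access is
 * behind guest_read(); in a real plugin that would be a thin wrapper around
 * panda_virtual_memory_rw(env, addr, buf, len, 0) keeping its contract of
 * "non-zero return means the read failed (e.g. page not present)". */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t guest_ptr;          /* pointers are 4 bytes on win7x86 */

/* OBJECT_ATTRIBUTES (x86): Length@0, RootDirectory@4, ObjectName@8,
 * Attributes@12, SecurityDescriptor@16, SecurityQualityOfService@20. */
#define OBJATTR_SIZE        24
#define OBJATTR_OBJECTNAME   8
/* UNICODE_STRING (x86): Length@0, MaximumLength@2, Buffer@4. */
#define USTR_SIZE            8
#define USTR_LENGTH          0
#define USTR_MAXLENGTH       2
#define USTR_BUFFER          4
#define NAME_CAP           520       /* bytes: 260 WCHARs, the NT path limit */

/* Constructed 4 KiB guest image at a hypothetical base address, standing in
 * for real guest memory so the example runs without a VM. */
#define IMG_BASE 0x00120000u
static uint8_t g_img[4096];

/* Same contract as panda_virtual_memory_rw(): 0 on success, -1 if the
 * range is not readable. Never assume a guest pointer is mapped. */
static int guest_read(guest_ptr addr, void *buf, uint32_t len) {
    if (addr < IMG_BASE || (uint64_t)(addr - IMG_BASE) + len > sizeof g_img)
        return -1;
    memcpy(buf, g_img + (addr - IMG_BASE), len);
    return 0;
}

/* Little-endian field decoders: the guest's byte layout is authoritative,
 * not whatever struct padding the host compiler would pick. */
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v & 0xff); p[1] = (uint8_t)(v >> 8); }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v & 0xffff)); put16(p + 2, (uint16_t)(v >> 16)); }

/* Walk objattr -> ObjectName -> Buffer and copy the name into out as ASCII
 * (code units outside printable ASCII become '?'). Returns the number of
 * characters written, or -1 if a read fails or a guest-supplied field is
 * implausible. Every field comes from the guest, so Length is validated
 * before it is used as a read size. */
static int read_object_name(guest_ptr objattr, char *out, size_t outsz) {
    uint8_t oa[OBJATTR_SIZE], us[USTR_SIZE], wbuf[NAME_CAP];
    if (outsz == 0) return -1;
    if (guest_read(objattr, oa, sizeof oa) != 0) return -1;
    if (le32(oa) != OBJATTR_SIZE) return -1;          /* Length sanity check */
    guest_ptr pname = le32(oa + OBJATTR_OBJECTNAME);
    if (pname == 0) return -1;                        /* ObjectName may be NULL */
    if (guest_read(pname, us, sizeof us) != 0) return -1;
    uint16_t len = le16(us + USTR_LENGTH), maxlen = le16(us + USTR_MAXLENGTH);
    guest_ptr buf = le32(us + USTR_BUFFER);
    /* Length is in BYTES, must be even, <= MaximumLength and within the cap. */
    if ((len & 1) || len > maxlen || len > NAME_CAP || buf == 0) return -1;
    if (guest_read(buf, wbuf, len) != 0) return -1;   /* no NUL terminator assumed */
    size_t n = len / 2;
    if (n >= outsz) n = outsz - 1;
    for (size_t i = 0; i < n; i++) {
        uint16_t cu = le16(wbuf + 2 * i);
        out[i] = (cu >= 0x20 && cu < 0x7f) ? (char)cu : '?';
    }
    out[n] = '\0';
    return (int)n;
}

/* Lay a constructed NtCreateFile ObjectAttributes into the fake image:
 * OBJECT_ATTRIBUTES at +0x100, UNICODE_STRING at +0x200, UTF-16LE buffer at
 * +0x300 (name must be short enough to fit). Returns the guest address a
 * plugin would take from the third system-call argument. */
static guest_ptr build_sample(const char *name) {
    size_t n = strlen(name);
    memset(g_img, 0, sizeof g_img);
    put32(g_img + 0x100, OBJATTR_SIZE);
    put32(g_img + 0x100 + OBJATTR_OBJECTNAME, IMG_BASE + 0x200);
    put16(g_img + 0x200 + USTR_LENGTH, (uint16_t)(2 * n));
    put16(g_img + 0x200 + USTR_MAXLENGTH, (uint16_t)(2 * n + 2));
    put32(g_img + 0x200 + USTR_BUFFER, IMG_BASE + 0x300);
    for (size_t i = 0; i < n; i++)                    /* ASCII -> UTF-16LE */
        put16(g_img + 0x300 + 2 * i, (uint8_t)name[i]);
    return IMG_BASE + 0x100;
}

int main(void) {
    char name[NAME_CAP / 2 + 1];
    guest_ptr oa = build_sample("\\??\\C:\\Windows\\System32\\cmd.exe");
    int n = read_object_name(oa, name, sizeof name);
    printf("ObjectName (%d chars): %s\n", n, name);
    return n < 0;
}
```

Inside a plugin the same walk runs from the system-call entry callback, while the calling process's address space is still current, since these are user-mode virtual addresses. Three points worth keeping from the example: UNICODE_STRING.Length counts bytes, not characters, and the buffer need not be NUL-terminated; every field is guest-controlled, so a Length that is odd, larger than MaximumLength or larger than any sane path cap is rejected before it becomes a read size; and panda_virtual_memory_rw() can fail on a page that is not present, so its return value is checked at each hop rather than assumed.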

