[panda-users] Dereferencing using panda_virtual_memory_rw()
Brendan Dolan-Gavitt
brendandg at gatech.edu
Tue Mar 24 12:17:21 EDT 2015
To add to what Ryan said, you should also look at the win7proc plugin,
which even has code for reading _OBJECT_ATTRIBUTES and mapping HANDLEs
to _FILE_OBJECTs.
-Brendan
On Tue, Mar 24, 2015 at 12:14 PM, Whelan, Ryan - 0559 - MITLL
<rwhelan at ll.mit.edu> wrote:
> Simone,
>
> In general, it is possible to read memory and follow pointers in the guest
> as long as you know the structure of objects in memory. As an example, take
> a look at get_current_proc() in the win7x86intro plugin. There are other
> examples in that plugin too.
>
> -Ryan
>
> From: Simone Mazzoni <simone.mazzoni13 at gmail.com>
> Date: Tuesday, March 24, 2015 at 12:00 PM
> To: "panda-users at mit.edu" <panda-users at mit.edu>
> Subject: [panda-users] Dereferencing using panda_virtual_memory_rw()
>
> Hi all,
>
> I'm trying to perform argument dereferencing using panda.
>
> I developed a plugin that, for every system call, extracts the addresses of
> all the arguments. I'm now interested in dereferencing those addresses to
> extract human-readable data.
>
> I will give an example.
>
> I intercept NtCreateFile, which has this structure according to the official
> MSDN site (ZwCreateFile is the same):
>
> NTSTATUS ZwCreateFile(
>     _Out_    PHANDLE            FileHandle,
>     _In_     ACCESS_MASK        DesiredAccess,
>     _In_     POBJECT_ATTRIBUTES ObjectAttributes,
>     _Out_    PIO_STATUS_BLOCK   IoStatusBlock,
>     _In_opt_ PLARGE_INTEGER     AllocationSize,
>     _In_     ULONG              FileAttributes,
>     _In_     ULONG              ShareAccess,
>     _In_     ULONG              CreateDisposition,
>     _In_     ULONG              CreateOptions,
>     _In_opt_ PVOID              EaBuffer,
>     _In_     ULONG              EaLength
> );
>
> So for example, with my plugin I can now extract the 11 addresses of the
> arguments of this system call.
> Assuming this, I am now interested in dereferencing the third argument,
> POBJECT_ATTRIBUTES, which, according to the MSDN site, is a structure:
>
> typedef struct _OBJECT_ATTRIBUTES {
>     ULONG           Length;
>     HANDLE          RootDirectory;
>     PUNICODE_STRING ObjectName;
>     ULONG           Attributes;
>     PVOID           SecurityDescriptor;
>     PVOID           SecurityQualityOfService;
> } OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
>
> That contains a PUNICODE_STRING, which is a pointer to another structure:
>
> typedef struct _UNICODE_STRING {
>     USHORT Length;
>     USHORT MaximumLength;
>     PWSTR  Buffer;
> } UNICODE_STRING, *PUNICODE_STRING;
>
> This structure contains the PWSTR parameter that contains (I guess) exactly
> the string of the name of the file passed to the high-level API
> CreateFile().
>
> So, first question: is this right?
> Second question: is it possible to dereference these structures using the
> panda_virtual_memory_rw() function by reading the correct number of bytes?
>
> I hope this is clear enough.
>
> Thanks for the help.
>
> - Simone
>
> _______________________________________________
> panda-users mailing list
> panda-users at mit.edu
> http://mailman.mit.edu/mailman/listinfo/panda-users
>
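The pointer chase Simone asks about (OBJECT_ATTRIBUTES -> ObjectName -> Buffer), as an added example that is not part of this thread or of PANDA's own plugins: it assumes a reader callback that mirrors panda_virtual_memory_rw() (0 on success, nonzero when part of the range is unmapped), a 32-bit x86 guest with the structure layouts quoted above, a little-endian host, and a constructed fake guest image in place of a real CPUState.

```c
#include <stdint.h>
#include <string.h>
/* Assumed stand-in for PANDA's panda_virtual_memory_rw() with the CPUState dropped so this
 * runs offline: returns 0 on success, nonzero if any byte of the guest range is unmapped. */
typedef int (*guest_read_fn)(uint32_t addr, uint8_t *buf, int len);
/* Host-side images of the 32-bit (x86) layouts quoted in the thread; little-endian host assumed. */
typedef struct { uint32_t Length, RootDirectory, ObjectName, Attributes,
                 SecurityDescriptor, SecurityQualityOfService; } OBJECT_ATTRIBUTES32;
typedef struct { uint16_t Length, MaximumLength; uint32_t Buffer; } UNICODE_STRING32;
/* Chase OBJECT_ATTRIBUTES -> ObjectName -> Buffer and copy the UTF-16LE name into out as ASCII
 * (non-ASCII code units become '?'). Returns the name length in characters, or -1 if any
 * pointer is unreadable or a structure field fails its sanity check. */
int read_object_name(guest_read_fn rd, uint32_t oa_va, char *out, size_t outsz) {
    OBJECT_ATTRIBUTES32 oa; UNICODE_STRING32 us;
    if (outsz == 0 || rd(oa_va, (uint8_t *)&oa, sizeof oa) != 0) return -1;
    if (oa.Length != sizeof oa || oa.ObjectName == 0) return -1;      /* Length must be 24 on x86 */
    if (rd(oa.ObjectName, (uint8_t *)&us, sizeof us) != 0) return -1;
    if (us.Buffer == 0 || us.Length > us.MaximumLength) return -1;     /* Length is in bytes */
    size_t nchars = us.Length / 2;
    if (nchars >= outsz) nchars = outsz - 1;                           /* truncate, never overflow */
    for (size_t i = 0; i < nchars; i++) {
        uint16_t wc;   /* one code unit per read: the buffer may be only partly paged in */
        if (rd(us.Buffer + (uint32_t)(2 * i), (uint8_t *)&wc, 2) != 0) return -1;
        out[i] = wc < 0x80 ? (char)wc : '?';
    }
    out[nchars] = '\0';
    return (int)nchars;
}
/* --- Constructed fake guest memory so the chase can be exercised offline --- */
#define GUEST_BASE 0x00310000u
static uint8_t guest_mem[0x100];
static int fake_read(uint32_t addr, uint8_t *buf, int len) {
    if (len < 0 || addr < GUEST_BASE || addr - GUEST_BASE + (uint32_t)len > sizeof guest_mem) return -1;
    memcpy(buf, guest_mem + (addr - GUEST_BASE), (size_t)len); return 0;
}
/* Lay out OBJECT_ATTRIBUTES at +0x00, UNICODE_STRING at +0x40 and the UTF-16LE name at +0x60. */
void build_sample_guest(const char *name) {
    uint16_t bytes = (uint16_t)(2 * strlen(name));
    OBJECT_ATTRIBUTES32 oa = { 24, 0, GUEST_BASE + 0x40, 0x40 /* OBJ_CASE_INSENSITIVE */, 0, 0 };
    UNICODE_STRING32 us = { bytes, (uint16_t)(bytes + 2), GUEST_BASE + 0x60 };
    memset(guest_mem, 0, sizeof guest_mem);
    memcpy(guest_mem, &oa, sizeof oa);
    memcpy(guest_mem + 0x40, &us, sizeof us);
    for (size_t i = 0; name[i]; i++) { guest_mem[0x60 + 2 * i] = (uint8_t)name[i]; guest_mem[0x61 + 2 * i] = 0; }
}
int demo(char *out, size_t outsz) {
    build_sample_guest("\\??\\C:\\tmp\\a.txt");   /* constructed sample NT path */
    return read_object_name(fake_read, GUEST_BASE, out, outsz);
}
```

In a real plugin the callback would wrap panda_virtual_memory_rw() with the current CPUState and is_write = 0; the checks on Length, MaximumLength and on every individual read are what keep a malformed or partially paged-out argument from crashing the plugin.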