[panda-users] Dereferencing using panda_virtual_memory_rw()
Simone Mazzoni
simone.mazzoni13 at gmail.com
Tue Mar 24 12:26:19 EDT 2015
Good!
I will take a look at those plugins. I tried to implement a similar
mechanism but maybe I did something wrong.
Thanks for the hints.
- Simone
On Tue, 24 Mar 2015 at 17:17, Brendan Dolan-Gavitt <brendandg at gatech.edu>
wrote:
> To add to what Ryan said, you should also look at the win7proc plugin,
> which even has code for reading _OBJECT_ATTRIBUTES and mapping HANDLEs
> to _FILE_OBJECTs.
>
> -Brendan
>
> On Tue, Mar 24, 2015 at 12:14 PM, Whelan, Ryan - 0559 - MITLL
> <rwhelan at ll.mit.edu> wrote:
> > Simone,
> >
> > In general, it is possible to read memory and follow pointers in the guest
> > as long as you know the structure of objects in memory. As an example, take
> > a look at get_current_proc() in the win7x86intro plugin. There are other
> > examples in that plugin too.
> >
> > -Ryan
> >
> > From: Simone Mazzoni <simone.mazzoni13 at gmail.com>
> > Date: Tuesday, March 24, 2015 at 12:00 PM
> > To: "panda-users at mit.edu" <panda-users at mit.edu>
> > Subject: [panda-users] Dereferencing using panda_virtual_memory_rw()
> >
> > Hi all,
> >
> > I'm trying to perform arguments dereferencing using panda.
> >
> > I developed a plugin that, for every system call, extracts the addresses of
> > all the arguments. I'm now interested in dereferencing those addresses to
> > extract human-readable data.
> >
> > I will give an example.
> >
> > I intercept NtCreateFile, which has this structure according to the MSDN
> > official site (ZwCreateFile is the same):
> >
> > NTSTATUS ZwCreateFile(
> > _Out_ PHANDLE FileHandle,
> > _In_ ACCESS_MASK DesiredAccess,
> > _In_ POBJECT_ATTRIBUTES ObjectAttributes,
> > _Out_ PIO_STATUS_BLOCK IoStatusBlock,
> > _In_opt_ PLARGE_INTEGER AllocationSize,
> > _In_ ULONG FileAttributes,
> > _In_ ULONG ShareAccess,
> > _In_ ULONG CreateDisposition,
> > _In_ ULONG CreateOptions,
> > _In_opt_ PVOID EaBuffer,
> > _In_ ULONG EaLength
> > );
> >
> > So for example with my plugin now I can extract the 11 addresses of the
> > arguments of this system call.
> > Assuming this, I am now interested in dereferencing the third argument
> > POBJECT_ATTRIBUTES that, according to the MSDN site, is a structure:
> >
> > typedef struct _OBJECT_ATTRIBUTES {
> > ULONG Length;
> > HANDLE RootDirectory;
> > PUNICODE_STRING ObjectName;
> > ULONG Attributes;
> > PVOID SecurityDescriptor;
> > PVOID SecurityQualityOfService;
> > } OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
> >
> > That contains a PUNICODE_STRING which is a pointer to another structure:
> >
> > typedef struct _UNICODE_STRING {
> > USHORT Length;
> > USHORT MaximumLength;
> > PWSTR Buffer;
> > } UNICODE_STRING, *PUNICODE_STRING;
> >
> > This structure contains the PWSTR parameter that contains (I guess) exactly
> > the string of the name of the file passed to the high-level API
> > CreateFile().
> >
> > So, first question: is this right?
> > Second question: is it possible to dereference these structures using the
> > panda_virtual_memory_rw() function, reading the correct number of bytes?
> >
> > I hope this is clear enough.
> >
> > Thanks for the help.
> >
> > - Simone
> >
> > _______________________________________________
> > panda-users mailing list
> > panda-users at mit.edu
> > http://mailman.mit.edu/mailman/listinfo/panda-users
> >
>
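The two-level dereference discussed in this thread (OBJECT_ATTRIBUTES.ObjectName -> UNICODE_STRING.Buffer), as an added example that is not code from the thread or from PANDA itself. It assumes a constructed 32-bit Windows 7 guest image and a hypothetical guest_read() standing in for panda_virtual_memory_rw() with the same 0/-1 contract; the field offsets are the x86 ones for the two structures quoted above.

```c
#include <stdint.h>
#include <string.h>

/* Constructed 32-bit Win7 guest image: OA at 0x1000, US at 0x1020, UTF-16LE name at 0x1030 */
#define GUEST_BASE 0x1000u
static const uint8_t guest_mem[] = {
    /* 0x1000 OA: Length=24 RootDirectory=0 ObjectName=0x1020 Attributes=0x40 SD=SQoS=0 */
    0x18,0,0,0, 0,0,0,0, 0x20,0x10,0,0, 0x40,0,0,0, 0,0,0,0, 0,0,0,0,
    0,0,0,0, 0,0,0,0,                                    /* 0x1018 unused */
    /* 0x1020 US: Length=24 (bytes) MaximumLength=26 Buffer=0x1030 */
    0x18,0, 0x1a,0, 0x30,0x10,0,0, 0,0,0,0, 0,0,0,0,
    /* 0x1030 L"\??\C:\x.txt", no NUL terminator */
    '\\',0,'?',0,'?',0,'\\',0,'C',0,':',0,'\\',0,'x',0,'.',0,'t',0,'x',0,'t',0,
};

/* Hypothetical stand-in for panda_virtual_memory_rw(env, addr, buf, len, 0): 0 on success, -1 if unmapped */
static int guest_read(uint32_t addr, void *buf, uint32_t len) {
    if (addr < GUEST_BASE || len > sizeof guest_mem ||
        addr - GUEST_BASE + len > sizeof guest_mem) return -1;
    memcpy(buf, guest_mem + (addr - GUEST_BASE), len);
    return 0;
}

/* Read an n-byte (1..4) little-endian guest integer regardless of host endianness. */
static int rd_le(uint32_t addr, int n, uint32_t *val) {
    uint8_t b[4] = {0};
    if (guest_read(addr, b, n)) return -1;
    *val = b[0] | b[1] << 8 | b[2] << 16 | (uint32_t)b[3] << 24;
    return 0;
}

/* Follow OA.ObjectName -> UNICODE_STRING.Buffer and copy the name to out as ASCII
 * ('?' for non-ASCII code units). Returns 0 on success, -1 on an unmapped read or
 * an inconsistent Length. Length is a byte count and Buffer need not be
 * NUL-terminated, so exactly Length bytes are read. x86 offsets: ObjectName @ +8. */
static int read_object_name(uint32_t oa_addr, char *out, size_t outlen) {
    uint32_t us, len, maxlen, buf;
    uint8_t raw[512];
    if (rd_le(oa_addr + 8, 4, &us)) return -1;
    if (rd_le(us, 2, &len) || rd_le(us + 2, 2, &maxlen) || rd_le(us + 4, 4, &buf))
        return -1;
    if ((len & 1) || len > maxlen || len > sizeof raw || len / 2 >= outlen) return -1;
    if (guest_read(buf, raw, len)) return -1;
    for (uint32_t i = 0; i < len / 2; i++) {
        uint32_t c = raw[2 * i] | raw[2 * i + 1] << 8;   /* one UTF-16LE code unit */
        out[i] = c < 0x80 ? (char)c : '?';
    }
    out[len / 2] = '\0';
    return 0;
}
```

In a real plugin the reads can fail on a paged-out or not-yet-mapped page, which is why every guest_read() result is checked rather than assumed.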