[panda-users] Dereferencing using panda_virtual_memory_rw()

Joshua Hodosh josh.hodosh at ll.mit.edu
Tue Mar 24 13:38:40 EDT 2015


Simone,

One issue we found when implementing the first Linux syscalls plugin was that some buffer arguments 
weren't mapped into memory yet when our instrumentation ran.  For example, in open(char* file), 
"file" didn't point to an allocated buffer in the address space we looked in until some time after 
the basic block ending with the syscall (and our instrumentation of the syscall) had been executed.
The syscalls::string class in
https://github.com/moyix/panda/blob/master/qemu/panda_plugins/syscalls/syscalls_common.hpp
dealt with that case. It's possible you may see similar behavior in emulating Windows.

We eventually switched to doing most work at the return instead of the call. Pointers
all dereferenced properly by then, so syscalls2 doesn't have the buffer special-case code.

-- 
Josh
On Tuesday, March 24, 2015 04:26:19 PM Simone Mazzoni wrote:
> Good!
> 
> I will take a look at those plugins. I tried to implement a similar
> mechanism, but maybe I did something wrong.
> 
> Thanks for the hints.
> 
> - Simone
> 
> On Tue, 24 Mar 2015 at 17:17 Brendan Dolan-Gavitt <brendandg at gatech.edu>
> wrote:
> 
> > To add to what Ryan said, you should also look at the win7proc plugin,
> > which even has code for reading _OBJECT_ATTRIBUTES and mapping HANDLEs
> > to _FILE_OBJECTs.
> >
> > -Brendan
> >
> > On Tue, Mar 24, 2015 at 12:14 PM, Whelan, Ryan - 0559 - MITLL
> > <rwhelan at ll.mit.edu> wrote:
> > > Simone,
> > >
> > > In general, it is possible to read memory and follow pointers in the guest
> > > as long as you know the structure of objects in memory.  As an example, take
> > > a look at get_current_proc() in the win7x86intro plugin.  There are other
> > > examples in that plugin too.
> > >
> > > -Ryan
> > >
> > > From: Simone Mazzoni <simone.mazzoni13 at gmail.com>
> > > Date: Tuesday, March 24, 2015 at 12:00 PM
> > > To: "panda-users at mit.edu" <panda-users at mit.edu>
> > > Subject: [panda-users] Dereferencing using panda_virtual_memory_rw()
> > >
> > > Hi all,
> > >
> > > I'm trying to perform argument dereferencing using panda.
> > >
> > > I developed a plugin that, for every system call, extracts the addresses of
> > > all the arguments. I'm now interested in dereferencing those addresses to
> > > extract human-readable data.
> > >
> > > I will make an example.
> > >
> > > I intercept NtCreateFile, which has this structure according to the MSDN
> > > official site (ZwCreateFile is the same):
> > >
> > > NTSTATUS ZwCreateFile(
> > >   _Out_     PHANDLE            FileHandle,
> > >   _In_      ACCESS_MASK        DesiredAccess,
> > >   _In_      POBJECT_ATTRIBUTES ObjectAttributes,
> > >   _Out_     PIO_STATUS_BLOCK   IoStatusBlock,
> > >   _In_opt_  PLARGE_INTEGER     AllocationSize,
> > >   _In_      ULONG              FileAttributes,
> > >   _In_      ULONG              ShareAccess,
> > >   _In_      ULONG              CreateDisposition,
> > >   _In_      ULONG              CreateOptions,
> > >   _In_opt_  PVOID              EaBuffer,
> > >   _In_      ULONG              EaLength
> > > );
> > >
> > > So for example with my plugin now I can extract the 11 addresses of the
> > > arguments of this system call.
> > > Assuming this, I am now interested in dereferencing the third argument
> > > POBJECT_ATTRIBUTES that, according to the MSDN site, is a structure:
> > >
> > > typedef struct _OBJECT_ATTRIBUTES {
> > >   ULONG           Length;
> > >   HANDLE          RootDirectory;
> > >   PUNICODE_STRING ObjectName;
> > >   ULONG           Attributes;
> > >   PVOID           SecurityDescriptor;
> > >   PVOID           SecurityQualityOfService;
> > > }  OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
> > >
> > > That contains a PUNICODE_STRING, which is a pointer to another structure:
> > >
> > > typedef struct _UNICODE_STRING {
> > >   USHORT Length;
> > >   USHORT MaximumLength;
> > >   PWSTR  Buffer;
> > > } UNICODE_STRING, *PUNICODE_STRING;
> > >
> > > This structure contains the PWSTR parameter that contains (I guess) exactly
> > > the string of the name of the file passed to the high-level API
> > > CreateFile().
> > >
> > > So, first question: is this right?
> > > Second question: is it possible to dereference these structures using the
> > > panda_virtual_memory_rw() function by reading the correct number of bytes?
> > >
> > > Hope to be clear enough.
> > >
> > > Thanks for the help.
> > >
> > > - Simone
> > >
> >
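The pointer walk Simone asks about (ObjectAttributes -> ObjectName -> Buffer), written out as an added example that is not from the thread or from PANDA. It assumes a 32-bit guest and replaces panda_virtual_memory_rw() with a hypothetical vm_read() stub of the same shape over a constructed guest memory image, so that the "buffer not mapped yet" case Josh describes shows up as a failed read rather than garbage:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for guest memory: 32-bit addresses, one mapped
 * region at GUEST_BASE; anything outside it reads as unmapped. */
#define GUEST_BASE 0x00400000u
static uint8_t guest_mem[256];

/* Hypothetical stub with the shape of panda_virtual_memory_rw(): returns
 * 0 on success, -1 if any byte of the range is not mapped. */
static int vm_read(uint32_t addr, void *buf, uint32_t len) {
    if (addr < GUEST_BASE || (uint64_t)addr + len > GUEST_BASE + sizeof guest_mem)
        return -1;
    memcpy(buf, guest_mem + (addr - GUEST_BASE), len);
    return 0;
}

/* 32-bit guest layouts of the two structures quoted in the question. */
struct oa32 { uint32_t Length, RootDirectory, ObjectName, Attributes,
              SecurityDescriptor, SecurityQualityOfService; };
struct us32 { uint16_t Length, MaximumLength; uint32_t Buffer; };

/* ObjectAttributes -> ObjectName -> Buffer, copied out as ASCII (non-ASCII
 * UTF-16 units become '?'). Returns the character count, or -1 if any hop
 * fails, which is what an argument that is not mapped yet looks like. */
int read_object_name(uint32_t oa_addr, char *out, size_t outlen) {
    struct oa32 oa; struct us32 us; uint16_t wc[128];
    if (vm_read(oa_addr, &oa, sizeof oa) != 0) return -1;
    if (oa.ObjectName == 0 || vm_read(oa.ObjectName, &us, sizeof us) != 0) return -1;
    size_t n = us.Length / 2;               /* UNICODE_STRING.Length is in bytes */
    if (n > 128) n = 128;
    if (n + 1 > outlen) n = outlen - 1;
    if (vm_read(us.Buffer, wc, (uint32_t)(n * 2)) != 0) return -1;
    for (size_t i = 0; i < n; i++) out[i] = wc[i] < 0x80 ? (char)wc[i] : '?';
    out[n] = '\0';
    return (int)n;
}

/* Constructed sample image: OBJECT_ATTRIBUTES at +0x00, UNICODE_STRING at
 * +0x20, UTF-16LE name at +0x30, and a second OBJECT_ATTRIBUTES at +0x60
 * whose ObjectName points into unmapped memory. Returns the first one's address. */
uint32_t setup_guest(void) {
    static const char name[] = "\\??\\C:\\x.txt";
    struct oa32 oa = { sizeof oa, 0, GUEST_BASE + 0x20, 0x40 /* OBJ_CASE_INSENSITIVE */, 0, 0 };
    struct us32 us = { 2 * (sizeof name - 1), 2 * sizeof name, GUEST_BASE + 0x30 };
    struct oa32 bad = { sizeof bad, 0, 0x7fff0000u, 0, 0, 0 };
    memcpy(guest_mem + 0x00, &oa, sizeof oa);
    memcpy(guest_mem + 0x20, &us, sizeof us);
    for (size_t i = 0; i < sizeof name; i++) { guest_mem[0x30 + 2 * i] = (uint8_t)name[i]; guest_mem[0x31 + 2 * i] = 0; }
    memcpy(guest_mem + 0x60, &bad, sizeof bad);
    return GUEST_BASE;
}
```

In a real plugin the same walk would check panda_virtual_memory_rw()'s return value at every hop and, on failure, retry at the syscall return as syscalls2 does, rather than trusting partially read bytes.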