[panda-users] Dereferencing using panda_virtual_memory_rw()
Simone Mazzoni
simone.mazzoni13 at gmail.com
Tue Mar 24 14:49:39 EDT 2015
Hello Joshua,
yes, this make perfect sense, and I think the same mechanism works for
widows.
Maybe this happen because each system call allocates the necessary
structure to contain both the input argument and the arguments that will
contain the output.
As an example you can see the structure of the ZwCreateFile in windows that
uses some arguments as inputs, some arguments as output and some arguments
as both input and output.
Anyway the thing that I do in my plugin is to "store" the system call
values at the call moment in a structure before the exec, and then I check
again after the exec if one of the system calls called previously is
returned and if it is, I do my stuff on the data.
Another thing: is it possible to track with panda also high level windows
API? (CreateFile, OpenFile, ecc...)
- Simone
Il giorno mar 24 mar 2015 alle ore 18:38 Joshua Hodosh <
josh.hodosh at ll.mit.edu> ha scritto:
> Simone,
>
> One issue we found when implementing the first Linux syscalls plugin was
> that some buffer arguments
> weren't mapped into memory yet when our instrumentation ran. For example,
> in open(char* file),
> "file" didn't point to an allocated buffer in the address space we looked
> in until some time after
> the basic block ending with the syscall (and our instrumentation of the
> syscall) had been executed.
> The syscalls::string class in
> https://github.com/moyix/panda/blob/master/qemu/panda_
> plugins/syscalls/syscalls_common.hpp
> dealt with that case. It's possible you may see similar behavior in
> emulating Windows.
>
> We eventually switched to doing most work at the return instead of the
> call. Pointers
> all dereferenced properly by then, so syscalls2 doesn't have the buffer
> special-case code.
>
> --
> Josh
> On Tuesday, March 24, 2015 04:26:19 PM Simone Mazzoni wrote:
> > Good!
> >
> > I will take a look at those plugins. I tried to implement a similar
> > mechanism but maybe I made something wrong.
> >
> > Thanks for the hints.
> >
> > - Simone
> >
> > Il giorno mar 24 mar 2015 17:17 Brendan Dolan-Gavitt <
> brendandg at gatech.edu>
> > ha scritto:
> >
> > > To add to what Ryan said, you should also look at the win7proc plugin,
> > > which even has code for reading _OBJECT_ATTRIBUTES and mapping HANDLEs
> > > to _FILE_OBJECTs.
> > >
> > > -Brendan
> > >
> > > On Tue, Mar 24, 2015 at 12:14 PM, Whelan, Ryan - 0559 - MITLL
> > > <rwhelan at ll.mit.edu> wrote:
> > > > Simone,
> > > >
> > > > In general, it is possible to read memory and follow pointers in the
> > > guest
> > > > as long as you know the structure of objects in memory. As an
> example,
> > > take
> > > > a look at get_current_proc() in the win7x86intro plugin. There are
> other
> > > > examples in that plugin too.
> > > >
> > > > -Ryan
> > > >
> > > > From: Simone Mazzoni <simone.mazzoni13 at gmail.com>
> > > > Date: Tuesday, March 24, 2015 at 12:00 PM
> > > > To: "panda-users at mit.edu" <panda-users at mit.edu>
> > > > Subject: [panda-users] Dereferencing using panda_virtual_memory_rw()
> > > >
> > > > Hi all,
> > > >
> > > > I'm trying to perform arguments dereferencing using panda.
> > > >
> > > > I developed a plugin that, for every systemcall, extract the
> addresses of
> > > > all the arguments. I'm now interested in dereferencing those
> addresses to
> > > > extract human readable data.
> > > >
> > > > I will make an example.
> > > >
> > > > I intercept the NtCreateFile the has this structure according to the
> MSDN
> > > > official site (ZwCreateFile is the same)
> > > >
> > > > NTSTATUS ZwCreateFile(
> > > > _Out_ PHANDLE FileHandle,
> > > > _In_ ACCESS_MASK DesiredAccess,
> > > > _In_ POBJECT_ATTRIBUTES ObjectAttributes,
> > > > _Out_ PIO_STATUS_BLOCK IoStatusBlock,
> > > > _In_opt_ PLARGE_INTEGER AllocationSize,
> > > > _In_ ULONG FileAttributes,
> > > > _In_ ULONG ShareAccess,
> > > > _In_ ULONG CreateDisposition,
> > > > _In_ ULONG CreateOptions,
> > > > _In_opt_ PVOID EaBuffer,
> > > > _In_ ULONG EaLength
> > > > );
> > > >
> > > > So for example with my plugin now I can extract the 11 addresses of
> the
> > > > arguments of this system call.
> > > > Assuming this, I am now interested in dereferencing the third
> argument
> > > > POBJECT_ATTRIBUTES that, according to the MSDN site, is a structure:
> > > >
> > > > typedef struct _OBJECT_ATTRIBUTES {
> > > > ULONG Length;
> > > > HANDLE RootDirectory;
> > > > PUNICODE_STRING ObjectName;
> > > > ULONG Attributes;
> > > > PVOID SecurityDescriptor;
> > > > PVOID SecurityQualityOfService;
> > > > } OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
> > > >
> > > > That contain a PUNICODDE_STRING which is a pointer to another
> structure:
> > > >
> > > > typedef struct _UNICODE_STRING {
> > > > USHORT Length;
> > > > USHORT MaximumLength;
> > > > PWSTR Buffer;
> > > > } UNICODE_STRING, *PUNICODE_STRING;
> > > >
> > > > This structure contain the PWSTR parameter that contain (I guess)
> exactly
> > > > the string of the name of the file passed to the high level API
> > > > CreateFile().
> > > >
> > > > So, first question: is this right?
> > > > Second question: is it possible to dereference this structures using
> the
> > > > panda_virtual_memory_rw() function reading the correct number of
> bytes?
> > > >
> > > > Hope to be clear enough.
> > > >
> > > > Thanks for the help.
> > > >
> > > > - Simone
> > > >
> > > > _______________________________________________
> > > > panda-users mailing list
> > > > panda-users at mit.edu
> > > > http://mailman.mit.edu/mailman/listinfo/panda-users
> > > >
> > >
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.mit.edu/mailman/private/panda-users/attachments/20150324/46c3e237/attachment-0001.htm
More information about the panda-users
mailing list