[panda-users] memory activity/traces isolation

Brendan Dolan-Gavitt brendandg at gatech.edu
Mon Nov 30 17:02:16 EST 2015


Hi,

Sorry to take a while replying; most of us were out for the
Thanksgiving holiday.

Filtering things out by process isn't supported out of the box by the
memdump and tapindex plugins, but you can modify them to do so. The
OSI plugin can retrieve the name and PID of the current process; since
you're trying to look at a Linux system you can use the osi_linux
plugin specifically:

https://github.com/moyix/panda/tree/master/qemu/panda_plugins/osi_linux

Note that since different kernel versions have different layouts for
their data structures, you'll want to compile the kernelinfo module
inside the guest and create a kernelinfo.conf for use with osi_linux;
there's a bit of documentation on this here:

https://github.com/moyix/panda/tree/master/qemu/panda_plugins/osi_linux/utils/kernelinfo

Hope this helps,
Brendan

On Tue, Nov 24, 2015 at 12:53 PM, gilles B <gillusg75 at gmail.com> wrote:
> Hello,
>
> I'm a Software Security Engineer working in Mobile Security among other stuff.
> I've just discovered this nice and wild animal that is Panda, I'm not yet
> doing Kung Fu with it but I'm more in the learning steps to make it walk :)
>
> I've successfully read and replayed some records of my target program that I
> execute on a Debian 6 (x86).
> Basically I want to get some memory traces of the execution of my entire
> program (all the memory reads/writes + addresses), so I have used the
> plugins 'memdump' and 'tapindex' to create those traces and it looks
> correct.
> I have now 4 logs: tap_writes.idx, tap_reads.idx, tap_writes.bin and
> tap_reads.bin.
> By having a look into the code of the plugins I've been able to understand
> their content, basically the .bin files contain the memory content that is
> read/written, and the .idx files contain the associated addresses, PC and
> other info on those reads/writes.
> I have manually inspected those logs and it seems to work fine as the memory
> accesses match the behavior of my program.
>
> However if I understand correctly, the logs contain all the memory accesses
> recorded, including some noise from the OS.
> In fact I would like to log only the memory activity of my program, not the
> memory activity of the OS that executes in parallel.
> Basically I execute my program from the command line in a Linux environment:
> ./myProgram.sh
>
> Can someone help me to achieve this?
>
> Best Regards,
>
> Gilles
>
> _______________________________________________
> panda-users mailing list
> panda-users at mit.edu
> http://mailman.mit.edu/mailman/listinfo/panda-users
>


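Added example, not part of the thread and not PANDA's code: the filter one would drop into the virt_mem_read / virt_mem_write callbacks of memdump or tapindex so that only the target process's accesses are written out, as Brendan suggests. In a real plugin the ASID comes from the CPU state and the process identity from the OSI plugin (get_current_process / free_osiproc); those, the OsiProc fields used (name, pid, asid), and the sample trace are stand-ins constructed here so the file compiles and runs without PANDA headers. The point the code adds to the advice above is cost: OSI walks guest kernel structures, so it must not run on every memory access; caching the decision per ASID and re-querying only on a context switch keeps the overhead proportional to scheduling events, not to accesses. The drop_kernel flag shows how to also discard the kernel-mode accesses made on the process's behalf, which may or may not count as "noise" depending on what is being traced.

```c
/* Added example: a per-process filter for the virt_mem_read/virt_mem_write
 * callbacks in memdump or tapindex. Not PANDA's code. In the real plugin
 * the ASID comes from the CPU state and the process identity from OSI
 * (get_current_process/free_osiproc); here both are constructed stand-ins
 * so the file compiles and runs without PANDA headers. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t target_ulong;   /* 32-bit x86 guest, as in the thread */

/* The OsiProc fields the filter uses (assumption: name, pid, asid). */
typedef struct { const char *name; target_ulong pid; target_ulong asid; } ProcInfo;

/* One memory access as the callback sees it. 'proc' stands in for what
 * OSI would return if asked at this instant. */
typedef struct {
    target_ulong pc, addr, size;
    target_ulong asid;       /* CR3 on x86; changes on a context switch */
    bool         in_kernel;  /* CPL 0: the kernel working on the process's behalf */
    ProcInfo     proc;
} MemAccess;

/* OSI is far too slow to run on every access, so the decision is cached per
 * ASID and recomputed only when the ASID changes. Re-querying on every change
 * (instead of keeping a table) also copes with ASID reuse after the target exits. */
typedef struct {
    const char  *target_name;
    bool         drop_kernel;  /* also skip accesses made in kernel mode */
    bool         have_last;
    target_ulong last_asid;
    bool         last_match;
    unsigned     osi_queries;  /* how often the slow path ran */
} ProcFilter;

static void filter_init(ProcFilter *f, const char *target, bool drop_kernel) {
    memset(f, 0, sizeof *f);
    f->target_name = target;
    f->drop_kernel = drop_kernel;
}

/* Stand-in for get_current_process(env); the real one allocates an OsiProc
 * that must be released with free_osiproc. */
static const ProcInfo *current_process(ProcFilter *f, const MemAccess *a) {
    f->osi_queries++;
    return &a->proc;
}

/* True when the access belongs to the target and should be written out. */
static bool filter_should_log(ProcFilter *f, const MemAccess *a) {
    if (!f->have_last || a->asid != f->last_asid) {
        const ProcInfo *p = current_process(f, a);
        /* Matching on name is what the thread asks for; comparing p->pid
         * against a PID recorded at process start is the stricter option. */
        f->last_match = p && p->name && strcmp(p->name, f->target_name) == 0;
        f->last_asid  = a->asid;
        f->have_last  = true;
    }
    if (!f->last_match) return false;
    if (f->drop_kernel && a->in_kernel) return false;
    return true;
}

/* Constructed trace: the target interleaved with the shell that launched it. */
#define TARGET_PROC { "myProgram.sh", 1234, 0x1f3a000 }
#define SHELL_PROC  { "bash",         1200, 0x1e00000 }
static const MemAccess SAMPLE[] = {
    { 0x08048400, 0xbffff100, 4, 0x1f3a000, false, TARGET_PROC },
    { 0x08048404, 0xbffff104, 4, 0x1f3a000, false, TARGET_PROC },
    { 0xc0101000, 0xc1800000, 4, 0x1f3a000, true,  TARGET_PROC }, /* syscall path */
    { 0x08053000, 0xbfe00000, 4, 0x1e00000, false, SHELL_PROC  },
    { 0x08048410, 0xbffff108, 4, 0x1f3a000, false, TARGET_PROC },
};
#define SAMPLE_N (sizeof SAMPLE / sizeof SAMPLE[0])

/* Runs the filter over SAMPLE; returns the number of accesses kept and,
 * via *queries, how many times OSI had to be consulted. */
static size_t run_filter(bool drop_kernel, unsigned *queries, MemAccess *out, size_t cap) {
    ProcFilter f;
    filter_init(&f, "myProgram.sh", drop_kernel);
    size_t kept = 0;
    for (size_t i = 0; i < SAMPLE_N; i++)
        if (filter_should_log(&f, &SAMPLE[i]) && kept < cap)
            out[kept++] = SAMPLE[i];
    if (queries) *queries = f.osi_queries;
    return kept;
}

static size_t kept_count(bool drop_kernel) {
    MemAccess out[SAMPLE_N];
    return run_filter(drop_kernel, NULL, out, SAMPLE_N);
}

static unsigned osi_query_count(bool drop_kernel) {
    MemAccess out[SAMPLE_N];
    unsigned q = 0;
    run_filter(drop_kernel, &q, out, SAMPLE_N);
    return q;
}

int main(void) {
    MemAccess out[SAMPLE_N];
    unsigned q = 0;
    size_t n = run_filter(false, &q, out, SAMPLE_N);
    for (size_t i = 0; i < n; i++)
        printf("pc=%08x addr=%08x size=%u pid=%u\n", out[i].pc, out[i].addr,
               out[i].size, out[i].proc.pid);
    printf("%zu of %zu accesses kept, %u OSI queries\n", n, (size_t)SAMPLE_N, q);
    return 0;
}
```

On the constructed trace the filter keeps the four accesses made under the target's ASID while consulting OSI only three times (once at start and once per context switch), and with drop_kernel set it also discards the kernel-mode access. In the real plugin the same decision would gate the writes to tap_reads.bin/.idx and tap_writes.bin/.idx; one remaining caveat is that OSI only works once osi_linux has a kernelinfo.conf matching the guest kernel, so an unmatched configuration shows up as every access being dropped rather than as an error.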