[panda-users] Logging a new message in win7proc

Brendan Dolan-Gavitt brendandg at nyu.edu
Sun Apr 24 11:39:55 EDT 2016 

Sure! I think what you want is to add a new log entry type. The logs
use protocol buffers to define the structure of each entry type in a
.proto file. So you could edit win7proc.proto and add your new message
type. Then you'd re-run build.sh (which generates C data structures
for the protocol buffers definitions) and you could use your new log
entry type.

There are some details on how this stuff works in the manual (though I
just noticed the table of contents doesn't list the top-level section
for some reason):

https://github.com/moyix/panda/blob/master/docs/manual.md#pandalog

-Brendan

On Sun, Apr 24, 2016 at 11:18 AM, Bridgey theGeek
<bridgeythegeek at gmail.com> wrote:
> Hi PANDAs,
>
> I've added the functionality to Syscalls2 so that it now understands
> NtUserCreateWindowEx.
> I'm now trying to add to win7proc so that it's also reported in the log file
> this plugin produces.
>
> In win7proc.cpp I've added:
> void w7p_NtUserCreateWindowEx_enter(CPUState* env,
>                     target_ulong pc,
>                     uint32_t dwExStyle,
>                     uint32_t lpClassName,
>                     uint32_t lpWindowName,
>                     uint32_t dwStyle,
>                     int32_t x,
>                     int32_t y,
>                     int32_t nWidth,
>                     int32_t nHeight,
>                     uint32_t hWndParent,
>                     uint32_t hInstance,
>                     target_ulong lpParam) {
>     Panda__LogEntry ple = PANDA__LOG_ENTRY__INIT;
>     ple.has_nt_any_syscall = 1;
>     ple.nt_any_syscall = 6969;
>     pandalog_write_entry(&ple);
>
> And this works. If I replay with the win7proc plugin, when a window is
> created I see:
> instr=419644049 pc=0x778370b2 : nt_any_syscall (num=6969)
>
> Of course what I'd like to be able to report is some helpful metadata like
> the process name, the fact that it's NtUserCreateWindowEx and ideally the
> value of lpClassName and lpWindowName.
>
> But I just can't quite follow the logic to see how Panda__LogEntry works.
>
> Can somebody give me a quick explanation..?
>
> Thank you!
> Bridgey
>
> _______________________________________________
> panda-users mailing list
> panda-users at mit.edu
> http://mailman.mit.edu/mailman/listinfo/panda-users
>



-- 
Brendan Dolan-Gavitt
Assistant Professor, Department of Computer Science and Engineering
NYU Tandon School of Engineering

More information about the panda-users mailing list