[panda-users] Logging a new message in win7proc
Bridgey theGeek
bridgeythegeek at gmail.com
Sun Apr 24 15:18:18 EDT 2016
Thanks Brendan - that's a great help!
I have some progress. I've added the following to win7proc.proto:
message UserCreateWindowEx {
    required Process proc = 1;
    required uint32 id = 2;
}

optional UserCreateWindowEx nt_user_create_window_ex = 63;
And build.sh seems happy with that.
I've added the following to win7proc.cpp:
Panda__UserCreateWindowEx *cw =
    (Panda__UserCreateWindowEx *) malloc(sizeof(Panda__UserCreateWindowEx));
// Do I need to initialise cw somehow???
cw->proc = create_panda_process(cur_pid, cur_procname);
cw->id = 6969;

Panda__LogEntry ple = PANDA__LOG_ENTRY__INIT;
ple.has_nt_user_create_window_ex = 1; // Line 1652
ple.nt_user_create_window_ex = cw;
pandalog_write_entry(&ple);
But when I try and build, I get:
win7proc.cpp:1652:9: error: ‘Panda__LogEntry’ has no member named
‘has_nt_user_create_window_ex’
I thought given nt_user_create_window_ex is optional, the has_ member
would, well, magically exist??
I have tried Googling, but "has no has" is quite tricky to Google for :(
Thanks again!
On 24 April 2016 at 16:39, Brendan Dolan-Gavitt <brendandg at nyu.edu> wrote:
> Sure! I think what you want is to add a new log entry type. The logs
> use protocol buffers to define the structure of each entry type in a
> .proto file. So you could edit win7proc.proto and add your new message
> type. Then you'd re-run build.sh (which generates C data structures
> for the protocol buffers definitions) and you could use your new log
> entry type.
>
> There are some details on how this stuff works in the manual (though I
> just noticed the table of contents doesn't list the top-level section
> for some reason):
>
> https://github.com/moyix/panda/blob/master/docs/manual.md#pandalog
>
> -Brendan
>
> On Sun, Apr 24, 2016 at 11:18 AM, Bridgey theGeek
> <bridgeythegeek at gmail.com> wrote:
> > Hi PANDAs,
> >
> > I've added the functionality to Syscalls2 so that it now understands
> > NtUserCreateWindowEx.
> > I'm now trying to add to win7proc so that it's also reported in the log
> > file this plugin produces.
> >
> > In win7proc.cpp I've added:
> > void w7p_NtUserCreateWindowEx_enter(CPUState* env,
> >                                     target_ulong pc,
> >                                     uint32_t dwExStyle,
> >                                     uint32_t lpClassName,
> >                                     uint32_t lpWindowName,
> >                                     uint32_t dwStyle,
> >                                     int32_t x,
> >                                     int32_t y,
> >                                     int32_t nWidth,
> >                                     int32_t nHeight,
> >                                     uint32_t hWndParent,
> >                                     uint32_t hInstance,
> >                                     target_ulong lpParam) {
> >     Panda__LogEntry ple = PANDA__LOG_ENTRY__INIT;
> >     ple.has_nt_any_syscall = 1;
> >     ple.nt_any_syscall = 6969;
> >     pandalog_write_entry(&ple);
> > }
> >
> > And this works. If I replay with the win7proc plugin, when a window is
> > created I see:
> > instr=419644049 pc=0x778370b2 : nt_any_syscall (num=6969)
> >
> > Of course what I'd like to be able to report is some helpful metadata
> > like the process name, the fact that it's NtUserCreateWindowEx and
> > ideally the value of lpClassName and lpWindowName.
> >
> > But I just can't quite follow the logic to see how Panda__LogEntry works.
> >
> > Can somebody give me a quick explanation..?
> >
> > Thank you!
> > Bridgey
> >
> > _______________________________________________
> > panda-users mailing list
> > panda-users at mit.edu
> > http://mailman.mit.edu/mailman/listinfo/panda-users
> >
>
>
>
> --
> Brendan Dolan-Gavitt
> Assistant Professor, Department of Computer Science and Engineering
> NYU Tandon School of Engineering
>
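The build error above comes from how protobuf-c maps .proto fields onto C structs, and the following is an added, self-contained C example that illustrates it; it is not code from PANDA, win7proc, or libprotobuf-c. It hand-writes the struct layouts and __INIT macros that protoc-c generates for the message types in this thread (the Process message body, the uint64 type of nt_any_syscall, and the helper names make_process/make_create_window are assumptions; the real definitions live in the generated win7proc.pb-c.h), so that it compiles without PANDA installed. The point it shows: protobuf-c only emits a has_ flag for an optional scalar field such as nt_any_syscall; an optional message-typed field such as nt_user_create_window_ex is a bare pointer, and setting it to a non-NULL submessage is what marks it present. It also shows initialising a malloc'd submessage with its __INIT macro instead of leaving the base header and pointers as whatever malloc returned.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for protobuf-c's ProtobufCMessage header, which every generated
 * struct begins with (descriptor pointer plus unknown-field bookkeeping).
 * Layout assumed here so the structs below look like generated code. */
typedef struct {
    const void *descriptor;
    unsigned n_unknown_fields;
    void *unknown_fields;
} ProtobufCMessage;
typedef int protobuf_c_boolean;

/* Assumed shape of win7proc's Process message:
 *   message Process { required uint32 pid = 1; required string name = 2; } */
typedef struct {
    ProtobufCMessage base;
    uint32_t pid;
    char *name;
} Panda__Process;
#define PANDA__PROCESS__INIT { {0, 0, 0}, 0, NULL }

/* message UserCreateWindowEx { required Process proc = 1; required uint32 id = 2; }
 * Required fields get no has_ flag; a message-typed field is always a pointer. */
typedef struct {
    ProtobufCMessage base;
    Panda__Process *proc;
    uint32_t id;
} Panda__UserCreateWindowEx;
#define PANDA__USER_CREATE_WINDOW_EX__INIT { {0, 0, 0}, NULL, 0 }

/* Excerpt of LogEntry showing the two optional field kinds side by side:
 *   optional uint64 nt_any_syscall = N;                         -> has_ flag + value
 *   optional UserCreateWindowEx nt_user_create_window_ex = 63;  -> pointer only */
typedef struct {
    ProtobufCMessage base;
    protobuf_c_boolean has_nt_any_syscall;
    uint64_t nt_any_syscall;
    Panda__UserCreateWindowEx *nt_user_create_window_ex;
} Panda__LogEntry;
#define PANDA__LOG_ENTRY__INIT { {0, 0, 0}, 0, 0, NULL }

/* Hypothetical helper in the spirit of create_panda_process: heap-allocate,
 * apply the __INIT value so no field is left uninitialised, then fill in. */
static Panda__Process *make_process(uint32_t pid, const char *name) {
    Panda__Process *p = malloc(sizeof *p);
    if (!p) return NULL;
    Panda__Process init = PANDA__PROCESS__INIT;
    *p = init;
    p->pid = pid;
    size_t len = strlen(name) + 1;
    p->name = malloc(len);
    if (!p->name) { free(p); return NULL; }
    memcpy(p->name, name, len);
    return p;
}

/* The malloc'd submessage from the thread, done with initialisation. */
static Panda__UserCreateWindowEx *make_create_window(uint32_t pid, const char *name, uint32_t id) {
    Panda__UserCreateWindowEx *cw = malloc(sizeof *cw);
    if (!cw) return NULL;
    Panda__UserCreateWindowEx init = PANDA__USER_CREATE_WINDOW_EX__INIT;
    *cw = init;
    cw->proc = make_process(pid, name);
    if (!cw->proc) { free(cw); return NULL; }
    cw->id = id;
    return cw;
}

/* Attach the submessage: storing the pointer is the whole "present" marker;
 * there is no has_nt_user_create_window_ex to set. */
static void fill_window_entry(Panda__LogEntry *ple, Panda__UserCreateWindowEx *cw) {
    Panda__LogEntry init = PANDA__LOG_ENTRY__INIT;
    *ple = init;
    ple->nt_user_create_window_ex = cw;
}

/* Presence checks, one per field kind. */
static int entry_has_create_window(const Panda__LogEntry *e) {
    return e->nt_user_create_window_ex != NULL;
}
static int entry_has_any_syscall(const Panda__LogEntry *e) {
    return e->has_nt_any_syscall != 0;
}

/* Release what make_create_window allocated (the entry itself is stack-owned). */
static void free_create_window(Panda__UserCreateWindowEx *cw) {
    if (!cw) return;
    if (cw->proc) { free(cw->proc->name); free(cw->proc); }
    free(cw);
}
```

protoc-c also emits an init function alongside each __INIT macro (panda__user_create_window_ex__init(cw) for the message above), which does the same zeroing as assigning the macro value and is the natural call right after malloc.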