[panda-users] Logging a new message in win7proc

Leek, Timothy - 0559 - MITLL tleek at ll.mit.edu
Sun Apr 24 16:54:10 EDT 2016


Jumping in.  nt_user_create_window_ex is a pointer.  So it doesn't need (or
get) a has_.  It's NULL if it is absent and a valid pointer otherwise.

From:  <panda-users-bounces at mit.edu> on behalf of Bridgey theGeek
<bridgeythegeek at gmail.com>
Date:  Sunday, April 24, 2016 at 3:18 PM
To:  Brendan Dolan-Gavitt <brendandg at nyu.edu>
Cc:  "panda-users at mit.edu" <panda-users at mit.edu>
Subject:  Re: [panda-users] Logging a new message in win7proc

Thanks Brendan - that's a great help!

I have some progress. I've added the following to win7proc.proto:
message UserCreateWindowEx {
required Process proc = 1;
required uint32 id = 2;
}
optional UserCreateWindowEx nt_user_create_window_ex = 63;

And build.sh seems happy with that.

I've added the following to win7proc.cpp:
Panda__UserCreateWindowEx *cw = (Panda__UserCreateWindowEx *)
malloc(sizeof(Panda__UserCreateWindowEx));
// Do I need to initialise cw some how???
cw->proc = create_panda_process(cur_pid, cur_procname);
cw->id = 6969;
Panda__LogEntry ple = PANDA__LOG_ENTRY__INIT;
ple.has_nt_user_create_window_ex = 1; // Line 1652
ple.nt_user_create_window_ex = cw;
pandalog_write_entry(&ple);

But when I try and build, I get:
win7proc.cpp:1652:9: error: 'Panda__LogEntry' has no member named
'has_nt_user_create_window_ex'

I thought given nt_user_create_window_ex is optional, the has_ member would,
well, magically exist??

I have tried Google-ing but "has no has" is quite tricky to Google for :(

Thanks again!

On 24 April 2016 at 16:39, Brendan Dolan-Gavitt <brendandg at nyu.edu> wrote:
> Sure! I think what you want is to add a new log entry type. The logs
> use protocol buffers to define the structure of each entry type in a
> .proto file. So you could edit win7proc.proto and add your new message
> type. Then you'd re-run build.sh (which generates C data structures
> for the protocol buffers definitions) and you could use your new log
> entry type.
> 
> There are some details on how this stuff works in the manual (though I
> just noticed the table of contents doesn't list the top-level section
> for some reason):
> 
> https://github.com/moyix/panda/blob/master/docs/manual.md#pandalog
> 
> -Brendan
> 
> On Sun, Apr 24, 2016 at 11:18 AM, Bridgey theGeek
> <bridgeythegeek at gmail.com> wrote:
>> Hi PANDAs,
>>
>> I've added the functionality to Syscalls2 so that it now understands
>> NtUserCreateWindowEx.
>> I'm now trying to add to win7proc so that it's also reported in the log file
>> this plugin produces.
>>
>> In win7proc.cpp I've added:
>> void w7p_NtUserCreateWindowEx_enter(CPUState* env,
>>                     target_ulong pc,
>>                     uint32_t dwExStyle,
>>                     uint32_t lpClassName,
>>                     uint32_t lpWindowName,
>>                     uint32_t dwStyle,
>>                     int32_t x,
>>                     int32_t y,
>>                     int32_t nWidth,
>>                     int32_t nHeight,
>>                     uint32_t hWndParent,
>>                     uint32_t hInstance,
>>                     target_ulong lpParam) {
>>     Panda__LogEntry ple = PANDA__LOG_ENTRY__INIT;
>>     ple.has_nt_any_syscall = 1;
>>     ple.nt_any_syscall = 6969;
>>     pandalog_write_entry(&ple);
>> }
>>
>> And this works. If I replay with the win7proc plugin, when a window is
>> created I see:
>> instr=419644049 pc=0x778370b2 : nt_any_syscall (num=6969)
>>
>> Of course what I'd like to be able to report is some helpful metadata like
>> the process name, the fact that it's NtUserCreateWindowEx and ideally the
>> value of lpClassName and lpWindowName.
>>
>> But I just can't quite follow the logic to see how Panda__LogEntry works.
>>
>> Can somebody give me a quick explanation..?
>>
>> Thank you!
>> Bridgey
>>
>> _______________________________________________
>> panda-users mailing list
>> panda-users at mit.edu
>> http://mailman.mit.edu/mailman/listinfo/panda-users
>>
> 
> 
> 
> --
> Brendan Dolan-Gavitt
> Assistant Professor, Department of Computer Science and Engineering
> NYU Tandon School of Engineering
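To make Tim's point concrete in working code, here is an added example (not code from the thread or from PANDA). It uses hand-written stand-ins for the structs protoc-c would generate from win7proc.proto, and a constructed Process value; the real generated code also provides an init function (panda__user_create_window_ex__init) that the stand-in's calloc replaces.

```c
#include <stdint.h>
#include <stdlib.h>

/* Assumption: hand-written stand-ins mirroring the shape protoc-c emits.
 * An optional scalar field gets a has_ flag plus the value; an optional
 * message-typed field is a bare pointer that is NULL when absent. */
typedef struct { uint32_t pid; const char *name; } Panda__Process;
typedef struct { Panda__Process *proc; uint32_t id; } Panda__UserCreateWindowEx;
typedef struct {
    int      has_nt_any_syscall;                          /* scalar: flag + value */
    uint32_t nt_any_syscall;
    Panda__UserCreateWindowEx *nt_user_create_window_ex;  /* message: pointer only */
} Panda__LogEntry;
#define PANDA__LOG_ENTRY__INIT { 0, 0, NULL }

/* Heap-allocate and zero the sub-message (the generated code would be
 * initialised with panda__user_create_window_ex__init instead), then fill it.
 * The caller owns the returned pointer. */
Panda__UserCreateWindowEx *make_create_window(Panda__Process *proc, uint32_t id) {
    Panda__UserCreateWindowEx *cw = calloc(1, sizeof *cw);
    if (!cw) return NULL;
    cw->proc = proc;
    cw->id = id;
    return cw;
}

/* 0 = nothing set, 1 = nt_any_syscall present, 2 = nt_user_create_window_ex
 * present.  Note there is no has_ for the message field: presence is the
 * pointer being non-NULL. */
int entry_kind(const Panda__LogEntry *ple) {
    if (ple->nt_user_create_window_ex) return 2;
    if (ple->has_nt_any_syscall) return 1;
    return 0;
}

/* Build an entry the way the win7proc hook would, read it back, and free the
 * sub-message (pandalog_write_entry would not free it for you). */
uint32_t create_window_id(void) {
    Panda__Process proc = { 1234, "explorer.exe" };       /* constructed sample */
    Panda__LogEntry ple = PANDA__LOG_ENTRY__INIT;
    ple.nt_user_create_window_ex = make_create_window(&proc, 6969);
    if (!ple.nt_user_create_window_ex) return 0;
    int kind = entry_kind(&ple);                           /* 2: pointer is set */
    uint32_t id = ple.nt_user_create_window_ex->id;
    free(ple.nt_user_create_window_ex);
    ple.nt_user_create_window_ex = NULL;                   /* absent again */
    return kind == 2 && entry_kind(&ple) == 0 ? id : 0;
}
```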




