[panda-users] Logging a new message in win7proc

Bridgey theGeek bridgeythegeek at gmail.com
Sun Apr 24 17:35:21 EDT 2016


Ohhh, yeah! Of course! Thank you! :)

On 24 April 2016 at 21:54, Leek, Timothy - 0559 - MITLL <tleek at ll.mit.edu>
wrote:

> Jumping in.  nt_user_create_window_ex is a pointer.  So it doesn't need
> (or get) a has_.  It's NULL if it is absent and a valid pointer otherwise.
>
> From: <panda-users-bounces at mit.edu> on behalf of Bridgey theGeek <bridgeythegeek at gmail.com>
> Date: Sunday, April 24, 2016 at 3:18 PM
> To: Brendan Dolan-Gavitt <brendandg at nyu.edu>
> Cc: "panda-users at mit.edu" <panda-users at mit.edu>
> Subject: Re: [panda-users] Logging a new message in win7proc
>
> Thanks Brendan - that's a great help!
>
> I have some progress. I've added the following to win7proc.proto:
> message UserCreateWindowEx {
> required Process proc = 1;
> required uint32 id = 2;
> }
> optional UserCreateWindowEx nt_user_create_window_ex = 63;
>
> And build.sh seems happy with that.
>
> I've added the following to win7proc.cpp:
> Panda__UserCreateWindowEx *cw = (Panda__UserCreateWindowEx *)
> malloc(sizeof(Panda__UserCreateWindowEx));
> // Do I need to initialise cw somehow???
> cw->proc = create_panda_process(cur_pid, cur_procname);
> cw->id = 6969;
> Panda__LogEntry ple = PANDA__LOG_ENTRY__INIT;
> ple.has_nt_user_create_window_ex = 1; // Line 1652
> ple.nt_user_create_window_ex = cw;
> pandalog_write_entry(&ple);
>
> But when I try and build, I get:
> win7proc.cpp:1652:9: error: ‘Panda__LogEntry’ has no member named
> ‘has_nt_user_create_window_ex’
>
> I thought given nt_user_create_window_ex is optional, the has_ member
> would, well, magically exist??
>
> I have tried Google-ing but "has no has" is quite tricky to Google for :(
>
> Thanks again!
>
> On 24 April 2016 at 16:39, Brendan Dolan-Gavitt <brendandg at nyu.edu> wrote:
>
>> Sure! I think what you want is to add a new log entry type. The logs
>> use protocol buffers to define the structure of each entry type in a
>> .proto file. So you could edit win7proc.proto and add your new message
>> type. Then you'd re-run build.sh (which generates C data structures
>> for the protocol buffers definitions) and you could use your new log
>> entry type.
>>
>> There are some details on how this stuff works in the manual (though I
>> just noticed the table of contents doesn't list the top-level section
>> for some reason):
>>
>> https://github.com/moyix/panda/blob/master/docs/manual.md#pandalog
>>
>> -Brendan
>>
>> On Sun, Apr 24, 2016 at 11:18 AM, Bridgey theGeek
>> <bridgeythegeek at gmail.com> wrote:
>> > Hi PANDAs,
>> >
>> > I've added the functionality to Syscalls2 so that it now understands
>> > NtUserCreateWindowEx.
>> > I'm now trying to add to win7proc so that it's also reported in the log
>> > file this plugin produces.
>> >
>> > In win7proc.cpp I've added:
>> > void w7p_NtUserCreateWindowEx_enter(CPUState* env,
>> >                     target_ulong pc,
>> >                     uint32_t dwExStyle,
>> >                     uint32_t lpClassName,
>> >                     uint32_t lpWindowName,
>> >                     uint32_t dwStyle,
>> >                     int32_t x,
>> >                     int32_t y,
>> >                     int32_t nWidth,
>> >                     int32_t nHeight,
>> >                     uint32_t hWndParent,
>> >                     uint32_t hInstance,
>> >                     target_ulong lpParam) {
>> >     Panda__LogEntry ple = PANDA__LOG_ENTRY__INIT;
>> >     ple.has_nt_any_syscall = 1;
>> >     ple.nt_any_syscall = 6969;
>> >     pandalog_write_entry(&ple);
>> > }
>> >
>> > And this works. If I replay with the win7proc plugin, when a window is
>> > created I see:
>> > instr=419644049 pc=0x778370b2 : nt_any_syscall (num=6969)
>> >
>> > Of course what I'd like to be able to report is some helpful metadata
>> > like the process name, the fact that it's NtUserCreateWindowEx and
>> > ideally the value of lpClassName and lpWindowName.
>> >
>> > But I just can't quite follow the logic to see how Panda__LogEntry
>> > works.
>> >
>> > Can somebody give me a quick explanation..?
>> >
>> > Thank you!
>> > Bridgey
>> >
>> > _______________________________________________
>> > panda-users mailing list
>> > panda-users at mit.edu
>> > http://mailman.mit.edu/mailman/listinfo/panda-users
>> >
>>
>>
>>
>> --
>> Brendan Dolan-Gavitt
>> Assistant Professor, Department of Computer Science and Engineering
>> NYU Tandon School of Engineering
>>
>
>
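As an added example (not code from this thread, nor PANDA's own generated code), the stand-in structs below mimic the convention Tim describes for what build.sh generates from win7proc.proto: an optional scalar such as nt_any_syscall gets a has_ flag, while an optional sub-message such as nt_user_create_window_ex is a plain pointer that is NULL when absent, and a malloc'd sub-message is cleared with a generated __init before its fields are set. Every Demo* type, macro and function here is a hypothetical stand-in, and the DemoProcess shape and sample process are constructed.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical stand-ins (not PANDA's generated code) for what build.sh makes
 * from win7proc.proto: protobuf-c gives an optional scalar a has_<field> flag,
 * but an optional message field is just a pointer, NULL meaning absent. */
typedef struct { uint32_t pid; const char *name; } DemoProcess;  /* assumed shape */
typedef struct { DemoProcess *proc; uint32_t id; } DemoUserCreateWindowEx;
typedef struct {
    int has_nt_any_syscall;       /* optional uint32 -> has_ flag plus value */
    uint32_t nt_any_syscall;
    DemoUserCreateWindowEx *nt_user_create_window_ex;  /* optional message -> pointer only */
} DemoLogEntry;

/* Same role as PANDA__LOG_ENTRY__INIT: every field starts cleared. */
#define DEMO_LOG_ENTRY__INIT { 0, 0, NULL }
#define DEMO_USER_CREATE_WINDOW_EX__INIT { NULL, 0 }
/* Plays the part of the generated <message>__init(): clears a freshly
 * malloc'd message so no field carries heap garbage into the log. */
static void demo_user_create_window_ex__init(DemoUserCreateWindowEx *m) {
    static const DemoUserCreateWindowEx init = DEMO_USER_CREATE_WINDOW_EX__INIT;
    *m = init;
}

static DemoUserCreateWindowEx *demo_make_create_window(DemoProcess *proc, uint32_t id) {
    DemoUserCreateWindowEx *cw = malloc(sizeof *cw);
    if (cw == NULL) return NULL;
    demo_user_create_window_ex__init(cw);   /* the "do I need to initialise cw?" step */
    cw->proc = proc;
    cw->id = id;
    return cw;
}

/* Presence test for a message field: the pointer is non-NULL, no has_ flag. */
static int demo_entry_has_create_window(const DemoLogEntry *e) {
    return e->nt_user_create_window_ex != NULL;
}

/* Build an entry the way the thread wants it and read the id back through
 * the pointer. Returns the id on success, 0 if anything is missing. */
static uint32_t demo_create_window_entry(uint32_t id) {
    static DemoProcess proc = { 1234, "notepad.exe" };  /* constructed sample process */
    DemoLogEntry ple = DEMO_LOG_ENTRY__INIT;
    ple.nt_user_create_window_ex = demo_make_create_window(&proc, id);
    if (!demo_entry_has_create_window(&ple) || ple.has_nt_any_syscall) return 0;
    uint32_t seen = ple.nt_user_create_window_ex->id;
    free(ple.nt_user_create_window_ex);   /* release after the entry is written */
    return seen;
}
```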