[panda-users] file_taint question

Manolis Stamatogiannakis mstamat at gmail.com
Sun Jul 17 14:45:33 EDT 2016


Ah, yes. This sounds right.

I had also observed the delayed update of kernel data structures. This
happens when a new process starts. Most of the OsiProc fields were correct
at the callback time, but the process name was still that of the parent
process.

For my plugin, I opted to mark the new process as "fresh" and update the
name next time I see the process.

Thanks!

M.



2016-07-17 19:34 GMT+02:00 Brendan Dolan-Gavitt <brendandg at nyu.edu>:

> I *think* the reasoning was that right when PGD_CHANGED happens the
> data structures that track the current process may be in transition,
> and so it might not be reliable to get the current process. But I
> don't know if this was actually tested. According to git-blame, Tim is
> the one to ask, so hopefully he'll weigh in.
>
> It should also be easy enough to test this hypothesis by switching it
> to PGD_CHANGED on a few test cases and seeing if the results match up.
> If we can get away with only invoking on PGD change that would
> definitely be an improvement.
>
> -Brendan
>
> On Sun, Jul 17, 2016 at 1:20 PM, Manolis Stamatogiannakis
> <mstamat at gmail.com> wrote:
> > Hello,
> >
> > I was going through the file_taint plugin code and was wondering about
> > the osi_foo() callback.
> >
> > https://github.com/moyix/panda/blob/master/qemu/panda_plugins/file_taint/file_taint.cpp#L386
> >
> > Is there any reason that the function is hooked as a
> > PANDA_CB_BEFORE_BLOCK_EXEC callback rather than PANDA_CB_VMI_PGD_CHANGED
> > callback?
> >
> > For Linux it seems to me that PANDA_CB_VMI_PGD_CHANGED would yield
> > equivalent results at only a tiny fraction of the invocations.
> >
> > Same should be true for Windows as far as I can tell.
> >
> > Thanks,
> > M.
> >
> > _______________________________________________
> > panda-users mailing list
> > panda-users at mit.edu
> > http://mailman.mit.edu/mailman/listinfo/panda-users
> >
>
>
>
> --
> Brendan Dolan-Gavitt
> Assistant Professor, Department of Computer Science and Engineering
> NYU Tandon School of Engineering
>
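An added illustration of the "fresh" process approach described above, not code from the file_taint plugin or from PANDA: OsiProc is stood in for by a constructed SimOsiProc struct, and the PGD-change callback by a plain method call. The tracker records a process on first sighting but only trusts its name on the second, since the first view can still carry the parent's name.

```cpp
#include <cassert>
#include <cstdint>
#include <map>
#include <string>

// Constructed stand-in for the OsiProc record PANDA's OSI layer hands back.
struct SimOsiProc {
    uint64_t asid;     // page directory base, what PGD_CHANGED keys on
    uint32_t pid;
    std::string name;  // can still be the parent's name right after fork/exec
};
struct TrackedProc {
    uint32_t pid;
    std::string name;
    bool fresh;        // true until the process has been seen a second time
};

class ProcTracker {
public:
    // Invoked on every simulated PGD change with the OSI view at that moment.
    const TrackedProc& on_pgd_changed(const SimOsiProc& p) {
        auto it = procs_.find(p.asid);
        if (it == procs_.end()) {
            // First sighting: kernel structures may be mid-transition, so the
            // name is not trusted yet; keep it but flag the entry as fresh.
            it = procs_.emplace(p.asid, TrackedProc{p.pid, p.name, true}).first;
        } else if (it->second.fresh) {
            // Second sighting: the task has settled, so take the name now.
            it->second.name = p.name;
            it->second.fresh = false;
        }
        return it->second;
    }
    const TrackedProc* lookup(uint64_t asid) const {
        auto it = procs_.find(asid);
        return it == procs_.end() ? nullptr : &it->second;
    }
private:
    std::map<uint64_t, TrackedProc> procs_;
};

// Constructed scenario: bash (asid 0x1000) spawns ls under asid 0x2000; at the
// first PGD switch into it the new task still reports the parent's name.
ProcTracker run_scenario() {
    ProcTracker t;
    t.on_pgd_changed({0x1000, 100, "bash"});
    t.on_pgd_changed({0x2000, 101, "bash"});  // stale name, flagged fresh
    t.on_pgd_changed({0x1000, 100, "bash"});  // switch back to the parent
    t.on_pgd_changed({0x2000, 101, "ls"});    // settled name picked up
    return t;
}
```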