[panda-users] file recovery plugin

Leek, Timothy - 0559 - MITLL tleek at ll.mit.edu
Fri Jul 22 14:19:44 EDT 2016


Yes grab_files does that.  Be careful with it though!  I've used it on some
of your (Brendan's) malware recordings and all the AV software running on
the host goes berserk.

Tim Leek
Technical Staff
Cyber System Assessments
MIT Lincoln Laboratory

From:  <panda-users-bounces at mit.edu> on behalf of Manolis Stamatogiannakis
<mstamat at gmail.com>
Date:  Friday, July 22, 2016 at 12:41 PM
To:  Brendan Dolan-Gavitt <brendandg at nyu.edu>
Cc:  "panda-users at mit.edu" <panda-users at mit.edu>
Subject:  Re: [panda-users] file recovery plugin

ok. Hopefully I'll find some slot to write it in the next 20 or so days.

2016-07-22 18:22 GMT+02:00 Brendan Dolan-Gavitt <brendandg at nyu.edu>:
> Nice idea. I think win7proc currently does this for Windows
> (https://github.com/moyix/panda/blob/master/qemu/panda_plugins/win7proc/win7proc.cpp#L1652),
> but a Linux version of it would be great!
> 
> -Brendan
> 
> On Fri, Jul 22, 2016 at 12:15 PM, Manolis Stamatogiannakis
> <mstamat at gmail.com> wrote:
>> > Just wondering,
>> >
>> > Is there a (best effort) file recovery plugin for PANDA?
>> >
>> > This could work by "replaying" each write syscall that occurs in the trace
>> > for a specific guest-fd to a file on the host.
>> >
>> > OSI for Linux resolves both the filename and the file position of each fd,
>> > so even random access writes should be recoverable.
>> >
>> > Thanks,
>> > M.
>> >
>> > _______________________________________________
>> > panda-users mailing list
>> > panda-users at mit.edu
>> > http://mailman.mit.edu/mailman/listinfo/panda-users
>> >
> 
> 
> 
> --
> Brendan Dolan-Gavitt
> Assistant Professor, Department of Computer Science and Engineering
> NYU Tandon School of Engineering
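The reconstruction step Manolis sketches above (replay each write syscall for a guest fd into a host file, using the filename and file position that OSI resolves) is shown below as an added example; it is not code from PANDA, win7proc or grab_files, and it does not talk to PANDA at all. It assumes a trace has already been collected with the fields a Linux OSI plugin would resolve at syscall time (pid, fd, filename, file position, buffer, return value); the trace here is constructed. Beyond the sketch on the list, it also handles the cases a practitioner hits first: out-of-order writes leaving holes, short writes where the kernel accepted fewer bytes than offered, failed writes, fd numbers reused after close, and guest-chosen filenames that would otherwise escape the host output directory.

```python
"""Best-effort guest file recovery from a trace of write() syscalls (added example)."""
import os
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class WriteEvent:
    """One write() seen during replay. In a real PANDA plugin filename and pos
    would be resolved by OSI at syscall time; here they are constructed values."""
    pid: int
    fd: int
    filename: str   # absolute guest path of the fd
    pos: int        # file offset before the write
    data: bytes     # buffer as read from guest memory
    ret: int        # syscall return value: bytes actually written, or -errno


class RecoveredFile:
    """Image of one guest file plus a per-byte coverage map (1 = observed, 0 = hole)."""

    def __init__(self) -> None:
        self.image = bytearray()
        self.covered = bytearray()

    def apply(self, pos: int, data: bytes) -> None:
        end = pos + len(data)
        if end > len(self.image):
            pad = end - len(self.image)
            self.image.extend(bytes(pad))      # zero-fill, like a sparse file
            self.covered.extend(bytes(pad))
        self.image[pos:end] = data
        self.covered[pos:end] = b"\x01" * len(data)

    def holes(self) -> List[Tuple[int, int]]:
        """Byte ranges [start, end) never written anywhere in the trace."""
        out, start = [], None
        for i, c in enumerate(self.covered):
            if c == 0 and start is None:
                start = i
            elif c == 1 and start is not None:
                out.append((start, i))
                start = None
        if start is not None:
            out.append((start, len(self.covered)))
        return out


def recover(trace: List[WriteEvent]) -> Dict[str, RecoveredFile]:
    """Replay every successful write into a per-filename image.

    Keying by filename rather than (pid, fd) matters: fd numbers are reused
    after close, so the same fd can refer to different files over a trace.
    """
    files: Dict[str, RecoveredFile] = {}
    for ev in trace:
        if ev.ret < 0:
            continue                        # failed write: nothing reached the file
        files.setdefault(ev.filename, RecoveredFile()).apply(ev.pos, ev.data[:ev.ret])
    return files


def host_path(outdir: str, guest_name: str) -> str:
    """Map a guest path under outdir; '..' in a guest-chosen name is collapsed
    against the root first so the recovered file cannot land outside outdir."""
    rel = os.path.normpath("/" + guest_name).lstrip("/")
    return os.path.join(outdir, rel)


def dump(files: Dict[str, RecoveredFile], outdir: str) -> None:
    for name, rf in files.items():
        path = host_path(outdir, name)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(rf.image)


# Constructed trace: one sequential log, one file written tail-first on a reused fd.
TRACE = [
    WriteEvent(100, 3, "/var/log/app.log", 0, b"start\n", 6),
    WriteEvent(100, 3, "/var/log/app.log", 6, b"ready\n", 6),
    WriteEvent(100, 3, "/tmp/out.bin", 16, b"TAIL", 4),    # fd 3 reused after close
    WriteEvent(100, 3, "/tmp/out.bin", 0, b"HEAD", 4),
    WriteEvent(100, 3, "/tmp/out.bin", 4, b"12345", 3),    # short write: only 3 bytes landed
    WriteEvent(100, 9, "/tmp/out.bin", 0, b"XXXX", -9),    # EBADF: must not touch the image
]

if __name__ == "__main__":
    for name, rf in recover(TRACE).items():
        print(name, len(rf.image), "bytes, holes:", rf.holes())
```

The coverage map is what makes the output honest: a zero byte in the image may be real data or an unobserved region, and `holes()` tells you which. Keying by filename still misses a file that is unlinked and recreated under the same path mid-trace; a production plugin would key on something like the inode reported by OSI.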


