[panda-users] How to resolve the function name of an address?

Brendan Dolan-Gavitt brendandg at nyu.edu
Fri May 20 05:34:31 EDT 2016


To get function names, you will need debug symbols of some sort (DWARF in
Linux, PDB in Windows). This is a little awkward in PANDA right now because
PANDA doesn't support parsing any debug symbol formats, but that's changing
very soon – Ricky Ulrich has been doing some fantastic work on adding DWARF
support to PANDA, which you can see in the stpi & dwarfp plugins:

https://github.com/moyix/panda/blob/master/qemu/panda_plugins/stpi/USAGE.md

In the meantime, you can always use gdb, readelf, nm, and objdump to look
up symbols in a binary. Keep in mind it may have been relocated at runtime due
to ASLR. You can use the osi_linux plugin to get information about where
your program and libraries are loaded in memory, or you can take a memory
dump and get the same information from Volatility.

Hope this helps,
Brendan

On Fri, May 20, 2016 at 1:36 AM, Hij Krix <hijkrix at gmail.com> wrote:

> There is a table in paper 'Tappan Zee (North) Bridge: Mining Memory
> Accesses for Introspection' :
>
> How to get the function name such as 'tls1_generate_master_secret+0x9c'
> in PANDA?


-- 
Brendan Dolan-Gavitt
Assistant Professor, Department of Computer Science and Engineering
NYU Tandon School of Engineering
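The lookup Brendan describes above (static symbols from nm plus the runtime load base from an OSI module listing) as a worked example. This is an added illustration, not code from the original message or from PANDA itself; the nm output, module list and library sizes are constructed, and the tuple shape `(name, base, size)` is an assumed stand-in for what osi_linux or Volatility would report, not PANDA's real API.

```python
"""Resolve a runtime address to 'module!symbol+0xoffset' using static symbols
and a post-ASLR module base.  Added example; all data below is constructed."""
import bisect
import re

# Constructed stand-in for `nm -n --defined-only libssl.so` output.  The addresses
# are link-time virtual addresses (offset 0 for a shared object), not runtime ones.
NM_OUTPUT = """\
0000000000040a10 t ssl3_send_alert
0000000000041c20 T tls1_generate_master_secret
0000000000041e80 T tls1_change_cipher_state
0000000000042500 T tls1_export_keying_material
"""

# Constructed stand-in for a runtime module listing (as osi_linux or Volatility
# would give it): (name, load base after ASLR, mapped size).
MODULES = [
    ("libssl.so", 0x7F3A1C200000, 0x80000),
    ("libc.so.6", 0x7F3A1BE00000, 0x1C0000),
]

NM_LINE = re.compile(r"^([0-9a-fA-F]+)\s+([A-Za-z?])\s+(\S+)$")


def parse_nm(text):
    """Parse nm output into parallel lists (sorted addresses, names)."""
    syms = []
    for line in text.splitlines():
        m = NM_LINE.match(line.strip())
        if not m:
            continue  # blank lines and undefined symbols (no address column)
        syms.append((int(m.group(1), 16), m.group(3)))
    syms.sort()
    return [a for a, _ in syms], [n for _, n in syms]


def find_module(addr, modules):
    """Return (name, base) of the module whose mapping contains addr, else None."""
    for name, base, size in modules:
        if base <= addr < base + size:
            return name, base
    return None


def resolve(addr, modules, symtabs, link_base=0):
    """Map a runtime address to 'module!symbol+0xoff'.

    symtabs maps module name -> parse_nm() result.  link_base is the module's
    link-time base (0 for shared objects and PIE; the ELF's first PT_LOAD vaddr
    for a non-PIE executable), so that addr - base + link_base undoes the slide.
    """
    hit = find_module(addr, modules)
    if hit is None:
        return None  # address is not inside any known mapping
    name, base = hit
    rva = addr - base + link_base  # back to the address space nm reported
    if name not in symtabs:
        return f"{name}+0x{rva:x}"  # no symbols for this module: module-relative
    addrs, names = symtabs[name]
    i = bisect.bisect_right(addrs, rva) - 1  # nearest symbol at or below rva
    if i < 0:
        return f"{name}+0x{rva:x}"  # below the first symbol in the table
    return f"{name}!{names[i]}+0x{rva - addrs[i]:x}"


SYMTABS = {"libssl.so": parse_nm(NM_OUTPUT)}

if __name__ == "__main__":
    # Runtime PC 0x9c bytes into tls1_generate_master_secret, after the ASLR slide.
    pc = 0x7F3A1C200000 + 0x41C20 + 0x9C
    print(hex(pc), "->", resolve(pc, MODULES, SYMTABS))
```

For a non-PIE executable, pass the link-time base (readelf -l shows it as the first LOAD segment's VirtAddr) as `link_base`; for libraries and PIE binaries the default of 0 is right. Symbols from nm are only as good as what survived stripping, so an address may resolve to the nearest preceding exported symbol rather than the true enclosing function; DWARF, once the dwarfp plugin lands, removes that ambiguity.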