[panda-users] Get PANDA to monitor a particular memory range?

Brendan Dolan-Gavitt brendandg at nyu.edu
Sat May 21 11:20:35 EDT 2016


Sure, have a look at bufmon:

https://github.com/moyix/panda/blob/master/qemu/panda_plugins/bufmon/USAGE.md

You will need to know how to get the address space identifier (i.e.
CR3) of the process you're interested in, though. Something like
asidstory can help with that.

-Brendan

On Sat, May 21, 2016 at 5:09 PM, Bridgey theGeek
<bridgeythegeek at gmail.com> wrote:
> Hi PANDAs,
>
> I'm trying to come up with a process where I can observe the changes to a
> specific virtual address range of a specific process's memory.
>
> For example: In Win7SP1x86, I have process app.exe with a pid of 1200, and I
> want to see what changes in the 512 byte range from 0x005e0000 to 0x005e01ff
> of that process's virtual memory during the recording I made.
>
> I've read around tapindex/memdump, but that doesn't seem to quite do what I
> want.
> memsavep and memsnap aren't quite right either.
>
> Is there a way of doing this with PANDA? Might I be into the realm of
> writing my own plugin?
>
> Thanks!
> Adam



-- 
Brendan Dolan-Gavitt
Assistant Professor, Department of Computer Science and Engineering
NYU Tandon School of Engineering
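
Added example, not part of the original message and not bufmon's code or output format: a conceptual model of why the reply asks for the CR3, filtering memory writes by address space and clipping them to the 0x005e0000-0x005e01ff range from the question. The Write record layout, the CR3 values and the event list are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Write:
    instr: int    # position in the replay (constructed field)
    asid: int     # CR3 active when the write happened
    vaddr: int    # guest virtual address of the first byte written
    data: bytes   # bytes written

def watch_range(events, asid, start, size):
    """Return (history, final_bytes) for writes touching [start, start+size) in one ASID."""
    end = start + size
    buf = bytearray(size)  # contents before the first write are unknown; modelled as zeros
    history = []
    for ev in events:
        if ev.asid != asid:
            continue  # same virtual address in another process is different memory
        lo = max(ev.vaddr, start)
        hi = min(ev.vaddr + len(ev.data), end)
        if lo >= hi:
            continue  # write lies entirely outside the watched range
        chunk = ev.data[lo - ev.vaddr:hi - ev.vaddr]  # clip writes that straddle an edge
        buf[lo - start:hi - start] = chunk
        history.append((ev.instr, lo, chunk))
    return history, bytes(buf)

# Constructed sample data: placeholder CR3 values, not taken from any real recording.
TARGET_ASID = 0x3EB5A000
OTHER_ASID = 0x00185000
START, SIZE = 0x005E0000, 0x200   # 512-byte range from the question

EVENTS = [
    Write(100, TARGET_ASID, 0x005DFFFE, b"ABCD"),      # straddles the start: only "CD" counts
    Write(150, OTHER_ASID,  0x005E0010, b"XXXX"),      # right address, wrong process
    Write(200, TARGET_ASID, 0x005E0100, b"\x90\x90"),  # fully inside
    Write(250, TARGET_ASID, 0x005E01FE, b"WXYZ"),      # straddles the end: only "WX" counts
    Write(300, TARGET_ASID, 0x005E0200, b"!!"),        # first byte past the range
]

if __name__ == "__main__":
    history, final = watch_range(EVENTS, TARGET_ASID, START, SIZE)
    for instr, addr, chunk in history:
        print(f"instr={instr} addr={addr:#010x} bytes={chunk.hex()}")
```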

