[panda-users] Get PANDA to monitor a particular memory range?

Bridgey theGeek bridgeythegeek at gmail.com
Sat May 21 11:56:04 EDT 2016


Awesome! Thanks Brendan =)

To avoid a denvercoder9* situation, here's how I did it:

$ ~/panda/qemu/x86_64-softmmu/qemu-system-x86_64 -replay notepad -panda osi -panda win7x86intro -panda asidstory -m 2048 >/dev/null
(The output to /dev/null is just to speed it up a little; I'm going to
review the output later anyway.)

In a different terminal, I watched the progress of this operation with:
$ watch tail asidstory

Once it'd finished:
$ grep Count asidstory && grep notepad asidstory
     Count   Pid        Name              Asid       First            Last
      1136  2392     notepad          7f8f72c0   373716596  ->  1741620197
   notepad : [                  ########  #    #   #   ##  # #  #  #    ### ##### # ####  ###### ##]

So my Asid is: 7f8f72c0

I'm monitoring at offset 0x30e108, for 576 (0x240) bytes in the Asid found
above:
$ echo 30e108 240 7f8f72c0 >search_buffers.txt

Then run bufmon:
$ ~/panda/qemu/x86_64-softmmu/qemu-system-x86_64 -replay notepad -panda callstack_instr -panda bufmon -m 2048

And finally,
$ head -1 buffer_taps.txt
WRITE 416590000 0000000077845d5a 0000000077846600 000000007f8f72c0 000000000030e107 0000000000000001 00

Thanks,
Adam

* https://xkcd.com/979/

On 21 May 2016 at 16:20, Brendan Dolan-Gavitt <brendandg at nyu.edu> wrote:

> Sure, have a look at bufmon:
>
>
> https://github.com/moyix/panda/blob/master/qemu/panda_plugins/bufmon/USAGE.md
>
> You will need to know how to get the address space identifier (i.e.
> CR3) of the process you're interested in, though. Something like
> asidstory can help with that.
>
> -Brendan
>
> On Sat, May 21, 2016 at 5:09 PM, Bridgey theGeek
> <bridgeythegeek at gmail.com> wrote:
> > Hi PANDAs,
> >
> > I'm trying to come up with a process where I can observe the changes to a
> > specific virtual address range of a specific process's memory.
> >
> > For example: In Win7SP1x86, I have process app.exe with a pid of 1200,
> and I
> > want to see what changes in the 512 byte range from 0x005e0000 to
> 0x005e01ff
> > of that process's virtual memory during the recording I made.
> >
> > I've read around tapindex/memdump, but that doesn't seem to quite do
> what I
> > want.
> > memsavep and memsnap aren't quite right either.
> >
> > Is there a way of doing this with PANDA? Might I be into the realm of
> > writing my own plugin?
> >
> > Thanks!
> > Adam
> >
> > _______________________________________________
> > panda-users mailing list
> > panda-users at mit.edu
> > http://mailman.mit.edu/mailman/listinfo/panda-users
> >
>
>
>
> --
> Brendan Dolan-Gavitt
> Assistant Professor, Department of Computer Science and Engineering
> NYU Tandon School of Engineering
>
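Added example, not code from the thread or from the PANDA project: a small Python script that replays the WRITE records of a buffer_taps.txt onto a shadow copy of the monitored range, keeping only taps from the chosen ASID and clipping accesses that only partly overlap the range. The field order (kind, instruction count, pc, caller, asid, address, size, hex bytes) is an assumption read off the sample line above, and the sample taps are constructed.

```python
"""Replay bufmon taps (buffer_taps.txt) against a shadow copy of one buffer."""
from dataclasses import dataclass

# Assumed field order, taken from the sample line in the thread:
# KIND INSTR_COUNT PC CALLER ASID ADDR SIZE HEXBYTES (hex fields zero-padded).

@dataclass
class Tap:
    kind: str      # "READ" or "WRITE"
    instr: int     # guest instruction count at the access
    pc: int        # guest PC of the accessing instruction
    caller: int    # assumed: caller recorded via callstack_instr
    asid: int      # CR3 of the accessing process
    addr: int      # guest virtual address of the access
    size: int      # bytes accessed
    data: bytes    # the bytes read or written

def parse_tap(line: str) -> Tap:
    f = line.split()
    if len(f) != 8:
        raise ValueError(f"unexpected tap line: {line!r}")
    return Tap(f[0], int(f[1]), int(f[2], 16), int(f[3], 16),
               int(f[4], 16), int(f[5], 16), int(f[6], 16), bytes.fromhex(f[7]))

def replay_writes(lines, asid: int, base: int, length: int):
    """Apply every WRITE from `asid` touching [base, base+length) to a shadow
    buffer. Returns (shadow, changes); each change is
    (instr, pc, offset_in_buffer, new_bytes), clipped to the overlap."""
    shadow = bytearray(length)
    changes = []
    for line in lines:
        if not line.strip():
            continue
        t = parse_tap(line)
        if t.kind != "WRITE" or t.asid != asid:
            continue
        lo, hi = max(t.addr, base), min(t.addr + t.size, base + length)
        if lo >= hi:
            continue  # access lies entirely outside the monitored range
        chunk = t.data[lo - t.addr:hi - t.addr]
        shadow[lo - base:hi - base] = chunk
        changes.append((t.instr, t.pc, lo - base, chunk))
    return bytes(shadow), changes

# Constructed sample: first line is the one from the post, the rest are made up.
SAMPLE_TAPS = """\
WRITE 416590000 0000000077845d5a 0000000077846600 000000007f8f72c0 000000000030e107 0000000000000001 00
WRITE 416590100 0000000077845d60 0000000077846600 000000007f8f72c0 000000000030e106 0000000000000004 41424344
READ  416590200 0000000077845d70 0000000077846600 000000007f8f72c0 000000000030e108 0000000000000004 43440000
WRITE 416590300 0000000077845d80 0000000077846600 0000000012345678 000000000030e110 0000000000000002 ffff
WRITE 416590400 0000000077845d90 0000000077846600 000000007f8f72c0 000000000030e346 0000000000000004 01020304
""".splitlines()

if __name__ == "__main__":
    final, changes = replay_writes(SAMPLE_TAPS, 0x7f8f72c0, 0x30e108, 0x240)
    for instr, pc, off, data in changes:
        print(f"instr={instr} pc={pc:#x} +{off:#05x} <- {data.hex()}")
```

Note that the one-byte write at 0x30e107 in the post's own sample line sits just below the range start, so the replay skips it; only accesses that actually overlap the range are applied.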