[panda-users] Get PANDA to monitor a particular memory range?

Brendan Dolan-Gavitt brendandg at nyu.edu
Sat May 21 17:45:27 EDT 2016 

Great, thanks for the writeup! One note is that we recently introduced
a -os command line option that lets you avoid some of the verbosity of
the OSI stuff. So I think you should be able to write your asidstory
command line as:

~/panda/qemu/x86_64-softmmu/qemu-system-x86_64 -replay notepad -os
windows-32-7 -panda asidstory -m 2048 >/dev/null

Glad you got it working!

-Brendan

On Sat, May 21, 2016 at 5:56 PM, Bridgey theGeek
<bridgeythegeek at gmail.com> wrote:
> Awesome! Thanks Brendan =)
>
> To avoid a denvercoder9* situation, here's how I did it:
>
> $ ~/panda/qemu/x86_64-softmmu/qemu-system-x86_64 -replay notepad -panda osi
> -panda win7x86intro -panda asidstory -m 2048 >/dev/null
> (The output to /dev/null is just to speed it up a little; I'm going to
> review the output later anyway.)
>
> In a different terminal, I watched the progress of this operation with:
> $ watch tail asidstory
>
> Once it'd finished:
> $ grep Count asidstory && grep notepad asidstory
>      Count   Pid        Name              Asid       First            Last
>       1136  2392     notepad          7f8f72c0   373716596  ->  1741620197
>    notepad : [                  ########  #    #   #   ##  # #  #  #    ###
> ##### # ####  ###### ##]
>
> So my Asid is: 7f8f72c0
>
> I'm monitoring at offset 0x30e108, for 576 (0x240) bytes in the Asid found
> above:
> $ echo 30e108 240 7f8f72c0 >search_buffers.txt
>
> Then run bufmon:
> $ ~/panda/qemu/x86_64-softmmu/qemu-system-x86_64 -replay notepad -panda
> callstack_instr -panda bufmon -m 2048
>
> And finally,
> $ head -1 buffer_taps.txt
> WRITE 416590000 0000000077845d5a 0000000077846600 000000007f8f72c0
> 000000000030e107 0000000000000001 00
>
> Thanks,
> Adam
>
> * https://xkcd.com/979/
>
> On 21 May 2016 at 16:20, Brendan Dolan-Gavitt <brendandg at nyu.edu> wrote:
>>
>> Sure, have a look at bufmon:
>>
>>
>> https://github.com/moyix/panda/blob/master/qemu/panda_plugins/bufmon/USAGE.md
>>
>> You will need to know how to get the address space identifier (i.e.
>> CR3) of the process you're interested in, though. Something like
>> asidstory can help with that.
>>
>> -Brendan
>>
>> On Sat, May 21, 2016 at 5:09 PM, Bridgey theGeek
>> <bridgeythegeek at gmail.com> wrote:
>> > Hi PANDAs,
>> >
>> > I'm trying to come up with a process where I can observe the changes to
>> > a
>> > specific virtual address range of a specific process's memory.
>> >
>> > For example: In Win7SP1x86, I have process app.exe with a pid of 1200,
>> > and I
>> > want to see what changes in the 512 byte range from 0x005e0000 to
>> > 0x005e01ff
>> > of that process's virtual memory during the recording I made.
>> >
>> > I've read around tapindex/memdump, but that doesn't seem to quite do
>> > what I
>> > want.
>> > memsavep and memsnap aren't quite right either.
>> >
>> > Is there a way of doing this with PANDA? Might I be into the realm of
>> > writing my own plugin?
>> >
>> > Thanks!
>> > Adam
>> >
>> > _______________________________________________
>> > panda-users mailing list
>> > panda-users at mit.edu
>> > http://mailman.mit.edu/mailman/listinfo/panda-users
>> >
>>
>>
>>
>> --
>> Brendan Dolan-Gavitt
>> Assistant Professor, Department of Computer Science and Engineering
>> NYU Tandon School of Engineering
>
>
>
> _______________________________________________
> panda-users mailing list
> panda-users at mit.edu
> http://mailman.mit.edu/mailman/listinfo/panda-users
>



-- 
Brendan Dolan-Gavitt
Assistant Professor, Department of Computer Science and Engineering
NYU Tandon School of Engineering

More information about the panda-users mailing list