[panda-users] Replay of legacy records

aicardi@eurecom.fr aicardi at eurecom.fr
Thu Aug 31 04:50:13 EDT 2017 

Hello everyone,

I am writing a plugin for the new version of panda  
(https://github.com/panda-re/panda) and I would like to test it with  
several malware records that can be found here:  
http://panda.gtisc.gatech.edu/malrec/

I followed the guidelines explained here:  
https://irfanulhaq.info/2015/12/09/replay-panda-malware-recordings/
but I'm having troubles in starting the replays.

When I try to execute one of those records I get the following error message:
$> ~/panda2/x86_64-softmmu/qemu-system-x86_64 -replay  
~/replays/malrec/logs/rr/bb67fd7e-7baa-437d-9333-9999b15f5fde
> loading snapshot
> qemu-system-x86_64: Unsupported migration stream version
> Failed to load vmstate
> Failed to start replay

If I understood it properly, the 'problem' of those records is that  
they have been recorded starting from one of the snapshots that can be  
found here: http://panda.gtisc.gatech.edu/malrec/rr/references/

These snapshots were taken using the old version of panda  
(https://github.com/moyix/panda).

By analyzing the code of the new panda (include/migration/migration.h)  
I saw that there's the following line:
#define QEMU_VM_FILE_VERSION         0x00000003
which is different from what was declared in the old panda (qemu/savevm.c):
#define QEMU_VM_SECTION_FULL         0x04

That difference is causing the error I am getting and I may infer  
there are other differences between the two versions (for what  
concerns the procedure of saving a snapshot).

My question is, since the two versions of panda take snapshots in  
different ways (they write different metadata I guess), is there a way  
to replay records (from http://panda.gtisc.gatech.edu/malrec/) with  
the new version of panda?

Or, is it possible to 'patch' the vm snapshots (from  
http://panda.gtisc.gatech.edu/malrec/rr/references/) to make them work  
with the new version of panda?

Thank you in advance for any suggestions you may have!
samaicardi

-------------------------------------------------------------------------------
This message was sent using EURECOM Webmail: http://webmail.eurecom.fr

More information about the panda-users mailing list