[panda-users] Replay of legacy records

Brendan Dolan-Gavitt brendandg at nyu.edu
Thu Aug 31 10:35:32 EDT 2017


Unfortunately the new version is unlikely to ever be able to replay old
recordings; too much in QEMU has changed, most notably the underlying
default machine model (and hence the set of devices included in the
snapshot). We also took the opportunity to change some of the record/replay
log entry types to better match QEMU's new memory API.

It is frustrating, since we have 91,000 malware recordings now and it would
be cool to use them in panda2, but for now malware-related work has to use
panda1. I will be switching malrec over to panda2 as soon as I have some
free time, though.

-Brendan

On Thu, Aug 31, 2017 at 4:50 AM, <aicardi at eurecom.fr> wrote:

> Hello everyone,
>
> I am writing a plugin for the new version of panda
> (https://github.com/panda-re/panda) and I would like to test it with
> several malware records that can be found here:
> http://panda.gtisc.gatech.edu/malrec/
>
> I followed the guidelines explained here:
> https://irfanulhaq.info/2015/12/09/replay-panda-malware-recordings/
> but I'm having trouble starting the replays.
>
> When I try to execute one of those records I get the following error
> message:
> $> ~/panda2/x86_64-softmmu/qemu-system-x86_64 -replay
> ~/replays/malrec/logs/rr/bb67fd7e-7baa-437d-9333-9999b15f5fde
> > loading snapshot
> > qemu-system-x86_64: Unsupported migration stream version
> > Failed to load vmstate
> > Failed to start replay
>
> If I understood it properly, the 'problem' of those records is that
> they have been recorded starting from one of the snapshots that can be
> found here: http://panda.gtisc.gatech.edu/malrec/rr/references/
>
> These snapshots were taken using the old version of panda
> (https://github.com/moyix/panda).
>
> By analyzing the code of the new panda (include/migration/migration.h)
> I saw that there's the following line:
> #define QEMU_VM_FILE_VERSION         0x00000003
> which is different from what was declared in the old panda (qemu/savevm.c):
> #define QEMU_VM_SECTION_FULL         0x04
>
> That difference is causing the error I am getting and I may infer
> there are other differences between the two versions (for what
> concerns the procedure of saving a snapshot).
>
> My question is, since the two versions of panda take snapshots in
> different ways (they write different metadata I guess), is there a way
> to replay records (from http://panda.gtisc.gatech.edu/malrec/) with
> the new version of panda?
>
> Or, is it possible to 'patch' the vm snapshots (from
> http://panda.gtisc.gatech.edu/malrec/rr/references/) to make them work
> with the new version of panda?
>
> Thank you in advance for any suggestions you may have!
> samaicardi



-- 
Brendan Dolan-Gavitt
Assistant Professor, Department of Computer Science and Engineering
NYU Tandon School of Engineering
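The failure above surfaces only after qemu-system-x86_64 has opened the snapshot and hit the format-version check. A pre-flight check of the snapshot header, as an added example that is not code from PANDA, malrec or either poster: it assumes the snapshot shipped with a recording is a plain QEMU migration stream, which begins with the big-endian magic 0x5145564d ("QEVM") followed by a big-endian 32-bit format version, and it takes the version your build accepts as a parameter, since that is a compile-time constant of the QEMU tree in use.

```python
"""Pre-flight check of a QEMU migration-stream (vmstate) header.

Assumptions (not taken from the thread): the snapshot accompanying a PANDA
recording is a standard QEMU migration stream, i.e. big-endian magic
0x5145564d ("QEVM") followed by a big-endian uint32 format version.  The
version a particular build accepts is supplied by the caller.
"""
import struct

QEMU_VM_FILE_MAGIC = 0x5145564D  # ASCII "QEVM", written at the start of the stream
HEADER = struct.Struct(">II")    # magic, version: two big-endian uint32 fields


def parse_vmstate_header(data: bytes) -> dict:
    """Return {'magic': int, 'version': int} from the first 8 bytes of a stream.

    Raises ValueError on a short read or on a file that is not a QEMU migration
    stream at all (wrong magic), so the problem is reported before a replay is
    attempted rather than as an opaque 'Failed to load vmstate' later.
    """
    if len(data) < HEADER.size:
        raise ValueError(f"short header: {len(data)} bytes, need {HEADER.size}")
    magic, version = HEADER.unpack_from(data)
    if magic != QEMU_VM_FILE_MAGIC:
        raise ValueError(f"bad magic 0x{magic:08x}; not a QEMU migration stream")
    return {"magic": magic, "version": version}


def replay_compatible(data: bytes, expected_version: int) -> bool:
    """True when the stream's format version matches the replaying build's."""
    return parse_vmstate_header(data)["version"] == expected_version


def check_snapshot_file(path: str, expected_version: int) -> bool:
    """Read only the header of the on-disk snapshot and check compatibility."""
    with open(path, "rb") as f:
        return replay_compatible(f.read(HEADER.size), expected_version)


# Constructed sample headers (not real malrec snapshots): a version-3 stream
# and a stream carrying a different version, as another build would write.
SAMPLE_V3 = struct.pack(">II", QEMU_VM_FILE_MAGIC, 3) + b"\x00" * 8
SAMPLE_OTHER = struct.pack(">II", QEMU_VM_FILE_MAGIC, 2) + b"\x00" * 8

if __name__ == "__main__":
    print(parse_vmstate_header(SAMPLE_V3))
    print("version-3 stream on a version-3 build:", replay_compatible(SAMPLE_V3, 3))
    print("other stream on a version-3 build:", replay_compatible(SAMPLE_OTHER, 3))
```

Pass a real snapshot path and your build's version to check_snapshot_file() to get a yes/no answer before launching the replay.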