[panda-users] Replay of legacy records

aicardi@eurecom.fr aicardi at eurecom.fr
Thu Aug 31 11:56:19 EDT 2017


Ok I got it, thanks for the explanation.

I have another problem actually, I tried to replay several records  
(from http://panda.gtisc.gatech.edu/malrec/) with the  
qemu-system-x86_64 compiled from the branch called 'panda1' that I  
found here: https://github.com/panda-re/panda/tree/panda1
I always get the following error:
$> ~/panda1/qemu/x86_64-softmmu/qemu-system-x86_64 -replay logs/rr/7d114620-3e3c-4193-96ce-4689fd9efde3

(process:1475): GLib-WARNING **: /build/glib2.0-prJhLS/glib2.0-2.48.2/./glib/gmem.c:483: custom memory allocation vtable not supported
loading snapshot
Block expected 134217728, found 1073741824, total 1082589184, system total 143065088
qemu: warning: error while loading state for instance 0x0 of device 'ram'
qemu-system-x86_64: Error -22 while loading VM state
... done.
opening nondet log for read :	logs/rr/7d114620-3e3c-4193-96ce-4689fd9efde3-rr-nondet.log
Infinite loop detected during replay, aborting.
{guest_instr_count=0 pc=0x0000fff0, secondary=0x00000000}
7d114620-3e3c-4193-96ce-4689fd9efde3:           0 (  0.00%) instrs.     1.00 sec.  0.03 GB ram.
total_instr in replay: 15418486377
ERROR: replay failed!
Time taken was: 0 seconds.
max_queue_len = 1
0 items on recycle list, 0 bytes total
ERROR: replay failed!
Aborted (core dumped)

Do you possibly know why every record seems to generate an infinite loop?

Thanks in advance,
samaicardi


Quoting Brendan Dolan-Gavitt <brendandg at nyu.edu>:

> Unfortunately the new version is unlikely to ever be able to replay old
> recordings; too much in QEMU has changed, most notably the underlying
> default machine model (and hence the set of devices included in the
> snapshot). We also took the opportunity to change some of the record/replay
> log entry types to better match QEMU's new memory API.
>
> It is frustrating, since we have 91,000 malware recordings now and it would
> be cool to use them in panda2, but for now malware-related work has to use
> panda1. I will be switching malrec over to panda2 as soon as I have some
> free time, though.
>
> -Brendan
>
> On Thu, Aug 31, 2017 at 4:50 AM, <aicardi at eurecom.fr> wrote:
>
>> Hello everyone,
>>
>> I am writing a plugin for the new version of panda
>> (https://github.com/panda-re/panda) and I would like to test it with
>> several malware records that can be found here:
>> http://panda.gtisc.gatech.edu/malrec/
>>
>> I followed the guidelines explained here:
>> https://irfanulhaq.info/2015/12/09/replay-panda-malware-recordings/
>> but I'm having trouble starting the replays.
>>
>> When I try to execute one of those records I get the following error
>> message:
>> $> ~/panda2/x86_64-softmmu/qemu-system-x86_64 -replay
>> ~/replays/malrec/logs/rr/bb67fd7e-7baa-437d-9333-9999b15f5fde
>> > loading snapshot
>> > qemu-system-x86_64: Unsupported migration stream version
>> > Failed to load vmstate
>> > Failed to start replay
>>
>> If I understood it properly, the 'problem' of those records is that
>> they have been recorded starting from one of the snapshots that can be
>> found here: http://panda.gtisc.gatech.edu/malrec/rr/references/
>>
>> These snapshots were taken using the old version of panda
>> (https://github.com/moyix/panda).
>>
>> By analyzing the code of the new panda (include/migration/migration.h)
>> I saw that there's the following line:
>> #define QEMU_VM_FILE_VERSION         0x00000003
>> which is different from what was declared in the old panda (qemu/savevm.c):
>> #define QEMU_VM_SECTION_FULL         0x04
>>
>> That difference is causing the error I am getting and I may infer
>> there are other differences between the two versions (for what
>> concerns the procedure of saving a snapshot).
>>
>> My question is, since the two versions of panda take snapshots in
>> different ways (they write different metadata I guess), is there a way
>> to replay records (from http://panda.gtisc.gatech.edu/malrec/) with
>> the new version of panda?
>>
>> Or, is it possible to 'patch' the vm snapshots (from
>> http://panda.gtisc.gatech.edu/malrec/rr/references/) to make them work
>> with the new version of panda?
>>
>> Thank you in advance for any suggestions you may have!
>> samaicardi
>>
>> ------------------------------------------------------------
>> -------------------
>> This message was sent using EURECOM Webmail: http://webmail.eurecom.fr
>>
>>
>> _______________________________________________
>> panda-users mailing list
>> panda-users at mit.edu
>> http://mailman.mit.edu/mailman/listinfo/panda-users
>>
>
>
>
> --
> Brendan Dolan-Gavitt
> Assistant Professor, Department of Computer Science and Engineering
> NYU Tandon School of Engineering
>


