[panda-users] Replay of legacy records

Brendan Dolan-Gavitt brendandg at nyu.edu
Thu Aug 31 12:37:28 EDT 2017


The malware recordings use 1GB of RAM, so you need to pass "-m 1G" on the
command line when replaying.

Also you may want to instead use the panda1 repository found here:

https://github.com/moyix/panda

As I think I've made a couple of bugfixes to the old branch since we migrated
the repository to the new version of QEMU.

-Brendan

On Thu, Aug 31, 2017 at 11:56 AM, <aicardi at eurecom.fr> wrote:

> OK, I got it, thanks for the explanation.
>
> I have another problem actually, I tried to replay several records (from
> http://panda.gtisc.gatech.edu/malrec/) with the qemu-system-x86_64
> compiled from the branch called 'panda1' that I found here:
> https://github.com/panda-re/panda/tree/panda1
> I always get the following error:
> $> ~/panda1/qemu/x86_64-softmmu/qemu-system-x86_64 -replay
> logs/rr/7d114620-3e3c-4193-96ce-4689fd9efde3
>
> (process:1475): GLib-WARNING **: /build/glib2.0-prJhLS/glib2.0-2.48.2/./glib/gmem.c:483:
> custom memory allocation vtable not supported
> loading snapshot
> Block expected 134217728, found 1073741824, total 1082589184, system total
> 143065088
> qemu: warning: error while loading state for instance 0x0 of device 'ram'
> qemu-system-x86_64: Error -22 while loading VM state
> ... done.
> opening nondet log for read :   logs/rr/7d114620-3e3c-4193-96ce-4689fd9efde3-rr-nondet.log
> Infinite loop detected during replay, aborting.
> {guest_instr_count=0 pc=0x0000fff0, secondary=0x00000000}
> 7d114620-3e3c-4193-96ce-4689fd9efde3:           0 (  0.00%) instrs.
> 1.00 sec.  0.03 GB ram.
> total_instr in replay: 15418486377
> ERROR: replay failed!
> Time taken was: 0 seconds.
> max_queue_len = 1
> 0 items on recycle list, 0 bytes total
> ERROR: replay failed!
> Aborted (core dumped)
>
> Do you possibly know why every record seems to generate an infinite loop?
>
> Thanks in advance,
> samaicardi
>
>
>
> Quoting Brendan Dolan-Gavitt <brendandg at nyu.edu>:
>
>> Unfortunately the new version is unlikely to ever be able to replay old
>> recordings; too much in QEMU has changed, most notably the underlying
>> default machine model (and hence the set of devices included in the
>> snapshot). We also took the opportunity to change some of the record/replay
>> log entry types to better match QEMU's new memory API.
>>
>> It is frustrating, since we have 91,000 malware recordings now and it would
>> be cool to use them in panda2, but for now malware-related work has to use
>> panda1. I will be switching malrec over to panda2 as soon as I have some
>> free time, though.
>>
>> -Brendan
>>
>> On Thu, Aug 31, 2017 at 4:50 AM, <aicardi at eurecom.fr> wrote:
>>
>>> Hello everyone,
>>>
>>> I am writing a plugin for the new version of panda
>>> (https://github.com/panda-re/panda) and I would like to test it with
>>> several malware records that can be found here:
>>> http://panda.gtisc.gatech.edu/malrec/
>>>
>>> I followed the guidelines explained here:
>>> https://irfanulhaq.info/2015/12/09/replay-panda-malware-recordings/
>>> but I'm having trouble starting the replays.
>>>
>>> When I try to execute one of those records I get the following error
>>> message:
>>> $> ~/panda2/x86_64-softmmu/qemu-system-x86_64 -replay
>>> ~/replays/malrec/logs/rr/bb67fd7e-7baa-437d-9333-9999b15f5fde
>>> > loading snapshot
>>> > qemu-system-x86_64: Unsupported migration stream version
>>> > Failed to load vmstate
>>> > Failed to start replay
>>>
>>> If I understood it properly, the 'problem' of those records is that
>>> they have been recorded starting from one of the snapshots that can be
>>> found here: http://panda.gtisc.gatech.edu/malrec/rr/references/
>>>
>>> These snapshots were taken using the old version of panda
>>> (https://github.com/moyix/panda).
>>>
>>> By analyzing the code of the new panda (include/migration/migration.h)
>>> I saw that there's the following line:
>>> #define QEMU_VM_FILE_VERSION         0x00000003
>>> which is different from what was declared in the old panda
>>> (qemu/savevm.c):
>>> #define QEMU_VM_SECTION_FULL         0x04
>>>
>>> That difference is causing the error I am getting and I may infer
>>> there are other differences between the two versions (for what
>>> concerns the procedure of saving a snapshot).
>>>
>>> My question is, since the two versions of panda take snapshots in
>>> different ways (they write different metadata I guess), is there a way
>>> to replay records (from http://panda.gtisc.gatech.edu/malrec/) with
>>> the new version of panda?
>>>
>>> Or, is it possible to 'patch' the vm snapshots (from
>>> http://panda.gtisc.gatech.edu/malrec/rr/references/) to make them work
>>> with the new version of panda?
>>>
>>> Thank you in advance for any suggestions you may have!
>>> samaicardi
>>>
>>
>>
>> --
>> Brendan Dolan-Gavitt
>> Assistant Professor, Department of Computer Science and Engineering
>> NYU Tandon School of Engineering
>>
>>
>
>


-- 
Brendan Dolan-Gavitt
Assistant Professor, Department of Computer Science and Engineering
NYU Tandon School of Engineering
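Added example, not code from the thread or from the PANDA project: a small Python triage helper that reads a failed replay's stderr and tells the two failure classes quoted above apart. The "Block expected ..., found ..." line is a RAM-size mismatch that the `-m` flag fixes (QEMU's default 128M versus the recording's 1G); "Unsupported migration stream version" is a vmstate format mismatch that no command-line flag can fix, so the recording needs the panda1 build. The sample log texts are constructed from the outputs quoted in the thread; `diagnose_replay_log` and `human_size` are hypothetical names.

```python
import re

# Constructed from the first failure quoted in the thread (panda1 without -m).
RAM_MISMATCH_LOG = """loading snapshot
Block expected 134217728, found 1073741824, total 1082589184, system total 143065088
qemu: warning: error while loading state for instance 0x0 of device 'ram'
qemu-system-x86_64: Error -22 while loading VM state
Infinite loop detected during replay, aborting.
"""

# Constructed from the second failure quoted in the thread (panda2 on an old recording).
VERSION_LOG = """loading snapshot
qemu-system-x86_64: Unsupported migration stream version
Failed to load vmstate
Failed to start replay
"""

_BLOCK_RE = re.compile(r"Block expected (\d+), found (\d+)")


def human_size(nbytes: int) -> str:
    """Render a byte count as a QEMU -m argument (exact GiB or MiB only)."""
    gib, mib = 1 << 30, 1 << 20
    if nbytes % gib == 0:
        return f"{nbytes // gib}G"
    if nbytes % mib == 0:
        return f"{nbytes // mib}M"
    # The 'ram' block length must match exactly, so rounding would not help.
    raise ValueError(f"{nbytes} bytes is not a whole number of MiB")


def diagnose_replay_log(text: str) -> dict:
    """Classify a failed PANDA replay from its stderr output (hypothetical helper).

    'expected' is the RAM size the replaying QEMU was launched with and
    'found' is the size stored in the recording's snapshot; the -m value
    must therefore be derived from 'found'.
    """
    m = _BLOCK_RE.search(text)
    if m:
        expected, found = int(m.group(1)), int(m.group(2))
        return {"cause": "ram_size_mismatch",
                "launched_with": human_size(expected),
                "mem_flag": f"-m {human_size(found)}"}
    if "Unsupported migration stream version" in text:
        # Snapshot format differs; only the matching PANDA/QEMU build can load it.
        return {"cause": "vmstate_version_mismatch"}
    return {"cause": "unknown"}
```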