[panda-users] Porting plugin from panda2 to panda1

aicardi@eurecom.fr aicardi at eurecom.fr
Mon Dec 4 03:24:36 EST 2017 

Hello Brendan,

I would like to ask you a general question on panda1. How stable is it  
with respect to panda2?
I'm asking because I wanted to port the analysis I've done in panda2  
(where it worked) to panda1, to take advantage of the huge number of  
recordings that you are hosting on  
http://panda.gtisc.gatech.edu/malrec/.
In porting the plugin there were of course several things I needed to  
modify to make it work in panda1, but I think I've done this part  
without errors.
Up to now I noticed that the plugin sometimes stops, segfaults or it  
does not produce the correct results. Some of the  
errors/inconsistencies I encountered were:
- get_current_process(..) sometimes segfaults
- get_current_process(..) sometimes returns a struct OsiProc whose  
ASID is different from the one returned by panda_current_asid(..)
- if I register a callback on PANDA_CB_VMI_PGD_CHANGED I notice again  
some inconsistencies between the 'new_asid' and the ASID in the struct  
OsiProc returned when I call get_current_process(..)
-cpu->exception_index (which in panda2 was -1 most of the times) here  
seems to be 0 most of the times

All those little things stop me from understanding which is the  
current process and thus I cannot go on with the analysis because I  
need to consider only the basic blocks that belong to a certain process.

Could you please suggest me what can I do to solve these problems or  
to properly track the current process?

NOTE: since I needed to track a certain process from its creation I  
enabled the two callbacks on_new_process and on_finished_process in  
the 'osi' plugin. I know that you told me that this is not stable  
enough to be used, but I don't know what to do otherwise. It seems  
quite stable though, unless you think that the above problems can be  
related.

Thank you in advance for you time!

Best regards,
Samuele




-------------------------------------------------------------------------------
This message was sent using EURECOM Webmail: http://webmail.eurecom.fr

More information about the panda-users mailing list