[panda-users] How to create patches from memory snapshot

aicardi@eurecom.fr aicardi at eurecom.fr
Mon Nov 6 09:16:29 EST 2017


Thank you very much, I will try them soon!
Just another question: how can I create the "reference" snapshot?
Normally I start recording from a qcow2 image snapshot that I've
previously created with qemu monitor's "savevm <snap_name>" command,
do I need to extract the reference snapshot from the qcow2 image?

Regards,
Samuele

Quoting Brendan Dolan-Gavitt <brendandg at nyu.edu>:

> The basic idea is very simple. The -rr-snp files differ from the
> "reference" snapshots by only a few bytes, so you can just make a diff. I
> wrote two small programs to diff and patch the snapshots, bdiff and
> bpatch.py:
>
> http://giantpanda.gtisc.gatech.edu/malrec/rr/tools/
>
> There is also a script there that will create the diff and pack up a
> recording automatically given a snapshot and a list of possible reference
> snapshots:
>
> http://giantpanda.gtisc.gatech.edu/malrec/rr/tools/pack_opt.sh
>
> Hope this helps!
>
> Best,
> Brendan
>
>
>
> On Mon, Nov 6, 2017 at 5:12 AM, <aicardi at eurecom.fr> wrote:
>
>> Hello Brendan,
>>
>> I am writing a script to apply my panda plugin on a large number of
>> recordings.
>> To do so I need to take a lot of recordings starting from the same
>> qemu snapshot.
>> My problem is that I don't have enough space to save all the *-rr-snp
>> files on disk. I saw on this article
>> (https://irfanulhaq.info/2015/12/09/replay-panda-malware-recordings/)
>> that it's possible to save just a "patch" file containing only the
>> differences from the original snapshot and then generate the actual
>> *-rr-snp file only when it's needed.
>>
>> How can I produce such "patch" file?
>>
>> Thank you in advance,
>>
>> Samuele
>>
>> -------------------------------------------------------------------------------
>> This message was sent using EURECOM Webmail: http://webmail.eurecom.fr
>>
>>
>
>
> --
> Brendan Dolan-Gavitt
> Assistant Professor, Department of Computer Science and Engineering
> NYU Tandon School of Engineering
>

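The diff-and-patch idea Brendan describes, as an added example that is not the bdiff/bpatch.py code from the linked tools: it stores only the byte runs where a recording's snapshot differs from the reference, and embeds a hash of the reference so a patch is never applied to the wrong base image (which would otherwise silently yield a corrupt snapshot). The format tag, the field layout and the sample data are constructed for this example.

```python
import hashlib
import struct

MAGIC = b"RRSNPDIFF1"  # constructed tag for this example's format, not bdiff's real one

# Constructed sample: a reference snapshot and a recording that differs in two short runs
REFERENCE = bytes(range(256)) * 4
RECORDING = REFERENCE[:10] + b"\xaa\xbb\xcc" + REFERENCE[13:700] + b"\x00" + REFERENCE[701:]

def diff_runs(ref, target):
    """Yield (offset, replacement) for each run of bytes where target differs from ref."""
    n, i = min(len(ref), len(target)), 0
    while i < n:
        if ref[i] == target[i]:
            i += 1
            continue
        j = i
        while j < n and ref[j] != target[j]:
            j += 1
        yield i, target[i:j]
        i = j
    if len(target) > n:  # target longer than the reference: keep the tail as one run
        yield n, target[n:]

def make_patch(ref, target):
    """Serialise only the differing runs, preceded by the reference hash and target length."""
    out = [MAGIC, hashlib.sha256(ref).digest(), struct.pack("<Q", len(target))]
    for off, data in diff_runs(ref, target):
        out.append(struct.pack("<QI", off, len(data)) + data)
    return b"".join(out)

def apply_patch(ref, patch):
    """Rebuild the target; refuse a patch that was made against a different reference."""
    if not patch.startswith(MAGIC):
        raise ValueError("not a patch produced by make_patch")
    pos = len(MAGIC)
    if patch[pos:pos + 32] != hashlib.sha256(ref).digest():
        raise ValueError("reference snapshot does not match the one the patch was made from")
    pos += 32
    (target_len,) = struct.unpack_from("<Q", patch, pos)
    pos += 8
    buf = bytearray(ref[:target_len])  # truncates if the target is shorter than ref
    while pos < len(patch):
        off, length = struct.unpack_from("<QI", patch, pos)
        pos += 12
        buf[off:off + length] = patch[pos:pos + length]  # appends when off == len(buf)
        pos += length
    return bytes(buf)
```

The patch for the sample is 78 bytes, against 1024 bytes for the full recording snapshot; a patch built from one reference is rejected when applied to any other.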