[panda-users] How to create patches from memory snapshot

Brendan Dolan-Gavitt brendandg at nyu.edu
Mon Nov 6 09:18:49 EST 2017


Since they're all very similar to one another, you can just pick any
-rr-snp to use as the reference snapshot. The pack_opt.sh script will
detect if there's no sufficiently-similar reference snapshot and copy the
current snapshot into the references directory.

-Brendan

On Mon, Nov 6, 2017 at 9:16 AM, <aicardi at eurecom.fr> wrote:

> Thank you very much, I will try them soon!
> Just another question: how can I create the "reference" snapshot?
> Normally I start recording from a qcow2 image snapshot that I've
> previously created with qemu monitor's "savevm <snap_name>" command,
> do I need to extract the reference snapshot from the qcow2 image?
>
> Regards,
> Samuele
>
> Quoting Brendan Dolan-Gavitt <brendandg at nyu.edu>:
>
>> The basic idea is very simple. The -rr-snp files differ from the
>> "reference" snapshots by only a few bytes, so you can just make a diff. I
>> wrote two small programs to diff and patch the snapshots, bdiff and
>> bpatch.py:
>>
>> http://giantpanda.gtisc.gatech.edu/malrec/rr/tools/
>>
>> There is also a script there that will create the diff and pack up a
>> recording automatically given a snapshot and a list of possible reference
>> snapshots:
>>
>> http://giantpanda.gtisc.gatech.edu/malrec/rr/tools/pack_opt.sh
>>
>> Hope this helps!
>>
>> Best,
>> Brendan
>>
>>
>>
>> On Mon, Nov 6, 2017 at 5:12 AM, <aicardi at eurecom.fr> wrote:
>>
>>> Hello Brendan,
>>>
>>> I am writing a script to apply my panda plugin on a large number of
>>> recordings.
>>> To do so I need to take a lot of recordings starting from the same
>>> qemu snapshot.
>>> My problem is that I don't have enough space to save all the *-rr-snp
>>> files on disk. I saw on this article
>>> (https://irfanulhaq.info/2015/12/09/replay-panda-malware-recordings/)
>>> that it's possible to save just a "patch" file containing only the
>>> differences from the original snapshot and then generate the actual
>>> *-rr-snp file only when it's needed.
>>>
>>> How can I produce such "patch" file?
>>>
>>> Thank you in advance,
>>>
>>> Samuele
>>>
>>> -------------------------------------------------------------------------------
>>> This message was sent using EURECOM Webmail: http://webmail.eurecom.fr
>>>
>>>
>>>
>>
>> --
>> Brendan Dolan-Gavitt
>> Assistant Professor, Department of Computer Science and Engineering
>> NYU Tandon School of Engineering
>>
>>
>
>


-- 
Brendan Dolan-Gavitt
Assistant Professor, Department of Computer Science and Engineering
NYU Tandon School of Engineering
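The diff-and-patch idea from the thread, as an added example rather than the actual bdiff/bpatch.py tools or pack_opt.sh (whose on-disk patch format is not shown in the thread): a byte-level diff of a snapshot against a same-size reference, the reverse patch step, and the "use the most similar reference if one is close enough, else adopt this snapshot as a new reference" decision. The patch format, the similarity threshold and the sample bytes are assumptions constructed for the example.

```python
# Added example, not the thread's bdiff/bpatch.py. Patch format (assumed):
# a list of (offset, replacement_bytes) runs against a same-size reference.
from typing import Dict, List, Optional, Tuple

Patch = List[Tuple[int, bytes]]


def bdiff(ref: bytes, snap: bytes) -> Patch:
    """Return the runs of bytes where snap differs from ref."""
    if len(ref) != len(snap):
        raise ValueError("snapshot and reference must be the same size")
    patch: Patch = []
    i, n = 0, len(ref)
    while i < n:
        if ref[i] == snap[i]:
            i += 1
            continue
        start = i
        while i < n and ref[i] != snap[i]:   # extend the differing run
            i += 1
        patch.append((start, snap[start:i]))
    return patch


def bpatch(ref: bytes, patch: Patch) -> bytes:
    """Rebuild the full snapshot by writing each run over a copy of ref."""
    out = bytearray(ref)
    for off, data in patch:
        out[off:off + len(data)] = data
    return bytes(out)


def patch_size(patch: Patch) -> int:
    return sum(len(data) for _, data in patch)


def choose_reference(snap: bytes, refs: Dict[str, bytes],
                     max_diff_bytes: int) -> Optional[Tuple[str, int]]:
    """Pick the reference needing the smallest patch; None means 'none close
    enough', i.e. the caller should copy snap into the references directory."""
    best: Optional[Tuple[str, int]] = None
    for name, ref in refs.items():
        if len(ref) != len(snap):
            continue
        size = patch_size(bdiff(ref, snap))
        if size <= max_diff_bytes and (best is None or size < best[1]):
            best = (name, size)
    return best


# Constructed sample: a 64-byte "reference" and a snapshot differing in 3 bytes.
REF = bytes(range(64))
_tmp = bytearray(REF); _tmp[10] = 0xFF; _tmp[11] = 0xFE; _tmp[40] = 0x00
SNAP = bytes(_tmp)
```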