[panda-users] How to create patches from memory snapshot

Brendan Dolan-Gavitt brendandg at nyu.edu
Mon Nov 6 09:26:15 EST 2017


I should add that it *is* possible to extract the snapshot from a QCOW if
that's what you really want. Just start up QEMU with:

-loadvm snap -S

Then at the monitor, do:

migrate "exec:cat > reference-rr-snp"

Best,
Brendan

On Mon, Nov 6, 2017 at 9:18 AM, Brendan Dolan-Gavitt <brendandg at nyu.edu>
wrote:

> Since they're all very similar to one another, you can just pick any
> -rr-snp to use as the reference snapshot. The pack_opt.sh script will
> detect if there's no sufficiently-similar reference snapshot and copy the
> current snapshot into the references directory.
>
> -Brendan
>
> On Mon, Nov 6, 2017 at 9:16 AM, <aicardi at eurecom.fr> wrote:
>
>> Thank you very much, I will try them soon!
>> Just another question: how can I create the "reference" snapshot?
>> Normally I start recording from a qcow2 image snapshot that I've
>> previously created with qemu monitor's "savevm <snap_name>" command,
>> do I need to extract the reference snapshot from the qcow2 image?
>>
>> Regards,
>> Samuele
>>
>> Quoting Brendan Dolan-Gavitt <brendandg at nyu.edu>:
>>
>>> The basic idea is very simple. The -rr-snp files differ from the
>>> "reference" snapshots by only a few bytes, so you can just make a diff. I
>>> wrote two small programs to diff and patch the snapshots, bdiff and
>>> bpatch.py:
>>>
>>> http://giantpanda.gtisc.gatech.edu/malrec/rr/tools/
>>>
>>> There is also a script there that will create the diff and pack up a
>>> recording automatically given a snapshot and a list of possible reference
>>> snapshots:
>>>
>>> http://giantpanda.gtisc.gatech.edu/malrec/rr/tools/pack_opt.sh
>>>
>>> Hope this helps!
>>>
>>> Best,
>>> Brendan
>>>
>>>
>>>
>>> On Mon, Nov 6, 2017 at 5:12 AM, <aicardi at eurecom.fr> wrote:
>>>
>>>> Hello Brendan,
>>>>
>>>> I am writing a script to apply my panda plugin on a large number of
>>>> recordings.
>>>> To do so I need to take a lot of recordings starting from the same
>>>> qemu snapshot.
>>>> My problem is that I don't have enough space to save all the *-rr-snp
>>>> files on disk. I saw on this article
>>>> (https://irfanulhaq.info/2015/12/09/replay-panda-malware-recordings/)
>>>> that it's possible to save just a "patch" file containing only the
>>>> differences from the original snapshot and then generate the actual
>>>> *-rr-snp file only when it's needed.
>>>>
>>>> How can I produce such "patch" file?
>>>>
>>>> Thank you in advance,
>>>>
>>>> Samuele
>>>>
>>>> ------------------------------------------------------------
>>>> -------------------
>>>> This message was sent using EURECOM Webmail: http://webmail.eurecom.fr
>>>>
>>>>
>>>>
>>>
>>> --
>>> Brendan Dolan-Gavitt
>>> Assistant Professor, Department of Computer Science and Engineering
>>> NYU Tandon School of Engineering
>>>
>>>
>>
>>
>
>
> --
> Brendan Dolan-Gavitt
> Assistant Professor, Department of Computer Science and Engineering
> NYU Tandon School of Engineering
>



-- 
Brendan Dolan-Gavitt
Assistant Professor, Department of Computer Science and Engineering
NYU Tandon School of Engineering
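As an added illustration of the diff-and-patch idea described in the thread (my own Python, not the bdiff/bpatch.py tools linked above): record only the byte runs where an -rr-snp file differs from the reference snapshot, pack them into a small patch file, and rebuild the full snapshot from reference plus patch when a replay needs it. The snapshot bytes are constructed inline and the patch layout is an assumption of this example, not the format those tools use.

```python
import struct

# Constructed stand-ins for a reference snapshot and one recording's -rr-snp
# file: identical except for a few bytes and a slightly longer tail.
REFERENCE = bytes(range(256)) * 4
SNAPSHOT = bytearray(REFERENCE)
SNAPSHOT[10:13] = b"\xaa\xbb\xcc"
SNAPSHOT[700] = 0x00
SNAPSHOT = bytes(SNAPSHOT) + b"\x01\x02"

def bdiff(ref, snap):
    """Runs of bytes in snap that differ from ref, as (offset, data) hunks; a
    longer tail is a final hunk, a shorter snap an empty truncation hunk."""
    hunks, n, i = [], min(len(ref), len(snap)), 0
    while i < n:
        if ref[i] == snap[i]:
            i += 1
            continue
        start = i
        while i < n and ref[i] != snap[i]:
            i += 1
        hunks.append((start, snap[start:i]))
    if len(snap) > len(ref):
        hunks.append((len(ref), snap[len(ref):]))
    elif len(snap) < len(ref):
        hunks.append((len(snap), b""))
    return hunks

def bpatch(ref, hunks):
    """Rebuild the -rr-snp bytes by applying hunks to the reference."""
    out = bytearray(ref)
    for off, data in hunks:
        if not data:                       # truncation marker
            del out[off:]
        else:
            out[off:off + len(data)] = data
    return bytes(out)

def pack_patch(hunks):
    """Serialise hunks as a compact patch file: [u64 offset][u32 len][data]..."""
    return b"".join(struct.pack(">QI", o, len(d)) + d for o, d in hunks)

def unpack_patch(blob):
    """Inverse of pack_patch."""
    hunks, pos = [], 0
    while pos < len(blob):
        off, ln = struct.unpack_from(">QI", blob, pos)
        hunks.append((off, blob[pos + 12:pos + 12 + ln]))
        pos += 12 + ln
    return hunks
```

With the sample data the packed patch is 42 bytes against a 1026-byte snapshot, which is the space saving the thread is after.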