[panda-users] How to create patches from memory snapshot

aicardi@eurecom.fr aicardi at eurecom.fr
Mon Nov 6 09:52:49 EST 2017


Actually, what if the *-rr-snp files are not of the same size?

Quoting Brendan Dolan-Gavitt <brendandg at nyu.edu>:

> I should add that it *is* possible to extract the snapshot from a QCOW if
> that's what you really want. Just start up QEMU with:
>
> -loadvm snap -S
>
> Then at the monitor, do:
>
> migrate "exec:cat > reference-rr-snp"
>
> Best,
> Brendan
>
> On Mon, Nov 6, 2017 at 9:18 AM, Brendan Dolan-Gavitt <brendandg at nyu.edu>
> wrote:
>
>> Since they're all very similar to one another, you can just pick any
>> -rr-snp to use as the reference snapshot. The pack_opt.sh script will
>> detect if there's no sufficiently-similar reference snapshot and copy the
>> current snapshot into the references directory.
>>
>> -Brendan
>>
>> On Mon, Nov 6, 2017 at 9:16 AM, <aicardi at eurecom.fr> wrote:
>>
>>> Thank you very much, I will try them soon!
>>> Just another question: how can I create the "reference" snapshot?
>>> Normally I start recording from a qcow2 image snapshot that I've
>>> previously created with qemu monitor's "savevm <snap_name>" command,
>>> do I need to extract the reference snapshot from the qcow2 image?
>>>
>>> Regards,
>>> Samuele
>>>
>>> Quoting Brendan Dolan-Gavitt <brendandg at nyu.edu>:
>>>
>>>> The basic idea is very simple. The -rr-snp files differ from the
>>>> "reference" snapshots by only a few bytes, so you can just make a diff. I
>>>> wrote two small programs to diff and patch the snapshots, bdiff and
>>>> bpatch.py:
>>>>
>>>> http://giantpanda.gtisc.gatech.edu/malrec/rr/tools/
>>>>
>>>> There is also a script there that will create the diff and pack up a
>>>> recording automatically given a snapshot and a list of possible reference
>>>> snapshots:
>>>>
>>>> http://giantpanda.gtisc.gatech.edu/malrec/rr/tools/pack_opt.sh
>>>>
>>>> Hope this helps!
>>>>
>>>> Best,
>>>> Brendan
>>>>
>>>> On Mon, Nov 6, 2017 at 5:12 AM, <aicardi at eurecom.fr> wrote:
>>>>
>>>>> Hello Brendan,
>>>>>
>>>>> I am writing a script to apply my panda plugin on a large number of
>>>>> recordings.
>>>>> To do so I need to take a lot of recordings starting from the same
>>>>> qemu snapshot.
>>>>> My problem is that I don't have enough space to save all the *-rr-snp
>>>>> files on disk. I saw on this article
>>>>> (https://irfanulhaq.info/2015/12/09/replay-panda-malware-recordings/)
>>>>> that it's possible to save just a "patch" file containing only the
>>>>> differences from the original snapshot and then generate the actual
>>>>> *-rr-snp file only when it's needed.
>>>>>
>>>>> How can I produce such "patch" file?
>>>>>
>>>>> Thank you in advance,
>>>>>
>>>>> Samuele
>>>>>
>>>>> -------------------------------------------------------------------------------
>>>>> This message was sent using EURECOM Webmail: http://webmail.eurecom.fr
>>>>>
>>>>
>>>> --
>>>> Brendan Dolan-Gavitt
>>>> Assistant Professor, Department of Computer Science and Engineering
>>>> NYU Tandon School of Engineering
>>>>
>>>
>>
>
>



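An added example of the diff-and-patch idea from this thread, written for this page and not the bdiff/bpatch.py tools Brendan links (their on-disk format is not reproduced here). It handles the size question raised at the top: the patch header records both file lengths plus a SHA-256 of the reference, so a target -rr-snp that is longer or shorter than the reference is rebuilt correctly, and a patch applied against the wrong reference snapshot is refused instead of silently producing a corrupt snapshot. The MAGIC, HEADER and RUN layouts are constructed for this example.

```python
import hashlib
import struct

MAGIC = b"SNPD"                      # constructed marker for this example's patch format
HEADER = struct.Struct("<4s32sQQ")   # magic, sha256(reference), ref_len, target_len
RUN = struct.Struct("<QQ")           # offset, length, followed by the replacement bytes


def make_patch(reference: bytes, target: bytes) -> bytes:
    """Serialise the byte runs where target differs from reference."""
    common = min(len(reference), len(target))
    runs, start = [], None
    for i in range(common):            # linear byte scan over the shared prefix
        if reference[i] != target[i]:
            if start is None:
                start = i
        elif start is not None:
            runs.append((start, target[start:i]))
            start = None
    if start is not None:
        runs.append((start, target[start:common]))
    if len(target) > common:           # target longer than reference: its tail is one run
        runs.append((common, target[common:]))
    digest = hashlib.sha256(reference).digest()
    out = [HEADER.pack(MAGIC, digest, len(reference), len(target))]
    for off, data in runs:
        out.append(RUN.pack(off, len(data)) + data)
    return b"".join(out)


def apply_patch(reference: bytes, patch: bytes) -> bytes:
    """Rebuild the target; refuse a patch made against a different reference."""
    magic, digest, ref_len, target_len = HEADER.unpack_from(patch, 0)
    if magic != MAGIC:
        raise ValueError("not a snapshot patch")
    if len(reference) != ref_len or hashlib.sha256(reference).digest() != digest:
        raise ValueError("patch was made against a different reference snapshot")
    buf = bytearray(reference[:target_len])      # truncates if the target is shorter
    buf.extend(b"\0" * (target_len - len(buf)))  # grows if the target is longer
    pos = HEADER.size
    while pos < len(patch):
        off, n = RUN.unpack_from(patch, pos)
        pos += RUN.size
        buf[off:off + n] = patch[pos:pos + n]
        pos += n
    return bytes(buf)
```

A real -rr-snp is hundreds of MB, so the byte loop should be replaced with block-wise comparison before use at scale; the patch layout and the reference check are the part worth keeping.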



