[panda-users] memory detection

Brendan Dolan-Gavitt brendandg at nyu.edu
Mon Nov 27 11:22:32 EST 2017


There's no direct way to do this in PANDA. At the hardware level, there is
information in the page tables about whether a given page is executable (at
least on x86 – this is the NX bit). So you could walk the page tables and
check whether the current page is marked non-executable. There's code
in target/i386/monitor.c that shows how to walk page tables on x86 and
retrieve the various protection bits.

You could also look at the OS's data structures. On Windows the data
structure to look at is the Virtual Address Descriptor (VAD) tree, which
tracks the memory regions and protections for each process. I don't know
the Linux equivalent of this off the top of my head, but it should have
something similar. Doing this would require additions to the OS
introspection plugins (win7x86intro and wintrospection for Windows,
osi_linux for Linux).

Best,
Brendan

On Mon, Nov 27, 2017 at 9:40 AM, luca valerio <therealpighack at hotmail.com>
wrote:

> Hi all,
>
>
> I'm a beginner with PANDA. I'm writing a plugin to make detection of memory
> write. In particular I need to detect when a part of memory, which can be
> executed, is written.
>
> I suppose that I must use the callback "PANDA_CB_VIRT_MEM_AFTER_WRITE"
> but this doesn't say anything w.r.t. the possibility to execute the memory
> area that has been written.
>
> Is there a way to do this (i.e. detect memory write on executable memory)?
> Maybe I should use another callback?
>
>
> Thanks,
>
> Luca


-- 
Brendan Dolan-Gavitt
Assistant Professor, Department of Computer Science and Engineering
NYU Tandon School of Engineering