[panda-users] memory detection

Brendan Dolan-Gavitt brendandg at nyu.edu
Thu Nov 30 07:49:45 EST 2017


There isn't any support for it in PANDA currently – you would have to add
it.

-Brendan

On Thu, Nov 30, 2017 at 7:48 AM, luca valerio <therealpighack at hotmail.com>
wrote:

> Sorry for the previous mail, I didn't finish writing.
>
> Ok, suppose that I want to access the Virtual Address Descriptor. How
> can I do this from a PANDA plugin?
>
> In particular I was looking at the "osi" module. It allows access to
> the executing process, and I saw that it defines a struct:
>
> typedef struct osi_proc_struct {
>     target_ulong offset;
>     char *name;
>     target_ulong asid;
>     OsiPage *pages;
>     target_ulong pid;
>     target_ulong ppid;
> } OsiProc;
>
> What I want to do is get access to the pages (through the OsiPage *
> pages attribute) of each process and get information about them (i.e. whether
> they are executable). Is there a structure that allows me to access the
> Virtual Address Descriptor?
>
> ------------------------------
> *From:* luca valerio
> *Sent:* Thursday, November 30, 2017 1:43:07 PM
> *To:* Brendan Dolan-Gavitt
>
> *Cc:* panda-users at mit.edu
> *Subject:* Re: [panda-users] memory detection
>
>
> Ok, suppose that I want to access the Virtual Address Descriptor. How
> can I do this from a PANDA plugin?
>
>
> In particular I was looking to the "osi"
>
> ------------------------------
> *From:* Brendan Dolan-Gavitt <brendandg at nyu.edu>
> *Sent:* Monday, November 27, 2017 5:22:32 PM
> *To:* luca valerio
> *Cc:* panda-users at mit.edu
> *Subject:* Re: [panda-users] memory detection
>
> There's no direct way to do this in PANDA. At the hardware level, there is
> information in the page tables about whether a given page is executable (at
> least on x86 – this is the NX bit). So you could walk the page tables and
> check whether the current page is marked non-executable. There's code
> in target/i386/monitor.c that shows how to walk page tables on x86 and
> retrieve the various protection bits.
>
> You could also look at the OS's data structures. On Windows the data
> structure to look at is the Virtual Address Descriptor (VAD) tree, which
> tracks the memory regions and protections for each process. I don't know
> the Linux equivalent of this off the top of my head, but it should have
> something similar. Doing this would require additions to the OS
> introspection plugins (win7x86intro and wintrospection for Windows,
> osi_linux for Linux).
>
> Best,
> Brendan
>
> On Mon, Nov 27, 2017 at 9:40 AM, luca valerio <therealpighack at hotmail.com>
> wrote:
>
> Hi all,
>
>
> I'm a beginner with PANDA. I'm writing a plugin to detect memory
> writes. In particular I need to detect when a part of memory which can be
> executed is written.
>
> I suppose that I must use the callback "PANDA_CB_VIRT_MEM_AFTER_WRITE"
> but this doesn't say anything w.r.t. the possibility to execute the memory
> area that has been written.
>
> Is there a way to do this (i.e. detect memory write on executable memory)?
> Maybe I should use another callback?
>
>
> Thanks,
>
> Luca
>
>
> _______________________________________________
> panda-users mailing list
> panda-users at mit.edu
> http://mailman.mit.edu/mailman/listinfo/panda-users
>
>
>
>
> --
> Brendan Dolan-Gavitt
> Assistant Professor, Department of Computer Science and Engineering
> NYU Tandon School of Engineering
>



-- 
Brendan Dolan-Gavitt
Assistant Professor, Department of Computer Science and Engineering
NYU Tandon School of Engineering
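
The page-table walk suggested in the thread above, as an added example that is
not part of the original mails or of PANDA itself. It models x86-64 4-level
paging over a constructed in-process buffer that stands in for guest physical
memory (in a real plugin the reads would go through PANDA's physical-memory
API against the guest's CR3, as target/i386/monitor.c does). The names
walk_x86_64, write_hit_executable_page and build_constructed_tables are
assumptions for this example. It folds permissions across levels the way the
MMU does: a page is writable or user-accessible only if every level allows it,
and non-executable if any level sets XD. Caveats a practitioner should keep in
mind: the XD bit only has meaning when EFER.NXE is set (otherwise bit 63 is
reserved), 32-bit PAE guests use a 3-level walk with the same low-level entry
layout, and legacy 32-bit non-PAE paging has no NX bit at all, so for those
guests only the OS data structures (VAD tree, VMAs) carry the execute
permission.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for guest physical memory: five 4 KiB frames. */
#define PAGE_SHIFT 12
#define PAGE_SIZE  (1u << PAGE_SHIFT)
#define NFRAMES    5
static uint8_t phys_mem[NFRAMES * PAGE_SIZE];

/* x86-64 paging-structure entry bits (Intel SDM Vol. 3A, ch. 4). */
#define PTE_P         (1ull << 0)   /* present */
#define PTE_RW        (1ull << 1)   /* writable */
#define PTE_US        (1ull << 2)   /* user-accessible */
#define PTE_PS        (1ull << 7)   /* page size: 1 GiB (PDPTE) / 2 MiB (PDE) */
#define PTE_NX        (1ull << 63)  /* execute-disable (XD); needs EFER.NXE=1 */
#define PTE_ADDR_MASK 0x000FFFFFFFFFF000ull  /* physical address, bits 51:12 */

typedef struct {
    bool present;
    bool writable;    /* R/W set at every level of the walk */
    bool user;        /* U/S set at every level */
    bool executable;  /* no level has XD set (assuming EFER.NXE=1) */
    uint64_t paddr;   /* translated physical address */
    int level;        /* level the walk ended at: 1 = 4 KiB, 2 = 2 MiB, 3 = 1 GiB */
} PteInfo;

/* In a PANDA plugin this would be a guest physical-memory read. */
static uint64_t read_phys64(uint64_t paddr) {
    uint64_t v;
    assert(paddr + 8 <= sizeof phys_mem);
    memcpy(&v, phys_mem + paddr, sizeof v);
    return v;
}

/* Walk the 4-level hierarchy rooted at cr3 for vaddr, folding the
 * permission bits across levels like the MMU does. */
static PteInfo walk_x86_64(uint64_t cr3, uint64_t vaddr) {
    PteInfo info = {0};
    info.writable = info.user = info.executable = true;
    uint64_t table = cr3 & PTE_ADDR_MASK;
    for (int level = 4; level >= 1; level--) {
        unsigned shift = PAGE_SHIFT + 9 * (level - 1);   /* 39, 30, 21, 12 */
        unsigned idx = (vaddr >> shift) & 0x1ff;
        uint64_t e = read_phys64(table + idx * 8);
        if (!(e & PTE_P)) return info;                    /* present == false */
        info.writable   &= (e & PTE_RW) != 0;
        info.user       &= (e & PTE_US) != 0;
        info.executable &= (e & PTE_NX) == 0;
        bool large = (level == 3 || level == 2) && (e & PTE_PS) != 0;
        if (level == 1 || large) {
            uint64_t offset_mask = (1ull << shift) - 1;
            info.present = true;
            info.level = level;
            info.paddr = (e & PTE_ADDR_MASK & ~offset_mask) | (vaddr & offset_mask);
            return info;
        }
        table = e & PTE_ADDR_MASK;
    }
    return info;
}

/* The check a PANDA_CB_VIRT_MEM_AFTER_WRITE handler would make: was the page
 * just written also executable? (W^X violation: JIT, unpacker, self-modifying code.) */
static bool write_hit_executable_page(uint64_t cr3, uint64_t vaddr) {
    PteInfo i = walk_x86_64(cr3, vaddr);
    return i.present && i.executable;
}

/* Constructed page tables in phys_mem (frame 0 data, 1 PDPT, 2 PD, 3 PT, 4 PML4):
 *   VA 0x400000 -> frame 0, RW, executable   (a writable code page)
 *   VA 0x401000 -> frame 0, RW, XD           (ordinary data)
 *   VA 0x402000 -> not present
 * Returns the CR3 value (PML4 physical address). */
static uint64_t build_constructed_tables(void) {
    memset(phys_mem, 0, sizeof phys_mem);
    uint64_t data = 0x0000, pdpt = 0x1000, pd = 0x2000, pt = 0x3000, pml4 = 0x4000;
    uint64_t e;
    e = pdpt | PTE_P | PTE_RW | PTE_US;          memcpy(phys_mem + pml4 + 0 * 8, &e, 8);
    e = pd   | PTE_P | PTE_RW | PTE_US;          memcpy(phys_mem + pdpt + 0 * 8, &e, 8);
    e = pt   | PTE_P | PTE_RW | PTE_US;          memcpy(phys_mem + pd   + 2 * 8, &e, 8); /* 0x400000 >> 21 == 2 */
    e = data | PTE_P | PTE_RW | PTE_US;          memcpy(phys_mem + pt   + 0 * 8, &e, 8);
    e = data | PTE_P | PTE_RW | PTE_US | PTE_NX; memcpy(phys_mem + pt   + 1 * 8, &e, 8);
    return pml4;
}

int main(void) {
    uint64_t cr3 = build_constructed_tables();
    printf("write to 0x400000 hits executable page: %d\n", write_hit_executable_page(cr3, 0x400000));
    printf("write to 0x401000 hits executable page: %d\n", write_hit_executable_page(cr3, 0x401000));
    return 0;
}
```

In a plugin the walk is done lazily from the write callback with the current
CR3, so it only costs anything on writes; caching per-page results keyed by
(asid, page) is the usual next step, invalidated when the guest writes to the
page-table frames themselves.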