[panda-users] memory detection

luca valerio therealpighack at hotmail.com
Thu Nov 30 09:52:29 EST 2017


Ok I understand. In the first mail you spoke about walking the page table, so I looked for this in target/i386/monitor.c. I was wondering if it is correct to use (obviously changing something) the methods:


void tlb_info_32(Monitor *mon, CPUArchState *env)
void tlb_info_pae32(Monitor *mon, CPUArchState *env)
void tlb_info_la48(Monitor *mon, CPUArchState *env, uint64_t l0, uint64_t pml4_addr)



I saw that when these methods call "print_pte()" they have access to the NX bit, which is what I want to have. If I understood correctly, the "mem_info" methods don't provide access to the NX bit. Is this correct?

Thanks and sorry for stressing you

Luca
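As an added illustration of the walk discussed in this thread (not code from PANDA or from anyone on the list): a minimal 4-level (LA48) x86-64 page-table walk that reports whether the page backing a virtual address is present and whether NX is set at any level of the path. It runs against a constructed in-memory stand-in for guest physical memory; a plugin would replace read_phys_u64() with a read of guest RAM.

```c
#include <stdint.h>
#include <string.h>
#define PG_PRESENT   (1ULL << 0)
#define PG_PSE       (1ULL << 7)   /* large page bit at PDPT/PD level */
#define PG_NX        (1ULL << 63)
#define PG_ADDR_MASK 0x000ffffffffff000ULL
/* Constructed stand-in for guest physical memory: five zeroed 4 KiB frames. */
#define PHYS_SIZE (5 * 4096)
static uint8_t phys_mem[PHYS_SIZE];
static int read_phys_u64(uint64_t paddr, uint64_t *out) {
    if (paddr + 8 > PHYS_SIZE) return -1;
    memcpy(out, phys_mem + paddr, 8);           /* little-endian host assumed */
    return 0;
}
static void set_entry(uint64_t table, unsigned idx, uint64_t val) {
    memcpy(phys_mem + table + idx * 8, &val, 8);
}
/* LA48 walk from cr3 for va: 1 = mapped (leaf entry and nx filled in),
 * 0 = some level not present, -1 = table unreadable. NX is effective when
 * ANY level on the path sets it, so it is accumulated across levels. */
int walk_la48(uint64_t cr3, uint64_t va, uint64_t *leaf, int *nx) {
    uint64_t table = cr3 & PG_ADDR_MASK, entry = 0;
    int any_nx = 0;
    for (int shift = 39; shift >= 12; shift -= 9) {
        unsigned idx = (va >> shift) & 0x1ff;
        if (read_phys_u64(table + idx * 8, &entry) < 0) return -1;
        if (!(entry & PG_PRESENT)) return 0;
        any_nx |= (entry & PG_NX) != 0;
        if ((shift == 30 || shift == 21) && (entry & PG_PSE)) break; /* 1G/2M page */
        table = entry & PG_ADDR_MASK;
    }
    *leaf = entry; *nx = any_nx; return 1;
}
/* Constructed tables: PML4 @0x1000, PDPT @0x2000, PD @0x3000, PT @0x4000.
 * Maps 0x401000 executable and 0x402000 NX (fake frames); returns cr3. */
uint64_t build_tables(void) {
    memset(phys_mem, 0, PHYS_SIZE);
    set_entry(0x1000, 0, 0x2000ULL | PG_PRESENT);
    set_entry(0x2000, 0, 0x3000ULL | PG_PRESENT);
    set_entry(0x3000, 2, 0x4000ULL | PG_PRESENT);
    set_entry(0x4000, 1, 0x10000ULL | PG_PRESENT);         /* code page */
    set_entry(0x4000, 2, 0x11000ULL | PG_PRESENT | PG_NX); /* data page */
    return 0x1000;
}
/* 1 = mapped and executable, 0 = mapped but non-executable, -1 = unmapped. */
int page_is_executable(uint64_t cr3, uint64_t va) {
    uint64_t leaf; int nx;
    if (walk_la48(cr3, va, &leaf, &nx) != 1) return -1;
    return nx ? 0 : 1;
}
```

A write-detection plugin could call page_is_executable() from the memory-write callback on the written address, with cr3 taken from the current CPU state.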


________________________________
From: Brendan Dolan-Gavitt <brendandg at nyu.edu>
Sent: Thursday, November 30, 2017 1:49:45 PM
To: luca valerio
Cc: panda-users at mit.edu
Subject: Re: [panda-users] memory detection

There isn't any support for it in PANDA currently – you would have to add it.

-Brendan

On Thu, Nov 30, 2017 at 7:48 AM, luca valerio <therealpighack at hotmail.com> wrote:

Sorry for the previous mail, I didn't finish writing.

Ok, suppose that I want to access the Virtual Address Descriptor. How can I do this from a Panda plugin?

In particular I was looking at the "osi" module. It allows access to the executing process, and I saw that it defines a struct:

typedef struct osi_proc_struct {
    target_ulong offset;
    char *name;
    target_ulong asid;
    OsiPage *pages;
    target_ulong pid;
    target_ulong ppid;
} OsiProc;

What I want to do is to get access to the pages (through the OsiPage *pages attribute) of each process and get information about them (i.e. whether they are executable). Is there a structure that allows me to access the Virtual Address Descriptor?



________________________________
From: luca valerio
Sent: Thursday, November 30, 2017 1:43:07 PM
To: Brendan Dolan-Gavitt

Cc: panda-users at mit.edu
Subject: Re: [panda-users] memory detection


Ok, suppose that I want to access the Virtual Address Descriptor. How can I do this from a Panda plugin?


In particular I was looking to the "osi"


________________________________
From: Brendan Dolan-Gavitt <brendandg at nyu.edu>
Sent: Monday, November 27, 2017 5:22:32 PM
To: luca valerio
Cc: panda-users at mit.edu
Subject: Re: [panda-users] memory detection

There's no direct way to do this in PANDA. At the hardware level, there is information in the page tables about whether a given page is executable (at least on x86 – this is the NX bit). So you could walk the page tables and check whether the current page is marked non-executable. There's code in target/i386/monitor.c that shows how to walk page tables on x86 and retrieve the various protection bits.

You could also look at the OS's data structures. On Windows the data structure to look at is the Virtual Address Descriptor (VAD) tree, which tracks the memory regions and protections for each process. I don't know the Linux equivalent of this off the top of my head, but it should have something similar. Doing this would require additions to the OS introspection plugins (win7x86intro and wintrospection for Windows, osi_linux for Linux).

Best,
Brendan

On Mon, Nov 27, 2017 at 9:40 AM, luca valerio <therealpighack at hotmail.com> wrote:

Hi all,


I'm a beginner with PANDA. I'm writing a plugin to detect memory writes. In particular I need to detect when a part of memory which can be executed is written.

I suppose that I must use the callback "PANDA_CB_VIRT_MEM_AFTER_WRITE", but this doesn't say anything about whether the memory area that has been written is executable.

Is there a way to do this (i.e. detect memory write on executable memory)? Maybe I should use another callback?


Thanks,

Luca



_______________________________________________
panda-users mailing list
panda-users at mit.edu
http://mailman.mit.edu/mailman/listinfo/panda-users




--
Brendan Dolan-Gavitt
Assistant Professor, Department of Computer Science and Engineering
NYU Tandon School of Engineering