[panda-users] Extend plugin syscalls2

aicardi@eurecom.fr aicardi at eurecom.fr
Mon Oct 2 04:05:26 EDT 2017


Hello,

Thank you for the answer. I would like to trace the Zw* routines
because I thought it would cover more system calls that way.

The reason I did it is that I am analyzing a PE which I know calls
ZwWriteVirtualMemory several times, but there seems to be no trace of
those calls in the recording I am replaying.

I implemented the hook to this function as follows:
void win7_NtWriteVirtualMemory_enter(CPUState *cpu, target_ulong pc,
                                     uint32_t ProcessHandle, uint32_t BaseAddress,
                                     uint32_t Buffer, uint32_t BufferSize,
                                     uint32_t NumberOfBytesWritten) {
    // print something, e.g. the handle, target address and size passed in
    printf("NtWriteVirtualMemory(handle=0x%x, base=0x%x, size=%u)\n",
           ProcessHandle, BaseAddress, BufferSize);
}
and in another file I call:
PPP_REG_CB("syscalls2", on_NtWriteVirtualMemory_enter,
           win7_NtWriteVirtualMemory_enter);

I think that this piece of code works because I see some prints on  
stdout. The problem is that none of those prints is related to the PE  
I am monitoring.

Is it possible that this callback just 'misses' some calls for any reason?

Thank you in advance,
samaicardi


Quoting "Leek, Timothy - 0559 - MITLL" <tleek at ll.mit.edu>:

> Hello.  I think this is perhaps slightly simpler than you are thinking?
>
> The Zw* routines are the names for the publicly accessible versions
> of the system calls in Windows.  That is, ZwReadFile is a function
> you can call from C or C++ with named, typed arguments
>
> NTSTATUS ZwReadFile( HANDLE FileHandle, HANDLE Event, ...)
>
> This isn't a system call but it calls the actual system call
> NtReadFile. That is, NtReadFile is a system call that is invoked
> with ASM instruction 'sysenter' when EAX=178.  There is no way to
> invoke ZwReadFile via syscall with EAX set to some different number.
> It's not a system call.
>
> However, if you write a PANDA plugin that sits on NtReadFile, I
> believe you will intercept all calls to ZwReadFile.  It's true that
> you may get some other stuff, i.e., when something directly invokes
> NtReadFile without using the ZwReadFile interface.
>
> Syscalls2 can't really be used to intercept calls to ZwReadFile
> itself since it's a kernel function and not actually a system call.
> I'm not sure exactly why you'd want to sit on ZwReadFile
> specifically.  To do that you'd have to know ZwReadFile's address
> and know when someone had called it.
>
> At least, this is my understanding!
>
> Cheers.
>
> Tim
>
>
>
> --
> Tim Leek
> Technical Staff
> Cyber System Assessments
> MIT Lincoln Laboratory
> 781-981-2975
>
>
>
>
> On 9/29/17, 8:59 AM, "panda-users-bounces at mit.edu on behalf of   
> aicardi at eurecom.fr" <panda-users-bounces at mit.edu on behalf of   
> aicardi at eurecom.fr> wrote:
>
>     Hello everyone!
>
>     I am working on Windows7 32bit replays and I would like to monitor all
>     the Zw* system calls. I saw that with the syscalls2 plugin it's
>     possible to hook all the Nt* system calls and I would like to do the
>     same with the Zw* ones.
>     If I got it correctly, in gen_syscall_switch_enter_windows7_x86.cpp
>     there is a huge switch case that determines which system call has been
>     called based on the value of EAX (which contains the system call
>     number (?)).
>     Is it possible to do the same thing for the Zw* system calls?
>
>     Thank you in advance,
>     samaicardi
>
>       
> -------------------------------------------------------------------------------
>     This message was sent using EURECOM Webmail: http://webmail.eurecom.fr
>
>     _______________________________________________
>     panda-users mailing list
>     panda-users at mit.edu
>     http://mailman.mit.edu/mailman/listinfo/panda-users
>
>

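Tim's description of the dispatch (the number in EAX picks the system call, so a Zw* wrapper and a direct Nt* caller reach the same hook) and the fact that a syscalls2 callback runs for every process in the guest, modelled as an added, self-contained C example that is not PANDA's code and not from either poster. The stack layout, the placeholder call number and the CR3 values are assumptions of the model; only 178 is taken from the thread.

```c
#include <stdint.h>
#include <stdio.h>
/* Toy model (added example, not PANDA code): a Win7 x86 system call is
   picked by the number in EAX at sysenter, arguments come from the user
   stack EDX points to, and a hook fires for every process in the guest,
   so the plugin filters on the address space (CR3) of the PE it watches.
   Stack layout, call number and CR3 values are assumptions of the model. */
#define SYSNO_NtWriteVirtualMemory 1        /* placeholder number        */
#define MONITORED_CR3              0x1a000u /* constructed sample ASID   */
typedef struct {
    uint32_t eax, edx, cr3;
    uint32_t stack[16];   /* user-mode stack slots; edx indexes into it */
} CpuModel;
typedef void (*vm_write_cb)(CpuModel *, uint32_t h, uint32_t base,
                            uint32_t buf, uint32_t size);
static vm_write_cb g_cb;                    /* set by the PPP_REG_CB step */
static int g_all_hits, g_monitored_hits;
/* The "huge switch": EAX selects the call, args are read from the stack */
static int dispatch_sysenter(CpuModel *cpu) {
    const uint32_t *a = &cpu->stack[cpu->edx + 2]; /* skip 2 return addrs */
    switch (cpu->eax) {
    case SYSNO_NtWriteVirtualMemory:
        if (g_cb) g_cb(cpu, a[0], a[1], a[2], a[3]);
        return 1;
    default: return 0;   /* unknown number: no hook fires at all */
    }
}
/* Hook: count every hit, but only report the PE under analysis */
static void my_vm_write_enter(CpuModel *cpu, uint32_t h, uint32_t base,
                              uint32_t buf, uint32_t size) {
    g_all_hits++;
    if (cpu->cr3 != MONITORED_CR3) return;   /* some other process */
    g_monitored_hits++;
    printf("handle=0x%x base=0x%x buf=0x%x size=%u\n", h, base, buf, size);
}
/* Emulate a user-mode Zw/Nt stub of process `cr3` reaching sysenter */
static int zw_write_vm_stub(uint32_t cr3, uint32_t h, uint32_t base,
                            uint32_t buf, uint32_t size) {
    CpuModel c = { .eax = SYSNO_NtWriteVirtualMemory, .edx = 0, .cr3 = cr3,
                   .stack = { 0x77d1a5ef, 0x401234, h, base, buf, size } };
    return dispatch_sysenter(&c);
}
/* One write from the watched PE, one from another process; returns
   all_hits * 10 + monitored_hits, which is 21 for this scenario */
static int run_scenario(void) {
    g_all_hits = g_monitored_hits = 0;
    g_cb = my_vm_write_enter;
    zw_write_vm_stub(MONITORED_CR3, 0x5c, 0x400000, 0x4000, 256);
    zw_write_vm_stub(0x2b000u, 0x80, 0x7ffd0000, 0x5000, 16);
    return g_all_hits * 10 + g_monitored_hits;
}
```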