[panda-users] Linux 32bit records always in kernel space
aicardi@eurecom.fr
Mon Oct 2 05:24:57 EDT 2017
Hello everyone,
I'm having trouble performing some analyses on Linux 32bit executables.
I would like to trace the execution of a particular process which I
know the PID of. To do so, I registered a callback for
PANDA_CB_AFTER_BLOCK_EXEC. Every time it is called I check whether the
basic block belongs to the target process or not by calling
'get_current_process' and comparing the current process' PID against
the target one (if the result of get_current_process is not NULL).
The problem is that I noticed that every 'good' basic block had a
program counter (tb->pc of the struct TranslationBlock *tb) which was
always higher than 0xC0000000 (and so in kernel space, right?).
Then I discovered that the reason for that was that every time a basic
block was in user space (tb->pc < 0xC0000000) get_current_process
returned a NULL value.
To be sure of that I tried recording a simple hello world C program
which I compiled with the -Wl,-Ttext-segment=0x12340000 option, just
to be able to spot the program counter with that particular value
among all the tb->pc that I printed during the execution. The
corresponding return value for get_current_process in the same basic
block was always NULL.
Can anyone tell me why this happens?
Thank you in advance,
samaicardi
-------------------------------------------------------------------------------
This message was sent using EURECOM Webmail: http://webmail.eurecom.fr
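The diagnostic described in the message (print tb->pc together with the result of get_current_process for every block, then see how the two line up against the 0xC0000000 kernel/user boundary) can be reproduced offline on the printed trace. The script below is an added example, not code from the poster or from the PANDA project; the trace lines are constructed to mimic what such a PANDA_CB_AFTER_BLOCK_EXEC callback could print, the 3G/1G split is assumed, and the carry_last_pid option is a heuristic of this example, not part of PANDA's OSI API.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed assumption: the classic 3G/1G split of 32-bit x86 Linux, which
# is the boundary the post observes (tb->pc >= 0xC0000000 means kernel space).
KERNEL_BASE = 0xC0000000

# Constructed sample trace in the shape a PANDA_CB_AFTER_BLOCK_EXEC callback
# could print (tb->pc plus the PID from get_current_process, or NULL).
# This is not output from the poster's plugin.
SAMPLE_TRACE = """\
pc=0xc10b3a20 pid=1234
pc=0x12340000 pid=NULL
pc=0x12340017 pid=NULL
pc=0xc10b3a48 pid=1234
pc=0xb7fe1000 pid=NULL
pc=0xc1003000 pid=42
pc=0x0804851a pid=NULL
"""

_LINE_RE = re.compile(r"pc=(0x[0-9a-fA-F]+)\s+pid=(\d+|NULL)")


def parse_trace(text: str) -> List[Tuple[int, Optional[int]]]:
    """Turn trace lines into (pc, pid-or-None) tuples; malformed lines are skipped."""
    out = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue
        pc = int(m.group(1), 16)
        pid = None if m.group(2) == "NULL" else int(m.group(2))
        out.append((pc, pid))
    return out


def is_kernel_pc(pc: int) -> bool:
    """Kernel space under the assumed 3G/1G split."""
    return pc >= KERNEL_BASE


def summarize(trace: List[Tuple[int, Optional[int]]]) -> Dict[str, Dict[str, int]]:
    """Count, per address space, how often OSI returned a process versus NULL.
    On the constructed trace every user-space block has pid=NULL, which is
    exactly the pattern the post describes."""
    counts = {"kernel": {"pid": 0, "null": 0}, "user": {"pid": 0, "null": 0}}
    for pc, pid in trace:
        space = "kernel" if is_kernel_pc(pc) else "user"
        counts[space]["pid" if pid is not None else "null"] += 1
    return counts


def blocks_for_pid(trace: List[Tuple[int, Optional[int]]], target_pid: int,
                   carry_last_pid: bool = False) -> List[int]:
    """Return the PCs attributed to target_pid.

    carry_last_pid=False is the post's filter: a block counts only when
    get_current_process returned a process whose PID matches, so every block
    where OSI returned NULL (here, all user-space blocks) is dropped.

    carry_last_pid=True is a heuristic assumed by this example, not PANDA's
    API: a NULL result reuses the PID most recently reported. It recovers the
    user-space blocks but can misattribute blocks that run right after a
    context switch OSI did not report, so treat its output as approximate."""
    attributed = []
    last_pid: Optional[int] = None
    for pc, pid in trace:
        if pid is not None:
            last_pid = pid
        effective = last_pid if (pid is None and carry_last_pid) else pid
        if effective == target_pid:
            attributed.append(pc)
    return attributed


if __name__ == "__main__":
    trace = parse_trace(SAMPLE_TRACE)
    print(summarize(trace))
    print([hex(pc) for pc in blocks_for_pid(trace, 1234)])
    print([hex(pc) for pc in blocks_for_pid(trace, 1234, carry_last_pid=True)])
```

Running the script prints the per-space counts (all NULL results fall in user space) and shows that the strict filter keeps only the kernel-space blocks of PID 1234, while the carry heuristic also keeps the user-space blocks that followed them.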