[panda-users] PANDA IRC

Sergej Schmidt sergej.schmidt at uni-ulm.de
Sun Oct 29 09:33:58 EDT 2017


On 10/29/2017 04:01 AM, 王一帆 wrote:
> Here I have got a new problem when trying to use syscalls2 plugin and write a plugin filereadmon(1st attachment).
> Compiling it I got the wrong message as follows:
>
>
> It says that on_NtReadFile_enter_t was not declared in this scope, but it was defined in "syscalls2/gen_syscalls_ext_typedefs.h" and I have included it.
> Thanks in advance!
Hi,

there are a couple of things why it won't work. At first the more
call-specific parts.

>     PPP_REG_CB("syscalls2", on_NtReadFile_enter,on_NtReadFile_enter);
If you name your callback method like the name in the syscall2-api
function, there's gonna be trouble...
Second, the syscall you are using is defined inside a "define i386" in
the gen_syscalls_ext_typedefs.h file. When you compile Panda and your
plugin without any special flags to exclude other target architectures,
which is the default, then the compilation process will try to look for
"on_NtReadFile_enter" for the i386 and ARM (actually also for PPC, since
PANDA/taint2 supports that to a certain degree). The latter will fail.
The more generic solution would be something like:
> #if defined(TARGET_I386)
>     PPP_REG_CB("syscalls2", on_NtReadFile_enter, my_NtReadFile_callback);
> #endif
Not sure anymore, but your callback definition should probably also be
in a define - just try it out.

The code has other issues that will prevent your plugin from working:
You don't require() and init() the syscalls2-plugin inside your plugin's
init_plugin() function. You are not using the OSI-plugin, which you
need to use the syscall2-plugin. The syscall2-plugin's USAGE.md is not yet
updated to PANDA2, as far as I see. I wrote my syscall2-plugin for
GNU/Linux, so I am pretty limited regarding Windows. I suggest you look
at the file_taint plugin. It really contains everything you're trying to
do and goes beyond:
https://github.com/panda-re/panda/blob/master/panda/plugins/file_taint/USAGE.md

Sergej
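To make the two fixes in the reply concrete (guarding everything that depends on the i386-only typedef, and loading the OSI and syscalls2 dependencies before registering the callback), here is an added, stand-alone C++ model. It is not code from the thread and not PANDA's own code: CPUState, panda_require(), init_api(), the PPP_REG_CB registry and the abbreviated on_NtReadFile_enter_t signature are constructed stand-ins so the structure can be compiled and exercised without the PANDA headers, both with and without -DTARGET_I386.

```cpp
#include <cstddef>
#include <cstdint>
#include <map>
#include <set>
#include <string>
#include <vector>

// ---- Hypothetical stand-ins for the PANDA pieces the reply mentions ----
// (constructed for this example; a real plugin includes panda/plugin.h instead)
struct CPUState {};
using target_ulong = uint32_t;

// Which plugins have been loaded (require) and which APIs initialised (init).
static std::set<std::string> g_loaded_plugins;
static std::set<std::string> g_initialised_apis;

static void panda_require(const std::string &name) { g_loaded_plugins.insert(name); }
static bool init_api(const std::string &name) {
    if (!g_loaded_plugins.count(name)) return false;  // require() must come first
    g_initialised_apis.insert(name);
    return true;
}

// PPP-style registry: "plugin:slot" -> registered handlers (opaque pointers).
static std::map<std::string, std::vector<void *>> g_ppp_slots;
#define PPP_REG_CB(plugin, slot, fn) \
    g_ppp_slots[std::string(plugin) + ":" + #slot].push_back(reinterpret_cast<void *>(&(fn)))

// syscalls2 only generates this typedef for the i386 target; everything that
// uses it must sit under the same guard, or the ARM/PPC builds fail as in the thread.
#if defined(TARGET_I386)
typedef void (*on_NtReadFile_enter_t)(CPUState *cpu, target_ulong pc,
                                      uint32_t FileHandle, uint32_t Buffer, uint32_t Length);
#endif

// ---- The plugin itself ----
static unsigned g_reads_seen = 0;

#if defined(TARGET_I386)
// Named differently from the registration slot, as the reply advises.
static void my_NtReadFile_callback(CPUState *, target_ulong, uint32_t, uint32_t, uint32_t) {
    ++g_reads_seen;  // a real monitor would read the buffer/handle via OSI here
}
#endif

bool init_plugin(void *) {
    // Dependencies first: syscalls2 needs OSI, so load and initialise OSI before it.
    panda_require("osi");
    if (!init_api("osi")) return false;
    panda_require("syscalls2");
    if (!init_api("syscalls2")) return false;
#if defined(TARGET_I386)
    PPP_REG_CB("syscalls2", on_NtReadFile_enter, my_NtReadFile_callback);
#endif
    return true;
}

// Model of syscalls2 dispatching an NtReadFile entry to every registered handler;
// returns how many NtReadFile entries the plugin has observed so far.
unsigned simulate_NtReadFile(uint32_t handle, uint32_t buf, uint32_t len) {
    CPUState cpu;
#if defined(TARGET_I386)
    for (void *fn : g_ppp_slots["syscalls2:on_NtReadFile_enter"])
        reinterpret_cast<on_NtReadFile_enter_t>(fn)(&cpu, 0x401000, handle, buf, len);
#else
    (void)cpu; (void)handle; (void)buf; (void)len;  // no i386 hook in this build
#endif
    return g_reads_seen;
}

// Built with -DTARGET_I386 the hook fires; without it the plugin still builds and loads.
constexpr bool kBuiltForI386 =
#if defined(TARGET_I386)
    true;
#else
    false;
#endif

std::size_t registered_NtReadFile_handlers() {
    return g_ppp_slots["syscalls2:on_NtReadFile_enter"].size();
}
```

Compile once with `-DTARGET_I386` and once without: in both cases init_plugin() succeeds, but only the i386 build registers a handler and counts simulated NtReadFile entries, which is exactly the behaviour the guarded PPP_REG_CB in the reply is meant to give across PANDA's multi-target build.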


