[panda-users] Memory callbacks and x86_64

Bridgey theGeek bridgeythegeek at gmail.com
Mon Feb 26 16:08:47 EST 2018


Hey Vincent,

Hmm, that is odd. Like you say, seeing the load/unload messages suggests
all is fine.

My gut feeling is that maybe your recording is corrupt? Maybe grab one of
the replays Moyix makes available and test with that?
http://panda.gtisc.gatech.edu/malrec/

Let us know how you get on,
Adam

On Mon, 26 Feb 2018 at 20:32 Vincent Lee <vincent_lee at utexas.edu> wrote:

> Hi,
>
> I just tried running the plugin on a live-CD boot-up of Arch Linux 32 with
> qemu-system-i386, with my plugin tracking writes in all of physical memory
> (start=0,end=-1). However, there still are not any writes being recorded.
> The plugin prints its messages when loading and unloading, but sees 0 reads
> and writes.
>
> Perhaps I am building or invoking the plugin incorrectly? Though, since my
> load and unload messages appear, I don't know where my mistake might be.
>
> Thanks,
> Vincent
>
>
>
> On Sat, Feb 24, 2018 at 6:17 AM, Bridgey theGeek <bridgeythegeek at gmail.com> wrote:
>
>> Hi Vincent,
>>
>> Out of interest, did you try your code with an i386 environment? Did that
>> work?
>>
>> I don't have an x86_64 guest to hand, but your plugin code, copied
>> straight from your gist worked as I'd expect it to for i386:
>> testplugin loading
>> tracking range [40000000, 80000000)
>> loading snapshot
>> ... done.
>> opening nondet log for read :   /slw/notepad01-rr-nondet.log
>> got a write at 2968c8c
>> got a write at 2968c88
>> got a write at 2968c84
>> got a write at 2968c80
>> got a write at 2968c7c
>> got a write at 2968c6c
>> got a write at 2968c68
>> got a write at 2968c64
>> got a read at 2968c98
>> got a read at 2968c94
>> got a read at 296bc00
>>
>> Adam
>>
>> On Fri, 23 Feb 2018 at 22:43 Vincent Lee <vincent_lee at utexas.edu> wrote:
>>
>>> Hello,
>>>
>>> I am trying to set up PANDA for monitoring the physical memory accesses
>>> of an x86_64 guest.
>>> I've written a toy test plugin [0], and have also tried running the
>>> stringsearch plugin looking for the hostname of the machine, as well as
>>> generic phrases likely to show up in logs, such as "Arch Linux" or "memory".
>>>
>>> However, no results are returned from stringsearch, and my test plugin
>>> records no accesses on any part of memory. PANDA is built from 8730ffb on
>>> Ubuntu 16.04 with the install_ubuntu script.
>>>
>>> Have I set up my environment incorrectly, or are memory callbacks not
>>> supported on x86_64?
>>> If they are not supported, is there a similar tool I can use to trace
>>> guest physical memory accesses on x86_64?
>>>
>>> Thanks in advance,
>>> Vincent
>>>
>>>
>>> [0]
>>> https://gist.github.com/williewillus/f0c96d8652e0f8b538da0c162c82069c
>>>
>>> _______________________________________________
>>> panda-users mailing list
>>> panda-users at mit.edu
>>> http://mailman.mit.edu/mailman/listinfo/panda-users
>>>
>>
>