[panda-users] Memory callbacks and x86_64

Vincent Lee vincent_lee at utexas.edu
Mon Feb 26 16:23:42 EST 2018


Hi,

Ah, I was not running on a recording, but was running the system live with
-panda. If I try to make a recording and play it back with -replay and
-panda, I get the following assertion failure when the replay loads:
https://gist.github.com/williewillus/951c17eeac1da94efe48bdaacc7d009f
How would I use the logs listed on that website? They don't seem to come
with a snapshot to use.

Thanks!
Vincent


On Mon, Feb 26, 2018 at 3:08 PM, Bridgey theGeek <bridgeythegeek at gmail.com>
wrote:

> Hey Vincent,
>
> Hmm, that is odd. Like you say, seeing the load/unload messages suggests
> all is fine.
>
> My gut feeling is that maybe your recording is corrupt? Maybe grab one of
> the replays Moyix makes available and test with that?
> http://panda.gtisc.gatech.edu/malrec/
>
> Let us know how you get on,
> Adam
>
> On Mon, 26 Feb 2018 at 20:32 Vincent Lee <vincent_lee at utexas.edu> wrote:
>
>> Hi,
>>
>> I just tried running the plugin on a live CD boot up of Arch Linux 32
>> with qemu-system-i386, with my plugin tracking writes in all of physical
>> memory (start=0,end=-1). However, there still are not any writes being
>> recorded. The plugin prints its messages when loading and unloading, but
>> sees 0 reads and writes.
>>
>> Perhaps I am building or invoking the plugin incorrectly? Though, since
>> my load and unload messages appear, I don't know where my mistake might be.
>>
>> Thanks,
>> Vincent
>>
>>
>>
>> On Sat, Feb 24, 2018 at 6:17 AM, Bridgey theGeek <
>> bridgeythegeek at gmail.com> wrote:
>>
>>> Hi Vincent,
>>>
>>> Out of interest, did you try your code with an i386 environment? Did
>>> that work?
>>>
>>> I don't have an x86_64 guest to hand, but your plugin code, copied
>>> straight from your gist, worked as I'd expect it to for i386:
>>> testplugin loading
>>> tracking range [40000000, 80000000)
>>> loading snapshot
>>> ... done.
>>> opening nondet log for read :   /slw/notepad01-rr-nondet.log
>>> got a write at 2968c8c
>>> got a write at 2968c88
>>> got a write at 2968c84
>>> got a write at 2968c80
>>> got a write at 2968c7c
>>> got a write at 2968c6c
>>> got a write at 2968c68
>>> got a write at 2968c64
>>> got a read at 2968c98
>>> got a read at 2968c94
>>> got a read at 296bc00
>>>
>>> Adam
>>>
>>> On Fri, 23 Feb 2018 at 22:43 Vincent Lee <vincent_lee at utexas.edu> wrote:
>>>
>>>> Hello,
>>>>
>>>> I am trying to set up PANDA for monitoring the physical memory accesses
>>>> of an x86_64 guest.
>>>> I've written a toy test plugin [0], and have also tried running the
>>>> stringsearch plugin looking for the hostname of the machine, as well as
>>>> generic phrases likely to show up in logs, such as "Arch Linux" or "memory".
>>>>
>>>> However, no results are returned from stringsearch, and my test plugin
>>>> records no accesses on any part of memory. PANDA is built from 8730ffb on
>>>> Ubuntu 16.04 with the install_ubuntu script.
>>>>
>>>> Have I set up my environment incorrectly, or are memory callbacks not
>>>> supported on x86_64?
>>>> If they are not supported, is there a similar tool I can use to trace
>>>> guest physical memory accesses on x86_64?
>>>>
>>>> Thanks in advance,
>>>> Vincent
>>>>
>>>>
>>>> [0] https://gist.github.com/williewillus/f0c96d8652e0f8b538da0c162c82069c
>>>>
>>>> _______________________________________________
>>>> panda-users mailing list
>>>> panda-users at mit.edu
>>>> http://mailman.mit.edu/mailman/listinfo/panda-users
>>>>
>>>
>>