[panda-users] Memory callbacks and x86_64

Brendan Dolan-Gavitt brendandg at nyu.edu
Mon Feb 26 16:59:01 EST 2018


Two quick things:

- The recordings on panda.gtisc are for PANDA 1.0 and won’t work with 2.0
- Memory callbacks should work on both live execution and replay. If they
don’t there is likely a bug. I will try to find some time to investigate in
the next couple days.

On Mon, Feb 26, 2018 at 4:33 PM Bridgey theGeek <bridgeythegeek at gmail.com>
wrote:

> Running about right now, but see if you can get the replay to run through
> without applying any plugins.
>
> Based on the command line from your gist, try:
> qemu-system-i386 -m 2G -replay TEST
>
> You shouldn't need any of the other parameters.
>
> It should count through the replay up to 100%.
>
> Adam
>
>
> On Mon, 26 Feb 2018, 21:23 Vincent Lee, <vincent_lee at utexas.edu> wrote:
>
>> Hi,
>>
>> Ah, I was not running on a recording, but was running the system live
>> with -panda. If I try to make a recording and play it back with -replay and
>> -panda, I get the following assertion failure when the replay loads:
>> https://gist.github.com/williewillus/951c17eeac1da94efe48bdaacc7d009f
>> How would I use the logs listed on that website? They don't seem to come
>> with a snapshot to use.
>>
>> Thanks!
>> Vincent
>>
>>
>> On Mon, Feb 26, 2018 at 3:08 PM, Bridgey theGeek <
>> bridgeythegeek at gmail.com> wrote:
>>
>>> Hey Vincent,
>>>
>>> Hmm, that is odd. Like you say, seeing the load/unload messages suggests
>>> all is fine.
>>>
>>> My gut feeling is that maybe your recording is corrupt? Maybe grab one
>>> of the replays Moyix makes available and test with that?
>>> http://panda.gtisc.gatech.edu/malrec/
>>>
>>> Let us know how you get on,
>>> Adam
>>>
>>> On Mon, 26 Feb 2018 at 20:32 Vincent Lee <vincent_lee at utexas.edu> wrote:
>>>
>>>> Hi,
>>>>
>>>> I just tried running the plugin on a live CD boot up of Arch Linux 32
>>>> with qemu-system-i386, with my plugin tracking writes in all of physical
>>>> memory (start=0,end=-1). However, there still are not any writes being
>>>> recorded. The plugin prints its messages when loading and unloading, but
>>>> sees 0 reads and writes.
>>>>
>>>> Perhaps I am building or invoking the plugin incorrectly? Though, since
>>>> my load and unload messages appear, I don't know where my mistake might be.
>>>>
>>>> Thanks,
>>>> Vincent
>>>>
>>>>
>>>>
>>>> On Sat, Feb 24, 2018 at 6:17 AM, Bridgey theGeek <
>>>> bridgeythegeek at gmail.com> wrote:
>>>>
>>>>> Hi Vincent,
>>>>>
>>>>> Out of interest, did you try your code with an i386 environment? Did
>>>>> that work?
>>>>>
>>>>> I don't have an x86_64 guest to hand, but your plugin code, copied
>>>>> straight from your gist worked as I'd expect it to for i386:
>>>>> testplugin loading
>>>>> tracking range [40000000, 80000000)
>>>>> loading snapshot
>>>>> ... done.
>>>>> opening nondet log for read :   /slw/notepad01-rr-nondet.log
>>>>> got a write at 2968c8c
>>>>> got a write at 2968c88
>>>>> got a write at 2968c84
>>>>> got a write at 2968c80
>>>>> got a write at 2968c7c
>>>>> got a write at 2968c6c
>>>>> got a write at 2968c68
>>>>> got a write at 2968c64
>>>>> got a read at 2968c98
>>>>> got a read at 2968c94
>>>>> got a read at 296bc00
>>>>>
>>>>> Adam
>>>>>
>>>>> On Fri, 23 Feb 2018 at 22:43 Vincent Lee <vincent_lee at utexas.edu>
>>>>> wrote:
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> I am trying to set up PANDA for monitoring the physical memory
>>>>>> accesses of an x86_64 guest.
>>>>>> I've written a toy test plugin [0], and have also tried running the
>>>>>> stringsearch plugin looking for the hostname of the machine, as well as
>>>>>> generic phrases likely to show up in logs, such as "Arch Linux" or "memory".
>>>>>>
>>>>>> However, no results are returned from stringsearch, and my test
>>>>>> plugin records no accesses on any part of memory. PANDA is built from
>>>>>> 8730ffb on Ubuntu 16.04 with the install_ubuntu script.
>>>>>>
>>>>>> Have I set up my environment incorrectly, or are memory callbacks not
>>>>>> supported on x86_64?
>>>>>> If they are not supported, is there a similar tool I can use to trace
>>>>>> guest physical memory accesses on x86_64?
>>>>>>
>>>>>> Thanks in advance,
>>>>>> Vincent
>>>>>>
>>>>>>
>>>>>> [0]
>>>>>> https://gist.github.com/williewillus/f0c96d8652e0f8b538da0c162c82069c
>>>>>>
>>>>>> _______________________________________________
>>>>>> panda-users mailing list
>>>>>> panda-users at mit.edu
>>>>>> http://mailman.mit.edu/mailman/listinfo/panda-users
>>>>>>
>>>>>
>>>>
-- 
Brendan Dolan-Gavitt
Assistant Professor, Department of Computer Science and Engineering
NYU Tandon School of Engineering
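The thread revolves around a plugin that filters physical-memory accesses by a configured range (start=0,end=-1 for all of memory, or a narrower window such as the "tracking range" printed in Adam's run). The following is an added, stand-alone example, not code from the PANDA project or from the gist in the thread: it parses such arguments the way a plugin might, treats -1 as the top of a 32-bit i386 address space (an assumption about the guest), and counts which constructed access addresses fall inside the half-open range. Because the parser accepts both decimal and 0x-prefixed values, the range is printed in hex so it can be compared directly with lines like "got a write at 2968c8c".

```c
/* Added example (not PANDA code): range filter for a memory-callback plugin.
 * Parses "start=..,end=.." and counts accesses inside [start, end).
 * Assumes a 32-bit guest (qemu-system-i386), so target_ulong is uint32_t. */
#include <inttypes.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
typedef uint32_t target_ulong;  /* i386 guest: assumption, 32-bit addresses */

/* Parse one "key=value" token; value may be decimal, 0x-hex, or -1 (all). */
static bool parse_range_arg(const char *arg, const char *key, target_ulong *out)
{
    size_t klen = strlen(key);
    if (strncmp(arg, key, klen) != 0 || arg[klen] != '=')
        return false;
    const char *val = arg + klen + 1;
    if (strcmp(val, "-1") == 0) {          /* -1 wraps to the maximum address */
        *out = (target_ulong)-1;
        return true;
    }
    char *end = NULL;
    unsigned long long v = strtoull(val, &end, 0);  /* base 0: "0x" means hex */
    if (end == val || *end != '\0' || v > (target_ulong)-1)
        return false;                      /* garbage or out of guest range */
    *out = (target_ulong)v;
    return true;
}

/* Half-open membership test, matching "tracking range [start, end)". */
static bool in_range(target_ulong addr, target_ulong start, target_ulong end)
{
    return addr >= start && addr < end;
}

/* Parse "start=..,end=.." (either key optional) and count addrs[] inside. */
static int count_in_range(const char *args, const target_ulong *addrs, int n)
{
    target_ulong start = 0, end = (target_ulong)-1;   /* default: all memory */
    char buf[128];
    strncpy(buf, args, sizeof buf - 1); buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ","))
        if (!parse_range_arg(tok, "start", &start))
            parse_range_arg(tok, "end", &end);
    int hits = 0;
    for (int i = 0; i < n; i++)
        hits += in_range(addrs[i], start, end);
    printf("tracking range [0x%08" PRIx32 ", 0x%08" PRIx32 "): %d hits\n",
           start, end, hits);
    return hits;
}
```

Note that with base-0 parsing a value such as "40000000" is decimal (about 0x2625A00), which is why Adam's hex addresses in the 0x29xxxxx range are legitimately inside it.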