[panda-users] Memory callbacks and x86_64

Vincent Lee vincent_lee at utexas.edu
Sat Mar 3 17:18:25 EST 2018


Update: I got the plugins to run on x86_64, simply by disabling KVM (remove
the -enable-kvm flag).
There wasn't anything in manual.md saying to disable KVM, but in hindsight
this was an obvious error. Thanks all for the help!

Cheers,
Vincent

On Mon, Feb 26, 2018 at 3:59 PM, Brendan Dolan-Gavitt <brendandg at nyu.edu>
wrote:

> Two quick things:
>
> - The recordings on panda.gtisc are for PANDA 1.0 and won’t work with 2.0
> - Memory callbacks should work on both live execution and replay. If they
> don’t there is likely a bug. I will try to find some time to investigate in
> the next couple days.
>
> On Mon, Feb 26, 2018 at 4:33 PM Bridgey theGeek <bridgeythegeek at gmail.com>
> wrote:
>
>> Running about right now, but see if you can get the replay to run through
>> without applying any plugins.
>>
>> Based on the command line from your gist, try:
>> qemu-system-i386 -m 2G -replay TEST
>>
>> You shouldn't need any of the other parameters.
>>
>> It should count through the replay up to 100%.
>>
>> Adam
>>
>>
>> On Mon, 26 Feb 2018, 21:23 Vincent Lee, <vincent_lee at utexas.edu> wrote:
>>
>>> Hi,
>>>
>>> Ah, I was not running on a recording, but was running the system live
>>> with -panda. If I try to make a recording and play it back with -replay and
>>> -panda, I get the following assertion failure when the replay loads:
>>> https://gist.github.com/williewillus/951c17eeac1da94efe48bdaacc7d009f
>>> How would I use the logs listed on that website? They don't seem to come
>>> with a snapshot to use.
>>>
>>> Thanks!
>>> Vincent
>>>
>>>
>>> On Mon, Feb 26, 2018 at 3:08 PM, Bridgey theGeek <
>>> bridgeythegeek at gmail.com> wrote:
>>>
>>>> Hey Vincent,
>>>>
>>>> Hmm, that is odd. Like you say, seeing the load/unload messages
>>>> suggests all is fine.
>>>>
>>>> My gut feeling is that maybe your recording is corrupt? Maybe grab one
>>>> of the replays Moyix makes available and test with that?
>>>> http://panda.gtisc.gatech.edu/malrec/
>>>>
>>>> Let us know how you get on,
>>>> Adam
>>>>
>>>> On Mon, 26 Feb 2018 at 20:32 Vincent Lee <vincent_lee at utexas.edu>
>>>> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I just tried running the plugin on a live CD boot up of Arch Linux 32
>>>>> with qemu-system-i386, with my plugin tracking writes in all of physical
>>>>> memory (start=0,end=-1). However, there still are not any writes being
>>>>> recorded. The plugin prints its messages when loading and unloading, but
>>>>> sees 0 reads and writes.
>>>>>
>>>>> Perhaps I am building or invoking the plugin incorrectly? Though,
>>>>> since my load and unload messages appear, I don't know where my mistake
>>>>> might be.
>>>>>
>>>>> Thanks,
>>>>> Vincent
>>>>>
>>>>>
>>>>>
>>>>> On Sat, Feb 24, 2018 at 6:17 AM, Bridgey theGeek <
>>>>> bridgeythegeek at gmail.com> wrote:
>>>>>
>>>>>> Hi Vincent,
>>>>>>
>>>>>> Out of interest, did you try your code with an i386 environment? Did
>>>>>> that work?
>>>>>>
>>>>>> I don't have an x86_64 guest to hand, but your plugin code, copied
>>>>>> straight from your gist worked as I'd expect it to for i386:
>>>>>> testplugin loading
>>>>>> tracking range [40000000, 80000000)
>>>>>> loading snapshot
>>>>>> ... done.
>>>>>> opening nondet log for read :   /slw/notepad01-rr-nondet.log
>>>>>> got a write at 2968c8c
>>>>>> got a write at 2968c88
>>>>>> got a write at 2968c84
>>>>>> got a write at 2968c80
>>>>>> got a write at 2968c7c
>>>>>> got a write at 2968c6c
>>>>>> got a write at 2968c68
>>>>>> got a write at 2968c64
>>>>>> got a read at 2968c98
>>>>>> got a read at 2968c94
>>>>>> got a read at 296bc00
>>>>>>
>>>>>> Adam
>>>>>>
>>>>>> On Fri, 23 Feb 2018 at 22:43 Vincent Lee <vincent_lee at utexas.edu>
>>>>>> wrote:
>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> I am trying to set up PANDA for monitoring the physical memory
>>>>>>> accesses of an x86_64 guest.
>>>>>>> I've written a toy test plugin [0], and have also tried running the
>>>>>>> stringsearch plugin looking for the hostname of the machine, as well as
>>>>>>> generic phrases likely to show up in logs, such as "Arch Linux" or "memory".
>>>>>>>
>>>>>>> However, no results are returned from stringsearch, and my test
>>>>>>> plugin records no accesses on any part of memory. PANDA is built from
>>>>>>> 8730ffb on Ubuntu 16.04 with the install_ubuntu script.
>>>>>>>
>>>>>>> Have I set up my environment incorrectly, or are memory callbacks
>>>>>>> not supported on x86_64?
>>>>>>> If they are not supported, is there a similar tool I can use to
>>>>>>> trace guest physical memory accesses on x86_64?
>>>>>>>
>>>>>>> Thanks in advance,
>>>>>>> Vincent
>>>>>>>
>>>>>>>
>>>>>>> [0] https://gist.github.com/williewillus/f0c96d8652e0f8b538da0c162c82069c
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> panda-users mailing list
>>>>>>> panda-users at mit.edu
>>>>>>> http://mailman.mit.edu/mailman/listinfo/panda-users
>>>>>>>
>>>>>>
>>>>>
> --
> Brendan Dolan-Gavitt
> Assistant Professor, Department of Computer Science and Engineering
> NYU Tandon School of Engineering
>
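As an added example for the thread above (not code posted by anyone in it, and not from the PANDA tree): the range-filtering core of a plugin like Vincent's, compiled stand-alone, with a constructed access trace standing in for a replay. The PANDA-specific glue sits under #ifdef PANDA_PLUGIN and is written from the PANDA 2 plugin API as of 2018 (panda_enable_memcb, PANDA_CB_PHYS_MEM_AFTER_WRITE/READ, panda_parse_string); it is not compiled here, so check those names against panda/include/panda/plugin.h in the checkout you use. The plugin name "memrange", the type name paddr_t and the trace addresses are made up for the example.

```c
/* Added example, not from the thread or the PANDA tree: range-filtered
 * physical-memory access counting, testable without PANDA. */
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stands in for PANDA's target_ulong; 64-bit so "-1" parses to 0xffffffffffffffff. */
typedef uint64_t paddr_t;

struct mem_tracker {
    paddr_t start;   /* inclusive */
    paddr_t end;     /* exclusive; (paddr_t)-1 means "up to the top of memory" */
    uint64_t reads, writes;
};

/* "end=-1" as in the thread: strtoull accepts a leading '-' and negates in
 * unsigned arithmetic, so "-1" yields the maximum address rather than an error. */
static bool tracker_init(struct mem_tracker *t, const char *start_s, const char *end_s)
{
    char *p;
    t->start = strtoull(start_s, &p, 0);
    if (*p) return false;                 /* trailing junk: reject */
    t->end = strtoull(end_s, &p, 0);
    if (*p) return false;
    t->reads = t->writes = 0;
    return t->start < t->end;             /* reject empty or inverted ranges */
}

/* Does the access [addr, addr+size) overlap [start, end)? A size that would wrap
 * past the top of the address space is clamped instead of wrapping to zero. */
static bool in_range(const struct mem_tracker *t, paddr_t addr, size_t size)
{
    if (size == 0) return false;
    paddr_t last = addr + (size - 1);
    if (last < addr) last = (paddr_t)-1;  /* wrapped: clamp to top of memory */
    return addr < t->end && last >= t->start;
}

/* Callback bodies kept free of PANDA types so they can be exercised directly. */
static void on_phys_write(struct mem_tracker *t, paddr_t pc, paddr_t addr, size_t size)
{
    if (!in_range(t, addr, size)) return;
    t->writes++;
    printf("got a write at %" PRIx64 " (pc %" PRIx64 ", %zu bytes)\n", addr, pc, size);
}

static void on_phys_read(struct mem_tracker *t, paddr_t pc, paddr_t addr, size_t size)
{
    if (!in_range(t, addr, size)) return;
    t->reads++;
    printf("got a read at %" PRIx64 " (pc %" PRIx64 ", %zu bytes)\n", addr, pc, size);
}

struct access { bool is_write; paddr_t pc, addr; size_t size; };

/* Feed a trace through the callbacks; returns the number of accesses counted. */
static uint64_t simulate(struct mem_tracker *t, const struct access *trace, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (trace[i].is_write) on_phys_write(t, trace[i].pc, trace[i].addr, trace[i].size);
        else                   on_phys_read(t, trace[i].pc, trace[i].addr, trace[i].size);
    }
    return t->reads + t->writes;
}

/* Constructed trace (made-up addresses) in place of what TCG delivers during a
 * replay. Under -enable-kvm TCG never sees the guest's accesses, so a real run
 * would count zero here however the range is set: the symptom in the thread. */
static uint64_t run_demo(void)
{
    struct mem_tracker t;
    if (!tracker_init(&t, "0x40000000", "0x80000000")) return 0;
    const struct access trace[] = {
        { true,  0x2968c8c, 0x40001000, 4 },  /* inside the range: counted */
        { false, 0x2968c98, 0x7ffffffc, 8 },  /* straddles end, first byte inside: counted */
        { true,  0x2968c84, 0x80000000, 4 },  /* exactly at end: excluded (half-open) */
        { false, 0x296bc00, 0x00001000, 4 },  /* below start: excluded */
    };
    uint64_t seen = simulate(&t, trace, sizeof trace / sizeof trace[0]);
    printf("tracking range [%" PRIx64 ", %" PRIx64 "): %" PRIu64 " reads, %" PRIu64 " writes\n",
           t.start, t.end, t.reads, t.writes);
    return seen;
}

int main(void) { return run_demo() == 2 ? 0 : 1; }

#ifdef PANDA_PLUGIN   /* PANDA 2 (2018-era) glue, from memory of the API; verify against plugin.h */
#include "panda/plugin.h"
static struct mem_tracker g_tracker;
static void cb_write(CPUState *env, target_ulong pc, target_ulong addr, target_ulong size, void *buf)
{ (void)env; (void)buf; on_phys_write(&g_tracker, pc, addr, size); }
static void cb_read(CPUState *env, target_ulong pc, target_ulong addr, target_ulong size, void *buf)
{ (void)env; (void)buf; on_phys_read(&g_tracker, pc, addr, size); }
bool init_plugin(void *self)
{
    panda_arg_list *args = panda_get_args("memrange");
    if (!tracker_init(&g_tracker, panda_parse_string(args, "start", "0"),
                                  panda_parse_string(args, "end", "-1"))) return false;
    panda_enable_memcb();   /* memory callbacks are off by default; without this none fire */
    panda_cb pcb;
    pcb.phys_mem_after_write = cb_write;
    panda_register_callback(self, PANDA_CB_PHYS_MEM_AFTER_WRITE, pcb);
    pcb.phys_mem_after_read = cb_read;
    panda_register_callback(self, PANDA_CB_PHYS_MEM_AFTER_READ, pcb);
    return true;
}
void uninit_plugin(void *self)
{ (void)self; printf("%" PRIu64 " reads, %" PRIu64 " writes\n", g_tracker.reads, g_tracker.writes); }
#endif
```

Build the core alone with `cc -std=c11 memrange.c` and run it; add `-DPANDA_PLUGIN` plus PANDA's include paths to build it as a plugin. The point the thread arrived at is not in the code: these callbacks fire from TCG's translated code, so a guest launched with -enable-kvm runs on the host CPU, delivers no callbacks at all, and every counter stays at zero no matter how the range is set.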