[panda-users] Tracking used memory pages

Brendan Dolan-Gavitt brendandg at nyu.edu
Mon Oct 15 11:20:48 EDT 2018


The approach seems fine generally, just a few small notes:

- get_current_process can sometimes fail to retrieve the current
process (e.g. if some memory for the data structures used by the
kernel is paged out). You may want to instead track based on the ASID
(panda_current_asid()), which is always available.

- The page_addr fields may not be entirely simple (I would have to
look at the QEMU code in more detail before I'd be confident using
them):
    /* first and second physical page containing code. The lower bit
       of the pointer tells the index in page_next[] */
    struct TranslationBlock *page_next[2];
    tb_page_addr_t page_addr[2];
A more straightforward way would be to check tb->pc and then
tb->pc+tb->size as the two addresses (masking off the lower bits using
TARGET_PAGE_MASK).

- You're currently storing the pages in a list, which has O(n) lookup
time. You probably instead want to use a std::set (O(log n) lookup)
or a std::unordered_set (O(1) average lookup).

Best,
Brendan


On Mon, Oct 15, 2018 at 11:06 AM, alessandro mantovani <alk13 at hotmail.it> wrote:
> Hi all,
>
>
> I'm writing a plugin to get the memory pages which are executed by a
> process. My idea is to work at the level of the translation blocks. In
> particular, the struct TranslationBlock has a field named "page_addr" which
> stores the addresses of the memory pages that the current block refers to.
> By registering the callback "PANDA_CB_BEFORE_BLOCK_EXEC" it is possible to
> get the currently executed translation block. So, at the moment, my callback
> is something like this:
>
>
> // Some global variables
>
> std::list<target_ulong> page_list;
>
> OsiProc *proc = NULL;
>
> .... // Here we have init and uninit, etc.
>
> int before_block_callback(CPUState *env, TranslationBlock *tb)
> {
>         proc = get_current_process(env);
>         if (proc == NULL)
>                 return 0;   /* no process info available for this block */
>         if (strcmp(proc->name, proc_to_track) == 0 && !panda_in_kernel(env))
>         {
>                 /* pages this block's code lives on, as recorded by QEMU */
>                 target_ulong page1 = tb->page_addr[0];
>                 target_ulong page2 = tb->page_addr[1];
>                 bool found1 = (std::find(page_list.begin(), page_list.end(), page1) != page_list.end());
>                 bool found2 = (std::find(page_list.begin(), page_list.end(), page2) != page_list.end());
>                 if (!found1)
>                         page_list.push_back(page1);
>                 if (!found2)
>                         page_list.push_back(page2);
>         }
>         free_osiproc(proc);
>         return 0;
> }
>
> My idea was adding a further filter to check if the executed memory page
> matches with a module or not. Is this approach the correct one?
>
> Thank you
> Best regards,
> elmanto
>
>
>
>
>
> _______________________________________________
> panda-users mailing list
> panda-users at mit.edu
> http://mailman.mit.edu/mailman/listinfo/panda-users
>



-- 
Brendan Dolan-Gavitt
Assistant Professor, Department of Computer Science and Engineering
NYU Tandon School of Engineering
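The following is an added, stand-alone example (not PANDA's code and not the code from either message) of the approach sketched in the reply: key the bookkeeping on the ASID rather than on an OsiProc, derive the page(s) a block covers from its start address and size with TARGET_PAGE_MASK, and keep the pages in a hash set instead of a list. The page size, the callback arguments and the sample blocks are constructed for the model so it compiles without QEMU/PANDA headers; in a real plugin `asid`, `pc` and `size` would come from `panda_current_asid(cpu)`, `tb->pc` and `tb->size`. One deliberate detail: the example masks the block's last byte (`pc + size - 1`), so a block that ends exactly on a page boundary is not credited with the following page.

```cpp
// Added example (not PANDA's or the poster's code): per-ASID set of guest
// virtual code pages that executed translation blocks have covered, using
// the pc/size-based page computation instead of tb->page_addr[].
//
// Stand-alone model: TARGET_PAGE_BITS, the TB fields and the callback
// arguments are plain values so it builds without QEMU/PANDA headers.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <unordered_map>
#include <unordered_set>
#include <vector>

using target_ulong = uint64_t;

// 4 KiB pages, as on x86 and most guest targets (assumption for the model).
constexpr unsigned TARGET_PAGE_BITS = 12;
constexpr target_ulong TARGET_PAGE_SIZE = target_ulong(1) << TARGET_PAGE_BITS;
constexpr target_ulong TARGET_PAGE_MASK = ~(TARGET_PAGE_SIZE - 1);

// ASID -> set of executed code pages. unordered_set gives O(1) average
// membership tests, versus the O(n) std::find over a std::list.
using PageSet = std::unordered_set<target_ulong>;
static std::unordered_map<target_ulong, PageSet> executed_pages;

// Pages spanned by a block of `size` bytes starting at `pc`. A QEMU TB
// never crosses more than one page boundary, so this is one or two pages.
// The last byte is pc + size - 1: masking pc + size instead would credit
// the next page to a block that ends exactly on a page boundary.
static std::vector<target_ulong> tb_pages(target_ulong pc, size_t size) {
    std::vector<target_ulong> pages;
    target_ulong first = pc & TARGET_PAGE_MASK;
    pages.push_back(first);
    if (size > 0) {
        target_ulong last = (pc + size - 1) & TARGET_PAGE_MASK;
        if (last != first)
            pages.push_back(last);
    }
    return pages;
}

// Model of the PANDA_CB_BEFORE_BLOCK_EXEC callback body: record this block's
// pages under the current ASID. `in_kernel` stands in for panda_in_kernel();
// user-mode-only tracking skips kernel blocks. Returns how many pages were
// newly added (0 if every page was already seen).
static size_t record_block(target_ulong asid, bool in_kernel,
                           target_ulong pc, size_t size) {
    if (in_kernel)
        return 0;
    size_t added = 0;
    PageSet &pages = executed_pages[asid];
    for (target_ulong page : tb_pages(pc, size))
        if (pages.insert(page).second)
            ++added;
    return added;
}

// Number of distinct code pages recorded for an address space.
static size_t pages_seen(target_ulong asid) {
    auto it = executed_pages.find(asid);
    return it == executed_pages.end() ? 0 : it->second.size();
}

int main() {
    // Constructed sample blocks: (asid, in_kernel, pc, size)
    record_block(0x1000, false, 0x401000, 0x20);           // page 0x401000
    record_block(0x1000, false, 0x401ff0, 0x20);           // crosses into 0x402000
    record_block(0x1000, false, 0x402ff0, 0x10);           // ends at 0x403000, stays on 0x402000
    record_block(0x1000, true,  0xffffffff81000000ULL, 8); // kernel block, skipped
    record_block(0x2000, false, 0x401000, 0x20);           // a different address space
    for (const auto &kv : executed_pages) {
        std::printf("asid %#llx:", (unsigned long long)kv.first);
        for (target_ulong p : kv.second)
            std::printf(" %#llx", (unsigned long long)p);
        std::printf("\n");
    }
    return 0;
}
```

Filtering by process name can be layered on top by mapping ASIDs to names whenever OSI does succeed, so that a transient OSI failure loses no blocks; the mapping itself is left out of the model above.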
