moyix / panda Goto Github PK

Deprecated repo for PANDA 1.0 – see PANDA 2.0 repository

Home Page: http://github.com/panda-re/panda

Python 0.71% Shell 0.18% Makefile 0.57% C 83.21% C++ 9.12% Haxe 0.40% Objective-C 1.53% Protocol Buffer 0.02% Batchfile 0.01% Assembly 1.49% Forth 2.11% Perl 0.47% PHP 0.10% HTML 0.01% Groff 0.01% GDB 0.01% F# 0.01% QMake 0.01% XSLT 0.05% Lex 0.01%

panda's Introduction

PANDA

This repository is deprecated. Please refer to PANDA 2.

No new updates will be made to this repository.

PANDA is an open-source Platform for Architecture-Neutral Dynamic Analysis. It is built upon the QEMU whole system emulator, and so analyses have access to all code executing in the guest and all data. PANDA adds the ability to record and replay executions, enabling iterative, deep, whole system analyses. Further, the replay log files are compact and shareable, allowing for repeatable experiments. A nine billion instruction boot of FreeBSD, e.g., is represented by only a few hundred MB. PANDA leverages QEMU's support of thirteen different CPU architectures to make analyses of those diverse instruction sets possible within the LLVM IR. In this way, PANDA can have a single dynamic taint analysis, for example, that precisely supports many CPUs. PANDA analyses are written in a simple plugin architecture which includes a mechanism to share functionality between plugins, increasing analysis code re-use and simplifying complex analysis development.

It is currently being developed in collaboration with MIT Lincoln Laboratory, NYU, and Northeastern University.

Building

Because PANDA has a few dependencies, we've encoded the build instructions into a script, panda_install.bash. The script should actually work on Debian 7/8 and Ubuntu 14.04, and it shouldn't be hard to translate the apt-get commands into whatever package manager your distribution uses. We currently only vouch for buildability on Debian 7/8 and Ubuntu 14.04, but we welcome pull requests to fix issues with other distros.

Note that if you want to use our LLVM features (mainly the dynamic taint system), you will need to install LLVM 3.3 from OS packages or compiled from source. On Ubuntu 14.04 this will happen automatically via panda_install.bash.

We don't currently support building on Mac/BSD, although it shouldn't be impossible with a few patches. We do rely on a few Linux-specific APIs.

Support

If you need help with PANDA, or want to discuss the project, you can join our IRC channel at #panda-re on Freenode, or join the PANDA mailing list.

We have a basic manual here.

PANDA Plugins

Details about the architecture-neutral plugin interface can be found in docs/PANDA.md. Existing plugins and tools can be found in qemu/panda_plugins and qemu/panda_tools.

Record/Replay

PANDA currently supports whole-system record/replay execution of x86, x86_64, and ARM guests. Documentation can be found in docs/record_replay.md.

Android Support

PANDA supports ARMv7 Android guests, running on the Goldfish emulated platform. Documentation can be found in docs/Android.md.

Publications

[1] B. Dolan-Gavitt, T. Leek, J. Hodosh, W. Lee. Tappan Zee (North) Bridge: Mining Memory Accesses for Introspection. 20th ACM Conference on Computer and Communications Security (CCS), Berlin, Germany, November 2013.
[2] R. Whelan, T. Leek, D. Kaeli. Architecture-Independent Dynamic Information Flow Tracking. 22nd International Conference on Compiler Construction (CC), Rome, Italy, March 2013.
[3] B. Dolan-Gavitt, J. Hodosh, P. Hulin, T. Leek, R. Whelan. Repeatable Reverse Engineering with PANDA. 5th Program Protection and Reverse Engineering Workshop, Los Angeles, California, December 2015.
[4] M. Stamatogiannakis, P. Groth, H. Bos. Decoupling Provenance Capture and Analysis from Execution. 7th USENIX Workshop on the Theory and Practice of Provenance, Edinburgh, Scotland, July 2015.
[5] B. Dolan-Gavitt, P. Hulin, T. Leek, E. Kirda, A. Mambretti, W. Robertson, F. Ulrich, R. Whelan. LAVA: Large-scale Automated Vulnerability Addition. 37th IEEE Symposium on Security and Privacy, San Jose, California, May 2016.

License

GPLv2.

Acknowledgements

This work was sponsored by the Assistant Secretary of Defense for Research and Engineering under Air Force Contract #FA8721-05-C-0002.

panda's People

Contributors

Stargazers

Watchers

panda's Issues

PANDA 1.0 record cannot handle a record file that is more than 2GB

I am experiencing the following problem with PANDA recording. We use PANDA 1.0.

I record back-to-back record files that each last 2 minutes. Each record file has a certain amount of size in bits. It seems that when the record size is more than 2GB, there is a casting overflow problem. And the linux (host) cannot handle it, PANDA record crashes, and of course the guest stops. Specifically, I think that the guest or the host "translates" the record (filesize) 2GB into some thousands of terrabytes (due to the potential casting error), and I get the error:
Glib-ERROR **: build/buildd/gliz2.40.2/./glib/gmem.c:103: failed to allocate 18446744071595337090 bytes.

Overall, it seems that PANDA cannot handle more than 2GB record filesize (more precisely, PANDA cannot handle a workload (in the guest) that corresponds to a record size higher than 2GB ). Has anyone got this issue before?

It's really annoying to not be able to record a heavy workload because the record filesize might exceed 2GB and PANDA crash.

Doubts in the pmemaccess command in QEMU v5.1 and PANDA v1.0

I apologize if I put my question here in PANDA v1.0, as I was hesitant to put it in the new PANDA v2.0.

I am experimenting with your pmemaccess plugin, it is super interesting, since it exposes the physical memory of a guest VM through a linux socket.

According to what I read, once the connection is made through the socket, you can use the socket in whatever you want, I want to see the life memory of a guest VM. I used the plugin pmemaccess, in the command line of qemu-systemx86_64 ... -panda pmemaccess:path=/tmp/socket1,mode=0 (or I change it to mode 1), as through the console of it. What I did was occupy the volatility (example: volatility sockets -f socket1), I did not specify any profile, I just want it to be able to "open communication" with the socket, once I did it, both in volatility and In the QEMU-PANDA console it sends me the message that it is connected. Once I verify that the console tells me that the communication is already done, I open another terminal and use the socat to see how the data flows, through the socket (example: socat -t100 -x -v UNIX-LISTEN:/path/to/sock,mode=777,reuseaddr,fork UNIX-CONNECT:/path/to/sock.original).

And according to, you should see the data flow, but, nothing happens, it does not send me any message. Literally, it does not send me anything, only the cursor blinks, I did the test with an Arch ISO image, then I used an image with windows 7 64 bits. And again nothing.

I also comment, that in addition, I put that same complement in the QEMU v5.1.0 and the result is the same, I create the socket in the qemu console, I link it with the volatility and nothing.

I occupy a sony vaio i5, 8 gigs of memory
Kali 2020.3 64 bits.

I hope you can help me to see if it is possible to see the guest's memory live.

Thanks for your time and advice in advance.

What is the easiest way to run this on Windows 10?

I have an exe file that makes encrypted SSL connection to its server. I would like to be able to intercept it and capture the key. Should I run this inside Docker on Windows or a virtual machine or is there a better way?