panda-re / panda

Platform for Architecture-Neutral Dynamic Analysis
https://panda.re

Failed to use panda-loaded plugin in PyPanda. #1218

Open tylzh97 opened 2 years ago

tylzh97 commented 2 years ago

I have read the docs and issues, but cannot fix this problem. In https://github.com/panda-re/panda/blob/dev/panda/plugins/loaded/loaded.cpp#L121 I saw this plugin register on_library_load, and I'm trying to run my script:

```python
import capstone
md = capstone.Cs(capstone.CS_ARCH_X86, capstone.CS_MODE_32)
from pandare import Panda

panda = Panda(generic='i386')
cmd = "whoami"
panda.load_plugin("loaded")

# Register a Python callback for the loaded plugin's on_library_load PPP callback.
@panda.ppp("loaded", "on_library_load")
def waji_module_load(cpu, a, b, c, d):
    print("-+-+-+-+-> ", a, b, c, d)

# Revert to the "root" snapshot, run the command over serial, then stop.
@panda.queue_blocking
def run_cmd():
    panda.revert_sync("root")
    print(panda.run_serial_cmd(cmd))
    panda.end_analysis()

panda.run()
```

But the following ffi.error occurs:

```
using generic i386
os_name=[linux-32-ubuntu:4.4.200-170-generic]
PANDA[core]:os_familyno=2 bits=32 os_details=ubuntu:4.4.200-170-generic
[PYPANDA] Panda args: [/home/ware/.venv/panda/lib/python3.8/site-packages/pandare/data/i386-softmmu/libpanda-i386.so -L /home/ware/.venv/panda/lib/python3.8/site-packages/pandare/data/pc-bios /home/ware/.panda/ubuntu_1604_x86.qcow -display none -m 1024 -serial unix:/tmp/pypanda_sbqk_0ffj,server,nowait -monitor unix:/tmp/pypanda_mraxger8d,server,nowait]
PANDA[core]:loading required plugin loaded
PANDA[core]:initializing loaded
PANDA[core]:loading required plugin osi
PANDA[core]:initializing osi
PANDA[core]:loading required plugin osi_linux
PANDA[core]:initializing osi_linux
PANDA[osi_linux]:W> failed to read task.start_time_offset
PANDA[osi_linux]:W> failed to read task.switch_task_hook_addr
PANDA[osi_linux]:W> kernelinfo bytes [20-23] not read
PANDA[core]:loading required plugin syscalls2
PANDA[core]:initializing syscalls2
PANDA[syscalls2]:using profile for linux x86 32-bit
PANDA[core]:loading required plugin hooks
PANDA[core]:initializing hooks
PANDA[core]:loading required plugin osi_linux
PANDA[core]:/home/ware/.venv/panda/lib/python3.8/site-packages/pandare/data//i386-softmmu/panda/plugins//panda_osi_linux.so already loaded
PANDA[core]:loading required plugin syscalls2
PANDA[core]:/home/ware/.venv/panda/lib/python3.8/site-packages/pandare/data//i386-softmmu/panda/plugins//panda_syscalls2.so already loaded
Traceback (most recent call last):
  File "qwe.py", line 17, in <module>
    def waji_module_load(cpu, a, b, c, d):
  File "/home/ware/.venv/panda/lib/python3.8/site-packages/pandare/panda.py", line 2844, in decorator
    cast_rc = self.ffi.callback(attr+"_t")(_run_and_catch)  # Wrap the python fn in a c-callback.
ffi.error: undefined type name
on_library_load_t
^
```

I'm confused, please tell me how to use the ppp.loaded.on_library_load decorator in my script! Thanks!

jamcleod commented 2 years ago

From what I can tell, it seems like this is an issue with create_panda_datatypes.py not discovering this callback due to not having any headers named accordingly (no loaded_ppp.h). So effectively, the loaded plugin wasn't properly set up to support pypanda.

The fix would likely look something like how proc_start_linux handles it.

  1. rename loaded.h to loaded_ppp.h so that create_panda_datatypes.py discovers it
  2. include the BEGIN_PYPANDA_NEEDS_THIS and END_PYPANDA_NEEDS_THIS comments.

Then, to test, you'd need to run setup.py in panda/python/core to rebuild/install the python package. After that cffi should have access to the function pointer typedef (on_library_load_t) needed for the callback function.
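To make the two steps above concrete before rebuilding the package, here is a small added checker (not part of the PANDA project or of anyone's comment in this thread) that applies the discovery rule as described: only headers named `*_ppp.h` are considered, and only the text between the `BEGIN_PYPANDA_NEEDS_THIS` and `END_PYPANDA_NEEDS_THIS` comments is exported to cffi. The sample header contents are constructed, and the `on_library_load_t` signature in them is an assumption based on the five-argument callback in the script (the real `loaded.h` may differ); the real `create_panda_datatypes.py` is likely stricter than this regex.

```python
import re

BEGIN = "BEGIN_PYPANDA_NEEDS_THIS"
END = "END_PYPANDA_NEEDS_THIS"

# Matches a C function-pointer typedef such as
#   typedef void (*on_library_load_t)(CPUState *cpu, ...);
# and captures the type name. Multi-line declarations work because [^;]
# also matches newlines.
TYPEDEF_RE = re.compile(r"typedef\s+[^;]*?\(\s*\*\s*(\w+)\s*\)[^;]*;")

# Constructed sample headers keyed by file name. The signature of
# on_library_load_t is an assumption, not copied from the project.
SAMPLE_HEADERS = {
    # State described in the issue: plain loaded.h, no markers.
    "loaded.h": """\
#ifndef __LOADED_H__
#define __LOADED_H__
typedef void (*on_library_load_t)(CPUState *cpu, target_ulong pc, char *libname,
                                   target_ulong base_addr, target_ulong size);
#endif
""",
    # The shape suggested above: renamed to *_ppp.h and wrapped in the markers.
    "loaded_ppp.h": """\
#ifndef __LOADED_PPP_H__
#define __LOADED_PPP_H__
// BEGIN_PYPANDA_NEEDS_THIS -- do not delete this comment!
typedef void (*on_library_load_t)(CPUState *cpu, target_ulong pc, char *libname,
                                   target_ulong base_addr, target_ulong size);
// END_PYPANDA_NEEDS_THIS -- do not delete this comment!
#endif
""",
}


def exported_region(header_text):
    """Return the text between the BEGIN/END markers, or None if absent."""
    start = header_text.find(BEGIN)
    end = header_text.find(END)
    if start == -1 or end == -1 or end < start:
        return None
    return header_text[start + len(BEGIN):end]


def collect_ppp_typedefs(headers):
    """Map typedef name -> one-line declaration for every *_ppp.h header
    that carries the markers; everything else is ignored, as in the issue."""
    found = {}
    for name, text in headers.items():
        if not name.endswith("_ppp.h"):
            continue  # loaded.h is never looked at, whatever it contains
        region = exported_region(text)
        if region is None:
            continue  # named correctly but nothing exported
        for m in TYPEDEF_RE.finditer(region):
            found[m.group(1)] = " ".join(m.group(0).split())
    return found


def diagnose(headers, cb_type):
    """Explain why cffi would (or would not) know about cb_type."""
    ppp_headers = {n: t for n, t in headers.items() if n.endswith("_ppp.h")}
    if not ppp_headers:
        return "no *_ppp.h header found"
    if all(exported_region(t) is None for t in ppp_headers.values()):
        return "markers missing"
    if cb_type not in collect_ppp_typedefs(headers):
        return "typedef not inside exported region"
    return "ok"


if __name__ == "__main__":
    # Before the fix: only loaded.h exists, so the typedef is never exported.
    print(diagnose({"loaded.h": SAMPLE_HEADERS["loaded.h"]}, "on_library_load_t"))
    # After the fix: loaded_ppp.h with markers exports on_library_load_t.
    print(diagnose(SAMPLE_HEADERS, "on_library_load_t"))
    print(collect_ppp_typedefs(SAMPLE_HEADERS))
```

Running the script prints the "before" diagnosis, the "after" diagnosis, and the exported typedef; the middle case (a header that is renamed but still lacks the markers) is reported as "markers missing", which is the same `undefined type name` failure from cffi's point of view.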

AndrewFasano commented 2 years ago

Yeah, @jamcleod is exactly right - plugins need to explicitly support the PyPANDA PPP interface by making sure their header files are organized as he described, and it looks like the loaded plugin doesn't (yet) have that. If you're able to make those changes, we'd love to merge a fix! Otherwise you can wait until someone else eventually gets around to it.