something like syscalls2 for non-syscall operating system functions?

[hanetzer]

Say for instance someone wanted to catch all uses of RtlZeroMemory (macro which calls memset to set a given range of memory to 0) within a windows playback, how would you go about doing this? As far as I can tell its not a proper syscall.

[m000]

I'd say first you need to identify the address of memset. If this is in a fixed location in Windows, you just need to look it up in the debug symbols. Otherwise you'll need to devise some heuristic. Knowing when memset is called, you'll then need to filter-out cases where it is called through RtlZeroMemory. Since macros only exist at source-code level, this will also involve some sort of heuristics. callstack_instr plugin may come handy.

Note: Not an expert in Windows/callstack_instr.

[hanetzer]

Well on second look at the dll (ntdll.dll) in ida/objdump show's this function/whatever is pretty much identical to reactos's code, and both objdump and ida say it lives at 0x77ef5c90. I'm not sure how these map to one another, as objdump -p ntdll.dll says it has a base address of 0x77ec0000 but osi_test puts it at 0x77af0000.

Assuming that I do have said address (I'm guessing I basically rebase it), how would I go about logging it and the args passed to it (it takes two; Destination and Length, which are a void* and size_t respectively)? The idea is, I'd use some form of panda memory read to dump the zero'd memory to a file before its erased.

[AndrewFasano]

Take a look at the hooks plugin. That provides an API where you can register a function that should be called before the guest begins executing code at a given basic block.

It's designed to be used with the python interface which has some code to ensure the hook only runs when in the right process so you'd either need to reimplement that logic or use the python interface

[hanetzer]

@AndrewFasano neat. As I had mentioned before, I cant seem to build a large amount of the stuff on my machine so I've been using the docker image (and extending it). What would it look like to 'just use' this, assuming I'll write the code later?

[AndrewFasano]

Here's a Linux-based example that logs whenever the kernel functions system_call or sys_access are called. The kallsyms dictionary is just a mapping of kernel symbol names to addresses.

https://github.com/panda-re/panda/blob/master/panda/python/examples/hooking.py

If you use the python interface it should be straightforward, you'd just change the address that's hooked to be the address of RtlZeroMemory or you're interested in.

[hanetzer]

But what I mean is, is the process python panda/python/examples/hooking.py (assuming you already installed the python library) or what?

[AndrewFasano]

Yeah, and the library should already be installed in the docker container. As mentioned in the comments for that script, you'll need to run the util/generate_kallsyms.py script to extract the kallsyms mapping of kernel symbols to addresses first.

[hanetzer]

Yeah, windows tho. so I'll have to take another tack here.

[hanetzer]

And this appears to want a premade wheezy image, how do I go about using my own recording?

[hanetzer]

Ah, I seem to have figured this out. However, video device issues have arose: Could not initialize SDL(No available video device) - exiting. Probably missing something really simple.

[hanetzer]

'Appears' to be working. Nothing is happening visibly, other than starting and ending the record playback. Eyeballing example_fwrite says I should be able to hook by libname and address, not quite sure how to map these values into pypanda.

[hanetzer]

Hmm. Is there a method to report when functions are called from libraries? Would make it a bit easier to figure out what to feed to the hook decorators.

[hanetzer]

christ, I can't make this thing make even a single lick of noise.

[github-actions[bot]]

Stale issue message