panda-re / panda

Platform for Architecture-Neutral Dynamic Analysis
https://panda.re

Segment Fault when using PyPanda for Win7 app's dynamic tracing #755

Closed windhl closed 4 years ago

windhl commented 4 years ago

Hi everyone, I am using pypanda to trace Win7 applications and I get a segmentation fault.

pypanda-tracer.py

```python
from sys import argv
from panda import blocking, Panda, ffi

panda = Panda(generic="win7")

# OSI plus the Win7 x86 introspection provider give us process info per block
panda.load_plugin("syscalls2")
panda.load_plugin("osi")
panda.load_plugin("win7x86intro")

printed = set()
ctr = 0

@panda.cb_before_block_exec
def bbe(cpu, tb):
    # Ask OSI for the current process and print each (name, pid) once
    proc = panda.plugins['osi'].get_current_process(cpu)
    name = ffi.string(proc.name)
    if proc.pid not in printed:
        printed.add(proc.pid)
        print(name, proc.pid)

record_name = "win7test"
panda.run_replay(record_name)
```

The script only gets a few correct process names and PIDs before the segfault comes. Here is the call stack:

```
#0  convert_to_object (data=0x10 <error: Cannot access memory at address 0x10>, ct=0x7ffff66f3a98) at c/_cffi_backend.c:1041
#1  0x0000000000576f1b in _PyEval_EvalFrameDefault () at ../Python/ceval.c:2872
#2  0x000000000057ed45 in PyEval_EvalFrameEx (throwflag=0,
    f=Frame 0x7ffff365b5b8, for file tracer.py, line 19, in bbe (cpu=<_cffi_backend._CDataBase at remote 0x7ffff3726418>, tb=<_cffi_backend._CDataBase at remote 0x7ffff37265a8>, proc=<_cffi_backend._CDataBase at remote 0x7ffff37263f0>)) at ../Python/ceval.c:754
#3  _PyEval_EvalCodeWithName (qualname=0x0, name=0x0, closure=0x0, kwdefs=0x0, defcount=, defs=0x0, kwstep=2, kwcount=, kwargs=0x7ffff7f95068, kwnames=0x7ffff7f95060,
    argcount=<optimized out>, args=<optimized out>, locals=<optimized out>, globals=<optimized out>, _co=<optimized out>) at ../Python/ceval.c:4166
#4  PyEval_EvalCodeEx () at ../Python/ceval.c:4187
#5  0x00000000004fc764 in function_call () at ../Objects/funcobject.c:604
#6  0x00000000004e8b5a in PyObject_Call () at ../Objects/abstract.c:2261
#7  0x00000000005785c0 in do_call_core (kwdict={}, callargs=(<_cffi_backend._CDataBase at remote 0x7ffff3726418>, <_cffi_backend._CDataBase at remote 0x7ffff37265a8>), func=<function at remote 0x7ffff372d950>)
    at ../Python/ceval.c:5120
#8  _PyEval_EvalFrameDefault () at ../Python/ceval.c:3404
#9  0x000000000057f071 in PyEval_EvalFrameEx (throwflag=0,
    f=Frame 0x7fffac011448, for file /usr/local/lib/python3.6/dist-packages/panda/main.py, line 1934, in _run_and_catch (args=(<_cffi_backend._CDataBase at remote 0x7ffff3726418>, <_cffi_backend._CDataBase at remote 0x7ffff37265a8>), kwargs={})) at ../Python/ceval.c:754
#10 _PyEval_EvalCodeWithName (qualname=0x0, name=0x0, closure=(<cell at remote 0x7ffff372b438>, <cell at remote 0x7ffff372b3d8>), kwdefs=0x0, defcount=, defs=0x0, kwstep=2, kwcount=,
    kwargs=0x0, kwnames=0x0, argcount=<optimized out>, args=<optimized out>, locals=<optimized out>, globals=<optimized out>, _co=<optimized out>) at ../Python/ceval.c:4166
#11 PyEval_EvalCodeEx () at ../Python/ceval.c:4187
#12 0x00000000004fc663 in function_call () at ../Objects/funcobject.c:604
#13 0x00000000004e8b5a in PyObject_Call () at ../Objects/abstract.c:2261
#14 0x00007ffff51e94e7 in general_invoke_callback (userdata=0x7ffff35edea8, args=0x7fffb1c04c60 "PM\300\261\377\177", result=0x7fffb1c04e00, decode_args_from_libffi=1) at c/_cffi_backend.c:6100
#15 invoke_callback (cif=, result=0x7fffb1c04e00, args=0x7fffb1c04c60, userdata=0x7ffff35edea8) at c/_cffi_backend.c:6175
#16 0x00007ffff4fc8776 in ffi_closure_unix64_inner () from /usr/local/lib/python3.6/dist-packages/cffi.libs/libffi-806b1a9d.so.6.0.4
#17 0x00007ffff4fc8f54 in ffi_closure_unix64 () from /usr/local/lib/python3.6/dist-packages/cffi.libs/libffi-806b1a9d.so.6.0.4
#18 0x00007ffff0810610 in panda_callbacks_before_block_exec (cpu=cpu@entry=0x11622f0, tb=tb@entry=0x7fffb2997498) at /data/panda/panda/src/cb-support.c:49
#19 0x00007ffff086115b in cpu_tb_exec (itb=, cpu=0x11622f0) at /data/panda/cpu-exec.c:188
#20 cpu_loop_exec_tb (sc=0x7fffb1c04ec0, tb_exit=, last_tb=, tb=, cpu=0x11622f0) at /data/panda/cpu-exec.c:673
#21 cpu_exec (cpu=cpu@entry=0x11622f0) at /data/panda/cpu-exec.c:864
#22 0x00007ffff088317b in tcg_cpu_exec (cpu=0x11622f0) at /data/panda/cpus.c:1200
#23 qemu_tcg_cpu_thread_fn (arg=) at /data/panda/cpus.c:1298
#24 0x00007ffff7bc16ba in start_thread (arg=0x7fffb1c05700) at pthread_create.c:333
#25 0x00007ffff6da44dd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
```

It is far away from the QEMU code, so where should I focus to solve this problem? Thanks!

windhl commented 4 years ago

When I replace the implementation of callback_before_block_execute with only a print, there is no bug. So I think it is the cffi use in the callback?
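Frame 0 of the backtrace faults inside cffi's `convert_to_object` while reading `data=0x10`, and the Python frame above it is the `ffi.string(proc.name)` line. A fault at a tiny address like that is the usual shape of reading a struct field through a NULL pointer: the address touched is just the field's offset from zero. The callback dereferences whatever `get_current_process` returns without checking it, so the defensive version guards against a NULL process record before touching `proc.name` or `proc.pid`. The example below is added here and is not code from the issue or from PANDA; it models the pattern with the standard library's `ctypes` so it runs without a guest or pypanda, and the struct layout, the `NULL_PROC` stand-in for `ffi.NULL`, and the sample process sequence are all constructed for the example.

```python
import ctypes


# Constructed stand-in for the process record OSI hands back. The field set,
# order and types are an assumption for this example, not PANDA's real
# osi_proc_struct layout.
class OsiProc(ctypes.Structure):
    _fields_ = [
        ("taskd", ctypes.c_uint64),
        ("asid", ctypes.c_uint64),
        ("pid", ctypes.c_int32),
        ("ppid", ctypes.c_int32),
        ("name", ctypes.c_char_p),
    ]


OsiProcPtr = ctypes.POINTER(OsiProc)

# Plays the role of ffi.NULL: what a lookup returns when introspection cannot
# resolve the current process for this block.
NULL_PROC = OsiProcPtr()


def make_proc(pid, name):
    """Pointer to a constructed OsiProc (sample data, not read from any guest)."""
    proc = OsiProc(taskd=0, asid=0, pid=pid, ppid=0, name=name)
    return ctypes.pointer(proc)  # the pointer keeps the struct (and name bytes) alive


def field_offset(field_name):
    """Offset of a field in the constructed struct.

    Reading that field through a NULL base touches exactly this address, which
    is how a 'Cannot access memory at address 0x10'-style fault arises."""
    return getattr(OsiProc, field_name).offset


def describe_proc(proc):
    """Return (name, pid) for a valid record, or None when proc is NULL.

    This is the check the crashing callback lacked: in pypanda it would be
    `if proc == ffi.NULL: return` before any ffi.string(proc.name)."""
    if not proc:  # NULL pointers are falsy in ctypes
        return None
    rec = proc.contents
    # The name pointer inside a valid record can itself be NULL; ffi.string on
    # it would fault too, so substitute a marker instead of dereferencing.
    name = rec.name if rec.name is not None else b"<no name>"
    return name.decode("utf-8", errors="replace"), rec.pid


class ProcessLogger:
    """Prints each (name, pid) once, like the issue's `printed` set, and counts
    blocks where OSI returned no process instead of crashing on them."""

    def __init__(self):
        self.printed = set()
        self.skipped = 0

    def on_block(self, proc):
        info = describe_proc(proc)
        if info is None:
            self.skipped += 1
            return None
        name, pid = info
        if pid not in self.printed:
            self.printed.add(pid)
            print(name, pid)
            return info
        return None


def run_sample():
    """Drive the logger over a constructed sequence of per-block lookup results."""
    seq = [
        make_proc(4, b"System"),
        NULL_PROC,                      # introspection failed for this block
        make_proc(4, b"System"),        # same pid again: not re-printed
        make_proc(1234, b"notepad.exe"),
        make_proc(99, None),            # valid record whose name pointer is NULL
    ]
    logger = ProcessLogger()
    reported = [r for r in (logger.on_block(p) for p in seq) if r is not None]
    return reported, logger.skipped


if __name__ == "__main__":
    reported, skipped = run_sample()
    print("reported:", reported, "skipped:", skipped)
```

When porting the guard back into the pypanda callback, compare the returned cdata against `ffi.NULL` and return early; with the guard in place a block where introspection has nothing to report is simply skipped, and the replay keeps running instead of taking the whole QEMU thread down from inside the libffi closure shown in frames 14 to 18.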