panda-re / panda

Platform for Architecture-Neutral Dynamic Analysis
https://panda.re

get_process_name gets a thread name in a multi-threading program #960

Closed fengjian closed 3 years ago

fengjian commented 3 years ago

```python
import os
from pandare import Panda

# Assumed setup, not shown in the original report: a generic x86_64 guest
# (the log below comes from x86_64-softmmu); OSI is pulled in by the hooks
# and syscalls2 plugins.
panda = Panda(generic="x86_64")

target_bin = "selinux"

# Fire on every exported symbol of libssl and print the current task name
@panda.hook_symbol("libssl", None, name="hook_ssl_symbols")
def hook_ssl_symbols(cpu, tb, h):
    procname = panda.get_process_name(cpu)
    libname = panda.ffi.string(h.sym.section).decode("utf-8", 'ignore')
    symname = panda.ffi.string(h.sym.name).decode("utf-8", 'ignore')
    #if procname == target_bin:
    print(f"{procname} {libname} {symname}")

# Report when the target binary is exec'd (the file name is read from the guest)
@panda.ppp("syscalls2", "on_sys_execve_enter")
def on_sys_execve_enter(cpu, pc, fname_ptr, argv_ptr, envp):
    if panda.in_kernel(cpu):
        return
    try:
        procname = panda.get_process_name(cpu)
        fname = panda.read_str(cpu, fname_ptr)
        if os.path.basename(fname) == target_bin:
            # argv is read as a list of guest pointers (unused here)
            argv_ptrlist = panda.virtual_memory_read(cpu, argv_ptr, 104, fmt='ptrlist')
            print(f"[hook] proc:{procname} sys_exceve_enter: {fname}")
    except ValueError:
        # guest memory not mapped / not readable at this point
        return

panda.run()  # assumed: the original run/replay invocation is not shown
```
```text
[PYPANDA] setup_sh = [mkdir -p target; while ! mount /dev/cdrom target; do sleep 0.3;  umount /dev/cdrom; done; target/setup.sh &> /dev/null || true ]
PANDA[core]:loading required plugin osi
PANDA[core]:/panda/build//x86_64-softmmu/panda/plugins//panda_osi.so already loaded
[PYPANDA] mount: /root/target: WARNING: device write-protected, mounted read-only.

[hook] proc:bash sys_exceve_enter: /tmp/selinux
selinux libssl.so.10 _init
reqwest-interna libssl.so.10 SSLv23_method
reqwest-interna libssl.so.10 SSL_library_init
reqwest-interna libssl.so.10 SSL_COMP_get_compression_methods
reqwest-interna libssl.so.10 ssl_load_ciphers
reqwest-interna libssl.so.10 SSL_load_error_strings
reqwest-interna libssl.so.10 ERR_load_SSL_strings
reqwest-interna libssl.so.10 SSL_CTX_new
reqwest-interna libssl.so.10 SSL_get_ex_data_X509_STORE_CTX_idx
```
lacraig2 commented 3 years ago

osi_linux finds the task name from the task struct comm field. If the thread changed its name to reqwest-interna there's not much we can do about that. That's the name of the task_struct now.

You can write some logic around the osi get_current_thread idea to keep track of separate threads by TID while keeping the same PID associated.

You could also run through get_processes and check if one matching your PID matches your name filter.
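One way to follow both suggestions above, as an added example that is neither the panda project's code nor the reporter's: record the PID of the target process when it is exec'd, and in the libssl hook decide by the current thread's PID (its thread-group id) rather than by the task's `comm` name, which any thread may rewrite. The pure-Python part runs on its own with constructed data; the `register_hooks` function shows the pypanda glue and is only called when a `Panda` object is available. Assumptions: `panda.plugins["osi"].get_current_process` / `get_current_thread` return cffi structs with `pid` / `tid` fields, `panda.get_processes` returns OsiProc structs with `pid` and `name`, and `on_sys_exit_group_enter` is the syscalls2 callback name for `exit_group`.

```python
import os
from dataclasses import dataclass, field


@dataclass
class ProcessTracker:
    """Remembers the PIDs of processes whose exec'd image name matched a target."""
    target_names: set
    pids: dict = field(default_factory=dict)  # pid -> image name seen at execve

    def on_execve(self, pid, fname):
        """Returns True if fname names a target; PID is unchanged by execve, so it can be recorded now."""
        name = os.path.basename(fname)
        if name in self.target_names:
            self.pids[pid] = name
            return True
        return False

    def on_exit(self, pid):
        self.pids.pop(pid, None)

    def is_target(self, pid):
        return pid in self.pids


def find_process_name(procs, pid):
    """Alternative from the thread: scan the OSI process list ((pid, name) pairs,
    thread-group leaders only) for the PID and return the leader's name, or None."""
    for p_pid, p_name in procs:
        if p_pid == pid:
            return p_name
    return None


def demo():
    """Constructed data mirroring the report: the 'selinux' process (pid 1234)
    has a worker thread that renamed itself 'reqwest-interna'."""
    tracker = ProcessTracker({"selinux"})
    tracker.on_execve(1234, "/tmp/selinux")
    current_thread = {"pid": 1234, "tid": 1240, "comm": "reqwest-interna"}
    process_list = [(1, "systemd"), (800, "bash"), (1234, "selinux")]
    return {
        "comm_name": current_thread["comm"],                      # what get_process_name shows
        "by_pid": find_process_name(process_list, current_thread["pid"]),
        "is_target": tracker.is_target(current_thread["pid"]),
    }


def register_hooks(panda, tracker):
    """pypanda glue (assumed API names, see lead-in); not executed in the demo."""
    osi = panda.plugins["osi"]

    @panda.ppp("syscalls2", "on_sys_execve_enter")
    def on_execve(cpu, pc, fname_ptr, argv_ptr, envp):
        if panda.in_kernel(cpu):
            return
        try:
            fname = panda.read_str(cpu, fname_ptr)
        except ValueError:
            return
        proc = osi.get_current_process(cpu)
        if proc != panda.ffi.NULL:
            tracker.on_execve(proc.pid, fname)

    @panda.ppp("syscalls2", "on_sys_exit_group_enter")
    def on_exit_group(cpu, pc, error_code):
        proc = osi.get_current_process(cpu)
        if proc != panda.ffi.NULL:
            tracker.on_exit(proc.pid)

    @panda.hook_symbol("libssl", None, name="ssl_by_pid")
    def ssl_hook(cpu, tb, h):
        thread = osi.get_current_thread(cpu)   # .pid is the thread-group id, .tid the task id
        if thread == panda.ffi.NULL or not tracker.is_target(thread.pid):
            return
        symname = panda.ffi.string(h.sym.name).decode("utf-8", "ignore")
        print(f"pid={thread.pid} tid={thread.tid} {tracker.pids[thread.pid]} {symname}")


if __name__ == "__main__":
    print(demo())
```

With the demo data, the `comm`-based name is `reqwest-interna` while the PID-based lookup still yields `selinux`, which is the distinction the thread is about; in a live run the tracker's dictionary should be cleared on `exit_group` so a recycled PID is not mistaken for the target.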

fengjian commented 3 years ago

> osi_linux finds the task name from the task struct comm field. If the thread changed its name to reqwest-interna there's not much we can do about that. That's the name of the task_struct now.
>
> You can write some logic around the osi get_current_thread idea to keep track of separate threads by TID while keeping the same PID associated.
>
> You could also run through get_processes and check if one matching your PID matches your name filter.

Thanks! I understand. It's better to rename to get_task_name