moyix / panda Goto Github PK

I apologize if I put my question here in PANDA v1.0, as I was hesitant to put it in the new PANDA v2.0.

I am experimenting with your pmemaccess plugin, it is super interesting, since it exposes the physical memory of a guest VM through a linux socket.

According to what I read, once the connection is made through the socket, you can use the socket in whatever you want, I want to see the life memory of a guest VM. I used the plugin pmemaccess, in the command line of qemu-systemx86_64 ... -panda pmemaccess:path=/tmp/socket1,mode=0 (or I change it to mode 1), as through the console of it. What I did was occupy the volatility (example: volatility sockets -f socket1), I did not specify any profile, I just want it to be able to "open communication" with the socket, once I did it, both in volatility and In the QEMU-PANDA console it sends me the message that it is connected. Once I verify that the console tells me that the communication is already done, I open another terminal and use the socat to see how the data flows, through the socket (example: socat -t100 -x -v UNIX-LISTEN:/path/to/sock,mode=777,reuseaddr,fork UNIX-CONNECT:/path/to/sock.original).

And according to, you should see the data flow, but, nothing happens, it does not send me any message. Literally, it does not send me anything, only the cursor blinks, I did the test with an Arch ISO image, then I used an image with windows 7 64 bits. And again nothing.

I also comment, that in addition, I put that same complement in the QEMU v5.1.0 and the result is the same, I create the socket in the qemu console, I link it with the volatility and nothing.

I occupy a sony vaio i5, 8 gigs of memory
Kali 2020.3 64 bits.

I hope you can help me to see if it is possible to see the guest's memory live.

Thanks for your time and advice in advance.

I have an exe file that makes encrypted SSL connection to its server. I would like to be able to intercept it and capture the key. Should I run this inside Docker on Windows or a virtual machine or is there a better way?

I am experiencing the following problem with PANDA recording. We use PANDA 1.0.

I record back-to-back record files that each last 2 minutes. Each record file has a certain amount of size in bits. It seems that when the record size is more than 2GB, there is a casting overflow problem. And the linux (host) cannot handle it, PANDA record crashes, and of course the guest stops. Specifically, I think that the guest or the host "translates" the record (filesize) 2GB into some thousands of terrabytes (due to the potential casting error), and I get the error:
Glib-ERROR **: build/buildd/gliz2.40.2/./glib/gmem.c:103: failed to allocate 18446744071595337090 bytes.

Overall, it seems that PANDA cannot handle more than 2GB record filesize (more precisely, PANDA cannot handle a workload (in the guest) that corresponds to a record size higher than 2GB ). Has anyone got this issue before?

It's really annoying to not be able to record a heavy workload because the record filesize might exceed 2GB and PANDA crash.