panda-re / panda


Platform for Architecture-Neutral Dynamic Analysis

Home Page: https://panda.re

License: Other

Python 6.40% Shell 1.14% Makefile 0.30% C 85.39% C++ 5.12% Haxe 0.47% Objective-C 0.11% Assembly 0.46% Perl 0.30% Batchfile 0.01% GDB 0.01% Emacs Lisp 0.01% NSIS 0.01% GLSL 0.01% HTML 0.02% SmPL 0.01% Smarty 0.01% Dockerfile 0.02% Rust 0.25% Vim Script 0.01%
dynamic-analysis pandare pypanda qemu reverse-engineering

panda's People

Contributors

afaerber, agraf, aik, aliguori, andrewfasano, aurel32, avikivity, balrog-kun, berrange, blueswirl, bonzini, dgibson, ebblake, edgarigl, ehabkost, elmarco, gongleiarei, jan-kiszka, jnsnow, jwrdegoede, kevmw, kraxel, mstsirkin, pete128, phulin, pm215, rth7680, stefanharh, stweil, xanclic


panda's Issues

Compiling error on Debian Unstable (SID)

Hi. I'm trying to build PANDA on my system. I'm using Bunsen Labs, which is a Debian with Openbox, but I'm using the unstable (sid) repositories instead of stable.

First thing I noted: the llvm versions in the repository go from 3.5 up to 3.9, no 3.3. I don't know yet why it's locked down to this version, but is there any specific reason?

The main question: I followed the panda_install.bash manually. Everything went well, except the optional part of llvm, until the last command ./build.sh. The complete log is attached, but I'm pasting the last lines with errors here:

  CXX   /home/user/src/panda/panda/qemu/i386-softmmu/panda_plugins/textfinder.o
  CXX   /home/user/src/panda/panda/qemu/x86_64-softmmu/panda_plugins/stringsearch.o
  PLUGIN  /home/user/src/panda/panda/qemu/i386-softmmu/panda_plugins/panda_textfinder.so
  CXX   /home/user/src/panda/panda/qemu/i386-softmmu/panda_plugins/textprinter.o
syscalls2.cpp:373:6: error: ‘vector’ in namespace ‘std’ does not name a template type
 std::vector<void (*)(CPUState*, target_ulong)> preExecCallbacks;
      ^
syscalls2.cpp: In function ‘void registerExecPreCallback(void (*)(CPUX86State*, target_ulong))’:
syscalls2.cpp:376:5: error: ‘preExecCallbacks’ was not declared in this scope
     preExecCallbacks.push_back(callback);
     ^
syscalls2.cpp: In function ‘int exec_callback(CPUX86State*, target_ulong)’:
syscalls2.cpp:411:35: error: ‘preExecCallbacks’ was not declared in this scope
         for(const auto callback : preExecCallbacks){
                                   ^
../panda.mak:42: recipe for target '/home/user/src/panda/panda/qemu/x86_64-softmmu/panda_plugins/syscalls2.o' failed
make[2]: *** [/home/user/src/panda/panda/qemu/x86_64-softmmu/panda_plugins/syscalls2.o] Error 1
Makefile:564: recipe for target 'plugin-syscalls2' failed
make[1]: *** [plugin-syscalls2] Error 2
make[1]: *** Waiting for unfinished jobs....
  CXX   /home/user/src/panda/panda/qemu/i386-softmmu/panda_plugins/syscalls2.o
  PLUGIN  /home/user/src/panda/panda/qemu/x86_64-softmmu/panda_plugins/panda_stringsearch.so
  PLUGIN  /home/user/src/panda/panda/qemu/i386-softmmu/panda_plugins/panda_textprinter.so
Makefile:89: recipe for target 'subdir-x86_64-softmmu' failed
make: *** [subdir-x86_64-softmmu] Error 2
  CXX   /home/user/src/panda/panda/qemu/i386-softmmu/panda_plugins/gen_syscall_switch_enter_linux_arm.o
  CXX   /home/user/src/panda/panda/qemu/i386-softmmu/panda_plugins/stringsearch.o
  CXX   /home/user/src/panda/panda/qemu/i386-softmmu/panda_plugins/keyfind.o
  CXX   /home/user/src/panda/panda/qemu/i386-softmmu/panda_plugins/gen_syscall_switch_return_linux_arm.o
  CXX   /home/user/src/panda/panda/qemu/i386-softmmu/panda_plugins/gen_syscall_switch_enter_linux_x86.o
syscalls2.cpp:373:6: error: ‘vector’ in namespace ‘std’ does not name a template type
 std::vector<void (*)(CPUState*, target_ulong)> preExecCallbacks;
      ^
syscalls2.cpp: In function ‘void registerExecPreCallback(void (*)(CPUX86State*, target_ulong))’:
syscalls2.cpp:376:5: error: ‘preExecCallbacks’ was not declared in this scope
     preExecCallbacks.push_back(callback);
     ^
syscalls2.cpp: In function ‘int exec_callback(CPUX86State*, target_ulong)’:
syscalls2.cpp:411:35: error: ‘preExecCallbacks’ was not declared in this scope
         for(const auto callback : preExecCallbacks){
                                   ^
../panda.mak:42: recipe for target '/home/user/src/panda/panda/qemu/i386-softmmu/panda_plugins/syscalls2.o' failed
make[2]: *** [/home/user/src/panda/panda/qemu/i386-softmmu/panda_plugins/syscalls2.o] Error 1
make[2]: *** Waiting for unfinished jobs....
  CXX   /home/user/src/panda/panda/qemu/i386-softmmu/panda_plugins/tls_prf.o
  PLUGIN  /home/user/src/panda/panda/qemu/i386-softmmu/panda_plugins/panda_stringsearch.so
  CXX   /home/user/src/panda/panda/qemu/i386-softmmu/panda_plugins/memstats.o
  PLUGIN  /home/user/src/panda/panda/qemu/i386-softmmu/panda_plugins/panda_memstats.so
make[2]: Nothing to be done for 'all'.
make[2]: Nothing to be done for 'all'.
  CXX   /home/user/src/panda/panda/qemu/i386-softmmu/panda_plugins/memdump.o
  CXX   /home/user/src/panda/panda/qemu/i386-softmmu/panda_plugins/correlatetaps.o
  PLUGIN  /home/user/src/panda/panda/qemu/i386-softmmu/panda_plugins/panda_memdump.so
  CXX   /home/user/src/panda/panda/qemu/i386-softmmu/panda_plugins/memsnap.o
  PLUGIN  /home/user/src/panda/panda/qemu/i386-softmmu/panda_plugins/panda_correlatetaps.so
  CXX   /home/user/src/panda/panda/qemu/i386-softmmu/panda_plugins/bigrams.o
  PLUGIN  /home/user/src/panda/panda/qemu/i386-softmmu/panda_plugins/panda_keyfind.so
  CXX   /home/user/src/panda/panda/qemu/i386-softmmu/panda_plugins/tapindex.o
  PLUGIN  /home/user/src/panda/panda/qemu/i386-softmmu/panda_plugins/panda_memsnap.so
make[2]: Nothing to be done for 'all'.
  CXX   /home/user/src/panda/panda/qemu/i386-softmmu/panda_plugins/callstack_instr.o
  PLUGIN  /home/user/src/panda/panda/qemu/i386-softmmu/panda_plugins/panda_bigrams.so
  PLUGIN  /home/user/src/panda/panda/qemu/i386-softmmu/panda_plugins/panda_tapindex.so
  CXX   /home/user/src/panda/panda/qemu/i386-softmmu/panda_plugins/textprinter_fast.o
  CXX   /home/user/src/panda/panda/qemu/i386-softmmu/panda_plugins/tstringsearch.o
  PLUGIN  /home/user/src/panda/panda/qemu/i386-softmmu/panda_plugins/panda_textprinter_fast.so
  PLUGIN  /home/user/src/panda/panda/qemu/i386-softmmu/panda_plugins/panda_tstringsearch.so
Makefile:564: recipe for target 'plugin-syscalls2' failed
make[1]: *** [plugin-syscalls2] Error 2
make[1]: *** Waiting for unfinished jobs....
  PLUGIN  /home/user/src/panda/panda/qemu/i386-softmmu/panda_plugins/panda_callstack_instr.so
Makefile:89: recipe for target 'subdir-i386-softmmu' failed
make: *** [subdir-i386-softmmu] Error 2

I think that making it work with Debian Sid will make it easier to support any Debian version, from the one used to develop PANDA to any that may come.

panda.make.err.txt

linux_osi: kernelinfo cannot be built on Debian 8 Jessie: error: ‘struct vfsmount’ has no member named ‘mnt_parent’

When following the steps from qemu/panda_plugins/osi_linux/USAGE.md I get:

Makefile:10: *** mixed implicit and normal rules: deprecated syntax
/home/asdf/panda/qemu/panda_plugins/osi_linux/utils/kernelinfo/kernelinfo.c: In function ‘init_module’:
/home/asdf/panda/qemu/panda_plugins/osi_linux/utils/kernelinfo/kernelinfo.c:56:132: error: ‘struct vfsmount’ has no member named ‘mnt_parent’
 #define PRINT_OFFSET(structp, memb, cfgname) printk(KERN_INFO "%s.%s_offset = %d", cfgname, cp_memb(#memb), (int)((void *)&(structp->memb) - (void *)structp))
                                                                                                                                    ^
/home/asdf/panda/qemu/panda_plugins/osi_linux/utils/kernelinfo/kernelinfo.c:138:2: note: in expansion of macro ‘PRINT_OFFSET’
  PRINT_OFFSET(vfsmnt_p, mnt_parent,  "fs");
  ^
/home/asdf/panda/qemu/panda_plugins/osi_linux/utils/kernelinfo/kernelinfo.c:56:132: error: ‘struct vfsmount’ has no member named ‘mnt_mountpoint’
 #define PRINT_OFFSET(structp, memb, cfgname) printk(KERN_INFO "%s.%s_offset = %d", cfgname, cp_memb(#memb), (int)((void *)&(structp->memb) - (void *)structp))
                                                                                                                                    ^
/home/asdf/panda/qemu/panda_plugins/osi_linux/utils/kernelinfo/kernelinfo.c:139:2: note: in expansion of macro ‘PRINT_OFFSET’
  PRINT_OFFSET(vfsmnt_p, mnt_mountpoint, "fs");
  ^
make[4]: *** [/home/asdf/panda/qemu/panda_plugins/osi_linux/utils/kernelinfo/kernelinfo.o] Error 1
make[3]: *** [_module_/home/asdf/panda/qemu/panda_plugins/osi_linux/utils/kernelinfo] Error 2
make[2]: *** [sub-make] Error 2
make[1]: *** [all] Error 2
make: *** [all] Error 2

The guest is a Debian 8 32bit.

qemu-system-x86_64: -replay: invalid option

Hey, having a dumb issue here, every time I try to replay a recording, I get this error (and it is the only feedback I get from qemu):
qemu-system-x86_64: -replay: invalid option
I built it properly with build.sh without any errors, so I don't really get what's going on now, huh.

panda/qemu/panda/tainted_instr.cpp doesn't compile

I run the command
g++ -g -o tainted_instr tainted_instr.cpp pandalog.c pandalog.pb-c.c -L/usr/local/lib -lprotobuf-c -I .. -lz -D PANDALOG_READER -std=c++11

and see

/qemu/panda$ g++ -g -o tainted_instr tainted_instr.cpp pandalog.c pandalog.pb-c.c -L/usr/local/lib -lprotobuf-c -I .. -lz -D PANDALOG_READER -std=c++11
tainted_instr.cpp: In function 'int main(int, char**)':
tainted_instr.cpp:54:36: error: 'Panda__LogEntry' has no member named 'n_callstack'
tainted_instr.cpp:55:22: error: 'Panda__LogEntry' has no member named 'taint_query_unique_label_set'
tainted_instr.cpp:56:22: error: 'Panda__LogEntry' has no member named 'taint_query'
tainted_instr.cpp:70:22: error: 'Panda__LogEntry' has no member named 'n_callstack'
tainted_instr.cpp:71:61: error: 'Panda__LogEntry' has no member named 'n_callstack'
tainted_instr.cpp:73:34: error: 'Panda__LogEntry' has no member named 'n_callstack'
tainted_instr.cpp:74:50: error: 'Panda__LogEntry' has no member named 'callstack'
tainted_instr.cpp:75:36: error: 'Panda__LogEntry' has no member named 'n_callstack'
tainted_instr.cpp:84:22: error: 'Panda__LogEntry' has no member named 'taint_query_unique_label_set'
tainted_instr.cpp:85:88: error: 'Panda__LogEntry' has no member named 'taint_query_unique_label_set'
tainted_instr.cpp:87:34: error: 'Panda__LogEntry' has no member named 'taint_query_unique_label_set'
tainted_instr.cpp:88:41: error: 'Panda__LogEntry' has no member named 'taint_query_unique_label_set'
tainted_instr.cpp:93:18: error: 'Panda__LogEntry' has no member named 'taint_query'
tainted_instr.cpp:94:42: error: 'Panda__LogEntry' has no member named 'taint_query'

Maybe I am doing something wrong, but I think it is because of the lack of initialization in panda/qemu/panda_plugins/tainted_instr/tainted_instr.proto.

New QEMU savevm version

The current version of the snapshot format does not include a length field for its sections. This is logical for loadvm, where any missing device is fatal, but not for replay, where only core devices and devices tracked by plug-ins are needed. It would also be nice to be able to include plug-in state information in a snapshot, e.g. the FD tracker's state or DroidScope's state, without requiring them to be active on loading the snapshot.
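The length-prefixed section layout the issue argues for, as an added example that is not PANDA's or QEMU's code: the byte layout, the section names ("cpu", "fdtracker", "ram") and the payloads are constructed assumptions. A replay-style consumer skips the plug-in section it has no handler for, and the same length field lets it detect a truncated snapshot.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed section layout (an assumption for this example, not QEMU's real
 * savevm encoding):
 *   u8 name_len | name bytes | u32 big-endian payload length | payload
 * The u32 length is the field the issue asks for: it lets a consumer step
 * over a section it has no handler for. */

static uint32_t rd_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Append one section to buf. Returns bytes written, or 0 if it does not fit. */
size_t put_section(uint8_t *buf, size_t cap, const char *name,
                   const uint8_t *payload, uint32_t len) {
    size_t nlen = strlen(name);
    size_t need = 1 + nlen + 4 + len;
    if (nlen > 255 || need > cap) return 0;
    buf[0] = (uint8_t)nlen;
    memcpy(buf + 1, name, nlen);
    buf[1 + nlen] = (uint8_t)(len >> 24);
    buf[2 + nlen] = (uint8_t)(len >> 16);
    buf[3 + nlen] = (uint8_t)(len >> 8);
    buf[4 + nlen] = (uint8_t)len;
    memcpy(buf + 5 + nlen, payload, len);
    return need;
}

struct load_stats { int loaded; int skipped; };

/* Replay-style consumer: it only has handlers for the names in `known`.
 * Every other section is skipped by its length field. Without that field the
 * loader could not locate the next section header and would have to treat an
 * unknown device as fatal, which is the loadvm behaviour the issue describes.
 * Returns 0 on success, -1 if the snapshot is truncated or malformed. */
int load_sections(const uint8_t *buf, size_t len, const char *const *known,
                  size_t nknown, struct load_stats *st) {
    size_t off = 0;
    st->loaded = st->skipped = 0;
    while (off < len) {
        size_t nlen = buf[off];
        if (len - off < 1 + nlen + 4) return -1;        /* header cut off */
        const char *name = (const char *)buf + off + 1;
        uint32_t plen = rd_be32(buf + off + 1 + nlen);
        size_t body = off + 1 + nlen + 4;
        /* A snapshot is untrusted input: validate the length before using it
         * to advance, so a corrupt file cannot push the cursor out of bounds. */
        if (plen > len - body) return -1;               /* payload cut off */
        int is_known = 0;
        for (size_t i = 0; i < nknown; i++) {
            if (strlen(known[i]) == nlen && memcmp(known[i], name, nlen) == 0) {
                is_known = 1;
                break;
            }
        }
        if (is_known) st->loaded++; else st->skipped++;
        off = body + plen;
    }
    return 0;
}

/* Constructed snapshot: a core "cpu" section, a plug-in section ("fdtracker",
 * standing in for the FD tracker state the issue mentions) and a "ram"
 * section. Returns the encoded length (39 bytes for these payloads). */
size_t build_snapshot(uint8_t *snap, size_t cap) {
    static const uint8_t cpu[] = {0x01, 0x02, 0x03, 0x04};
    static const uint8_t fd[]  = {0x07, 0x00};
    static const uint8_t ram[] = {0xaa, 0xbb, 0xcc};
    size_t off = 0;
    off += put_section(snap + off, cap - off, "cpu", cpu, sizeof cpu);
    off += put_section(snap + off, cap - off, "fdtracker", fd, sizeof fd);
    off += put_section(snap + off, cap - off, "ram", ram, sizeof ram);
    return off;
}

/* The replay consumer knows only the core sections. */
static const char *const replay_known[] = {"cpu", "ram"};

/* The plug-in section is skipped rather than fatal: loaded=2, skipped=1. */
int demo_replay_skips_unknown(struct load_stats *st) {
    uint8_t snap[128];
    size_t n = build_snapshot(snap, sizeof snap);
    return load_sections(snap, n, replay_known, 2, st);
}

/* The same snapshot with its last byte missing: the length field lets the
 * loader report truncation (-1) instead of reading past the buffer. */
int demo_truncated(void) {
    uint8_t snap[128];
    struct load_stats st;
    size_t n = build_snapshot(snap, sizeof snap);
    return load_sections(snap, n - 1, replay_known, 2, &st);
}

int main(void) {
    struct load_stats st;
    if (demo_replay_skips_unknown(&st) == 0)
        printf("loaded %d section(s), skipped %d unknown\n", st.loaded, st.skipped);
    printf("truncated snapshot -> %d\n", demo_truncated());
    return 0;
}
```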

tainted_instructions tutorial is broken

I tried to do some experiments with the taint plugin with my own recordings. I encountered some issues, so I went back to the tainted_instructions tutorial. I tried to reproduce it with the current version of PANDA but it's failing (see error).
Is the tainting plugin broken or am I missing something?

$ ~/git/panda/qemu/x86_64-softmmu/qemu-system-x86_64 -m 128 -replay sshksci -display none -panda callstack_instr -panda stringsearch -panda taint:tainted_instructions=1 -panda tstringsearch

adding /home/federico/git/panda/qemu/x86_64-softmmu/panda_plugins/panda_callstack_instr.so to panda_plugin_files 0
adding /home/federico/git/panda/qemu/x86_64-softmmu/panda_plugins/panda_stringsearch.so to panda_plugin_files 1
Adding PANDA arg taint:tainted_instructions=1.
adding /home/federico/git/panda/qemu/x86_64-softmmu/panda_plugins/panda_taint.so to panda_plugin_files 2
adding /home/federico/git/panda/qemu/x86_64-softmmu/panda_plugins/panda_tstringsearch.so to panda_plugin_files 3
loading /home/federico/git/panda/qemu/x86_64-softmmu/panda_plugins/panda_callstack_instr.so
Initializing plugin callstack_instr
Success
loading /home/federico/git/panda/qemu/x86_64-softmmu/panda_plugins/panda_stringsearch.so
Initializing plugin stringsearch
panda_require: callstack_instr
panda_load_plugin: /home/federico/git/panda/qemu/x86_64-softmmu/panda_plugins/panda_callstack_instr.so already loaded
stringsearch: added string of length 44 to search set
Success
loading /home/federico/git/panda/qemu/x86_64-softmmu/panda_plugins/panda_taint.so
Initializing taint plugin
taint_label_mode=1
Taint: running in byte labeling mode.
max_taintset_card = 0
max_taintset_compute_number = 0
compute_is_delete = 0
taint_label_incoming_network_traffic = 0
taint_query_outgoing_network_traffic = 0
tainted_pointer = 1
tainted_instructions = 1
done initializing taint plugin
Success
loading /home/federico/git/panda/qemu/x86_64-softmmu/panda_plugins/panda_tstringsearch.so
Initializing tstringsearch
panda_require: stringsearch
panda_load_plugin: /home/federico/git/panda/qemu/x86_64-softmmu/panda_plugins/panda_stringsearch.so already loaded
panda_require: taint
panda_load_plugin: /home/federico/git/panda/qemu/x86_64-softmmu/panda_plugins/panda_taint.so already loaded
Success
loading snapshot
... done.

opening nondet log for read :   ./sshksci-rr-nondet.log
WRITE Match of str 0 at: instr_count=15474154 :  00000000b76d1fee 00000000b722c9d1 000000000503d000
thestring = [...tygertygerburningbrightintheforestoftheni]
10 00 00 74 79 67 65 72 74 79 67 65 72 62 75 72 6e 69 6e 67 62 72 69 67 68 74 69 6e 74 68 65 66 6f 72 65 73 74 6f 66 74 68 65 6e 69 
READ Match of str 0 at: instr_count=15479391 :  00000000c11ce65e 00000000c11660ac 0000000000000000
thestring = [...tygertygerburningbrightintheforestoftheni]
10 00 00 74 79 67 65 72 74 79 67 65 72 62 75 72 6e 69 6e 67 62 72 69 67 68 74 69 6e 74 68 65 66 6f 72 65 73 74 6f 66 74 68 65 6e 69 
WRITE Match of str 0 at: instr_count=15479391 :  00000000c11ce65e 00000000c11660ac 0000000000000000
thestring = [...tygertygerburningbrightintheforestoftheni]
00 00 00 74 79 67 65 72 74 79 67 65 72 62 75 72 6e 69 6e 67 62 72 69 67 68 74 69 6e 74 68 65 66 6f 72 65 73 74 6f 66 74 68 65 6e 69 
READ Match of str 0 at: instr_count=15479687 :  00000000c11d4ee2 00000000c11d43b6 0000000000000000
thestring = [tygertygerburningbrightintheforestofthenight]
74 79 67 65 72 74 79 67 65 72 62 75 72 6e 69 6e 67 62 72 69 67 68 74 69 6e 74 68 65 66 6f 72 65 73 74 6f 66 74 68 65 6e 69 67 68 74 
search string is sitting in memory starting at 0xc53be000
WRITE Match of str 0 at: instr_count=15479687 :  00000000c11d4ee2 00000000c11d43b6 0000000000000000
thestring = [tygertygerburningbrightintheforestofthenigh.]
74 79 67 65 72 74 79 67 65 72 62 75 72 6e 69 6e 67 62 72 69 67 68 74 69 6e 74 68 65 66 6f 72 65 73 74 6f 66 74 68 65 6e 69 67 68 00 
search string is sitting in memory starting at 0xc53bec7d
READ Match of str 0 at: instr_count=15488204 :  00000000c11d40d0 00000000c11d1288 0000000000000000
thestring = [tygertygerburningbrightintheforestofthenight]
74 79 67 65 72 74 79 67 65 72 62 75 72 6e 69 6e 67 62 72 69 67 68 74 69 6e 74 68 65 66 6f 72 65 73 74 6f 66 74 68 65 6e 69 67 68 74 
search string is sitting in memory starting at 0xc53bec7d
WRITE Match of str 0 at: instr_count=15488285 :  00000000c11d1b7e 00000000c11d0274 0000000000000000
thestring = [tygertygerburningbrightintheforestofthenight]
74 79 67 65 72 74 79 67 65 72 62 75 72 6e 69 6e 67 62 72 69 67 68 74 69 6e 74 68 65 66 6f 72 65 73 74 6f 66 74 68 65 6e 69 67 68 74 
search string is sitting in memory starting at 0xc6e5f000
./sshksci-rr-nondet.log:  143456 of 270906 (52.95%) bytes, 15587531 of 18334409 (85.02%) instructions processed.
READ Match of str 0 at: instr_count=15733830 :  00000000c11ce1a1 00000000c11d2279 0000000000000000
thestring = [tygertygerburningbrightintheforestofthenight]
74 79 67 65 72 74 79 67 65 72 62 75 72 6e 69 6e 67 62 72 69 67 68 74 69 6e 74 68 65 66 6f 72 65 73 74 6f 66 74 68 65 6e 69 67 68 74 
search string is sitting in memory starting at 0xc6e5f000
WRITE Match of str 0 at: instr_count=15733880 :  00000000c11ce1a1 00000000c11d22d0 0000000000000000
thestring = [./......./.\./..6<......6<.~"..../.../......]
1c 2f c5 f5 da 05 c1 cc 1f 2f c5 5c 1d 2f c5 a0 36 3c c5 00 00 00 00 a0 36 3c c5 7e 22 03 c1 f4 1c 2f c5 f4 1c 2f c5 1b 01 cd bf 00 
READ Match of str 0 at: instr_count=15733966 :  00000000c11ce1a1 00000000c11d22f0 0000000000000000
thestring = [./......./.\./..6<......6<.~"..../.../.....t]
1c 2f c5 1b 01 cd bf cc 1f 2f c5 5c 1d 2f c5 a0 36 3c c5 00 00 00 00 a0 36 3c c5 7e 22 03 c1 f4 1c 2f c5 f4 1c 2f c5 1c 01 cd bf 74 
WRITE Match of str 0 at: instr_count=15733973 :  00000000c11d22fd 00000000c1165944 0000000000000000
thestring = [4...................\.....q.j.q.........\..h]
34 02 cd bf a8 01 cd bf 03 00 00 00 00 00 00 00 00 00 00 00 5c 07 cd bf fc a8 71 b7 6a e4 71 b7 00 00 00 00 00 00 00 00 5c 07 cd 68 
READ Match of str 0 at: instr_count=15734608 :  00000000b77095e1 00000000b7717621 0000000005234000
thestring = [4...................\.....q.j.q.........\..t]
34 02 cd bf a8 01 cd bf 03 00 00 00 00 00 00 00 00 00 00 00 5c 07 cd bf fc a8 71 b7 6a e4 71 b7 00 00 00 00 00 00 00 00 5c 07 cd 74 
WRITE Match of str 0 at: instr_count=15734618 :  00000000b77095e1 00000000b771764d 0000000005234000
thestring = [...........#.E..Zr..vq.....................h]
07 cd bf 01 00 00 00 1b 01 cd bf 23 ba 45 b7 f8 5a 72 b7 18 76 71 b7 03 00 00 00 1b 01 cd bf 01 00 00 00 ff ff ff ff ff ff ff ff 68 
READ Match of str 0 at: instr_count=15734634 :  00000000b77095e1 00000000b7717656 0000000005234000
thestring = [...........#.E.....Vvq.....................t]
07 cd bf 01 00 00 00 1b 01 cd bf 23 ba 45 b7 87 07 cd bf 56 76 71 b7 03 00 00 00 1b 01 cd bf 01 00 00 00 ff ff ff ff ff ff ff ff 74 
WRITE Match of str 0 at: instr_count=15734643 :  00000000b77095e1 00000000b77176a4 0000000005234000
thestring = [tygertygerburningbrightintheforestofthenighx]
74 79 67 65 72 74 79 67 65 72 62 75 72 6e 69 6e 67 62 72 69 67 68 74 69 6e 74 68 65 66 6f 72 65 73 74 6f 66 74 68 65 6e 69 67 68 78 
search string is sitting in memory starting at 0xbfcd075c
READ Match of str 0 at: instr_count=15751902 :  00000000b770a107 00000000b7717cdc 0000000005234000
thestring = [tygertygerburningbrightintheforestofthenight]
74 79 67 65 72 74 79 67 65 72 62 75 72 6e 69 6e 67 62 72 69 67 68 74 69 6e 74 68 65 66 6f 72 65 73 74 6f 66 74 68 65 6e 69 67 68 74 
search string is sitting in memory starting at 0xbfcd075c
WRITE Match of str 0 at: instr_count=15751902 :  00000000b770a107 00000000b7717ce2 0000000005234000
thestring = [tygertygerburningbrightintheforestofthenigh.]
74 79 67 65 72 74 79 67 65 72 62 75 72 6e 69 6e 67 62 72 69 67 68 74 69 6e 74 68 65 66 6f 72 65 73 74 6f 66 74 68 65 6e 69 67 68 00 
search string is sitting in memory starting at 0xb8869b10
READ Match of str 0 at: instr_count=15752506 :  00000000b76ff8ec 00000000b740cbf8 0000000005234000
thestring = [tygertygerburningbrightintheforestofthenight]
74 79 67 65 72 74 79 67 65 72 62 75 72 6e 69 6e 67 62 72 69 67 68 74 69 6e 74 68 65 66 6f 72 65 73 74 6f 66 74 68 65 6e 69 67 68 74 
search string is sitting in memory starting at 0xb8869ad8
READ Match of str 0 at: instr_count=15752506 :  00000000b76ff8ec 00000000b740cbfa 0000000005234000
thestring = [tygertygerburningbrightintheforestofthenight]
74 79 67 65 72 74 79 67 65 72 62 75 72 6e 69 6e 67 62 72 69 67 68 74 69 6e 74 68 65 66 6f 72 65 73 74 6f 66 74 68 65 6e 69 67 68 74 
search string is sitting in memory starting at 0xb8869b10
READ Match of str 0 at: instr_count=15752570 :  00000000b73aae46 00000000b76ff900 0000000005234000
thestring = [tygertygerburningbrightintheforestofthenight]
74 79 67 65 72 74 79 67 65 72 62 75 72 6e 69 6e 67 62 72 69 67 68 74 69 6e 74 68 65 66 6f 72 65 73 74 6f 66 74 68 65 6e 69 67 68 74 
search string is sitting in memory starting at 0xb8869b10
./sshksci-rr-nondet.log:  145001 of 270906 (53.52%) bytes, 15778528 of 18334409 (86.06%) instructions processed.
READ Match of str 0 at: instr_count=16052276 :  00000000b754d331 00000000b740e9b6 0000000005234000
thestring = [...tygertygerburningbrightintheforestoftheni]
00 00 00 74 79 67 65 72 74 79 67 65 72 62 75 72 6e 69 6e 67 62 72 69 67 68 74 69 6e 74 68 65 66 6f 72 65 73 74 6f 66 74 68 65 6e 69 
WRITE Match of str 0 at: instr_count=16052276 :  00000000b754d331 00000000b740e9b6 0000000005234000
thestring = [...tygertygerburningbrightintheforestofthen.]
00 00 00 74 79 67 65 72 74 79 67 65 72 62 75 72 6e 69 6e 67 62 72 69 67 68 74 69 6e 74 68 65 66 6f 72 65 73 74 6f 66 74 68 65 6e 00 
./sshksci-rr-nondet.log:  145488 of 270906 (53.70%) bytes, 16053340 of 18334409 (87.56%) instructions processed.
READ Match of str 0 at: instr_count=16088462 :  00000000b754d446 00000000b740e9b6 0000000005234000
thestring = [...tygertygerburningbrightintheforestoftheni]
00 00 00 74 79 67 65 72 74 79 67 65 72 62 75 72 6e 69 6e 67 62 72 69 67 68 74 69 6e 74 68 65 66 6f 72 65 73 74 6f 66 74 68 65 6e 69 
WRITE Match of str 0 at: instr_count=16088462 :  00000000b754d446 00000000b740e9b6 0000000005234000
thestring = [).`tygertygerburningbrightintheforestofthen.]
29 b9 60 74 79 67 65 72 74 79 67 65 72 62 75 72 6e 69 6e 67 62 72 69 67 68 74 69 6e 74 68 65 66 6f 72 65 73 74 6f 66 74 68 65 6e 00 
./sshksci-rr-nondet.log:  146214 of 270906 (53.97%) bytes, 16171434 of 18334409 (88.20%) instructions processed.
READ Match of str 0 at: instr_count=16296193 :  00000000b73aae46 00000000b76fd492 0000000005234000
thestring = [tygertygerburningbrightintheforestofthenight]
74 79 67 65 72 74 79 67 65 72 62 75 72 6e 69 6e 67 62 72 69 67 68 74 69 6e 74 68 65 66 6f 72 65 73 74 6f 66 74 68 65 6e 69 67 68 74 
search string is sitting in memory starting at 0xb8869ad8
./sshksci-rr-nondet.log:  165636 of 270906 (61.14%) bytes, 16357229 of 18334409 (89.22%) instructions processed.
./sshksci-rr-nondet.log:  167229 of 270906 (61.73%) bytes, 16568563 of 18334409 (90.37%) instructions processed.
./sshksci-rr-nondet.log:  170211 of 270906 (62.83%) bytes, 16688392 of 18334409 (91.02%) instructions processed.
./sshksci-rr-nondet.log:  173568 of 270906 (64.07%) bytes, 16940647 of 18334409 (92.40%) instructions processed.
./sshksci-rr-nondet.log:  174233 of 270906 (64.31%) bytes, 17079150 of 18334409 (93.15%) instructions processed.
./sshksci-rr-nondet.log:  187799 of 270906 (69.32%) bytes, 17239933 of 18334409 (94.03%) instructions processed.
./sshksci-rr-nondet.log:  189181 of 270906 (69.83%) bytes, 17422568 of 18334409 (95.03%) instructions processed.
./sshksci-rr-nondet.log:  189914 of 270906 (70.10%) bytes, 17667311 of 18334409 (96.36%) instructions processed.
./sshksci-rr-nondet.log:  200000 of 270906 (73.83%) bytes, 17785766 of 18334409 (97.01%) instructions processed.
./sshksci-rr-nondet.log:  214870 of 270906 (79.32%) bytes, 17983775 of 18334409 (98.09%) instructions processed.
./sshksci-rr-nondet.log:  243566 of 270906 (89.91%) bytes, 18156575 of 18334409 (99.03%) instructions processed.
Infinite loop detected during replay, aborting.
{guest_instr_count=18334409 pc=0xc102439c, secondary=0xc7eedf80}
./sshksci-rr-nondet.log:  270880 of 270906 (99.99%) bytes, 18334409 of 18334409 (100.00%) instructions processed.
ERROR: replay failed!
Time taken was: 2 seconds.
Stats:
RR_INPUT_1 number = 0, size = 0 bytes
RR_INPUT_2 number = 0, size = 0 bytes
RR_INPUT_4 number = 900, size = 27000 bytes
RR_INPUT_8 number = 5824, size = 198016 bytes
RR_INTERRUPT_REQUEST number = 1303, size = 36484 bytes
RR_EXIT_REQUEST number = 0, size = 0 bytes
RR_SKIPPED_CALL number = 64, size = 9330 bytes
RR_DEBUG number = 0, size = 0 bytes
max_queue_len = 477
476 items on recycle list, 41888 bytes total
Replay completed successfully.
Logging all cpu states
CPU #0:
EAX=00000000 EBX=c14170ac ECX=c7eedf80 EDX=00000003
ESI=00000000 EDI=c13de000 EBP=0198a003 ESP=c13dbfd0
EIP=c102439c EFL=00000202 [-------] CPL=0 II=0 A20=1 SMM=0 HLT=0
ES =007b 00000000 ffffffff 00cff300 DPL=3 DS   [-WA]
CS =0060 00000000 ffffffff 00cf9a00 DPL=0 CS32 [-R-]
SS =0068 00000000 ffffffff 00c09300 DPL=0 DS   [-WA]
DS =007b 00000000 ffffffff 00cff300 DPL=3 DS   [-WA]
FS =00d8 06a70000 ffffffff 008f9300 DPL=0 DS16 [-WA]
GS =00e0 c7ef2940 00000018 00409100 DPL=0 DS   [--A]
LDT=0000 00000000 00000000 00008200 DPL=0 LDT
TR =0080 c7ef0780 0000206b 00008900 DPL=0 TSS32-avl
GDT=     c7eeb000 000000ff
IDT=     c13de000 000007ff
CR0=8005003b CR2=0a0c1808 CR3=06d3f000 CR4=000006f0
DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000 
DR6=0000000000000000 DR7=0000000000000000
EFER=0000000000000800
FCW=037f FSW=0000 [ST=0] FTW=00 MXCSR=00001f80
FPR0=6cf1688329512685 0000 FPR1=00000000d29d27b1 0000
FPR2=d780d7801db87f19 0000 FPR3=a400000040000000 0000
FPR4=5cd2d8569401b6c6 0000 FPR5=00000000fc6c0ea7 0000
FPR6=3d1c3d1c80893d1c 4004 FPR7=2800000007000000 4004
XMM00=00000000000000000000000000000000 XMM01=ffffff00ffffff00ffff000000000000
XMM02=00000000000000000000000000000000 XMM03=00000000000000000000000000000000
XMM04=00000000000000000000000000000000 XMM05=00000000000000000000000000000000
XMM06=00000000000000000000000000000000 XMM07=00000000000000000000000000000000
[1]    16754 abort (core dumped)  ~/git/panda/qemu/x86_64-softmmu/qemu-system-x86_64 -m 128 -replay sshksci    

taint2 plugin breaks build for g++-4.9

I get this error when building PANDA using g++/gcc v4.9. The error occurs when compiling taint_ops.cpp using clang.

In file included from taint_ops.cpp:28:
In file included from /home/user/panda/llvm/include/llvm/IR/Constants.h:24:
In file included from /home/user/panda/llvm/include/llvm/ADT/APFloat.h:104:
In file included from /home/user/panda/llvm/include/llvm/ADT/APInt.h:18:
In file included from /home/user/panda/llvm/include/llvm/ADT/ArrayRef.h:14:
In file included from /home/user/panda/llvm/include/llvm/ADT/SmallVector.h:17:
In file included from /home/user/panda/llvm/include/llvm/Support/AlignOf.h:19:
/usr/lib/gcc/x86_64-linux-gnu/4.9/../../../../include/c++/4.9/cstddef:51:11: error: no member named 'max_align_t' in the global namespace
  using ::max_align_t;
        ~~^

asidstory on Debian wheezy - Segmentation fault

Hi!

When I run asidstory on a replay from Debian wheezy x86, it starts to print asid, pc and proc entries, but after a few thousand instructions it ends with a Segmentation fault.

I run asidstory with this command:
panda/qemu/i386-softmmu/qemu-system-i386 -m 512 -replay rec_taint -panda 'osi;osi_linux:kconf_file=kernelinfo.conf,kconf_group=wheezy;asidstory'

On this replay I successfully run osi_test or tainted_instr plugins:

panda/qemu/i386-softmmu/qemu-system-i386 -m 512 -replay rec_taint -panda 'osi;osi_linux:kconf_file=kernelinfo.conf,kconf_group=wheezy;osi_test'

panda/qemu/i386-softmmu/qemu-system-i386 -hda wheezy.qcow2 -m 512 -replay rec_taint -panda 'osi;osi_linux:kconf_file=kernelinfo.conf,kconf_group=wheezy;syscalls2:profile=linux_x86;file_taint:filename=/home/user/license.txt,pos,first_instr=3854039;tainted_instr:summary=true' -pandalog taint_instr_summary_true.plog

I also created another replay to make sure that the problem is not in the replay itself.

My kernelinfo.conf was created based on the tutorial here.

Asidstory works on replays from Windows 7 32-bit without any issue.

Here is the replay, if you want to reproduce this issue.

Could you please fix this?

Thanks,
Richard

about android taint on arm

Hi,
I have a question about taint:
in the paper "Repeatable Reverse Engineering for the Greater Good with PANDA", in the "Taint analysis" part, you used it to analyze ARM replays.
But after I built PANDA successfully, I could not find panda_taint.so (which is necessary for tainting) in /qemu/arm-softmmu/panda_plugins, nor in /i386-softmmu/panda_plugins. And the README.md included in the taint directory says that "hard device and network taint is now supported for x86/64 systems".
How do you use the taint plugin to analyze an ARM system?
Thanks a lot!

libdwarf: no such file or directory

So it seems like I'm already too dumb for a simple build...
I'm trying to build panda on my Kali Linux and had several issues with installing; all in all I did a lot of self-fixing with more or less working results, and now when I try to build panda I get this message 3 times. If someone is interested in the complete log, I will add it.
What is libdwarf? I don't seem to find anything matching in the list of panda's prerequisites...

Segfault accessing memory read buffer

Hi there,

I'm getting a segfault when accessing the buffer passed to mem_read_callback() function, e.g. using the panda_syscalls plugin.

This is the command I used:
x86_64-softmmu/qemu-system-x86_64 ~/vmi/vms/xp.qcow2 -monitor stdio -loadvm booted -panda-plugin x86_64-softmmu/panda_plugins/panda_syscalls.so

This is the error message in syslog:
kernel: [22643.333306] qemu-system-x86[29152]: segfault at 7fc0616231e0 ip 00007fc0616231e0 sp 00007fc05e420608 error 15

The host os is ubuntu 12.04. The guest os is windows xp sp2.

OT: Thanks for developing PANDA, it's exactly what I was looking for for my project.

plugin-specific code included by pandalog.c

Some plugin-specific code has slipped into pandalog_print.c and pandalog_print.h. This makes enabling specific plugins in config.panda mandatory. Some kind of refactoring is required to remove this artificial requirement.

Steps to reproduce:

Disable the following plugins in config.panda:

  • taint
  • taint2
  • tainted_branch
  • file_taint
  • ida_taint
  • ida_taint2
  • tainted_instr

Run make distclean && ./build.sh from the qemu directory.

Compilation of pandalog.c fails:

In file included from /home/user/panda/qemu/panda/pandalog.c:10:0:
/home/user/panda/qemu/panda/pandalog_print.h:17:22: error: unknown type name ‘Panda__SrcInfo’
 void pprint_src_info(Panda__SrcInfo *si);
                      ^
/home/user/panda/qemu/panda/pandalog_print.h:18:42: error: unknown type name ‘Panda__TaintQueryUniqueLabelSet’
 void pprint_taint_query_unique_label_set(Panda__TaintQueryUniqueLabelSet *tquls);
                                          ^
/home/user/panda/qemu/panda/pandalog_print.h:19:25: error: unknown type name ‘Panda__TaintQuery’
 void pprint_taint_query(Panda__TaintQuery *tq);
                         ^
/home/user/panda/qemu/panda/pandalog_print.h:20:35: error: unknown type name ‘Panda__TaintQueryHypercall’
 void pprint_taint_query_hypercall(Panda__TaintQueryHypercall *tqh);
                                   ^
/home/user/panda/qemu/panda/pandalog_print.h:21:28: error: unknown type name ‘Panda__TaintedBranch’
 void pprint_tainted_branch(Panda__TaintedBranch *tb);
                            ^
/home/user/panda/qemu/panda/pandalog_print.h:22:27: error: unknown type name ‘Panda__TaintedInstr’
 void pprint_tainted_instr(Panda__TaintedInstr *tb);
                           ^
/home/user/panda/qemu/rules.mak:24: recipe for target 'panda/pandalog.o' failed

panda_disas: How to determine size of opcode ?

The doc says:

void panda_disas(FILE *out, void *code, unsigned long size);

Writes a textual representation of disassembly of the guest code at virtual address code of size bytes.

How do I determine the correct size of the instruction?

As PANDA_CB_INSN_EXEC and PANDA_CB_INSN_TRANSLATE do not provide the size of the instruction, I figured it must be in CPUState.

I looked into cpu.h and cpu-all.h but couldn't find anything.

Is there another approach or am I missing something?

Build panda qemu error with run CC=gcc-4.8 CXX=g++-4.8 ./build.sh

I followed the directions on how to build Panda and got everything built. When I run build.sh (root@ubuntu:/home/panda/panda/qemu# CC=gcc-4.8 CXX=g++-4.8 ./build.sh), however, I get the following error:
In file included from taint_ops.cpp:28:
In file included from /home/panda/panda/llvm/include/llvm/IR/Constants.h:24:
In file included from /home/panda/panda/llvm/include/llvm/ADT/APFloat.h:104:
In file included from /home/panda/panda/llvm/include/llvm/ADT/APInt.h:18:
In file included from /home/panda/panda/llvm/include/llvm/ADT/ArrayRef.h:14:
In file included from /home/panda/panda/llvm/include/llvm/ADT/SmallVector.h:17:
/home/panda/panda/llvm/include/llvm/Support/AlignOf.h:19:10: fatal error: 'cstddef' file not found
#include <cstddef>
         ^

1 error generated.
make[2]: *** [/home/panda/panda/qemu/arm-softmmu/panda_plugins/panda_taint2/llvm_taint_ops.bc] Error 1
make[1]: *** [plugin-taint2] Error 2
make[1]: *** Waiting for unfinished jobs....
CXX /home/panda/panda/qemu/i386-softmmu/panda_plugins/llvm_taint_lib.o
CXX /home/panda/panda/qemu/x86_64-softmmu/panda_plugins/taint.o
CXX /home/panda/panda/qemu/x86_64-softmmu/panda_plugins/llvm_taint_lib.o
PLUGIN /home/panda/panda/qemu/arm-softmmu/panda_plugins/panda_taint.so
make: *** [subdir-arm-softmmu] Error 2
make: *** Waiting for unfinished jobs....
PLUGIN /home/panda/panda/qemu/i386-softmmu/panda_plugins/panda_taint.so
make: *** [subdir-i386-softmmu] Error 2
PLUGIN /home/panda/panda/qemu/x86_64-softmmu/panda_plugins/panda_taint.so
make: *** [subdir-x86_64-softmmu] Error 2

about begin_record : vm will resume

Hi,
Thanks for your guys work first!
Now my question is: when I tried the process described in docs/panda_ssltut.md, I was confused about "Taking the snapshot can take a long time. Once the snapshot is made, the vm will resume." Does it mean that I must wait till the VM resumes, and then I can take the next step?
But I have stayed at this step for a long time, and it seems not to resume. It just shows "opening nondet log for write: .****.log"
Thanks for checking!
Any suggestions?
Thanks a lot!

Segmentation Fault When Using file_taint

Hi!
I am trying the file_taint plug-in, but I get some errors. I am not sure whether I am using the flags correctly.

I used TinyCore Linux, and used the following command to record:
~/panda/qemu/x86_64-softmmu/qemu-system-x86_64 ./vdisk.qcow2 -m 1024 -cdrom ~/Downloads/TinyCore-current.iso -vga std -monitor stdio
I begin_record tiny in panda, and I created a file named "foo123.txt" within the TinyCore OS, then end_record.
Then, I use the following command to replay with file_taint plug-in:
~/panda/qemu/x86_64-softmmu/qemu-system-x86_64 -replay tiny -m 1024 -vga std -monitor stdio -panda osi -panda osi_linux:kconf_group=lava32,kconf_file=~/panda/qemu/panda_plugins/osi_linux/kernelinfo.conf -panda syscalls2:profile=linux_x86 -panda file_taint:filename=foo123.txt,notaint

(I use lava32 because it is a relatively complete configuration. Missing attributes in the configuration will lead to osi_linux crash)

Then I get the following error message:
......
Success
QEMU 1.0,1 monitor - type 'help' for more information
(qemu) loading snapshot
... done.
opening nondet log for read : ./tiny-rr-nondet.log
Segmentation fault (core dumped)

Does anyone have an idea what's wrong? Thanks!

android taint support

Hi,
I find PANDA is a great analysis platform since it supports many archs, so I want to do some Android taint analysis experiments with PANDA's taint analysis plugin, PIRATE. But I found that in taint.cpp there is a function called "guest_hypercall_callback()", which invokes the "enable_taint()" function. In guest_hypercall_callback(), the code seems not to support ARM, as follows:

    int guest_hypercall_callback(CPUState *env){

    #ifdef TARGET_I386
        // hypercall number and arguments are read from x86 guest registers only
        target_ulong buf_start = env->regs[R_EBX];
        target_ulong buf_len = env->regs[R_ECX];
        if (env->regs[R_EAX] == 7 || env->regs[R_EAX] == 8){
            if (!taintEnabled){
                printf("Taint plugin: Label operation detected\n");
                printf("Enabling taint processing\n");
                taintJustEnabled = true;
                taintEnabled = true;
                enable_taint();
            }
        }
    #endif // TARGET_I386

        return 1;
    }

So, it seems that this taint plugin doesn't support the ARM platform, or is there another way to start the analysis on ARM?

Best regards.
B. Zhang

Replays fail if VMWare Tools is installed

@rjwhelan noticed that if VMWare Tools is installed in the guest when a recording is taken, replays will fail. The point of failure is at RR_CALLSITE_IOPORT_READ, which leads me to suspect that it's caused by the VMWare backdoor, but we should still be able to handle this case.

Until then, note that the workaround is to just uninstall the VMWare tools (they don't do anything in PANDA anyway).

Make syscalls plugin use PPP instead of implementing VMI callbacks

PANDA shouldn't have AFTER_FORK, AFTER_EXEC, or AFTER_CLONE callbacks.
Make them exported from the syscalls plugin using PPP.

Since the DroidScope Linux introspection code uses those callbacks, it must be ported to its own plugin.
The DroidScope code does invasive things like "get memory using PGD value" which switches out the PGD in env, does its memory access, and switches it back.

Memory callbacks interfere with other callbacks

I noticed that if in a plugin I use PANDA_CB_VIRT_MEM_WRITE and PANDA_CB_VIRT_MEM_READ alone they work fine. However if I add another callback like PANDA_CB_BEFORE_BLOCK_TRANSLATE either the memory callbacks work or the before_block_translate one, but not all of them together. The final behavior is determined by the order in which I call panda_register_callback().

Is this due to the fact that panda_enable_memcb() adds some callbacks? My final goal is just to get the address of the basic block that is being executed when a memory operation is performed, so if there is another way that does not involve adding other callbacks, apart from memory read/write, it is ok for me.

Thank you

Make PANDA changes to QEMU patchfiles instead of source

Moving the PANDA changes to QEMU to patchfiles would make it easier to update QEMU used by PANDA when needed, which will allow for more and better functionality in analysis.

Examples of new functionality that has been added to QEMU that isn't in PANDA includes things such as USB and PCI Passthrough support. Both of these things can be very useful when analyzing more advanced applications.

Required android image creation options

I am wondering if you can provide the command line options that you use to create android images. It seems like the qemu ini files created for my images are not compatible with scripts/pandroidConverter.py causing the script to fail.

Thanks!

Request taint analysis test case

Hi,

I find panda is an amazing project. I just downloaded the panda code and installed it. It runs very well. I can load some plugins, such as the taint plugin. The problem is that when I load the taint plugin and then run some program, I cannot see any change or output. So I want to ask you how to use the taint plugin. Can you give me some test cases?

Thank you very much!

Best Regards,
Pengfei Sun

64-bit Windows guest support

QEMU 1.0.1 supports Windows 7 32-bit, but doesn't support Windows 7 64-bit. As of today, I'm not aware of this support in the current version of QEMU either. If 64-bit support is missing for Windows 7, it is likely missing for Windows 8 also. We need to track this bug down, or merge a fix in once someone else in the community does.

Relevant links:
https://bugs.launchpad.net/qemu/+bug/921208
http://lists.nongnu.org/archive/html/qemu-devel/2012-10/msg02350.html
http://lists.nongnu.org/archive/html/qemu-devel/2012-09/msg05066.html

Scissors plugin trying to open wrong file

Scissors plugin is trying to open a nondet log file in order to copy it, but it passes only the base of the filename to fopen() without the "-rr-nondet.log" suffix. The result is a failed assert on fopen and therefore an early abort.
The bug is on line 344 in scissors.c. It's a simple enough fix, but I wasn't sure if it should be applied in the plugin, or in the panda replay loader.

Newer QEMU

Are there any plans to move to newer QEMU releases?

panda_install_bash.sh on 32bit Ubuntu 14.04: pycparser error

I tried to install panda on my Ubuntu 14.04 32bit system. I used the "panda_install_bash" script as recommended.
The installation went well up to the point where it said:

Building API for plugin taint
Traceback (most recent call last):
File "../scripts/apigen.py", line 198, in
generate_api(plugin, plugin_dir)
File "../scripts/apigen.py", line 164, in generate_api
arglist = get_arglists(pf)
File "../scripts/apigen.py", line 24, in get_arglists
p = pyc.parse(pf)
File "/usr/local/lib/python2.7/dist-packages/pycparser/c_parser.py", line 146, in parse
debug=debuglevel)
File "/usr/local/lib/python2.7/dist-packages/pycparser/ply/yacc.py", line 265, in parse
return self.parseopt_notrack(input,lexer,debug,tracking,tokenfunc)
File "/usr/local/lib/python2.7/dist-packages/pycparser/ply/yacc.py", line 1047, in parseopt_notrack
tok = self.errorfunc(errtoken)
File "/usr/local/lib/python2.7/dist-packages/pycparser/c_parser.py", line 1680, in p_error
column=self.clex.find_tok_column(p)))
File "/usr/local/lib/python2.7/dist-packages/pycparser/plyparser.py", line 55, in parse_error
raise ParseError("%s: %s" % (coord, msg))
pycparser.plyparser.ParseError: /usr/include/stdint.h:57:1: before: __extension__

In the /usr/include/stdint.h I have:

47 /* Unsigned. */
48 typedef unsigned char uint8_t;
49 typedef unsigned short int uint16_t;
50 #ifndef __uint32_t_defined
51 typedef unsigned int uint32_t;
52 # define __uint32_t_defined
53 #endif
54 #if __WORDSIZE == 64
55 typedef unsigned long int uint64_t;
56 #else
57 __extension__
58 typedef unsigned long long int uint64_t;
59 #endif

Any idea what this error is about?
Thanks for any hints!
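
The parse error above is pycparser's C99 grammar tripping over GCC-only keywords in the real glibc headers (the `__extension__` on line 57 of stdint.h). As an added example, not part of PANDA's apigen.py, the snippet below strips those keywords and `__attribute__((...))` clauses from preprocessed (cpp output) header text before parsing; the sample header text is constructed, and pycparser itself is optional so the sanitizer runs without it.

```python
import re

try:
    from pycparser import c_parser, c_ast  # optional; only used if installed
except ImportError:
    c_parser = c_ast = None

# GCC keywords that glibc headers emit (e.g. __extension__ in stdint.h) and that
# a strict C99 parser such as pycparser rejects; they carry no meaning for an API scan.
GNU_KEYWORDS = re.compile(
    r"\b(__extension__|__restrict__|__restrict|__inline__|__inline|__signed__|__volatile__)\b"
)


def strip_attributes(src):
    """Remove every __attribute__((...)) clause, matching balanced parentheses."""
    out, i = [], 0
    while True:
        j = src.find("__attribute__", i)
        if j < 0:
            out.append(src[i:])
            return "".join(out)
        out.append(src[i:j])
        k = src.find("(", j)
        if k < 0:  # malformed clause: drop the keyword, keep the rest of the text
            i = j + len("__attribute__")
            continue
        depth, pos = 0, k
        while pos < len(src):
            if src[pos] == "(":
                depth += 1
            elif src[pos] == ")":
                depth -= 1
                if depth == 0:
                    break
            pos += 1
        i = pos + 1


def sanitize_gnu_c(src):
    """Make preprocessed GNU C acceptable to a strict C99 parser."""
    return GNU_KEYWORDS.sub("", strip_attributes(src))


def typedef_names(src):
    """Sanitize and parse; return the typedef names found, or None when pycparser
    is not installed (the sanitizer alone is still usable)."""
    cleaned = sanitize_gnu_c(src)
    if c_parser is None:
        return None
    ast = c_parser.CParser().parse(cleaned, "<sanitized>")
    return [d.name for d in ast.ext if isinstance(d, c_ast.Typedef)]


# Constructed sample: roughly what cpp emits for the stdint.h excerpt on a 32-bit host,
# plus one attribute-bearing typedef to exercise strip_attributes().
SAMPLE_PREPROCESSED = """\
typedef unsigned char uint8_t;
typedef unsigned short int uint16_t;
typedef unsigned int uint32_t;
__extension__
typedef unsigned long long int uint64_t;
typedef int aligned_int __attribute__ ((aligned (8)));
"""

if __name__ == "__main__":
    print(sanitize_gnu_c(SAMPLE_PREPROCESSED))
    print(typedef_names(SAMPLE_PREPROCESSED))
```

pycparser also ships a `utils/fake_libc_include` directory of stub system headers; pointing cpp at it with `-I` avoids parsing the real glibc headers at all.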

Update SSL tutorial

Since PANDA moved to detached snapshots, a few things about the SSL tutorial don't make sense any more, and should be updated. In particular, the procedure should change so that an additional snapshot is taken before execution, so we have something to go back to when we want to look up function names.

While I'm at it, I should extract the ssltut replay and put it on www.rrshare.org.

scissors plugin exits with "ERROR: replay failed"

Using the April PANDA VM published in the PANDA blog (pandavm-20150413.tar.bz2) I have made a recording of an android target approx. 2.3 billion instructions long (the recording files are ~450 MB snapshot and a ~5 MB log).

The issue scenario is as follows:

  1. I verify that the captured replay is correct by running it again and again and watching it complete without errors.
  2. Using the "stringsearch" plugin on the replay, I identify an interesting region in the recording that is approx. its last 10% (from ~2.1 G instructions to ~2.28 G instructions)
  3. I copy the start and end GIC values from the stringsearch output, and then run the replay with various start and end values.
    • if start ~2.1G and end ~2.28 G (the range I really need) I always get "ERROR: replay failed" at the precise moment the execution reaches the GIC specified in the 'start' parameter.
    • Then I try to narrow down the problematic GIC range.
      • if start == 1000000 and end == 2000000, the scissors work
      • if start == 10000000 and end == 20000000, it crashes with a segfault
      • if start == 100000000 and end == 200000000, it reports "ERROR: replay failed" when the GIC = 99999998
      • if start == 0 and end ~2.1G, the scissors work
      • if start == 0 and end ~2.2G, the scissors work
      • if start == 100000000 and end ~2.2G, the scissors work
      • if start ~1G and end ~2.2G, it reports "ERROR: replay failed" when the GIC is slightly less than 1G

Please advise on how to debug and resolve such an issue.

some problems in runpandroid.py

I tried it instead of the long command; it is very simple.
But when I use it at API level 16, it seems to have some problems.

line 103:

    if args.api_level > 18: # higher than 4.3
        # have the NAND pretend to be a block device for ext4
        fake_block_device = True

when api_level is 16, but it still worked.

and the -S may be removed or put in some args.

qemu build fails on wheezy x86_64

I've built LLVM 3.3 according to the documentation (but not with the debug option). When I attempt to compile Panda I get the following:

  • nproc
  • make -j 1
    GEN config-host.h
    GEN trace.h
    GEN trace.c
    GEN config-target.h
    LINK x86_64-softmmu/qemu-system-x86_64
    ../slirp/misc.o: In function `memset':
    /usr/include/x86_64-linux-gnu/bits/string3.h:82: warning: memset used with constant zero length parameter; this could be due to transposed parameters
    panda/panda_dynval_inst.o:(.data.rel.ro._ZTIN4llvm22PandaInstrFunctionPassE[_ZTIN4llvm22PandaInstrFunctionPassE]+0x10): undefined reference to `typeinfo for llvm::FunctionPass'
    panda/panda_helper_call_morph.o:(.data.rel.ro._ZTIN4llvm26PandaCallMorphFunctionPassE[_ZTIN4llvm26PandaCallMorphFunctionPassE]+0x10): undefined reference to `typeinfo for llvm::FunctionPass'
    tcg/tcg-llvm.o:(.data.rel.ro._ZTI17TJITMemoryManager[_ZTI17TJITMemoryManager]+0x10): undefined reference to `typeinfo for llvm::SectionMemoryManager'
    collect2: error: ld returned 1 exit status
    make[1]: *** [qemu-system-x86_64] Error 1
    make: *** [subdir-x86_64-softmmu] Error 2

Suggestions?

How can I get into the qemu monitor under nographic mode

Under the KVM desktop, I enter the command "#./qemu-system-x86_64 -hda /mnt/sdb/virtualmachines/debain-7_tut.qcow2 -m 512 -monitor stdio -net nic -net user" and then get into the (qemu) command line. But under nographic mode, I connect to the host via ssh and enter the command "#./qemu-system-x86_64 -hda /mnt/sdb/virtualmachines/debain-7_tut.qcow2 -m 512 -monitor stdio -net nic -net user -nographic", and then the error occurs. The error message is as follows:
root@ubuntu:/home/software/panda/qemu/x86_64-softmmu# ./qemu-system-x86_64 -enable-kvm -hda /mnt/sdb/virtualmachines/debain-7_tut.qcow2 -m 512 -monitor stdio -net nic -net user -nographic
chardev: opening backend "stdio" failed: Device or resource busy
qemu: could not open serial device 'stdio': Success

Don't force GCC 4.7

The build.sh script is forcing gcc/g++ 4.7. There is no need to do that. Instead, use $(CC) and $(CXX).

How to taint a memory address and check its propagation in the guest machine

Hi,
I downloaded Panda and was able to install and run the VM successfully. What I'm trying to do is taint a memory address in the guest machine and check its propagation while the process runs. For example, take a simple function call in a program with a temp array defined in it: if I taint the address of the temp array, how could I check the propagation of this tainted data while the function call executes? I checked the docs and the description in the taint folder, but I can't find related explanations of how to do it. I wonder if someone could help? It would be better if you could list the detailed commands. Thanks!

Best,
michael chen

Install Panda on CentOS 7(glib2.0 required)

When I tried to install panda on CentOS 7, I encountered an error; the output is as follows:

$ ./build.sh 
Building API for plugin sample ... Done!
Building API for plugin taint ... Done!
Building API for plugin taint2 ... Done!
Building API for plugin callstack_instr ... Done!
Building API for plugin bir ... Done!
Building API for plugin osi ... Done!
Building API for plugin osi_linux ... Done!
Building API for plugin pri ... Done!
Building API for plugin pri_dwarf ... Done!
Building API for plugin wintrospection ... Done!
panda_plugins/dead_data/dead_data.proto
panda_plugins/taint2/taint2.proto
panda_plugins/callstack_instr/callstack_instr.proto
panda_plugins/bir/bir.proto
panda_plugins/tainted_branch/tainted_branch.proto
panda_plugins/asidstory/asidstory.proto
panda_plugins/file_taint/file_taint.proto
panda_plugins/win7proc/win7proc.proto
panda_plugins/ida_taint2/ida_taint2.proto
panda_plugins/tainted_instr/tainted_instr.proto
panda_plugins/pri_dwarf/pri_dwarf.proto
panda_plugins/pri_taint/pri_taint.proto
generating protobuf code with protoc-c
No suitable LLVM found -- LLVM SUPPORT IS DISABLED
glib-2.0 required to compile QEMU

However, I have installed glib on my CentOS 7.

rpm -qa | grep glib
glibc-common-2.17-106.el7_2.6.x86_64
glibc-devel-2.17-106.el7_2.6.x86_64
glibc-2.17-106.el7_2.6.x86_64
dbus-glib-0.100-7.el7.x86_64
glib2-2.42.2-5.el7.x86_64
glib-networking-2.42.0-1.el7.x86_64
glibc-headers-2.17-106.el7_2.6.x86_64

And I used the following "yum" commands in place of the apt-get commands.

sudo yum groupinstall 'Development Tools'
(http://unix.stackexchange.com/questions/16422/cant-install-build-essential-on-centos)

sudo yum install nasm openssl-devel libpcap-devel subversion curl autoconf libtool \
  python-pip git protobuf-compiler protobuf-c-compiler  protobuf-c-devel protobuf-devel \
  glibc-devel elfutils-libelf-devel
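An added check for this situation (example code written for this page, not part of PANDA or of the report above): QEMU's configure locates glib-2.0 through pkg-config, and the glib-2.0.pc file pkg-config needs ships in the glib2-devel package, not in the glib2 runtime package, so a package listing like the one in the report can be scanned for the missing development package. The sample listing is copied from the report; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the issue): given an `rpm -qa` listing, report
# whether the glib2 *development* package is present. QEMU's configure finds
# glib-2.0 via pkg-config, which reads glib-2.0.pc from glib2-devel; the
# runtime glib2 package alone does not satisfy that check.

# Constructed sample, copied from the package list in the report above.
SAMPLE_RPMS='glibc-common-2.17-106.el7_2.6.x86_64
glibc-devel-2.17-106.el7_2.6.x86_64
glibc-2.17-106.el7_2.6.x86_64
dbus-glib-0.100-7.el7.x86_64
glib2-2.42.2-5.el7.x86_64
glib-networking-2.42.0-1.el7.x86_64
glibc-headers-2.17-106.el7_2.6.x86_64'

# has_pkg LISTING NAME -> exit 0 if a package whose name (the part before the
# version) is exactly NAME appears in LISTING, 1 otherwise. Anchoring on
# "NAME-<digit>" keeps glibc-devel or glib-networking from matching glib2.
has_pkg() {
    printf '%s\n' "$1" | grep -Eq "^$2-[0-9]"
}

# glib_dev_status LISTING -> prints one of: missing-runtime, missing-devel, ok
glib_dev_status() {
    if ! has_pkg "$1" glib2; then
        echo missing-runtime
    elif ! has_pkg "$1" glib2-devel; then
        echo missing-devel
    else
        echo ok
    fi
}

# Stand-alone run: with --live use the real rpm database when rpm exists,
# otherwise evaluate the constructed sample from the report.
if [ "${1:-}" = "--live" ] && command -v rpm >/dev/null 2>&1; then
    LISTING=$(rpm -qa)
else
    LISTING=$SAMPLE_RPMS
fi
case $(glib_dev_status "$LISTING") in
    missing-devel)   echo "glib2 is installed but glib2-devel is not; install it so pkg-config can resolve glib-2.0" ;;
    missing-runtime) echo "glib2 is not installed" ;;
    ok)              echo "glib2 and glib2-devel are present" ;;
esac
```

On the listing from the report the script prints the missing-devel message, which is the case the "glib-2.0 required to compile QEMU" line points at: the runtime library is there, the headers and pkg-config metadata are not.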

PANDA-ize all platforms

We should implement the basic per-arch callbacks on all architectures supported by QEMU and make sure they build correctly. Currently this is a somewhat involved process; below I've listed what was necessary to add MIPS:

  1. Add register info to panda/guestarch.h

  2. Add TARGET_MIPS to tcg/tcg-llvm.cpp memory op array

  3. Add _panda suffixed versions in target-mips/op_helper.c

  4. Add the #ifdef LLVM global env in target-mips/translate.c

  5. Add to target-mips/op_helper.c

    #ifdef CONFIG_LLVM
    struct CPUMIPSState *env = 0;
    #endif
    
  6. include "panda_plugin.h" and "panda_helper_ipml.h" in target-mips/op_helper.c

  7. Add to target-mips/helper.c

    target_phys_addr_t cpu_get_phys_addr(CPUState *env, target_ulong addr){
        return cpu_get_phys_page_debug(env, addr);
    }
    
  8. Implement init_regs, get_cpustate_val, printreg, and printspec in panda/guestarch.c

  9. Add instruction callback to target-mips/translate.c

  10. #include "panda_helper_defs.h" in target-mips/helper.h

Perhaps some of this can be streamlined?

debug code doesn't compile

OS - Debian 7
code version - last commit

  1. download, extract and run panda_install.bash - ok
  2. qemu/configure --enabled-debug - ok
  3. make - error

.....
CC i386-softmmu/kvmclock.o
LINK i386-softmmu/qemu-system-i386
/usr/bin/ld: panda/tubtf.o: relocation R_X86_64_32 against `.rodata' can not be used when making a shared object; recompile with -fPIC
panda/tubtf.o: could not read symbols: Bad value
collect2: error: ld returned 1 exit status
make[1]: *** [qemu-system-i386] Error 1
make: *** [subdir-i386-softmmu] Error 2

Where can I download the system image specified in kernelinfo.conf?

Hi!
I get "unable to read kernel info" errors when running the file taint plugin, even after porting my system conf to the kernelinfo.conf file. I plan to switch to a system specified in kernelinfo.conf. Can you point me to where I can download these system images? For example, where can I download the "lava32" image: name = #1 SMP Debian 3.2.51-1 i686?

Thanks!

build.sh fails with an AttributeError for ArrayDecl

I followed the directions on how to build Panda and got everything built. When I run build.sh however, I get the following error:

skerr@gravel:~/panda/qemu$ ./build.sh 
Building API for plugin sample
Traceback (most recent call last):
  File "../scripts/apigen.py", line 198, in <module>
    generate_api(plugin, plugin_dir)
  File "../scripts/apigen.py", line 164, in generate_api
    arglist = get_arglists(pf)
  File "../scripts/apigen.py", line 33, in get_arglists
    for arg in fundec.args.params:
AttributeError: 'ArrayDecl' object has no attribute 'args'
skerr@gravel:~/panda/qemu$ 

Could this be from Pycparser being updated since the directions were written or some other script updated? The function it is struggling to process is 'sample_function'.

qemu-system-x86_64: Could not open VM state file

Hello, every time I try to replay the recording moyix used to show PANDA's abilities in his post on Push the Red Button, I get the following error message:

loading snapshot
qemu-system-x86_64: Could not open VM state file
... done.
opening nondet log for read : ./spotify-rr-nondet.log
RR rr_assertion `rr_nondet_log->fp != NULL' failed at /home/frank/Downloads/panda-master/qemu/rr_log.c:1323
Current log point:

Current replay point:
{guest_instr_count=0 pc=0x00000000, secondary=0x00000000}

I don't really get what the problem is; I would appreciate help!

Replay failure (rr_log.c:1027 assertion failed error, FOUND DISAGREEMENT! error)

Hi, I am learning how to use Panda's replay feature. After about 1/8 of the instructions are replayed, the replay stops with an error:

RR rr_assertion `0' failed at /home/panda/panda/qemu/rr_log.c:1027
Current log point:
{guest_instr_count=1440464191 pc=0x806e73c2, secondary=0x000000ff}
Next log entry type: RR_INPUT_4
Current replay point:
{guest_instr_count=1440464175 pc=0x806e7f2d, secondary=0x00000000}

Host: PANDA VM October 2015 (Debian)
Guest: Windows XP 2002 SP3 (qcow2 format created by qemu-img with -o compat=0.10)

Run qemu terminal command: /home/panda/panda/qemu/x86_64-softmmu/qemu-system-x86_64 -drive file=/home/panda/qcow/winXp-compat.qcow2,if=ide,cache=writeback -m 1024M -spice port=5001,disable-ticketing -vga qxl -monitor stdio

(then begin_record test2 to terminal, and end_record)

Replay qemu terminal command: home/panda/panda/qemu/x86_64-softmmu/qemu-system-x86_64 -drive file=/home/panda/qcow/winXp-compat.qcow2,if=ide,cache=writeback -m 1024M -vga qxl -monitor stdio -replay test2

I can start Windows XP with panda; the problem is only with replay. Could you help me?

Record:
http://www.filedropper.com/test2-rr-snp
http://www.filedropper.com/test2-rr-nondet

I tried making a new recording and replaying it. After 7% of the recording I got another error:

Ahead of log while looking for log entry of type RR_INPUT_4
{guest_instr_count=892953525 pc=0x806e79f0, secondary=0x8671d414}
RR_INPUT_4 from RR_CALLSITE_IO_READ_2
FOUND DISAGREEMENT!
Replay program point:
{guest_instr_count=892953530 pc=0x806e79f0, secondary=0x8658d14c}

Record program point:
{guest_instr_count=892953525 pc=0x806e79f0, secondary=0x8671d414}

guest instruction counts disagree
guest secondary info disagrees
ERROR: replay failed!
