Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Monitoring Mem Events #32

Open
dscdo opened this issue Jan 4, 2019 · 14 comments
Open

Monitoring Mem Events #32

dscdo opened this issue Jan 4, 2019 · 14 comments

Comments

@dscdo
Copy link

dscdo commented Jan 4, 2019

Hi @Wenzel
I'm looking examples about monitoring syscall and in native examples mem events constant setted as lstar or cstar to catch syscall
But in your sample

vaddr = vmi.translate_ksym2v(symbol)
paddr = vmi.translate_kv2p(vaddr)
frame = paddr >> 12
....
mem_event = MemEvent(MemAccess.X, cb_mem_event, gfn=frame,data=user_data)

you are using symbol adress to set mem_event

What is the reason?
With cstar or lstar can we catch same RIP adress?

@Wenzel
Copy link
Member

Wenzel commented Jan 4, 2019

Well, simply because this memevent example here doesn't catch syscalls, only memory events when a certain address (symbol) is being executed.

@dscdo
Copy link
Author

dscdo commented Jan 4, 2019

Hmm firstly what's meaning of gfn and
how we can catch all symbol execution?

Is there a way to monitor all syscall events? (after i can convert it to symbol name)

@yguseto
Copy link

yguseto commented Jan 4, 2019

I'm just as curious as you are @dscdo
@Wenzel can you give some trick?

@Wenzel
Copy link
Member

Wenzel commented Jan 4, 2019

Hmm firstly what's meaning of gfn

you need to read the libvmi headers, its the official documentation ATM:
https://github.com/libvmi/libvmi/blob/48f6d8619bed4a7ab848a7bae890e1793425a92a/libvmi/events.h#L336

how we can catch all symbol execution

You would need to translate each symbol to their virtual address, and setup a memory event on each guest frame (physical memory) where your symbols are located.
I think @tklengyel should have details about generic memory events, which is more appropriate for your use case.
See https://github.com/libvmi/libvmi/blob/48f6d8619bed4a7ab848a7bae890e1793425a92a/libvmi/events.h#L235

Is there a way to monitor all syscall events

see generic memory events as I told you above

@Wenzel
Copy link
Member

Wenzel commented Jan 4, 2019

@dscdo can you already monitor NtOpenFile with memaccess-event.py script ?
Your VM should have only 1 VCPU for the script to work.

(venv) ./examples/memaccess-event.py win7 NtOpenFile

@dscdo
Copy link
Author

dscdo commented Jan 4, 2019

Yes it's working but with some symbol(Process create or delete file) i cant get result @Wenzel

@Wenzel
Copy link
Member

Wenzel commented Jan 4, 2019

The script might fail if the page where the symbol is located is not mapped in the virtual address space.

@dscdo
Copy link
Author

dscdo commented Jan 4, 2019

If we find a way to watch/save all syscall without symboll adress the problem will be solved.
I look at drakvuf but a little complicated to examine in a short time.
I think @tklengyel can give red pill and show the solution :D
we need to enter the rabbit hole

In addition how we can give sysenter_eip to as gfn.
It's not implemented in python lib.
@Wenzel

@Wenzel
Copy link
Member

Wenzel commented Jan 4, 2019

If we find a way to watch/save all syscall without symboll adress the problem will be solved.

You still need to have the page mappped in the virtual address space, it doesn't change your problem if you already have the [symbol] -> [address] association.

In addition how we can give sysenter_eip to as gfn.
It's not implemented in python lib.

Make a PR to add support for it 👍

@dscdo
Copy link
Author

dscdo commented Jan 4, 2019

Yes i understand but i cant find logical way to do it with python module

@Wenzel
Copy link
Member

Wenzel commented Jan 4, 2019

@dscdo can you describe your use case ?
Drakvuf is already doing all of that plumbering on top of libvmi for you, so if you don't feel comportable tweaking or building your own solution, I advice you to use Drakvuf directly.

@dscdo
Copy link
Author

dscdo commented Jan 4, 2019

My main goal is understand the system. So that tracing all syscall from vm is my personel homework 😄
After that with rip adress, i can convert they to function name

I used drakvuf but as i said i want to learn the technique.
As far as i can see in drakvuf didn't change gfn every time (it set a trap(symbol) to breakpoint. normally in struct of drakvuf_trap has gfn section but while adding trap, gfn is not setted. )
While craeting vmi_event in drakvuf, vmi_event's gfn has same situation with trap. I cant see in vmi.c
Still i try to understand drakvuf

@Wenzel
@tklengyel

@tklengyel
Copy link
Contributor

Drakvuf is open-source and you are welcome to review the code to better understand it. There is also the publication describing it in detail. Or you may also find this (old) example useful https://github.com/tklengyel/troopers-training/blob/master/exercise3-solution/syscalls.c

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants