qemu-devel

Re: [Qemu-devel] How to make shadow memory for a process? and how to tra


From: Mulyadi Santosa
Subject: Re: [Qemu-devel] How to make shadow memory for a process? and how to trace the data propation from the instruction level in QEMU?
Date: Sun, 14 Nov 2010 15:02:34 +0700

Hi Zhang...

Please consider it a casual user trying to share simple ideas with you....

2010/11/14 F. Zhang <address@hidden>:
> Hi,
>
> I am a newbie of QEMU. I want to use the QEMU for the dynamic analysis of
> malware, usually called “taint analysis”.

Just before it goes too far, have you checked a quite similar project
which is Argos (http://www.few.vu.nl/argos/)?

> The main idea is to tag data from
> some specific sources, for example, network packets, files in a harddisk,
> and user inputs and so on, and then trace the propagation of the tagged data
> in the system. Once the tagged data is maliciously used, an alarm is raised.

Quite alike valgrind in a general sense, don't you think? Who knows, you
can adopt its architecture (and possibly code too)?

> To build an analysis environment, I need to solve the following problems:
>
> (1)     Make the shadow memory for each process under analysis. How can I
> make the shadow memory in QEMU? I think I can partition the memory of QEMU
> into two blocks, one for the process under analysis, the other for the
> process’s shadow memory. Is that right?
>

Are you going to say you wanna mimic the way shadow page table works?

> (2)     Tracing propagation of tagged data is implemented in the instruction
> level. That is to say, for example, if the source operand of an instruction
> is tagged, then the destination operand of the instruction is also tagged.
> How can I implement the idea? Should I modify the instruction translation
> functions to add code for tagging and recompile QEMU?

How about using one of the unused PTE flags for such a tag?


> (3)     In the process of analyzing malware, two types of semantic
> information should be combined. One from the OS, including process
> information, stack information, heap information and so on; the other from
> the QEMU, including mostly the tag propagation information. The question is,
> how can I code to relate both of the information? That is to say, how to
> make QEMU receive information from OS, and how to make OS receive
> information from QEMU?

Now that's the real "bomb"... I was thinking about creating pseudo
device...oh wait, maybe using QMP (Qemu monitoring protocol)? Maybe
you can use the trace framework introduced in Qemu lately?

This is assuming, you wanna "make Qemu cooperate with host OS"...

-- 
regards,

Mulyadi Santosa
Freelance Linux trainer and consultant

blog: the-hydra.blogspot.com
training: mulyaditraining.blogspot.com
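The shadow-memory and instruction-level propagation idea from the quoted question, as an added stand-alone illustration (not code from this thread, from QEMU or from Argos): a toy machine where every guest byte has a shadow tag byte, register tags follow the "destination inherits the source's tag" rule, and a tainted value used as a jump target raises the alarm. The instruction set, memory sizes and the sample "packet" are constructed assumptions.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed toy machine: each guest byte in mem[] has one shadow byte in
   shadow[] holding its tag (0 = clean, nonzero = tainted). Registers carry
   a tag as well, so taint can flow memory -> register -> memory. */
#define MEM_SIZE 64
#define NREGS 4
#define TAG_NET 1                  /* tag for bytes that arrived "from the network" */

static uint8_t  mem[MEM_SIZE];
static uint8_t  shadow[MEM_SIZE];  /* shadow memory: one tag per guest byte */
static uint32_t reg[NREGS];
static uint8_t  reg_tag[NREGS];    /* shadow state of each register */
static int      alarms;

/* Taint source: bytes written by an untrusted input get tagged on arrival. */
void taint_source_write(unsigned addr, const uint8_t *data, unsigned len, uint8_t tag) {
    memcpy(&mem[addr], data, len);
    memset(&shadow[addr], tag, len);
}

/* Propagation rules: the destination operand inherits the union of the
   source operands' tags; immediates are always clean. */
void op_load(int rd, unsigned addr)  { reg[rd] = mem[addr]; reg_tag[rd] = shadow[addr]; }
void op_store(unsigned addr, int rs) { mem[addr] = (uint8_t)reg[rs]; shadow[addr] = reg_tag[rs]; }
void op_mov(int rd, int rs)          { reg[rd] = reg[rs]; reg_tag[rd] = reg_tag[rs]; }
void op_add(int rd, int ra, int rb)  { reg[rd] = reg[ra] + reg[rb]; reg_tag[rd] = reg_tag[ra] | reg_tag[rb]; }
void op_mov_imm(int rd, uint32_t v)  { reg[rd] = v; reg_tag[rd] = 0; }

/* Sink policy: a tainted value used as a control-transfer target is the
   "maliciously used" case from the question; count it and report. */
int op_jump_reg(int rs) {
    if (reg_tag[rs]) { alarms++; printf("ALARM: jump to tainted target 0x%x\n", reg[rs]); return 1; }
    return 0;
}

/* Walks a constructed packet through load/add/store/load and two jumps;
   returns the number of alarms raised (expected: 1). */
int run_scenario(void) {
    const uint8_t packet[4] = {0x10, 0x20, 0x30, 0x40};   /* constructed "network packet" */
    memset(shadow, 0, sizeof shadow); memset(reg_tag, 0, sizeof reg_tag); alarms = 0;
    taint_source_write(0, packet, 4, TAG_NET);  /* packet lands at guest address 0 */
    op_load(0, 1);          /* r0 <- mem[1], tainted */
    op_mov_imm(1, 0x100);   /* r1 <- constant, clean */
    op_add(2, 0, 1);        /* r2 <- r0 + r1: taint survives arithmetic */
    op_store(16, 2);        /* mem[16] and shadow[16] now carry TAG_NET */
    op_load(3, 16);         /* r3 <- mem[16], tainted again via memory */
    op_jump_reg(3);         /* input-derived target: alarm */
    op_jump_reg(1);         /* clean target: no alarm */
    return alarms;
}
```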
