Monitoring Mem Events

[dscdo]

Hi @Wenzel
I'm looking examples about monitoring syscall and in native examples mem events constant setted as lstar or cstar to catch syscall
But in your sample

vaddr = vmi.translate_ksym2v(symbol)
paddr = vmi.translate_kv2p(vaddr)
frame = paddr >> 12
....
mem_event = MemEvent(MemAccess.X, cb_mem_event, gfn=frame,data=user_data)

you are using symbol adress to set mem_event

What is the reason?
With cstar or lstar can we catch same RIP adress?

[Wenzel]

Well, simply because this memevent example here doesn't catch syscalls, only memory events when a certain address (symbol) is being executed.

[Wenzel]

https://github.com/libvmi/libvmi/blob/master/examples/event-example.c
and
https://github.com/libvmi/python/blob/master/examples/memaccess-event.py

are not related.

[dscdo]

Hmm firstly what's meaning of gfn and
how we can catch all symbol execution?

Is there a way to monitor all syscall events? (after i can convert it to symbol name)

[yguseto]

I'm just as curious as you are @dscdo
@Wenzel can you give some trick?

[Wenzel]

Hmm firstly what's meaning of gfn

you need to read the libvmi headers, its the official documentation ATM:
https://github.com/libvmi/libvmi/blob/48f6d8619bed4a7ab848a7bae890e1793425a92a/libvmi/events.h#L336

how we can catch all symbol execution

You would need to translate each symbol to their virtual address, and setup a memory event on each guest frame (physical memory) where your symbols are located.
I think @tklengyel should have details about generic memory events, which is more appropriate for your use case.
See https://github.com/libvmi/libvmi/blob/48f6d8619bed4a7ab848a7bae890e1793425a92a/libvmi/events.h#L235

Is there a way to monitor all syscall events

see generic memory events as I told you above

[Wenzel]

@dscdo can you already monitor NtOpenFile with memaccess-event.py script ?
Your VM should have only 1 VCPU for the script to work.

(venv) ./examples/memaccess-event.py win7 NtOpenFile

[dscdo]

Yes it's working but with some symbol(Process create or delete file) i cant get result @Wenzel

[Wenzel]

The script might fail if the page where the symbol is located is not mapped in the virtual address space.

[dscdo]

If we find a way to watch/save all syscall without symboll adress the problem will be solved.
I look at drakvuf but a little complicated to examine in a short time.
I think @tklengyel can give red pill and show the solution :D
we need to enter the rabbit hole

In addition how we can give sysenter_eip to as gfn.
It's not implemented in python lib.
@Wenzel

[Wenzel]

If we find a way to watch/save all syscall without symboll adress the problem will be solved.

You still need to have the page mappped in the virtual address space, it doesn't change your problem if you already have the [symbol] -> [address] association.

In addition how we can give sysenter_eip to as gfn.
It's not implemented in python lib.

Make a PR to add support for it 👍

[dscdo]

Yes i understand but i cant find logical way to do it with python module

[Wenzel]

@dscdo can you describe your use case ?
Drakvuf is already doing all of that plumbering on top of libvmi for you, so if you don't feel comportable tweaking or building your own solution, I advice you to use Drakvuf directly.

[dscdo]

My main goal is understand the system. So that tracing all syscall from vm is my personel homework 😄
After that with rip adress, i can convert they to function name

I used drakvuf but as i said i want to learn the technique.
As far as i can see in drakvuf didn't change gfn every time (it set a trap(symbol) to breakpoint. normally in struct of drakvuf_trap has gfn section but while adding trap, gfn is not setted. )
While craeting vmi_event in drakvuf, vmi_event's gfn has same situation with trap. I cant see in vmi.c
Still i try to understand drakvuf

@Wenzel
@tklengyel

[tklengyel]

Drakvuf is open-source and you are welcome to review the code to better understand it. There is also the publication describing it in detail. Or you may also find this (old) example useful https://github.com/tklengyel/troopers-training/blob/master/exercise3-solution/syscalls.c