#1 2020-09-20 15:44:17

Makakikus1865
Member
Registered: 2020-09-20
Posts: 2

Problems with PANDA V1.0

Hello everyone and I hope you can help me with this problem:

I am practicing with the PANDA of moyix version v1.0 (https://github.com/moyix/panda). Currently there is no support, but there is a command in QEMU that can view or mount the guest memory, and if volatility is used, the guest's memory can be exposed. Although it sends me a message that the connection is already made, I use the socat command to see how the data flows, and nothing happens.

Then there was a modification, but they did it separately (https://github.com/KVM-VMI/qemu). I downloaded it and again it sends me the messages that the connection is already made, but I don't see the data flowing.

In the memory-access.h file it says that FUSE takes care of mounting the guest memory. I use Kali 2020.3 and FUSE is already installed; I was checking the source file and it should work, but I think I am making a mistake and am missing something to do or build.

My question is: has anyone used the pmemaccess command?

In QEMU, can I specify that it should be built with FUSE support? I have read the QEMU documentation and it only talks about the libvirt and libvmi libraries, which you have to download, build and install. In this part I think I'm making a mistake; it gives me virtio-html-xml-in errors.

I hope you can guide me where else to investigate.

Greetings and thanks for your support.

#2 2020-09-21 09:15:55

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 8,497

Re: Problems with PANDA V1.0

https://github.com/moyix/panda wrote:

This repository is deprecated. Please refer to PANDA 2

The last commit for PANDA 1 is from Dec 2016. Is there a specific reason you need PANDA 1?


Multi-init booting with apg Openrc and systemd coexisting
Automounting : not needed, i prefer pmount
Aur helpers : makepkg + my own local repo === rarely need them

#3 2020-09-28 17:34:30

Makakikus1865
Member
Registered: 2020-09-20
Posts: 2

Re: Problems with PANDA V1.0

Hello, thanks for answering quickly. Yes, I am on PANDA v1.0 because it has a command called pmemaccess in QEMU v1.0, and according to what it does, it puts the memory of a VM's guest in a domain socket, and using volatility (I do not use the profile, since according to it that is not necessary) and socat you can see everything that happens in memory flow. But I have not been able to see it; there is even a modification that uses libvirt or libvmi to expose the memory, but I still can't get it.

I want to see live what happens in the guest's memory through QEMU pmemaccess. But even modifying QEMU v5.1, I have not been able to see the memory; only the cursor flashes. I thought my socat instruction was wrong, but I tried several domain sockets, such as Docker's, and I see everything that happens. That was when I realized there is something I am missing or doing wrong. I am also trying with NUMA from QEMU to expose the memory.

I await your comments and thank you for your response.

CHEERS!!!
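Added example, not part of the thread and not code from PANDA, QEMU or libvmi: a Python mock of both ends of the pmemaccess exchange over a Unix domain socket, which shows that in a request/response design the server sends nothing until a client writes a request, so a passive listener on the socket sees no traffic. The request layout (type byte, address, length as a 24-byte C struct) and the trailing status byte are what I recall from libvmi's memory-access.c and are an assumption to check against the copy in your tree; GUEST_MEMORY is a constructed stand-in for guest physical memory.

```python
import os
import socket
import struct
import tempfile
import threading

GUEST_MEMORY = bytearray(0x1000)  # constructed stand-in for guest physical memory (4 KiB)
GUEST_MEMORY[0x200:0x210] = b"GUEST-PAGE-MARK!"  # marker we will read back

# Request layout as I recall it from libvmi's memory-access.c (assumption; check your
# tree): uint8_t type (0 quit, 1 read, 2 write), uint64_t address, uint64_t length,
# sent as the raw C struct, i.e. 24 bytes with padding after the type byte on x86-64.
REQUEST = struct.Struct("<B7xQQ")
QUIT, READ = 0, 1

def recv_exact(conn, n):
    buf = conn.recv(n, socket.MSG_WAITALL)  # Linux: block until n bytes or peer hangs up
    if len(buf) != n:
        raise ConnectionError("peer closed the socket")
    return buf

def serve_one_client(listener):
    """Server side: sends nothing on its own; answers READ requests until QUIT."""
    conn, _ = listener.accept()
    with conn:
        while True:
            kind, address, length = REQUEST.unpack(recv_exact(conn, REQUEST.size))
            if kind == QUIT:
                return
            # Reply: `length` data bytes, then one status byte (1 = ok, 0 = failed).
            ok = kind == READ and address + length <= len(GUEST_MEMORY)
            data = bytes(GUEST_MEMORY[address:address + length]) if ok else bytes(length)
            conn.sendall(data + bytes([int(ok)]))

def read_guest_memory(conn, address, length):
    """Client side: one READ request; returns the bytes, or None if the read failed."""
    conn.sendall(REQUEST.pack(READ, address, length))
    reply = recv_exact(conn, length + 1)
    return reply[:-1] if reply[-1] == 1 else None

def demo():
    """Run both ends in-process over a temp socket; returns (good_read, bad_read)."""
    path = os.path.join(tempfile.mkdtemp(), "pmemaccess.sock")
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as listener:
        listener.bind(path)
        listener.listen(1)
        server = threading.Thread(target=serve_one_client, args=(listener,))
        server.start()
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as conn:
            conn.connect(path)
            good = read_guest_memory(conn, 0x200, 16)
            bad = read_guest_memory(conn, 0xFF0, 32)  # runs past the end of GUEST_MEMORY
            conn.sendall(REQUEST.pack(QUIT, 0, 0))
        server.join()
    os.unlink(path)
    return good, bad
```

Against a real pmemaccess socket the same client function applies once the struct layout is confirmed; an out-of-range read comes back with a zero status byte rather than an error message.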

Powered by FluxBB