// Pretty-print one pandalog entry as a single line on stdout.
//
// On the first call (tracked by the file-scope `started` flag, declared
// elsewhere in this file) the string database is loaded from /tmp/lavadb,
// but only when LAVA_PANDALOG_PRINT is defined; otherwise only the flag is set.
// Every optional sub-message present in `ple` is printed in a fixed order,
// each by its dedicated pprint_* helper (all defined elsewhere in this file).
// A NULL entry prints a marker line and returns without touching `ple`.
//
// NOTE(review): the database path is fixed under /tmp, a directory writable
// by any local user; the file a caller ends up loading is whatever sits at
// that path at run time. Consider making the path configurable — TODO confirm
// with LoadDB's owner.
// NOTE(review): several `%s` arguments (new_long_name, orig_filename,
// new_filename, port_name) are printed without a NULL check; whether the
// unpacked message guarantees non-NULL strings is not visible here — confirm.
void pprint_ple(Panda__LogEntry *ple) {
    if (!started) {
#ifdef LAVA_PANDALOG_PRINT
        str2ind = LoadDB(std::string("/tmp/lavadb"));
        ind2str = InvertDB(str2ind);
#endif
        started = 1;
    }
    if (ple == NULL){
        printf("Null Panda Log Entry!\n");
        return;
    }
    // instr is printed with PRIu64, so `== -1` compares against the
    // all-ones value that marks "after replay end".
    if (ple->instr == -1) {
        printf ("[after replay end] : ");
    } else {
        printf ("instr=%" PRIu64 " pc=0x%" PRIx64 " :", ple->instr, ple->pc);
    }
    // from dwarfp
    if (ple->dwarf_call) { printf(" !dwarf call!"); pprint_dwarf(ple->dwarf_call); }
    if (ple->dwarf_ret) { printf(" !dwarf ret!"); pprint_dwarf(ple->dwarf_ret); }
    // from asidstory / osi
    if (ple->has_asid) { printf (" asid=%" PRIx64, ple->asid); }
    if (ple->has_process_id != 0) { printf (" pid=%d", ple->process_id); }
    if (ple->process_name != 0) { printf (" process=[%s]", ple->process_name); }
    // from file_taint
    if (ple->has_taint_label_number) { printf (" tl=%d", ple->taint_label_number); }
    if (ple->has_taint_label_virtual_addr) { printf (" va=0x%" PRIx64, ple->taint_label_virtual_addr); }
    if (ple->has_taint_label_physical_addr) { printf (" pa=0x%" PRIx64 , ple->taint_label_physical_addr); }
    if (ple->call_stack) { pprint_call_stack(ple->call_stack); }
    // Attack points need the string DB, which is only loaded under this macro.
#ifdef LAVA_PANDALOG_PRINT
    if (ple->attack_point) { pprint_attack_point(ple->attack_point); }
#endif
    // taint-related sub-messages
    if (ple->tainted_branch) { pprint_tainted_branch(ple->tainted_branch); }
    // printf ("ple->tainted_branch_summary = 0x%x\n", ple->tainted_branch_summary);
    if (ple->tainted_branch_summary) { pprint_tainted_branch_summary(ple->tainted_branch_summary); }
    if (ple->taint_query_hypercall) { pprint_taint_query_hypercall(ple->taint_query_hypercall); }
    if (ple->tainted_instr) { pprint_tainted_instr(ple->tainted_instr); }
    if (ple->tainted_instr_summary) { pprint_tainted_instr_summary(ple->tainted_instr_summary); }
    // win7proc: process lifecycle
    if (ple->new_pid) { pprint_process("new_pid", ple->new_pid); }
    if (ple->nt_create_user_process) {
        printf (" nt_create_user_process ");
        printf (" [ " ); pprint_process("cur",ple->nt_create_user_process->cur_p); printf (" ]");
        printf (" [ " ); pprint_process("new",ple->nt_create_user_process->new_p); printf (" ]");
        printf (" name=[%s] ", ple->nt_create_user_process->new_long_name);
    }
    if (ple->nt_terminate_process) {
        printf (" nt_terminate_process ");
        printf (" [ " ); pprint_process("cur",ple->nt_terminate_process->cur_p); printf (" ]");
        printf (" [ " ); pprint_process("term",ple->nt_terminate_process->term_p); printf (" ]");
    }
    // win7proc: file operations
    if (ple->nt_create_file) { printf (" nt_create_file "); pprint_process_file(ple->nt_create_file); }
    if (ple->nt_create_file_ret) { printf (" nt_create_file_ret "); pprint_process_file(ple->nt_create_file_ret); }
    if (ple->nt_read_file) { printf (" nt_read_file "); pprint_process_file(ple->nt_read_file); }
    if (ple->nt_delete_file) { printf (" nt_delete_file "); pprint_process_file(ple->nt_delete_file); }
    if (ple->nt_write_file) { printf (" nt_write_file "); pprint_process_file(ple->nt_write_file); }
    if (ple->nt_set_information_file) {
        printf (" nt_set_information_file ");
        pprint_process("",ple->nt_set_information_file->proc);
        printf ("(orig_filename,%s)", ple->nt_set_information_file->orig_filename);
        printf ("(new_filename,%s)", ple->nt_set_information_file->new_filename);
    }
    // win7proc: registry keys
    if (ple->nt_create_key) { printf (" nt_create_key "); pprint_process_key(ple->nt_create_key); }
    if (ple->nt_create_key_transacted) { printf (" nt_create_key_transacted "); pprint_process_key(ple->nt_create_key_transacted); }
    if (ple->nt_open_key) { printf (" nt_open_key "); pprint_process_key(ple->nt_open_key); }
    if (ple->nt_open_key_ex) { printf (" nt_open_key_ex "); pprint_process_key(ple->nt_open_key_ex); }
    if (ple->nt_open_key_transacted) { printf (" nt_open_key_transacted "); pprint_process_key(ple->nt_open_key_transacted); }
    if (ple->nt_open_key_transacted_ex) { printf (" nt_open_key_transacted_ex "); pprint_process_key(ple->nt_open_key_transacted_ex); }
    if (ple->nt_delete_key) { printf (" nt_delete_key "); pprint_process_key(ple->nt_delete_key); }
    if (ple->nt_query_key) { printf (" nt_query_key "); pprint_process_key(ple->nt_query_key); }
    // win7proc: registry values
    if (ple->nt_query_value_key) { printf (" nt_query_value_key "); pprint_process_key_value(ple->nt_query_value_key); }
    if (ple->nt_delete_value_key) { printf (" nt_delete_value_key "); pprint_process_key_value(ple->nt_delete_value_key); }
    if (ple->nt_set_value_key) { printf (" nt_set_value_key "); pprint_process_key_value(ple->nt_set_value_key); }
    if (ple->nt_enumerate_key) { printf (" nt_enumerate_key "); pprint_process_key_index(ple->nt_enumerate_key); }
    if (ple->nt_enumerate_value_key) { printf (" nt_enumerate_value_key "); pprint_process_key_index(ple->nt_enumerate_value_key); }
    // win7proc: sections
    if (ple->nt_create_section) { printf (" nt_create_section "); pprint_section(ple->nt_create_section); }
    if (ple->nt_open_section) { printf (" nt_open_section "); pprint_section(ple->nt_open_section); }
    if (ple->nt_map_view_of_section) {
        printf (" nt_map_view_of_section ");
        pprint_process("target", ple->nt_map_view_of_section->target);
        pprint_section(ple->nt_map_view_of_section->section);
    }
    // win7proc: LPC ports
    if (ple->nt_create_port) {
        printf(" nt_create_port ");
        printf("name = %s ", ple->nt_create_port->port_name);
        pprint_local_port(ple->nt_create_port->port);
    }
    if (ple->nt_connect_port) {
        printf(" nt_connect_port ");
        printf("name = %s ", ple->nt_connect_port->port_name);
        pprint_local_port(ple->nt_connect_port->port);
    }
    if (ple->nt_listen_port) { printf(" nt_listen_port "); pprint_local_port(ple->nt_listen_port); }
    if (ple->nt_accept_connect_port) { printf(" nt_accept_connect_port "); pprint_local_port(ple->nt_accept_connect_port); }
    if (ple->nt_complete_connect_port) { printf(" nt_complete_connect_port "); pprint_local_port(ple->nt_complete_connect_port); }
    if (ple->nt_request_port) { printf(" nt_request_port "); pprint_local_port(ple->nt_request_port); }
    if (ple->nt_request_wait_reply_port) { printf(" nt_request_wait_reply_port "); pprint_local_port(ple->nt_request_wait_reply_port); }
    if (ple->nt_reply_port) { printf(" nt_reply_port "); pprint_local_port(ple->nt_reply_port); }
    if (ple->nt_reply_wait_reply_port) { printf(" nt_reply_wait_reply_port "); pprint_local_port(ple->nt_reply_wait_reply_port); }
    if (ple->nt_reply_wait_receive_port) { printf(" nt_reply_wait_receive_port "); pprint_local_port(ple->nt_reply_wait_receive_port); }
    if (ple->nt_impersonate_client_of_port) { printf(" nt_impersonate_client_of_port "); pprint_local_port(ple->nt_impersonate_client_of_port); }
    // win7proc: virtual memory access
    if (ple->nt_read_virtual_memory) { printf(" nt_read_virtual_memory "); pprint_panda_vm(ple->nt_read_virtual_memory); }
    if (ple->nt_write_virtual_memory) { printf(" nt_write_virtual_memory "); pprint_panda_vm(ple->nt_write_virtual_memory); }
    if (ple->has_nt_any_syscall) { printf (" nt_any_syscall (num=%d)", ple->nt_any_syscall); }
    if (ple->has_total_instr) { printf (" total instr %" PRId64, ple->total_instr); }
    // One entry per output line.
    printf ("\n");
}
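// Standalone pandalog dumper: reads every entry from the log given as argv[1]
// and prints one line per entry on stdout.
//
// Changes versus the previous version:
//  * argv[1] was dereferenced without checking argc; running the tool with no
//    argument read past the argv array. A usage message is now printed and the
//    process exits with status 1 instead.
//  * three output strings were repaired: " nt_write_file " gained the leading
//    space every other tag has, the dead_data record closes its parenthesis,
//    and "unqiue" is spelled "unique". Output tags otherwise match pprint_ple.
//
// NOTE(review): the string database is loaded from a fixed path under /tmp, a
// directory writable by any local user; the file actually loaded is whatever
// is at that path at run time — consider making it configurable.
// NOTE(review): `%s` arguments taken from the log (process_name is checked,
// new_long_name and gstr() results are not) are printed without a NULL check;
// whether the unpacked message guarantees non-NULL strings is not visible
// here — confirm against the message definition.
// Returns 0 after the log is exhausted, 1 on a missing argument.
int main (int argc, char **argv) {
    if (argc < 2 || argv[1] == NULL) {
        fprintf(stderr, "usage: %s <pandalog>\n", argc > 0 ? argv[0] : "pandalog_reader");
        return 1;
    }
    str2ind = LoadDB(std::string("/tmp/lavadb"));
    ind2str = InvertDB(str2ind);
    pandalog_open(argv[1], "r");
    Panda__LogEntry *ple;
    // pandalog_read_entry() returns NULL at end of log (and, presumably, on a
    // read error — it is not distinguishable here).
    while (1) {
        ple = pandalog_read_entry();
        if (ple == NULL) {
            break;
        }
        // instr is printed with PRIu64, so `== -1` compares against the
        // all-ones value marking "after replay end".
        if (ple->instr == -1) {
            printf ("[after replay end] : ");
        } else {
            printf ("instr=%" PRIu64 " pc=0x%" PRIx64 " :", ple->instr, ple->pc);
        }
        // from asidstory / osi
        if (ple->has_asid) { printf (" asid=%" PRIx64, ple->asid); }
        if (ple->has_process_id != 0) { printf (" pid=%d", ple->process_id); }
        if (ple->process_name != 0) { printf (" process=[%s]", ple->process_name); }
        // from file_taint
        if (ple->has_taint_label_number) { printf (" tl=%d", ple->taint_label_number); }
        if (ple->has_taint_label_virtual_addr) { printf (" va=0x%" PRIx64, ple->taint_label_virtual_addr); }
        if (ple->has_taint_label_physical_addr) { printf (" pa=0x%" PRIx64 , ple->taint_label_physical_addr); }
        // callstack=(count,[ 0xaddr, 0xaddr ])
        if (ple->n_callstack > 0) {
            printf (" callstack=(%u,[", (uint32_t) ple->n_callstack);
            uint32_t i;
            for (i=0; i<ple->n_callstack; i++) {
                printf (" 0x%" PRIx64 , ple->callstack[i]);
                if (i+1 < ple->n_callstack) {
                    printf (",");
                }
            }
            printf ("])");
        }
        // Integer string ids are resolved through the loaded DB with gstr().
        if (ple->attack_point) {
            Panda__AttackPoint *ap = ple->attack_point;
            printf (" attack point: info=[%u][%s]", ap->info, gstr(ap->info));
        }
        if (ple->src_info) {
            Panda__SrcInfo *si = ple->src_info;
            printf (" src info filename=[%u][%s] astnode=[%u][%s] linenum=%d",
                    si->filename, gstr(si->filename),
                    si->astnodename, gstr(si->astnodename), si->linenum);
        }
        if (ple->has_tainted_branch && ple->tainted_branch) { printf (" tainted branch"); }
        if (ple->taint_query_hypercall) {
            Panda__TaintQueryHypercall *tqh = ple->taint_query_hypercall;
            printf (" taint query hypercall(buf=0x%" PRIx64 ",len=%u,num_tainted=%u)",
                    tqh->buf, tqh->len, tqh->num_tainted);
        }
        if (ple->has_tainted_instr && ple->tainted_instr) { printf (" tainted instr"); }
        // dead data: one record per line, index used as the label
        if (ple->n_dead_data > 0) {
            printf ("\n");
            uint32_t i;
            for (i=0; i<ple->n_dead_data; i++) {
                printf (" dead_data(label=%d,deadness=%.2f)\n", i, ple->dead_data[i]);
            }
        }
        // taint queries
        if (ple->taint_query_unique_label_set) {
            printf (" taint query unique label set: ptr=%" PRIx64" labels: ",
                    ple->taint_query_unique_label_set->ptr);
            uint32_t i;
            for (i=0; i<ple->taint_query_unique_label_set->n_label; i++) {
                printf ("%d ", ple->taint_query_unique_label_set->label[i]);
            }
        }
        if (ple->taint_query) {
            Panda__TaintQuery *tq = ple->taint_query;
            printf (" taint query: labels ptr %" PRIx64" tcn=%d off=%d",
                    tq->ptr, (int) tq->tcn, (int) tq->offset);
        }
        // win7proc: process lifecycle
        if (ple->new_pid) {
            printf (" new_pid ");
            print_process(ple->new_pid);
        }
        if (ple->nt_create_user_process) {
            printf (" nt_create_user_process ");
            printf (" [ cur " ); print_process(ple->nt_create_user_process->cur_p); printf (" ]");
            printf (" [ new " ); print_process(ple->nt_create_user_process->new_p); printf (" ]");
            printf (" name=[%s] ", ple->nt_create_user_process->new_long_name);
        }
        if (ple->nt_terminate_process) {
            printf (" nt_terminate_process ");
            printf (" [ cur " ); print_process(ple->nt_terminate_process->cur_p); printf (" ]");
            printf (" [ term " ); print_process(ple->nt_terminate_process->term_p); printf (" ]");
        }
        // win7proc: file operations
        if (ple->nt_create_file) { printf (" nt_create_file "); print_process_file(ple->nt_create_file); }
        if (ple->nt_read_file) { printf (" nt_read_file "); print_process_file(ple->nt_read_file); }
        if (ple->nt_delete_file) { printf (" nt_delete_file "); print_process_file(ple->nt_delete_file); }
        if (ple->nt_write_file) { printf (" nt_write_file "); print_process_file(ple->nt_write_file); }
        // win7proc: registry keys
        if (ple->nt_create_key) { printf (" nt_create_key "); print_process_key(ple->nt_create_key); }
        if (ple->nt_create_key_transacted) { printf (" nt_create_key_transacted "); print_process_key(ple->nt_create_key_transacted); }
        if (ple->nt_open_key) { printf (" nt_open_key "); print_process_key(ple->nt_open_key); }
        if (ple->nt_open_key_ex) { printf (" nt_open_key_ex "); print_process_key(ple->nt_open_key_ex); }
        if (ple->nt_open_key_transacted) { printf (" nt_open_key_transacted "); print_process_key(ple->nt_open_key_transacted); }
        if (ple->nt_open_key_transacted_ex) { printf (" nt_open_key_transacted_ex "); print_process_key(ple->nt_open_key_transacted_ex); }
        if (ple->nt_delete_key) { printf (" nt_delete_key "); print_process_key(ple->nt_delete_key); }
        if (ple->nt_query_key) { printf (" nt_query_key "); print_process_key(ple->nt_query_key); }
        // win7proc: registry values
        if (ple->nt_query_value_key) { printf (" nt_query_value_key "); print_process_key_value(ple->nt_query_value_key); }
        if (ple->nt_delete_value_key) { printf (" nt_delete_value_key "); print_process_key_value(ple->nt_delete_value_key); }
        if (ple->nt_set_value_key) { printf (" nt_set_value_key "); print_process_key_value(ple->nt_set_value_key); }
        if (ple->nt_enumerate_key) { printf (" nt_enumerate_key "); print_process_key_index(ple->nt_enumerate_key); }
        if (ple->nt_enumerate_value_key) { printf (" nt_enumerate_value_key "); print_process_key_index(ple->nt_enumerate_value_key); }
        // One entry per output line; release the unpacked message.
        printf ("\n");
        panda__log_entry__free_unpacked(ple, NULL);
    }
    return 0;
}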