int main (int argc, char **argv) {
pandalog_open((const char *) argv[1], (const char*) "r");
Panda__LogEntry *ple;
while (1) {
ple = pandalog_read_entry();
if (ple == (Panda__LogEntry *)1) {
continue;
}
if (ple == NULL) {
break;
}
// pprint_ple(ple);
panda__log_entry__free_unpacked(ple, NULL);
}
}
static void __pandalog_free_entry(Panda__LogEntry *entry) {
panda__log_entry__free_unpacked(entry, NULL);
}
int main (int argc, char **argv) {
str2ind = LoadDB(std::string("/tmp/lavadb"));
ind2str = InvertDB(str2ind);
pandalog_open(argv[1], "r");
Panda__LogEntry *ple;
while (1) {
ple = pandalog_read_entry();
if (ple == NULL) {
break;
}
if (ple->instr == -1) {
printf ("[after replay end] : ");
}
else {
printf ("instr=%" PRIu64 " pc=0x%" PRIx64 " :", ple->instr, ple->pc);
}
// from asidstory / osi
if (ple->has_asid) {
printf (" asid=%" PRIx64, ple->asid);
}
if (ple->has_process_id != 0) {
printf (" pid=%d", ple->process_id);
}
if (ple->process_name != 0) {
printf (" process=[%s]", ple->process_name);
}
// from file_taint
if (ple->has_taint_label_number) {
printf (" tl=%d", ple->taint_label_number);
}
if (ple->has_taint_label_virtual_addr) {
printf (" va=0x%" PRIx64, ple->taint_label_virtual_addr);
}
if (ple->has_taint_label_physical_addr) {
printf (" pa=0x%" PRIx64 , ple->taint_label_physical_addr);
}
if (ple->n_callstack > 0) {
printf (" callstack=(%u,[", (uint32_t) ple->n_callstack);
uint32_t i;
for (i=0; i<ple->n_callstack; i++) {
printf (" 0x%" PRIx64 , ple->callstack[i]);
if (i+1 < ple->n_callstack) {
printf (",");
}
}
printf ("])");
}
if (ple->attack_point) {
Panda__AttackPoint *ap = ple->attack_point;
printf (" attack point: info=[%u][%s]", ap->info, gstr(ap->info));
}
if (ple->src_info) {
Panda__SrcInfo *si = ple->src_info;
printf (" src info filename=[%u][%s] astnode=[%u][%s] linenum=%d",
si->filename, gstr(si->filename), si->astnodename,
gstr(si->astnodename), si->linenum);
}
if (ple->has_tainted_branch && ple->tainted_branch) {
printf (" tainted branch");
}
if (ple->taint_query_hypercall) {
Panda__TaintQueryHypercall *tqh = ple->taint_query_hypercall;
printf (" taint query hypercall(buf=0x%" PRIx64 ",len=%u,num_tainted=%u)", tqh->buf, tqh->len, tqh->num_tainted);
}
if (ple->has_tainted_instr && ple->tainted_instr) {
printf (" tainted instr");
}
// dead data
if (ple->n_dead_data > 0) {
printf ("\n");
uint32_t i;
for (i=0; i<ple->n_dead_data; i++) {
printf (" dead_data(label=%d,deadness=%.2f\n", i, ple->dead_data[i]);
}
}
// taint queries
if (ple->taint_query_unique_label_set) {
printf (" taint query unqiue label set: ptr=%" PRIx64" labels: ", ple->taint_query_unique_label_set->ptr);
uint32_t i;
for (i=0; i<ple->taint_query_unique_label_set->n_label; i++) {
printf ("%d ", ple->taint_query_unique_label_set->label[i]);
}
}
if (ple->taint_query) {
Panda__TaintQuery *tq = ple->taint_query;
printf (" taint query: labels ptr %" PRIx64" tcn=%d off=%d", tq->ptr, (int) tq->tcn, (int) tq->offset);
}
// win7proc
if (ple->new_pid) {
printf (" new_pid ");
print_process(ple->new_pid);
}
if (ple->nt_create_user_process) {
printf (" nt_create_user_process ");
printf (" [ cur " );
print_process(ple->nt_create_user_process->cur_p);
printf (" ]");
printf (" [ new " );
print_process(ple->nt_create_user_process->new_p);
printf (" ]");
printf (" name=[%s] ",
ple->nt_create_user_process->new_long_name);
}
if (ple->nt_terminate_process) {
printf (" nt_terminate_process ");
printf (" [ cur " );
print_process(ple->nt_terminate_process->cur_p);
printf (" ]");
printf (" [ term " );
print_process(ple->nt_terminate_process->term_p);
printf (" ]");
}
if (ple->nt_create_file) {
printf (" nt_create_file ");
print_process_file(ple->nt_create_file);
}
if (ple->nt_read_file) {
printf (" nt_read_file ");
print_process_file(ple->nt_read_file);
}
if (ple->nt_delete_file) {
printf (" nt_delete_file ");
print_process_file(ple->nt_delete_file);
}
if (ple->nt_write_file) {
printf ("nt_write_file ");
print_process_file(ple->nt_write_file);
}
if (ple->nt_create_key) {
printf (" nt_create_key ");
print_process_key(ple->nt_create_key);
}
if (ple->nt_create_key_transacted) {
printf (" nt_create_key_transacted ");
print_process_key(ple->nt_create_key_transacted);
}
if (ple->nt_open_key) {
printf (" nt_open_key ");
print_process_key(ple->nt_open_key);
}
if (ple->nt_open_key_ex) {
printf (" nt_open_key_ex ");
print_process_key(ple->nt_open_key_ex);
}
if (ple->nt_open_key_transacted) {
printf (" nt_open_key_transacted ");
print_process_key(ple->nt_open_key_transacted);
}
if (ple->nt_open_key_transacted_ex) {
printf (" nt_open_key_transacted_ex ");
print_process_key(ple->nt_open_key_transacted_ex);
}
if (ple->nt_delete_key) {
printf (" nt_delete_key ");
print_process_key(ple->nt_delete_key);
}
if (ple->nt_query_key) {
printf (" nt_query_key ");
print_process_key(ple->nt_query_key);
}
if (ple->nt_query_value_key) {
printf (" nt_query_value_key ");
print_process_key_value(ple->nt_query_value_key);
}
if (ple->nt_delete_value_key) {
printf (" nt_delete_value_key ");
print_process_key_value(ple->nt_delete_value_key);
}
if (ple->nt_set_value_key) {
printf (" nt_set_value_key ");
print_process_key_value(ple->nt_set_value_key);
}
if (ple->nt_enumerate_key) {
printf (" nt_enumerate_key ");
print_process_key_index(ple->nt_enumerate_key);
}
if (ple->nt_enumerate_value_key) {
printf (" nt_enumerate_value_key ");
print_process_key_index(ple->nt_enumerate_value_key);
}
printf ("\n");
panda__log_entry__free_unpacked(ple, NULL);
}
}
