Replay PANDA malware recordings

PANDA provides a record and replay system: it executes a binary inside a whole-system emulator, records the execution, and can later replay that recording deterministically. A large collection of malware recordings is available at http://panda.gtisc.gatech.edu/malrec/.

A malrec download does not contain the full guest memory snapshot. Instead it ships a small `.patch` file listing the bytes that differ from one of a handful of shared reference snapshots, so before you can run a replay you must rebuild the snapshot by applying that patch to the matching reference. You need (1) the small bpatch.py tool below and (2) the reference snapshots, which can be downloaded from http://panda.gtisc.gatech.edu/malrec/rr/references/. Follow the instructions below to download, patch and replay a PANDA recording:

  1. Create a file bpatch.py with the following code:

#!/usr/bin/env python
# bpatch.py: rebuild a malrec snapshot from a reference snapshot plus a patch.
#
# Patch file format (as consumed below):
#   line 1          path of the reference snapshot the patch was made against
#   remaining lines "<hex offset> <hex bytes>": bytes to overwrite at that offset
from __future__ import print_function

import binascii
import os
import shutil
import sys

if len(sys.argv) < 2:
    print("usage: %s <patchfile>" % sys.argv[0], file=sys.stderr)
    sys.exit(1)

f = open(sys.argv[1])
# The reference path is resolved relative to the current working directory.
ref = f.readline().strip()

if not os.path.exists(ref):
    print("error: couldn't find reference snapshot %s" % ref, file=sys.stderr)
    sys.exit(1)
else:
    print("Using reference %s as a base" % ref)

# Output goes next to the patch as <patch name without extension>-rr-snp,
# which is the prefix PANDA's -replay option expects.
basename = os.path.splitext(sys.argv[1])[0]
patched = basename + '-rr-snp'
print("Creating patched snapshot %s" % patched)
shutil.copy(ref, patched)

of = open(patched, 'rb+')

for line in f:
    line = line.strip()
    if not line:
        continue
    off, val = line.split()
    off = int(off, 16)
    val = binascii.unhexlify(val)   # works on Python 2 and 3
    of.seek(off)
    of.write(val)

f.close()
of.close()

print("All done, no errors.")

  2. Create a directory `references` anywhere on your system; it is referred to as REF_DIR below. Download the reference snapshots into it:

$ cd REF_DIR
$ wget http://panda.gtisc.gatech.edu/malrec/rr/references/0000c18e-a947-42ea-abb2-234ea18facdc-rr-snp
$ wget http://panda.gtisc.gatech.edu/malrec/rr/references/0002f074-cd1b-4523-aacd-eeccd61c0f96-rr-snp
$ wget http://panda.gtisc.gatech.edu/malrec/rr/references/00568419-706b-4c2e-ad3a-4de0add3780d-rr-snp
$ wget http://panda.gtisc.gatech.edu/malrec/rr/references/023c870e-4be8-4f1c-a712-340e21c67565-rr-snp
$ wget http://panda.gtisc.gatech.edu/malrec/rr/references/0335fe75-a7bd-4963-8304-da7e59005692-rr-snp
$ wget http://panda.gtisc.gatech.edu/malrec/rr/references/097b607a-735e-4ac0-b853-c15dc58b58fc-rr-snp
$ wget http://panda.gtisc.gatech.edu/malrec/rr/references/1b5091e3-98a5-4058-a944-c5d6f87fe103-rr-snp
$ wget http://panda.gtisc.gatech.edu/malrec/rr/references/5ad7f823-1b5f-4f99-8f2b-53bf69e0fc08-rr-snp

Alternatively, browse http://panda.gtisc.gatech.edu/malrec/rr/references/ and download the reference snapshots manually. The first line of each recording's .patch file names the reference it was made against, so you only strictly need the references your recordings use.

  3. Create a working directory and download a recording into it. Recordings (the `rrlog` archives) are distributed as .txz files from http://panda.gtisc.gatech.edu/malrec/ or the mirror http://giantpanda.gtisc.gatech.edu/malrec/. For example, to fetch and unpack the recording with UUID 3618dea7-fe33-4726-b3c6-befc5f9b32d0:

$ cd /tmp
$ mkdir malware_recordings
$ cd malware_recordings
$ wget http://panda.gtisc.gatech.edu/malrec/rr/3618dea7-fe33-4726-b3c6-befc5f9b32d0.txz
$ tar xvf 3618dea7-fe33-4726-b3c6-befc5f9b32d0.txz

  4. Apply the patch with bpatch.py. The first line of the .patch file names the reference snapshot, and bpatch.py resolves that path relative to the directory you run it from, so link REF_DIR to where the patch expects it:

$ ln -s REF_DIR logs/rr
$ python bpatch.py logs/rr/3618dea7-fe33-4726-b3c6-befc5f9b32d0.patch

If it reports "error: couldn't find reference snapshot ...", check the path on the first line of the patch (head -1 logs/rr/3618dea7-fe33-4726-b3c6-befc5f9b32d0.patch) and adjust the symlink so that path resolves; note that if logs/rr already exists as a directory after extraction, ln -s places the link inside it rather than replacing it. On success it prints:
"All done, no errors."
and leaves the rebuilt snapshot as logs/rr/3618dea7-fe33-4726-b3c6-befc5f9b32d0-rr-snp next to the patch.

  5. Run PANDA with the -replay option, giving the recording prefix. PANDA appends -rr-snp and -rr-nondet.log to the prefix itself, so the nondeterminism log extracted from the archive must sit beside the patched snapshot:

-replay /tmp/malware_recordings/logs/rr/3618dea7-fe33-4726-b3c6-befc5f9b32d0
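The patch format that bpatch.py consumes (reference path on the first line, then `<hex offset> <hex bytes>` runs) is simple enough to generate and check yourself, which is useful when you want to verify that a rebuilt snapshot matches what the recording's author had, or ship your own recording as a patch against a shared reference. The following is an added example written for this page, not part of malrec or PANDA: it derives the format from bpatch.py above, works purely in memory on constructed byte strings, and the reference name `references/example-rr-snp` is made up.

```python
import hashlib


def diff_runs(ref, target):
    """Return [(offset, bytes)] for each maximal run where target differs from ref.

    Bytes of target past the end of ref always count as different, so a
    longer target produces a trailing run that extends the reference.
    """
    runs = []
    start = None
    for i in range(len(target)):
        same = i < len(ref) and ref[i] == target[i]
        if not same and start is None:
            start = i
        elif same and start is not None:
            runs.append((start, target[start:i]))
            start = None
    if start is not None:
        runs.append((start, target[start:]))
    return runs


def make_patch(ref, target, ref_name):
    """Produce patch text in the bpatch.py format: ref path, then offset/value lines.

    The format can only overwrite or extend the reference, never truncate it,
    so a target shorter than the reference is rejected.
    """
    if len(target) < len(ref):
        raise ValueError("target (%d bytes) is shorter than reference (%d bytes)"
                         % (len(target), len(ref)))
    lines = [ref_name]
    for off, data in diff_runs(ref, target):
        lines.append("%x %s" % (off, data.hex()))
    return "\n".join(lines) + "\n"


def apply_patch(ref, patch_text):
    """Apply patch text to reference bytes; return (reference name, rebuilt bytes).

    Mirrors bpatch.py's seek/write semantics: an offset past the current end
    of the file leaves a zero-filled gap, and writes past the end extend it.
    """
    lines = patch_text.splitlines()
    ref_name = lines[0].strip()
    out = bytearray(ref)
    for line in lines[1:]:
        line = line.strip()
        if not line:
            continue
        off_text, val_text = line.split()
        off = int(off_text, 16)
        val = bytes.fromhex(val_text)
        if off > len(out):
            out.extend(b"\0" * (off - len(out)))
        out[off:off + len(val)] = val   # slice assignment also extends past the end
    return ref_name, bytes(out)


def sha256hex(data):
    """Digest to record alongside a patch so a rebuilt snapshot can be verified."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    # Constructed stand-ins for a reference snapshot and the recording's snapshot.
    ref = bytes(range(256)) * 4
    target = bytearray(ref)
    target[0x10:0x14] = b"PNDA"
    target[0x3ff] = 0
    target = bytes(target)

    patch = make_patch(ref, target, "references/example-rr-snp")
    print(patch, end="")
    name, rebuilt = apply_patch(ref, patch)
    print("reference:", name)
    print("round-trip ok:", rebuilt == target, "sha256:", sha256hex(rebuilt))
```

Running it prints a two-run patch (`10 504e4441` and `3ff 00`) and confirms the round trip. In practice you would record `sha256hex` of the original snapshot when making a patch and compare it against the `-rr-snp` file bpatch.py produces before spending time on a replay that was never going to load.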

Posted in Binary Analysis, Dynamic analysis, Linux, Malware Analysis, Security.