Replay PANDA malware recordings

PANDA provides a record-and-replay system: it runs a guest VM, records the non-deterministic inputs of that execution, and can later replay the recording deterministically, so the same run can be re-analysed as often as needed. A large number of malware recordings exist on

Before you can replay one of these recordings, you have to patch it to recover its snapshot file: a recording consists of a memory snapshot (the `-rr-snp` file) plus the non-determinism log, and the published recordings ship only a small `.patch` file that describes how the snapshot differs from one of a handful of shared reference snapshots. Patching needs (1) a small patch tool (the script given in step 1 below) and (2) the reference snapshots, which can be downloaded from here. Follow these instructions to download, patch and replay PANDA recordings:

  1. Create a file (save it as, for example, `patch_snapshot.py`; the name is up to you) with the following code:

#!/usr/bin/env python
# Patch tool: rebuilds a recording's "-rr-snp" snapshot from a shared
# reference snapshot.  Patch file format: the first line is the path of the
# reference snapshot; every following line is "<hex offset> <hex bytes>".
# Runs under Python 2.7 or Python 3.

import sys
import shutil
import os

if len(sys.argv) < 2:
    sys.stderr.write("usage: %s <patchfile>\n" % sys.argv[0])
    sys.exit(1)

f = open(sys.argv[1])
ref = f.readline().strip()

if not os.path.exists(ref):
    sys.stderr.write("error: couldn't find reference snapshot %s\n" % ref)
    sys.exit(1)
print("Using reference %s as a base" % ref)

# foo.patch -> foo-rr-snp, the file name PANDA's -replay expects
basename = os.path.splitext(sys.argv[1])[0]
patched = basename + '-rr-snp'
print("Creating patched snapshot %s" % patched)
shutil.copy(ref, patched)

of = open(patched, 'rb+')

for line in f:
    line = line.strip()
    if not line:
        continue                      # skip blank lines
    off, val = line.split()
    off = int(off, 16)                # byte offset into the snapshot
    val = bytearray.fromhex(val)      # bytes that differ from the reference
    of.seek(off)                      # write them over the copied reference
    of.write(val)

of.close()
f.close()
print("All done, no errors.")

  2. Create a directory `references` anywhere on your system (referred to as REF_DIR below) and download the reference snapshots into it:

$ cd REF_DIR
$ wget
$ wget
$ wget
$ wget
$ wget
$ wget
$ wget
$ wget

Alternatively, you can manually download reference snapshots from

  3. Create a working directory for the recordings:

$ cd /tmp
$ mkdir malware_recordings
$ cd malware_recordings

Download and untar any of the `rrlog` malware recordings, from either of the recording archives, into `malware_recordings`.

For example, the recording with UUID 3618dea7-fe33-4726-b3c6-befc5f9b32d0 can be downloaded and unpacked with the following commands (the archive extracts into `logs/rr/`):
$ wget
$ tar xvf 3618dea7-fe33-4726-b3c6-befc5f9b32d0.txz

  4. Apply the patch with the script from step 1 (saved here as `patch_snapshot.py`). Link REF_DIR into place first so that the reference snapshot path named on the first line of the `.patch` file resolves:
$ ln -s REF_DIR logs/rr
$ python patch_snapshot.py logs/rr/3618dea7-fe33-4726-b3c6-befc5f9b32d0.patch

If it succeeds, the script prints the following message:
"All done, no errors."

  5. Run PANDA's QEMU binary with `-replay`, giving the recording prefix (the path without the `-rr-snp` / `-rr-nondet.log` suffix). The guest memory size and machine type must match the ones used when the recording was made, otherwise the snapshot will not load:
$ <path-to-PANDA-qemu> -replay /tmp/malware_recordings/logs/rr/3618dea7-fe33-4726-b3c6-befc5f9b32d0
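As an added example (not the page's script and not PANDA project code), the following Python 3 program round-trips the patch format the step 1 script consumes. A hypothetical `make_patch()` produces a `.patch` by diffing a reference snapshot against a target snapshot and emitting the differing byte runs as `<hex offset> <hex bytes>` lines; `apply_patch()` replays such a file exactly as the patch script does; `sha256_file()` is the integrity check worth running against a published digest before loading a patched snapshot into PANDA. The "snapshots" are 4 KiB of constructed data written to a temporary directory, and all file names are assumptions; the one format assumption is that reference and target have the same size, which holds for snapshots of a single VM configuration.

```python
#!/usr/bin/env python3
# Added example, not PANDA project code: round-trips the snapshot patch format.
# make_patch() is a hypothetical inverse of the apply step; apply_patch() is
# the same seek/write algorithm as the patch script; sha256_file() verifies
# the result.  Snapshot contents below are constructed, not real PANDA data.

import hashlib
import os
import shutil
import tempfile


def make_patch(ref_path, target_path, patch_path):
    """Emit a patch turning ref_path's bytes into target_path's bytes.
    Assumes both files have the same size (true for snapshots of one VM setup)."""
    with open(ref_path, 'rb') as fh:
        ref = fh.read()
    with open(target_path, 'rb') as fh:
        tgt = fh.read()
    if len(ref) != len(tgt):
        raise ValueError("reference and target snapshots differ in size")
    runs = []
    i = 0
    while i < len(ref):
        if ref[i] == tgt[i]:
            i += 1
            continue
        start = i                       # start of a run of differing bytes
        while i < len(ref) and ref[i] != tgt[i]:
            i += 1
        runs.append((start, tgt[start:i]))
    with open(patch_path, 'w') as p:
        p.write(ref_path + '\n')        # first line: reference snapshot path
        for off, val in runs:
            p.write('%x %s\n' % (off, val.hex()))
    return len(runs)


def apply_patch(patch_path):
    """Copy the reference, then seek/write each run. Returns the patched path."""
    with open(patch_path) as f:
        ref = f.readline().strip()
        if not os.path.exists(ref):
            raise FileNotFoundError("reference snapshot %s missing" % ref)
        patched = os.path.splitext(patch_path)[0] + '-rr-snp'
        shutil.copy(ref, patched)
        with open(patched, 'rb+') as of:
            for line in f:
                if not line.strip():
                    continue            # tolerate a trailing blank line
                off, val = line.split()
                of.seek(int(off, 16))
                of.write(bytes.fromhex(val))
    return patched


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large snapshots stay cheap."""
    h = hashlib.sha256()
    with open(path, 'rb') as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b''):
            h.update(chunk)
    return h.hexdigest()


def demo():
    """Constructed data: a 4 KiB 'reference' and a 'target' differing in three
    places. Returns the number of runs emitted and whether the round trip
    reproduces the target byte for byte."""
    with tempfile.TemporaryDirectory() as d:
        ref_bytes = bytes(range(256)) * 16           # 4096 bytes, constructed
        tgt_bytes = bytearray(ref_bytes)
        tgt_bytes[0x10:0x14] = b'\xde\xad\xbe\xef'   # run of 4 bytes
        tgt_bytes[0x201] = 0xff                      # run of 1 byte
        tgt_bytes[0xff0:0xff8] = b'\x00' * 8         # run of 8 bytes
        ref_path = os.path.join(d, 'reference-snapshot')
        tgt_path = os.path.join(d, 'original-rr-snp')
        with open(ref_path, 'wb') as fh:
            fh.write(ref_bytes)
        with open(tgt_path, 'wb') as fh:
            fh.write(bytes(tgt_bytes))
        patch_path = os.path.join(d, 'recording.patch')
        runs = make_patch(ref_path, tgt_path, patch_path)
        patched = apply_patch(patch_path)            # -> .../recording-rr-snp
        match = sha256_file(patched) == sha256_file(tgt_path)
        return {'runs': runs, 'match': match,
                'patched_name': os.path.basename(patched)}


if __name__ == '__main__':
    print(demo())
```

Running it prints `{'runs': 3, 'match': True, 'patched_name': 'recording-rr-snp'}`: the three modified regions become three patch lines, and applying them to a copy of the reference reproduces the target exactly, which is the property the published `.patch` files rely on. Comparing the digest of the patched file against a known-good value is the check to add before feeding any downloaded snapshot to the emulator.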


DECAF trace reader installation problems

First of all, there is no configuration file inside the trace_reader directory, although the INSTALL file mentions one. You do not need it; ignore that step.

When you run `make`, the build sometimes fails with undefined references to various functions (symbols from libbfd and libopcodes). Make sure binutils-multiarch is installed on the system, then point the generic library names at the versioned ones; the following instructions may help, at least they worked for me 🙂 :

$ sudo apt-get install binutils-multiarch
$ sudo mv /usr/lib/ /usr/lib/
$ sudo mv /usr/lib/ /usr/lib/
$ sudo ln -s /usr/lib/libbfd-<VERSION-INFO> /usr/lib/
$ sudo ln -s /usr/lib/libopcodes-<VERSION-INFO> /usr/lib/

$ make