Next Generation Dynamic Analysis with PANDA

PANDA is a platform for architecture-neutral dynamic analysis [1] built on top of QEMU system emulator, which makes it feasible to access all code executing in the quest and all data being manipulated in the guest virtual machine. PANDA supports the same architectures as Qemu, so every instruction set can be executed in LLVM IR.

PANDA (Platform for Architecture-Neutral Dynamic Analysis) offers a number of features that can be effectively used to analyze software.

  • Record and Replay: offers recording functionality where all the system instructions are recorded in order to be replayed and analyzed later on, which makes it a unique powerful feature. Currently the i386, x86_64 and ARM architectures are supported.
  • Plugin Architecture: PANDA offers the ability to write plugins in an easy manner, which makes it ideal to extend the functionality of PANDA and act upon certain event that happens in Qemu.
  • LLVM Execution: provides a way to translate code executed in guest virtual machines to be translated to LLVM, which brings all the advantages of LLVM, including analyzing LLVM code samples. This provides great simplification of code analysis, since we only need a plugin to analyze LLVM code rather than having different plugins analyzing native code for each of the supported architectures.

PANDA can be used to record and replay everything that enables it to reproduce code execution when restarted from the same point with the same inputs. At certain point the recording start, which saves all the changes made to the CPU and RAM and the recording is again stopped at a later time.

Installing PANDA

The very first thing we have to decide when starting to use PANDA is whether we'll use a pre-built image or compile PANDA from scratch. The image can be downloaded from the web address http://amnesia.gtisc.gatech.edu/~moyix/pandavm.tar.bz2 .

To compile PANDA from sources, we must first clone the PANDA repository, which can be done by utilizing the “git clone” command.

panda1

Prior to building PANDA, w have to take care of dependencies, which are the following:

  • G++ : C++ compiler.
  • Qemu : emulator.
  • Nasm : assembler.
  • SSL Library : SSL implementation.
  • LLVM : low level virtual machine.
  • Clang : C frontend for LLVM.
  • Distorm : disassembler library.

We won't talk about how to install Panda, since great instructions have already been posted here . Rather than that, let's just share a few words about the installation process. We have to manually install distorm and llvm by following the instructions, which installs without any problems. Afterwards, we have to build the qemu part of Panda, which doesn't recognize the LLVM by default, which is why we have to provide the appropriate --with-llvm option in build.sh script. When compiling LLVM, we should enable the appropriate targets, which can be specified with --enable-targets option as presented below. To enable all targets, we should remove this option from the compilation parameters.

panda2

When we wish to enable LLVM, we have to know about the make command is used to build a “Debug+Asserts” mode, but if we use the --enable-optimized configuration option, a “Release” mode will be used instead. This directly affects the --with-llvm path we have to specify in the build.sh script. Below, we can see the build.sh script, where the appropriate path to the “Release” directory inside LLVM is specified; if the --enable-optimized configuration option is not used, then we have to provide the path to “Debug+Asserts” directory. This option is used, so the LLVM environment can be found and used together with PANDA. In the script below, we can also see the enabled architectures that can be used with PANDA, which are: x86_64, i386 and ARM. For instructions how to build LLVM manually, take a look at instructions posted here .

panda3

Note that build.sh is a script using the “./configure && make” commands to automate the installation process, so we don't want to provide the necessary configuration options manually. It's nothing magical about it, just open the script and take a look inside; those are basic commands every Linux enthusiast has to be familiar with. We're basically compiling a modified version of Qemu by source instead of using package managers provided by Linux distributions.

Preparing the Virtual Machine

Once we've compiled PANDA, there are three Qemu binaries available that can be used for starting virtual machines, which are the following:

  • i386-softmmu/qemu-system-i386
  • arm-softmmu/qemu-system-arm
  • x86_64-softmmu/qemu-system-x86_64

This gives us binaries to work with on three different architectures, namely i386, x86_64 and ARM. We can use the binary the same way as we use Qemu binary, which we'll be doing now to install a Windows XP SP3 into the virtual machine and use it to analyze malicious samples. We can use the command below in order to create a Windows XP SP3 image to install an operating system in. Note that it's a good practice to use QCOW2 format, which supports snapshots that are imperative when analyzing malicious samples in order to quicky restore the previous state of the virtual machine.

# ./qemu-img create -f qcow2 /srv/vms/windowsxpsp3.qcow2 40G

Afterwards we can use the following command to start the virtual machine by invoking the compiled /srv/panda/qemu/x86_64-softmmu/qemu-system-x86_64 executable and passing it the appropriate arguments. The -drive argument defines a new disk image with IDE interface type and writeback caching mechanism. The -m option gives virtual machine 256MB of RAM, while the -cdrom option specifies the first cdrom image that will be made available to the VM. The last -vnc option start s VNC server on port 5901, which can be used to remotely interacting with the virtual machine.

# /srv/panda/qemu/x86_64-softmmu/qemu-system-x86_64 -drive file=/srv/vms/windowsxpsp3.qcow2,if=ide,cache=writeback -m 256M -cdrom /srv/isos/Windows_XPSP3.iso -vnc :1

Afterwards, we can connect to the VNC server remotely by using the vncviewer command.

# vncviewer 192.169.1.2:5901

A successful connection is presented below, where the Windows operating system installation is in progress.

panda4

Next, we have to install the Windows XP SP3 operating system into the virtual machine, which will get used during malware analysis. A freshly installed operating system will look like presented below.

panda5

Afterwards we can start the virtual machine with the following command line, where we've removed the -cdrom option, since we're already installed the operating system. Additionally, we've added the “--monitor stdio”, which gives us access to the QEMU Monitor Protocol (QMP). Below, we can see the “(qemu)” line, where QMP commands can be entered and executed. If we would like to take a look how to interact with QMP in different ways, we can read this blog post.

# /srv/panda/qemu/x86_64-softmmu/qemu-system-x86_64 -drive file=/srv/vms/windowsxpsp3.qcow2,if=ide,cache=writeback -m 256M -vnc :1 --monitor stdio
QEMU 1.0,1 monitor -
type 'help' for more information
(qemu)

If we execute the help QMP command, we can see additional commands that are provided by PANDA and are not part of Qemu, which are the following:

  • begin_record: begins the recording session, which is saved under the name passed as the first and only parameter. Each recording session has two files, the <name>-rr-snp, which is the recording snapshot and <name>-rr.nondet.log, which is the recording log. Note that an already existing recording will be overwritten if the same name is passed to the command.
  • end_record: ends the recording session, which will pause the guest virtual machine, but can later be resumed to continue from there.
  • begin_replay: begins a replay of recording session passed in as a parameter. The replay can also be started by providing -replay command-line option to Qemu.
  • end_replay: ends an active replay of a recording session, which is not normally needed, since a replay will finish by it's own once all instructions are executed.
  • load_plugin: load certain plugin to Qemu.
  • unload_plugin: unload certain plugin from Qemu,
  • list_plugins: list PANDA loaded plugins.
  • plugin_cmd: a command used to send commands to the loaded plugin. If the plugin supports any commands to be passed to it after it has been loaded, it must implement the help command, which should show the usage information of the plugin.

The source code of each plugin is present in the qemu/panda_plugins/ directory, which also contains the config.panda configuration file specifying a list of plugins that will be built during the build process for every architecture specified by the --target-list option.

Configuring Networking in the Virtual Machine

To enable networking in Windows guest VMs, we should download the virtio driver and use the “-net nic,model=virtio” option rather than “-net nic” option to enable it. We can download the virtio driver from the https://alt.fedoraproject.org/pub/alt/virtio-win/latest/images/bin/ website.

# wget https://alt.fedoraproject.org/pub/alt/virtio-win/latest/images/bin/virtio-win-0.1-94.iso

Then we can boot the virtual machine with a few additional options that mount the iso image as a cdrom inserted cd into the computer. Note that if the latest virtio drivers don't work for you, you should downgrade to the previous version – for Windows XP virtual machines, the “virtio-win-0.1-52.iso” has always worked for me, while there were some problems with other versions. If you can't get virtio driver up and running, you can also try using “-net nic,model=e1000” or “-net nic,model=rtl8139” drivers, which could work depending on your actual system components.

To boot the virtual machine with networking connection by using the virtuo driver, we need to issue the following command.

# /srv/panda/qemu/x86_64-softmmu/qemu-system-x86_64 -drive
file=/srv/vms/windowsxpsp3.qcow2,if=ide,cache=writeback -m 256M -vnc
:1 --monitor stdio -net nic,model=virtio -cdrom
/srv/panda/virtio-win-0.1-94.iso

panda6

To boot the virtual machine with networking connection by using the older “-net” directive, we need to issue the following command.

# /srv/panda/qemu/x86_64-softmmu/qemu-system-x86_64 -drive
file=/srv/vms/windowsxpsp3.qcow2,if=ide,cache=writeback -m 256M -vnc
:1 --monitor stdio -net nic,model=rtl8139 -net user

To print the supported NIC models that we can use in the “-net nic,model=MODEL” command line option, we can execute the command below, where we can see that quite a few models are supported.

# /srv/panda/qemu/x86_64-softmmu/qemu-system-x86_64 -net nic,model=?
qemu: Supported NIC
models:
ne2k_pci,i82551,i82557b,i82559er,rtl8139,e1000,pcnet,virtio

To boot the virtual machine with networking connection by using the newer “-netdev” directive, we need to issue the following command. The command below additionally uses the smb parameter option, which makes the /srv/share/ folder on the host available in the guest.

# /srv/panda/qemu/x86_64-softmmu/qemu-system-x86_64 -drive
file=/srv/vms/windowsxpsp3.qcow2,if=ide,cache=writeback -m 256M -vnc
:1 --monitor stdio -device rtl8139,netdev=net0 -netdev
user,id=net0,smb=/srv/share/

PANDA Recording

PANDA has a number of plugins, which can be invoked by using the -panda or -panda-plugin Qemu command-line parameter. PANDA plugins are named as “panda_*.so” and are present in each of the architecture folders. The x86_64-softmmu/panda_plugins/ directory contains the following plugins:

  • tapindex
  • stringsearch
  • osi
  • correlatetaps
  • taint
  • llvm_trace
  • textfinder
  • scissors
  • tainted_branch
  • bigrams
  • network
  • printstack
  • replaymovie
  • useafterfree
  • bir
  • memsnap
  • callstack_instr
  • textprinter
  • textprinter_fast
  • taint_compute_numbers
  • win7x86intro
  • bufmon
  • memsavep
  • memdump
  • memstats
  • keyfind
  • tstringsearch
  • sample
  • tralign

In this simple example we'll be using Pafish to record and replay it's execution on the Windows XP operating system. First, we have to copy the pafish.exe sample to the virtual machine. Then we have to begin the recording by using the begin_record command in Qemu as follows:

(qemu) begin_record wget
(qemu) writing snapshot: ./wget-rr-snp

The begin_record command will create a snapshot named pafish-rr-snp and a log file pafish-rr-nondet.log. After starting the recording, we can run pafish.exe program. Once pafish.exe is done executing, we can issue the end_record command in Qemu to stop recording the sample.

(qemu) end_record
(qemu) Time taken
was: 14 seconds.

On the picture below we can see that the pafish.exe has indeed been downloaded to Desktop; note that we had to use the --no-check-certificate to download a file from a HTTPS website, which skips checking the certificate.

panda7

Next, we can pass the name of the sample to the begin_replay command and pipe that the the PANDA virtual machine to replay the captured instructions. We can see replaying of the captures instructions below where the last few lines display statistics about the number of processed instructions.

panda8

Once all instructions have been processed, the process will display the number of seconds the replaying took place and whether the replaying was successful.

panda9

Conclusion

In this tutorial we've taken a look at the basics of PANDA dynamic analysis framework, which can be used to record the program and replay it at any later time, which can be very useful in malware analysis, since a recording just needs to be recorded once and then we can replay it over and over again. We haven't dug deep into PANDA, but we've provided enough details for you to install, configure and start using PANDA in malware analysis.

PANDA still has a long way to go, since it doesn't support latest version of Qemu and has various bugs that still need to be fixed. PANDA is not for the light hearted, since you have to take time to learn how to use it, nevermind doing something more complex. There are also other similar projects that you can take a look, which are: REVEN , S2E , DRAKVUF , KLEE , etc.

In the next article we'll take a look a the Pafish example, which includes the IsDebuggerPresent function call to determine whether currently executing program is being executed by a debugger.

References

[1] PANDA Github, https://github.com/moyix/panda.

Comments