Comments (5)
hengyin
commented on May 26, 2024
Hi Zhenxiao,
Can you look into this?
Heng
…On Tue, Feb 26, 2019 at 7:57 AM Dakota Fulp ***@***.***> wrote:
Hello,
I am trying to write a plugin that will involve running a process in the
guest multiple times. The issue I am facing is that between guest runs the
modules in decaf are not cleared. I have found the issue to be within the
lm variable that is a _LoadModule_Params struct. Do you know of a way to
clear out past lm modules so that decaf sees the program as new each time
it runs?
Currently to do this we need to unload the plugin and then reload it.
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#61>, or mute the thread
<https://github.com/notifications/unsubscribe-auth/ACydRnoJqkRh7nJogcwVSwgX3zFwRSPJks5vRVlegaJpZM4bSghf>
.
from decaf.
enlighten5
commented on May 26, 2024
Hi,
The problem is, there is a global list module_name containing the module info and a local list module_list for each process, both store the pointers to the module info. In normal cases, we get the module info indexed by the process ID. So in some sense, when a process is dead, we only need to remove the process from the process_map, which is what DECAF does for now. however, sometimes the global list is also used to traverse the module info, which results in some issues.
One possible solution is that in the VMI_remove_process function, where we delete the dead process info, try delete *mod_pointer and mod_pointer=NULL as well.
from decaf.
enlighten5
commented on May 26, 2024
Hi,
Could you give more details about how do you find that the modules in decaf are not cleared?
As far as I'm concerned, the module info belonging to the process is indexed by the process PID, the previous process's module should not mess up with that of the running process.
from decaf.
dkfulp
commented on May 26, 2024
Currently, when a module is loaded, we use the lm.name, lm.base, and lm.size. The issue we are having is that I will call a program say foo in the guest and decaf sees this as a new module that has not been seen before, but if I run foo again, it uses some kind of cached memory of sorts. If I wanted decaf to look at programs as brand new during each run, how would we go about that.
Would it be possible to clear all information that is related to the lm.cr3 of the program that we are running?
from decaf.
enlighten5
commented on May 26, 2024
It's normal that the module info has been seen before since the same module is loaded from the global module list and is reusable. If you run a program for multiple times, the cr3 and some other process info would be different and DECAF still recognizes the program as brand new during each run.
from decaf.
Related Issues (20)
- Makefile:214 qmp-commands.h : Python error on make? HOT 1
- Keylogger
- Compilation error on Ubuntu HOT 3
- Running performance benchmarks on DECAF HOT 3
- I have a question HOT 1
- Tracecap is not logging taint instructions, trace reader not working HOT 10
- trace_ reader build error HOT 1
- Query for starting up the project
- Error while compiling HOT 1
- Query on Starting the Virtual Machine HOT 2
- Error When creating qemu-system-arm vm
- The version of QEMU in DECAF matters? HOT 3
- VMI Configuration for new kernel version
- Where does the parameter proc_exec_connector in procinfo.ini file come from? HOT 2
- how to get the value of mips_pgd_current in procinfo.ini
- when make receive some problome
- The meaning of the output of "keylogger"?
- Demonstration of the research study Extract Me If You Can
- libtsk.so error doing make in decaf directory
- find_shadow_arg in tcg_taint.c HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from decaf.