Python: Truncated output from r2.cmd #54
Comments
|
can you len(output) to see if thats a magic value like 4096 or so? |
|
are you printing any \x00 nullbyte? |
|
@radare interesting, the output is always almost a magic size: either this: or this value: =) |
|
@radare no, i'm not printing any buffer, just strings. |
|
For example, if i try to intercept the kernel process (the one which is the most frequently scheduled),
|
|
Enotime right now but you may want to check the code of r2pipe with that simple test and try to fix the read loop and send a pr if you can. Otherwise i will try to find time but thats not easy for me
… On 14 Mar 2018, at 13:12, Mathieu Tarral ***@***.***> wrote:
For example, if i try to intercept the kernel process (the one which is the most frequently scheduled),
the script is working and i have pd 10 output:
len(output) here is 3457
libvirt: QEMU Driver error : Domain not found: no domain with matching name 'xenwin7'
--failed to find kvm domain
LibVMI Version 0.11.0
LibVMI Driver Mode 0
--completed driver init.
--got id from name (xenwin7 --> 2)
**set image_type = xenwin7
**set allocated_ram_size = 7d04a000, max_physical_address = 0xff000000
libvirt: QEMU Driver error : Domain not found: no domain with matching name 'xenwin7'
= attach 4 4
= attach 4 0
read 0xfffffffffffffe88: vmi_failure
read 0x28: vmi_failure
read (nil): vmi_failure
read (nil): vmi_failure
read 0x4: vmi_failure
read 0x165: vmi_failure
INFO:root:output len: 3457
INFO:root:__reg_profile
__open
VM: xenwin7, PID: 4
Initializing LibVMI
--failed to find kvm domain
LibVMI Version 0.11.0
LibVMI Driver Mode 0
--completed driver init.
--got id from name (xenwin7 --> 2)
**set image_type = xenwin7
**set allocated_ram_size = 7d04a000, max_physical_address = 0xff000000
**set pae = 1
**set pse = 1
**set lme = 1
**IA-32e paging
**sanity checking cr3 = 0x0000000000187000
--looking for config file at /home/tarrma/fsecure/radare2-extras/vmi/libvmi.conf
--looking for config file at /home/tarrma/etc/libvmi.conf
--looking for config file at /home/tarrma/etc/libvmi.conf
--looking for config file at /etc/libvmi.conf
**Using config file at /etc/libvmi.conf
**set os_type to Windows.
LibVMI Suggestion: set win_ntoskrnl=0x281b000 in libvmi.conf for faster startup.
LibVMI Suggestion: set win_kdbg=0x1e9070 in libvmi.conf for faster startup.
LibVMI Suggestion: set win_kdvb=0xfffff80002a04070 in libvmi.conf for faster startup.
__reg_profile
__getpid
__getpid
__select
__system command: pid 4
__kill, sig: 0
__reg_read, type: 0, size:7168
__reg_profile
__getpid
__getpid
__select
__system command: pid 4
__kill, sig: 0
__reg_read, type: 0, size:7168
Attaching to pid 4...
Listening on VMI events...
Listening on VMI events...
cb_on_cr3_load
Intercepted PID: 380, CR3: 0x20c66000
Listening on VMI events...
cb_on_cr3_load
Intercepted PID: 1476, CR3: 0x68eb9000
Listening on VMI events...
cb_on_cr3_load
Intercepted PID: 4, CR3: 0x187000
__select
__system command: pid 4
__kill, sig: 0
__reg_read, type: 0, size:7168
__select
__system command: pid 4
__kill, sig: 0
__reg_read, type: 0, size:7168
__system command: pid 4
__kill, sig: 0
__reg_read, type: 0, size:7168
__kill, sig: 0
__reg_read, type: 0, size:7168
__reg_read, type: 1, size:7168
__reg_read, type: 2, size:7168
__reg_read, type: 3, size:7168
__reg_read, type: 4, size:7168
__reg_read, type: 5, size:7168
__reg_read, type: 6, size:7168
__read, offset: fffff800028931a9
__read, offset: fffff800028931a9
__kill, sig: 0
__reg_read, type: 0, size:7168
;-- rip:
0xfffff800028931a9 4c8bbb88feff. mov r15, qword [rbx - 0x178]
0xfffff800028931b0 488b6e28 mov rbp, qword [rsi + 0x28]
0xfffff800028931b4 49896f04 mov qword [r15 + 4], rbp
0xfffff800028931b8 48896b28 mov qword [rbx + 0x28], rbp
0xfffff800028931bc f7057e741800. test dword [0xfffff80002a1a644], 4
,=< 0xfffff800028931c6 0f850b010000 jne 0xfffff800028932d7
| 0xfffff800028931cc c6474900 mov byte [rdi + 0x49], 0
| 0xfffff800028931d0 0fbe86650100. movsx eax, byte [rsi + 0x165]
| 0xfffff800028931d7 84c0 test al, al
,==< 0xfffff800028931d9 0f8489000000 je 0xfffff80002893268
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or mute the thread.
|
|
Here: What |
|
@quim0 i'm developing a debugger plugin based on virtual machine introspection: Ask me if you want to test a script or a behavior :) |
|
Are you sure you're not printing any nullbytes? |
|
hmm, if you would print a nullbyte, the buffer length would not be a magic number like Thank you for investigating. |
|
Any specific info like OS? Or python version?
Can you cook a small script to test if that works or not to include in the testsuite and for us to test?
Thanks
… On 16 Mar 2018, at 19:52, Mathieu Tarral ***@***.***> wrote:
hmm, if you would print a nullbyte, the buffer length would not be a magic number like 4095 in my opinion.
Thank you for investigating.
I will take a look next week if i can
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or mute the thread.
|
|
ping |
|
Hello, you know it's the week-end don't you :) but anyway: I made a video to demonstrate how it happens: Also note that i'm opening the url with the |
|
@radare i made some progress on this bug, it's still here, and i have a Dockerfile for you to reproduce: FROM radare/radare2
USER root
RUN apt-get update && apt-get install -y build-essential git libtool \
libvirt-dev autoconf pkg-config flex bison libglib2.0-dev libxen-dev libjson-c-dev \
python3-pip python3-docopt
USER r2
# install libvmi
RUN git clone https://github.com/libvmi/libvmi
USER root
RUN cd libvmi && ./autogen.sh && ./configure --prefix=/usr && make && make install
USER r2
# vmi plugin
RUN git clone https://github.com/Wenzel/r2vmi -b debug_r2pipe
ENV PKG_CONFIG_PATH /usr/lib/pkgconfig
RUN cd r2vmi && make install
# r2pipe
USER root
RUN pip3 install r2pipe
USER r2
ENTRYPOINT python3 r2vmi/examples/debug_r2pipe.py vm exploreroutput: We should have seen a
r2_url = "vmi://{}:{}".format(vm_name,target)
r2 = r2pipe.open(r2_url, ["-d"])
output = r2.cmd('pd 10')
logging.info(output)
logging.info("size of output: %s", len(output))Thanks guys ! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi,
I am testing r2pipe in Python and i have a case where the url that open generates a lot of output.
The rest of my script attempt to run
pd 10and get the result:When logging prints the content of
output, the output appears to have been truncated:As you can see the last line is
Intercep, and this whole output is the one from theopenmethod.So there is a limit somewhere in the buffer returned by
r2.cmd, which prevents me from receiving the complete output of my commands.Info
Thanks !
The text was updated successfully, but these errors were encountered: