Use libosi to handle windows introspection #1138

Merged 20 commits from libosi into dev, Jan 5, 2022

Conversation

Ben-Dumas

Use panda-re/libosi library to handle windows introspection

  1. removes the existing win* plugins, and IMO simplifies the wintrospection plugin.
  2. splits out the windows-32-7 profile into windows-32-7sp[01].
  3. slightly improves handle name stringifying (now registry keys are parsed)
  4. adds 64-bit support for windows7

This has been verified on Ubuntu 20.04 for 32/64-bit Windows 7, 32-bit Windows XP, and 32-bit Windows 2000. I tested osi_test, file_taint, and syscalls2 with the new library. Happy to test anywhere else if I missed something!

@Ben-Dumas Ben-Dumas added this to the ll_updates milestone Dec 2, 2021
@Ben-Dumas Ben-Dumas self-assigned this Dec 2, 2021
@Ben-Dumas Ben-Dumas linked an issue Dec 2, 2021 that may be closed by this pull request

jamcleod commented Dec 2, 2021

@Ben-Dumas it seems like your usage of $_ is causing issues while building the Docker container:

#12 [builder 4/7] RUN cd /tmp &&   git clone https://github.com/panda-re/libosi &&   mkdir libosi/build && cd $_ &&   cmake -GNinja .. && ninja && ninja package && dpkg -i libosi*.deb &&   cd /tmp && rm -rf libosi/
#12 sha256:8422d06c53f2ec6cf74152e23dfa6176552bf7f325dfe8d3bd95f57198ee1c2b
#12 0.338 Cloning into 'libosi'...
#12 0.769 CMake Error: The source directory "/" does not appear to contain CMakeLists.txt.

(See the build_container test)

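The error in the log above is a shell portability problem rather than a libosi problem: `$_` (the last argument of the previous command) is a bash feature, while Docker's RUN executes under `/bin/sh -c`, which on Debian/Ubuntu images is dash. There `$_` expands to nothing, `cd $_` becomes a bare `cd` into $HOME (/ for root), and `cmake ..` is handed "/" as the source tree, which is exactly the message CMake printed. The following is an added example, not code from this PR or from the PANDA Dockerfile: a POSIX-sh helper that names the build directory once instead of relying on `$_`, plus a hypothetical sanity check that the parent directory really holds a CMakeLists.txt. The directory names and the check are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the PR or the PANDA Dockerfile.
#
# Why `cd $_` broke: `$_` is bash-only. Under `/bin/sh -c` (dash on
# Debian/Ubuntu, which is what a Dockerfile RUN uses) it is empty, so
# `mkdir libosi/build && cd $_` ends up as `mkdir libosi/build && cd`,
# i.e. a cd into $HOME, and `cmake ..` is pointed at "/".
#
# Portable form of the RUN line (assumed rewrite, not the merged one):
#
#   RUN cd /tmp && git clone https://github.com/panda-re/libosi && \
#       mkdir libosi/build && cd libosi/build && cmake -GNinja .. && ninja
#
# The helper below applies the same idea to any checkout and refuses to
# continue unless the parent directory holds a CMakeLists.txt. That check
# is a hypothetical guard added here; the upstream build does not do it.

enter_build_dir() {
    src=$1
    build="$src/build"
    mkdir -p "$build" || return 1
    cd "$build" || return 1
    if [ ! -f ../CMakeLists.txt ]; then
        printf 'error: %s contains no CMakeLists.txt\n' "$src" >&2
        return 1
    fi
    pwd
}

# Stand-alone demo on a constructed checkout: no network and no cmake needed.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/libosi" && : > "$tmp/libosi/CMakeLists.txt"
    # Run in subshells so the cd does not leak into the caller.
    ( enter_build_dir "$tmp/libosi" )                      # prints .../libosi/build
    ( enter_build_dir "$tmp/not-a-checkout" 2>/dev/null ) \
        || echo "rejected $tmp/not-a-checkout as expected"
    rm -rf "$tmp"
}

demo
```

The same mistake is easy to catch in CI by running the Dockerfile's RUN body under `sh -n`/`dash` locally before pushing, since the Docker build is the first place the non-bash shell is actually used.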
@Ben-Dumas Ben-Dumas marked this pull request as draft December 7, 2021 20:41
@Ben-Dumas Ben-Dumas marked this pull request as ready for review December 13, 2021 16:16
@lacraig2 lacraig2 self-requested a review December 16, 2021 19:45
@lacraig2 lacraig2 left a comment


Just some small things to consider.

(Two review comments on panda/plugins/wintrospection/wintrospection.cpp, both marked outdated and resolved.)
@Ben-Dumas Ben-Dumas marked this pull request as draft December 18, 2021 20:02
@Ben-Dumas Ben-Dumas marked this pull request as ready for review January 4, 2022 19:14
@Ben-Dumas Ben-Dumas requested a review from lacraig2 January 4, 2022 19:14
@lacraig2 lacraig2 merged commit 98d0b10 into dev Jan 5, 2022
@lacraig2 lacraig2 deleted the libosi branch January 5, 2022 19:11
@AndrewFasano

🥳 Nice work @Ben-Dumas, thanks for upstreaming your code!!

(And thanks as always to @lacraig2 for getting it tested and merged)

@Coffeeri

This looks great, thank you! I am currently trying to use PANDA to get the PEB content and the Windows API calls of a process.
Is there any documentation on the new API and how to use the new wintrospection plugin and library?

Ben-Dumas commented Jan 11, 2022

@Coffeeri I'm glad you might find it useful! Feel free to submit issues/PRs to libosi for issues you're having! But in general -

The wintrospection plugin should give you an example of initializing Windows introspection. To walk through it, once the kernel introspection is initialized, you can interact with memory using the osi::i_t class or the Windows introspection API. You would probably want to initialize introspection for the currently running process and then access the PEB like this. After that, we don't currently have a good way of knowing what types are available for you to use, outside of just looking at the code ☹️ For example, looking at windows-64-7sp1, I know I have these types for the PEB.

You can currently get a list of all processes, get a list of all modules, resolve handles to get a pointer to the object, and parse PE files in memory. The libosi library is still in a very early state, and documentation should definitely get added into the pipeline; that's a good point.

To your question of how to use wintrospection, it's not too different from other plugins (just make sure to give the os flag):

$PANDA_PATH/x86_64-softmmu/panda-system-x86_64 -replay mytrace \
  -m 2G -os windows-64-7sp1 -panda osi -panda wintrospection -panda osi_test

If you have any more questions, follow up with me via email ([email protected]), the panda slack (preferable, get access here https://panda.re/invite.php), or a new issue now that this PR is closed.

Coffeeri pushed a commit to Coffeeri/panda that referenced this pull request Jan 11, 2022
Coffeeri added a commit to Coffeeri/panda that referenced this pull request Jan 11, 2022
Linked issue (may be closed by this pull request): Integrate new Windows introspection library
5 participants