Being someone who tries to play a lot with Windows memory, I really wanted to play with PANDA, but I was slightly scared because I'd never touched qemu before - all my experience had been with VirtualBox and VMware.
My goal was to install PANDA into a (relatively) clean install of Debian 8 'Jessie', capture a recording and successfully run a PANDA plugin.
$ git clone https://github.com/moyix/panda.git
Ok, that was easy.
$ cd panda
$ ./panda_install.bash
As I mentioned, (relatively) clean install of Debian 8 and this installed without a hitch.
I make a working directory to store the files for my test:
$ mkdir 20160423_test
$ cd 20160423_test
Now, my VM's going to need a HDD:
$ ../qemu/qemu-img create -f qcow2 test.img 32G
Let me explain:
../qemu/qemu-img- call the
qemu-imgprogram, it manages images.
- call the
create- create a new HDD image.
-f qcow2- specify the format as 'qcow2' (apparently that's the best??).
test.img- the file name of the file which will be my HDD image.
32G- the HDD will have a capacity of 32GB.
You'll note that if you do a ls -lh the test.img file isn't 32GB. This is because one of the advantages of the qcow format is that it only allocates spaces as it's needed. Basically, it'll grow as the guest OS actually uses the space.
../qemu/x86_64-softmmu/qemu-system-x86_64 test.img --monitor stdio -vnc 127.0.0.1:1 -k en-gb -m 2048
Let me explain:
../qemu/x86_64-softmmu/qemu-system-x86_64- launch the qemu hypervisor with x86_64 architecture.
test.img- the HDD that the VM is going to use.
--monitor stdio- as mentioned in PANDA's manual, this is a way of being able to send commands to qemu. We're going to need this to actually do PANDA things.
-vnc 127.0.0.1:1- this facilitates connecting to the VM using vnc. We'll connect to 127.0.0.1, display 1.
-k en-gb- the default keyboard is
en-us, I use aen-gbone.
- the default keyboard is
-m 2048- the amount of memory to give the VM, in MB, so 2048 = 2GB.
NOTE: You can quit qemu and poweroff the VM by issuing the quit command at the qemu prompt:
(qemu) quit
With the VM now running, I used 'Remote Desktop Viewer' to connect to the VM:
- Protocol: VNC
- Host: 127.0.0.1:1
Once connected, you should see the VM's BIOS complaining that it can't find an operating system. Because we haven't installed one yet.
Back at the qemu command prompt we need to attach an ISO to the CD drive:
(qemu) change ide1-cd0 /path/to/Windows7-x64-installer.iso
This will mount the ISO into the VM's CD drive.
You can then reboot the VM by sending a CTRL+ALT+DEL via Remote Desktop Viewer.
Once rebooted, you should be able to install Windows.
NOTE: You can mount the ISO at boot by adding a parameter, for example:
qemu-system-x86_64 test.img --monitor stdio -vnc 127.0.0.1:1 -k en-gb -m 2048 -cdrom /path/to/ISO
With Windows booted up and having logged in, I brought up the Windows 'Run' dialog (WIN+R) and typed "notepad" into the dialog - not hitting return just yet.
Then back to my qemu prompt to start recording:
(qemu) begin_record notepad
qemu (well, PANDA) reports taking a snapshot and starting the log file:
writing snapshot: ./notepad-rr-snp
opening nondet log for write : ./notepad-rr-nondet.log
I then went back to my VM, hit enter to launch Notepad, and typed "PANDA!" into Notepad.
Then, back to the qemu prompt, to end the recording:
(qemu) end_record
And qemu (well, PANDA) reports:
Time taken was: 16 seconds.
I now have a PANDA recording of my activity.
To end, from within my VM, I shut it down - in the normal way (Start -> Shutdown). This also terminated qemu.
Ok, so I have a replay. I thought it'd be good if I could get PANDA to generate a movie of the activity I recorded.
There's a replaymovie plugin that generates stills, and a script that will sew the stills into a movie.
So off we go:
$ ../qemu/x86_64-softmmu/qemu-system-x86_64 -replay notepad -panda replaymovie -m 2048
Let me explain:
../qemu/x86_64-softmmu/qemu-system-x86_64- the qemu program.
-replay notepad- we're replaying the recording named "notepad".
-panda replaymovie- invoke the PANDA plugin named "replaymovie".
-m 2048- qemu needs to know how much memory the original machine had.
I now have 101 PPM files, each being a still from the activity. That's pretty awesome.
Before being able to use the script to sew the stills together, I had to install libav-tools:
$ sudo aptitude install libav-tools
And then, to generate the mp4:
$ ../qemu/panda_plugins/replaymovie/movie.sh
This is really great, helped me so much. Thank you!