PANDA is an open-source Platform for Architecture-Neutral Dynamic Analysis.
It is built upon the QEMU whole system emulator, and so analyses have access to all code executing in the guest and all data.
PANDA adds the ability to record and replay executions, enabling iterative, deep, whole system analyses.
PANDA can be controlled from the command line, through our Python package, or even a Jupyter notebook.
Whole-System Record and Replay
PANDA records whole-system behavior so that it can subsequently be analyzed iteratively and reproducibly.
We provide Linux images for many PANDA-supported architectures: i386, x86_64, arm, mips, and mipsel. These images are downloaded on demand, or you can find them here
PANDA provides over 40 callbacks at various points in our emulation code. Custom analyses can register functions to run at each of these locations.
PANDA includes a large number of plugins for common analyses, which provide additional "Plugin-to-Plugin" callbacks enabling easy integration between plugins.
PANDA has a powerful, byte-level taint tracking system. Because taint analysis carries a fundamental performance overhead, we recommend using it only on a previously recorded execution.
Operating System Introspection
The OSI plugins analyze guest memory to identify OS-specific information such as the active process for both Linux. OSI profiles are required for these analyses; they are downloaded on demand (when available) or you can find them here
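The following script ties together the record-and-replay, callback, Python-control and OSI passages above. It is an added example, not code from the PANDA project: it records a guest command with the pandare package, then replays the recording with a before-block-execution callback that asks the OSI plugin which process is running, and tallies the result. It assumes that pandare is installed with a working PANDA build, that the generic "x86_64" image (and its bundled OSI profile) is available for download, and that the recording name "ls_recording" and the helper names `tally`, `top_processes`, `kernel_fraction` and `record_and_replay` are our own choices. The aggregation helpers are plain Python so they can be checked offline, without a guest.

```python
"""
Added example (not PANDA's own code): record a guest command with pandare,
replay it with a before_block_exec callback that queries the OSI plugin for
the current process, and aggregate which processes executed.

Assumptions: pandare is installed on top of a working PANDA build, the generic
"x86_64" image is available (pandare fetches it on demand), and the recording
name "ls_recording" is our own choice.
"""
from collections import Counter


def tally(observations):
    """Aggregate (pid, process name, in_kernel) observations into a Counter
    keyed by (pid, name, in_kernel). Pure Python, testable without PANDA."""
    counts = Counter()
    for pid, name, in_kernel in observations:
        counts[(pid, name, bool(in_kernel))] += 1
    return counts


def top_processes(counts, n=5):
    """Return the n most frequently observed (pid, name) pairs with user- and
    kernel-mode blocks merged, as a list of ((pid, name), blocks)."""
    merged = Counter()
    for (pid, name, _in_kernel), blocks in counts.items():
        merged[(pid, name)] += blocks
    return merged.most_common(n)


def kernel_fraction(counts):
    """Fraction of observed basic blocks that executed in kernel mode."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    kernel = sum(b for (_p, _n, k), b in counts.items() if k)
    return kernel / total


def record_and_replay(recording_name="ls_recording", guest_cmd="ls /"):
    """Drive PANDA: record guest_cmd, then replay it with an OSI-backed
    per-block callback. pandare is imported lazily so the helpers above stay
    importable on machines without PANDA."""
    from pandare import Panda  # assumption: pandare is installed

    panda = Panda(generic="x86_64")
    observations = []

    @panda.queue_blocking
    def record():
        # record_cmd reverts to the image's "root" snapshot, runs the command
        # and writes the recording; only nondeterministic inputs are logged.
        panda.record_cmd(guest_cmd, recording_name=recording_name)
        panda.end_analysis()

    panda.run()  # live execution: the recording phase

    # Heavy per-block introspection is done on the replay, not the live run.
    panda.load_plugin("osi")

    @panda.cb_before_block_exec
    def before_block(cpu, tb):
        osi = panda.plugins["osi"]
        proc = osi.get_current_process(cpu)
        if proc == panda.ffi.NULL:
            return  # OSI could not resolve a process (e.g. early boot)
        name = panda.ffi.string(proc.name).decode(errors="replace")
        observations.append((proc.pid, name, panda.in_kernel(cpu)))
        osi.free_osiproc(proc)

    panda.run_replay(recording_name)  # deterministic replay, no live guest
    return tally(observations)


if __name__ == "__main__":
    counts = record_and_replay()
    for (pid, name), blocks in top_processes(counts):
        print(f"{pid:>6} {name:<20} {blocks} blocks")
    print(f"kernel-mode fraction: {kernel_fraction(counts):.2%}")
```

Running the script twice reuses nothing from the live run: the callback fires only during `run_replay`, which is why the OSI lookups and the aggregation cost land on the replay rather than on the guest, exactly the pattern the taint note above recommends for expensive analyses.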