PANDA is an open-source Platform for Architecture-Neutral Dynamic Analysis. It is built upon the QEMU whole system emulator, and so analyses have access to all code executing in the guest and all data. PANDA adds the ability to record and replay executions, enabling iterative, deep, whole system analyses. PANDA can be controlled from the command line, through our Python package, or even a Jupyter notebook.
Whole-System Record and Replay
PANDA record whole system behavior such that it can be subsequently analyzed iteratively and reproducibly.Pre-Built VMs
We provide LinuxQCOW
images for many PANDA supported architectures: i386, x86_64, arm, mips, and mipsel. These images are downloaded on demand or you can find them here.
PANDA Callbacks
PANDA provides over 40 callbacks at various points in our emulation code. Custom analyses can register functions to run at each of these locations.Plugin Architecture
PANDA includes a large number of plugins for common analyses which provide additional "Plugin-to-Plugin" callbacks enabling easy integrations between plugins.Taint Engine
PANDA has a powerful, byte-level, taint tracking system. Due to the fundamental performance overhead of taint analyses, we recommend only using this on a previously recorded system.Operating System Introspection
The OSI plugins analyze guest memory to identify OS-specific information such as the active process for both Linux and Windows. OSI profiles are required for analyses, but they are downloaded on demand (when available) or you can find them here.Get Started With PANDA
There are a bunch of easy ways get PANDA up and running on your system. For new users, we recommend the Docker container with the Python interface.- Get PANDA:
- Pull the PANDA docker container from DockerHub:
docker pull pandare/panda
, or - Clone our GitHub Repo:
git clone https://github.com/panda-re/panda.git
- Pull the PANDA docker container from DockerHub:
- Read our manual
- Read the PyPANDA docs
- Request an invite to our Slack channel