[panda-users] taint segmentation fault

Brendan Dolan-Gavitt brendandg at gatech.edu
Thu Apr 23 12:45:28 EDT 2015


I'm not sure I understand your question. The assembly instructions being
executed are the code.

If you want higher-level information, like what library that code is in, or
what the process name is, this is typically done using memory analysis (for
example, tools like Volatility). If you can get the configuration right for
the osi_linux plugin, you can also get information about what libraries are
loaded and where they are from that interface.

What information are you trying to get?

-Brendan

On Wed, Apr 22, 2015 at 11:23 PM, xiaojuan Li <xiaotan6666 at gmail.com> wrote:

> Excuse me, one more question:
> taint (using pandalog to write name.plog, which can be extracted by
> tainted_instr) can get the asid-pc record; I want to find the operating code
> further and replay with "-d in_asm -D asmlog.txt" and get a log like this:
> ************************************************************************
> IN:
> 0xb52dbbee:  4605       mov    r5, r0
> 0xb52dbbf0:  2800       cmp    r0, #0
> 0xb52dbbf2:  f040 8172  bne.w    0xb52dbeda
>
> ----------------
> IN:
> 0xb52dbbf6:  462b       mov    r3, r5
> 0xb52dbbf8:  4620       mov    r0, r4
> 0xb52dbbfa:  2101       movs    r1, #1
> 0xb52dbbfc:  aa06       add    r2, sp, #24
> 0xb52dbbfe:  f7fa f898  bl    0xffffffffb52d5d32
>
> ----------------
> IN:
> 0xb52d5d32:  b5f7       push    {r0, r1, r2, r4, r5, r6, r7, lr}
> 0xb52d5d34:  4606       mov    r6, r0
> 0xb52d5d36:  4617       mov    r7, r2
> 0xb52d5d38:  6800       ldr    r0, [r0, #0]
> 0xb52d5d3a:  aa01       add    r2, sp, #4
> 0xb52d5d3c:  460d       mov    r5, r1
> 0xb52d5d3e:  f7ff fecf  bl    0xffffffffb52d5ae0
> *******************************************************************
> It's just the underlying instructions, but how can I use these to locate the
> code that I want?
>
> Sorry to be an askhole, I'm just a new learner...
> And thanks for your patience!!
>
> 2015-04-10 21:24 GMT-04:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:
>
>> Once you have used PANDA's taint system to identify the portions of the
>> code that process the data you're interested in, you will still have to
>> analyze that code to understand how it works. One way to do that might be
>> to use the scissors plugin to extract out the portion of the trace that
>> contains the code you're interested in, and then replay it with QEMU's "-d
>> in_asm -D asmlog.txt" options to get the disassembly for that code.
>>
>> Alternatively, you could take a memory snapshot at some point when the
>> code you want to analyze is in memory (using something like the pmemsave
>> plugin in PANDA), then use Volatility to analyze that memory image to
>> extract out the binary, which you could look at in IDA or something similar.
>>
>> Basically – disassemble the code that handles the data you're interested
>> in and find out how it works. Exactly what that means will depend on what
>> you're hoping to accomplish.
>>
>> -Brendan
>>
>> On Fri, Apr 10, 2015 at 9:07 PM, xiaojuan Li <xiaotan6666 at gmail.com>
>> wrote:
>>
>>> Hi,
>>> Thanks for your job first.
>>> I am a little confused about the result of the tainted. How can I get
>>> enough information about the processing code from the binary? Use gdb?
>>> Thanks!
>>>
>>> 2015-04-10 12:05 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>
>>>> Thanks for you guys' great work!
>>>> And I will try.
>>>>
>>>> 2015-04-10 11:42 GMT+08:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:
>>>>
>>>>> Hi,
>>>>>
>>>>> Tim has just updated the tainted_instructions tutorial so that it
>>>>> reflects how things work now. Could you look through that tutorial and see
>>>>> if it helps with your problem?
>>>>>
>>>>> https://github.com/moyix/panda/blob/master/docs/tainted_instructions.md
>>>>>
>>>>> Note that you will probably need to do a "git pull" and rebuild (make
>>>>> clean ; ./build.sh) in order to make sure everything works as it says in
>>>>> the tutorial.
>>>>>
>>>>> -Brendan
>>>>>
>>>>> On Thu, Apr 9, 2015 at 9:30 AM, xiaojuan Li <xiaotan6666 at gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Now that the panda taint.md is not fresh, can you guys give me some
>>>>>> help?
>>>>>> I use the replay plugin; here is my command and the result.
>>>>>>
>>>>>> the content of pk_search_strings.txt is: "sdt"
>>>>>>
>>>>>> I am confused here: in the paper Repeatable reverse with panda
>>>>>> it is clear that if I use the stringsearch and taint plugin, when it
>>>>>> matches, the taint label will be put and then the taint action will start. But
>>>>>> when I use it, it seems wrong (the picture shown before): no taint action
>>>>>> executes, and I am confused about the tstringsearch's result.
>>>>>> How can I use it for analysis?
>>>>>> Thanks a lot!
>>>>>>
>>>>>> 2015-04-08 10:14 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>>>
>>>>>>> I get the replay file by running the runandroid script, and I use the
>>>>>>> qemu-system-arm command just to do some replay work.
>>>>>>> I may not understand you at all in this email. Do you mean that I
>>>>>>> should gdb the original program rather than the record file?
>>>>>>> Thanks
>>>>>>>
>>>>>>> 2015-04-08 9:52 GMT+08:00 Brendan Dolan-Gavitt <brendandg at gatech.edu
>>>>>>> >:
>>>>>>>
>>>>>>>> Hmm. gdb should normally stop when you get a segfault.
>>>>>>>>
>>>>>>>> Are you by any chance running PANDA using the runandroid script? If
>>>>>>>> so, you will need to instead invoke PANDA manually, i.e.:
>>>>>>>>
>>>>>>>> gdb --args arm-softmmu/qemu-system-arm [...]
>>>>>>>>
>>>>>>>> And then once it crashes, type "bt" at the gdb prompt to get a
>>>>>>>> backtrace.
>>>>>>>>
>>>>>>>> -Brendan
>>>>>>>>
>>>>>>>> On Tue, Apr 7, 2015 at 9:47 PM, xiaojuan Li <xiaotan6666 at gmail.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> When I gdb, it shows:
>>>>>>>>> and then I see the log; it shows segfault:
>>>>>>>>>
>>>>>>>>> 2015-04-08 9:03 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>>>>>>
>>>>>>>>>> Maybe I am wrong.
>>>>>>>>>> I use the command
>>>>>>>>>> line: "taint2:label_mode=binary,query_outgoing_network=1" and I found that
>>>>>>>>>> when I use taint2, after it loads panda_taint2.so, it
>>>>>>>>>> shows: "taint2:instructed not to inline taint ops .success".
>>>>>>>>>>
>>>>>>>>>> 2015-04-08 8:54 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>>>>>>>
>>>>>>>>>>> OK.
>>>>>>>>>>> 1. I want to use the taint plugin to get information about some
>>>>>>>>>>> functions (of course, they are closed-source), so I think I can stringsearch
>>>>>>>>>>> potential data and then taint them, and next I can locate the functions
>>>>>>>>>>> which solve these data.
>>>>>>>>>>>
>>>>>>>>>>> 2. The command line I used is: stringsearch:name=***;
>>>>>>>>>>> taint2:tainted_instructions=1.
>>>>>>>>>>>
>>>>>>>>>>> Thanks
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> 2015-04-08 8:40 GMT+08:00 Brendan Dolan-Gavitt <
>>>>>>>>>>> brendandg at gatech.edu>:
>>>>>>>>>>>
>>>>>>>>>>>> Could you provide:
>>>>>>>>>>>>
>>>>>>>>>>>> 1. What information you're trying to get
>>>>>>>>>>>> 2. The command line you're using to run PANDA with the taint2
>>>>>>>>>>>> plugin
>>>>>>>>>>>>
>>>>>>>>>>>> ?
>>>>>>>>>>>>
>>>>>>>>>>>> Right now I believe taint2 does not produce very much output by
>>>>>>>>>>>> default. Instead you use the -pandalog <filename> command line option, and
>>>>>>>>>>>> taint2 will write its results there in pandalog format; you can then read
>>>>>>>>>>>> them using pandalog_reader (see panda/pandalog_reader.c for details on that
>>>>>>>>>>>> tool).
>>>>>>>>>>>>
>>>>>>>>>>>> -Brendan
>>>>>>>>>>>>
>>>>>>>>>>>> On Tue, Apr 7, 2015 at 8:32 PM, xiaojuan Li <
>>>>>>>>>>>> xiaotan6666 at gmail.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> When I tried taint2, it showed the same error as taint1; the
>>>>>>>>>>>>> only difference is that taint2 has no segfault error, just uninit taint
>>>>>>>>>>>>> plugin.
>>>>>>>>>>>>>
>>>>>>>>>>>>> 2015-04-08 8:28 GMT+08:00 Brendan Dolan-Gavitt <
>>>>>>>>>>>>> brendandg at gatech.edu>:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Could you be a little more descriptive about how it failed?
>>>>>>>>>>>>>> Segfault? Error message? Incorrect output?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> -Brendan
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Tue, Apr 7, 2015 at 8:27 PM, xiaojuan Li <
>>>>>>>>>>>>>> xiaotan6666 at gmail.com> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I tried taint2 too; it failed.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> 2015-04-07 5:20 GMT+08:00 Leek, Timothy - 0559 - MITLL <
>>>>>>>>>>>>>>> tleek at ll.mit.edu>:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Also note that the “taint” plugin is somewhat defunct.
>>>>>>>>>>>>>>>>  “taint2” is the one we are actively using and developing.
>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>> Tim Leek
>>>>>>>>>>>>>>>> Technical Staff
>>>>>>>>>>>>>>>> Cyber System Assessments
>>>>>>>>>>>>>>>> MIT Lincoln Laboratory
>>>>>>>>>>>>>>>> 781-981-2975
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> From: Brendan Dolan-Gavitt <brendandg at gatech.edu>
>>>>>>>>>>>>>>>> Date: Monday, April 6, 2015 at 5:18 PM
>>>>>>>>>>>>>>>> To: xiaojuan Li <xiaotan6666 at gmail.com>
>>>>>>>>>>>>>>>> Cc: "panda-users at mit.edu" <panda-users at mit.edu>
>>>>>>>>>>>>>>>> Subject: Re: [panda-users] taint segmentation fault
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Could you run that under gdb and provide us with a
>>>>>>>>>>>>>>>> backtrace when it crashes?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> -Brendan
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On Sunday, April 5, 2015, xiaojuan Li <
>>>>>>>>>>>>>>>> xiaotan6666 at gmail.com> wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>> Excuse me, I have a question about the taint
>>>>>>>>>>>>>>>>> plugin: (stringsearch:name=***;taint:tainted_instructions=1)
>>>>>>>>>>>>>>>>> When I started it, it showed success:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> but when it finished searching, it showed "uninit taint plugin
>>>>>>>>>>>>>>>>> segementation fault"
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> How can I fix it?
>>>>>>>>>>>>>>>>> Thanks a lot!
>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>> wait and hope~~
>>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>>> panda-users mailing list
>>>>>>>>>>>>>>> panda-users at mit.edu
>>>>>>>>>>>>>>> http://mailman.mit.edu/mailman/listinfo/panda-users
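An added example, not from the thread or from PANDA itself, tying together the pieces discussed above: it parses the QEMU "-d in_asm" log format quoted in the thread, keeps only the instructions whose (asid, pc) pair appears in the tainted_instr records, and attributes each to a loaded module the way an osi_linux module list would allow. The log text, the tainted records, the asid value and the module map are constructed sample data; filtering on asid matters because the same virtual pc in another address space is different code.

```python
import re
from collections import defaultdict

# Constructed sample of a QEMU "-d in_asm" log, in the format quoted in the thread.
ASM_LOG = """\
IN:
0xb52dbbee:  4605       mov    r5, r0
0xb52dbbf0:  2800       cmp    r0, #0
0xb52dbbf2:  f040 8172  bne.w    0xb52dbeda

----------------
IN:
0xb52d5d32:  b5f7       push    {r0, r1, r2, r4, r5, r6, r7, lr}
0xb52d5d34:  4606       mov    r6, r0
0xb52d5d38:  6800       ldr    r0, [r0, #0]
"""

# Constructed (asid, pc) records, the shape tainted_instr writes to the pandalog.
TAINTED = {(0x1234, 0xb52dbbf0), (0x1234, 0xb52d5d38)}

# Constructed loaded-module map (name -> (base, size)), as osi_linux could report it.
MODULES = {"libfoo.so": (0xb52d0000, 0x20000), "app": (0x00008000, 0x10000)}

# One in_asm line: "0xPC:  <one or more 16-bit hex words>  mnemonic  operands"
INSN_RE = re.compile(r"^(0x[0-9a-f]+):\s+((?:[0-9a-f]{4}\s?)+)\s+(\S+)\s*(.*)$")

def parse_in_asm(text):
    """Yield (pc, mnemonic, operands) for every instruction line; skip IN:/separators."""
    for line in text.splitlines():
        m = INSN_RE.match(line.strip())
        if m:
            yield int(m.group(1), 16), m.group(3), m.group(4).strip()

def module_for(pc):
    """Map a pc to (module name, offset within module), or (None, None) if unknown."""
    for name, (base, size) in MODULES.items():
        if base <= pc < base + size:
            return name, pc - base
    return None, None

def tainted_instructions(asm_text, tainted, asid):
    """Return {module: [(pc, offset, disassembly), ...]} for tainted pcs in this asid."""
    tainted_pcs = {pc for (a, pc) in tainted if a == asid}
    hits = defaultdict(list)
    for pc, mnem, ops in parse_in_asm(asm_text):
        if pc in tainted_pcs:
            name, off = module_for(pc)
            hits[name].append((pc, off, f"{mnem} {ops}".strip()))
    return dict(hits)
```

The module offsets are what you would then look up in the extracted binary in IDA or a similar disassembler.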