[panda-users] taint segmentation fault

xiaojuan Li xiaotan6666 at gmail.com
Thu Apr 23 21:19:17 EDT 2015


the thing is: after taint we can get the tainted data flow, assuming it is written
to name.plog, then extract the .plog using tainted_instr. how can i get
useful information from the flow (such as which high-level func handles
it)?
like IL in .NET, we can decompile to get C# source code.
Thanks

2015-04-23 19:49 GMT-04:00 xiaojuan Li <xiaotan6666 at gmail.com>:

> thanks first,
> the code i want to get is the java functions (the higher-level information)
> that handle special data, or something related to these
> functions (like asm, but can be used to locate related functions).
>
>
> 2015-04-23 12:45 GMT-04:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:
>
>> I'm not sure I understand your question. The assembly instructions being
>> executed are the code.
>>
>> If you want higher-level information, like what library that code is in,
>> or what the process name is, this is typically done using memory analysis
>> (for example, tools like Volatility). If you can get the configuration
>> right for the osi_linux plugin, you can also get information about what
>> libraries are loaded and where they are from that interface.
>>
>> What information are you trying to get?
>>
>> -Brendan
>>
>> On Wed, Apr 22, 2015 at 11:23 PM, xiaojuan Li <xiaotan6666 at gmail.com>
>> wrote:
>>
>>> excuse me, one more question:
>>> taint (using pandalog to write to name.plog, which can be extracted by
>>> tainted_instr) can get the asid-pc records. i want to find the operating code
>>> further and replay with "-d in_asm -D asmlog.txt" and get a log like this:
>>> ************************************************************************
>>> IN:
>>> 0xb52dbbee:  4605       mov    r5, r0
>>> 0xb52dbbf0:  2800       cmp    r0, #0
>>> 0xb52dbbf2:  f040 8172  bne.w    0xb52dbeda
>>>
>>> ----------------
>>> IN:
>>> 0xb52dbbf6:  462b       mov    r3, r5
>>> 0xb52dbbf8:  4620       mov    r0, r4
>>> 0xb52dbbfa:  2101       movs    r1, #1
>>> 0xb52dbbfc:  aa06       add    r2, sp, #24
>>> 0xb52dbbfe:  f7fa f898  bl    0xffffffffb52d5d32
>>>
>>> ----------------
>>> IN:
>>> 0xb52d5d32:  b5f7       push    {r0, r1, r2, r4, r5, r6, r7, lr}
>>> 0xb52d5d34:  4606       mov    r6, r0
>>> 0xb52d5d36:  4617       mov    r7, r2
>>> 0xb52d5d38:  6800       ldr    r0, [r0, #0]
>>> 0xb52d5d3a:  aa01       add    r2, sp, #4
>>> 0xb52d5d3c:  460d       mov    r5, r1
>>> 0xb52d5d3e:  f7ff fecf  bl    0xffffffffb52d5ae0
>>> *******************************************************************
>>> these are just the underlying instructions, but how can i use them to locate
>>> the code that i want?
>>>
>>> sorry to be an askhole, i'm just a new learner...
>>> And thanks for your patience!!
>>>
>>> 2015-04-10 21:24 GMT-04:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:
>>>
>>>> Once you have used PANDA's taint system to identify the portions of the
>>>> code that process the data you're interested in, you will still have to
>>>> analyze that code to understand how it works. One way to do that might be
>>>> to use the scissors plugin to extract out the portion of the trace that
>>>> contains the code you're interested in, and then replay it with QEMU's "-d
>>>> in_asm -D asmlog.txt" options to get the disassembly for that code.
>>>>
>>>> Alternatively, you could take a memory snapshot at some point when the
>>>> code you want to analyze is in memory (using something like the pmemsave
>>>> plugin in PANDA), then use Volatility to analyze that memory image to
>>>> extract out the binary, which you could look at in IDA or something similar.
>>>>
>>>> Basically – disassemble the code that handles the data you're
>>>> interested in and find out how it works. Exactly what that means will
>>>> depend on what you're hoping to accomplish.
>>>>
>>>> -Brendan
>>>>
>>>> On Fri, Apr 10, 2015 at 9:07 PM, xiaojuan Li <xiaotan6666 at gmail.com>
>>>> wrote:
>>>>
>>>>> Hi,
>>>>> Thanks for your work first.
>>>>> I am a little confused about the taint result. how can I get
>>>>> enough information about the processing code from the binary? use gdb?
>>>>> Thanks!
>>>>>
>>>>> 2015-04-10 12:05 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>>
>>>>>> Thanks for you guys' great work!
>>>>>> and I will try.
>>>>>>
>>>>>> 2015-04-10 11:42 GMT+08:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> Tim has just updated the tainted_instructions tutorial so that it
>>>>>>> reflects how things work now. Could you look through that tutorial and see
>>>>>>> if it helps with your problem?
>>>>>>>
>>>>>>>
>>>>>>> https://github.com/moyix/panda/blob/master/docs/tainted_instructions.md
>>>>>>>
>>>>>>> Note that you will probably need to do a "git pull" and rebuild
>>>>>>> (make clean ; ./build.sh) in order to make sure everything works as it says
>>>>>>> in the tutorial.
>>>>>>>
>>>>>>> -Brendan
>>>>>>>
>>>>>>> On Thu, Apr 9, 2015 at 9:30 AM, xiaojuan Li <xiaotan6666 at gmail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Now that the panda taint.md is not fresh, can you guys give me some
>>>>>>>> help?
>>>>>>>> I use the replay plugin; here is my command and the result.
>>>>>>>>
>>>>>>>> the content of pk_search_strings.txt is: "sdt"
>>>>>>>>
>>>>>>>> I am confused here: in the paper "Repeatable reverse with panda"
>>>>>>>> it is clear that if I use the stringsearch and taint plugins, when it
>>>>>>>> matches, the taint label will be put on and then the taint action will start. but
>>>>>>>> when I use it, it seems wrong (the picture shown before): no taint action
>>>>>>>> executes, and i am confused about tstringsearch's result.
>>>>>>>> how can i use it for analysis?
>>>>>>>> Thanks a lot!
>>>>>>>>
>>>>>>>> 2015-04-08 10:14 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>>>>>
>>>>>>>>> I get the replay file by running the runandroid script, and i use the
>>>>>>>>> qemu-system-arm command just to do some replay work.
>>>>>>>>> I may not understand you at all in this email. do you mean that i
>>>>>>>>> should gdb the original program rather than the record file?
>>>>>>>>> Thanks
>>>>>>>>>
>>>>>>>>> 2015-04-08 9:52 GMT+08:00 Brendan Dolan-Gavitt <
>>>>>>>>> brendandg at gatech.edu>:
>>>>>>>>>
>>>>>>>>>> Hmm. gdb should normally stop when you get a segfault.
>>>>>>>>>>
>>>>>>>>>> Are you by any chance running PANDA using the runandroid script?
>>>>>>>>>> If so, you will need to instead invoke PANDA manually, i.e.:
>>>>>>>>>>
>>>>>>>>>> gdb --args arm-softmmu/qemu-system-arm [...]
>>>>>>>>>>
>>>>>>>>>> And then once it crashes, type "bt" at the gdb prompt to get a
>>>>>>>>>> backtrace.
>>>>>>>>>>
>>>>>>>>>> -Brendan
>>>>>>>>>>
>>>>>>>>>> On Tue, Apr 7, 2015 at 9:47 PM, xiaojuan Li <
>>>>>>>>>> xiaotan6666 at gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> when running gdb, it shows:
>>>>>>>>>>> and then i see the log: it shows segfault:
>>>>>>>>>>>
>>>>>>>>>>> 2015-04-08 9:03 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>>>>>>>>
>>>>>>>>>>>> maybe i am wrong.
>>>>>>>>>>>> i use the command
>>>>>>>>>>>> line: "taint2:label_mode=binary,query_outgoing_network=1" and I found that
>>>>>>>>>>>> when i use taint2, after it loads panda_taint2.so, it
>>>>>>>>>>>> shows: "taint2:instructed not to inline taint ops .success".
>>>>>>>>>>>>
>>>>>>>>>>>> 2015-04-08 8:54 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>>>>>>>>>
>>>>>>>>>>>>> ok.
>>>>>>>>>>>>> 1. I want to use the taint plugin to get information about some
>>>>>>>>>>>>> functions (of course, they are closed-source), so I think I can stringsearch
>>>>>>>>>>>>> potential data and then taint it, and next I can locate the functions
>>>>>>>>>>>>> which handle this data.
>>>>>>>>>>>>>
>>>>>>>>>>>>> 2. the command line I used is: stringsearch:name=***;
>>>>>>>>>>>>> taint2:tainted_instructions=1.
>>>>>>>>>>>>>
>>>>>>>>>>>>> thanks
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> 2015-04-08 8:40 GMT+08:00 Brendan Dolan-Gavitt <
>>>>>>>>>>>>> brendandg at gatech.edu>:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Could you provide:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> 1. What information you're trying to get
>>>>>>>>>>>>>> 2. The command line you're using to run PANDA with the taint2
>>>>>>>>>>>>>> plugin
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Right now I believe taint2 does not produce very much output
>>>>>>>>>>>>>> by default. Instead you use the -pandalog <filename> command line option,
>>>>>>>>>>>>>> and taint2 will write its results there in pandalog format; you can then
>>>>>>>>>>>>>> read them using pandalog_reader (see panda/pandalog_reader.c for details on
>>>>>>>>>>>>>> that tool).
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> -Brendan
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Tue, Apr 7, 2015 at 8:32 PM, xiaojuan Li <
>>>>>>>>>>>>>> xiaotan6666 at gmail.com> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> when I tried taint2, it showed the same error as taint1;
>>>>>>>>>>>>>>> the only difference is that taint2 has no segfault error, just uninit taint
>>>>>>>>>>>>>>> plugin.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> 2015-04-08 8:28 GMT+08:00 Brendan Dolan-Gavitt <
>>>>>>>>>>>>>>> brendandg at gatech.edu>:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Could you be a little more descriptive about how it failed?
>>>>>>>>>>>>>>>> Segfault? Error message? Incorrect output?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> -Brendan
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On Tue, Apr 7, 2015 at 8:27 PM, xiaojuan Li <
>>>>>>>>>>>>>>>> xiaotan6666 at gmail.com> wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> i tried taint2 too; it failed.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> 2015-04-07 5:20 GMT+08:00 Leek, Timothy - 0559 - MITLL <
>>>>>>>>>>>>>>>>> tleek at ll.mit.edu>:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Also note that the “taint” plugin is somewhat defunct.
>>>>>>>>>>>>>>>>>>  “taint2” is the one we are actively using and developing.
>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>> Tim Leek
>>>>>>>>>>>>>>>>>> Technical Staff
>>>>>>>>>>>>>>>>>> Cyber System Assessments
>>>>>>>>>>>>>>>>>> MIT Lincoln Laboratory
>>>>>>>>>>>>>>>>>> 781-981-2975
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> From: Brendan Dolan-Gavitt <brendandg at gatech.edu>
>>>>>>>>>>>>>>>>>> Date: Monday, April 6, 2015 at 5:18 PM
>>>>>>>>>>>>>>>>>> To: xiaojuan Li <xiaotan6666 at gmail.com>
>>>>>>>>>>>>>>>>>> Cc: "panda-users at mit.edu" <panda-users at mit.edu>
>>>>>>>>>>>>>>>>>> Subject: Re: [panda-users] taint segmentation fault
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Could you run that under gdb and provide us with a
>>>>>>>>>>>>>>>>>> backtrace when it crashes?
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> -Brendan
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On Sunday, April 5, 2015, xiaojuan Li <
>>>>>>>>>>>>>>>>>> xiaotan6666 at gmail.com> wrote:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>> excuse me, i have a question about the taint
>>>>>>>>>>>>>>>>>>> plugin: (stringsearch:name=***;taint:tainted_instructions=1)
>>>>>>>>>>>>>>>>>>> when I started it, it showed success:
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> but when it finished searching, it showed "uninit taint
>>>>>>>>>>>>>>>>>>> plugin segmentation fault"
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> how can I fix it?
>>>>>>>>>>>>>>>>>>> Thanks a lot!
>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>> wait and hope~~

-- 
wait and hope~~
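As a worked illustration of the step Brendan describes above (taking the PCs from the tainted_instr / "-d in_asm" output and attributing them to the library they live in, so the callee can be looked up in the extracted binary): an added Python example, not code from the PANDA project. It parses two of the in_asm blocks quoted in this thread and resolves each bl target against a constructed load map in the shape osi_linux or a /proc/<pid>/maps dump would give you; libfoo.so and its address range are invented. Note that QEMU prints the ARM branch target sign-extended (0xffffffffb52d5d32), while the next block starts at 0xb52d5d32, so the low 32 bits are what to match.

```python
import re
from collections import namedtuple

# Two of the "-d in_asm" blocks quoted in the thread, used here as sample input.
IN_ASM_LOG = """\
IN:
0xb52dbbf6:  462b       mov    r3, r5
0xb52dbbfe:  f7fa f898  bl    0xffffffffb52d5d32

----------------
IN:
0xb52d5d32:  b5f7       push    {r0, r1, r2, r4, r5, r6, r7, lr}
0xb52d5d3e:  f7ff fecf  bl    0xffffffffb52d5ae0
"""
# Constructed load map (start, end, file offset, path), the shape osi_linux or
# a /proc/<pid>/maps dump gives you; libfoo.so and its range are invented.
MODULES = [(0xb52d0000, 0xb52e0000, 0x0, "/system/lib/libfoo.so")]

Insn = namedtuple("Insn", "pc mnemonic operands")
INSN_RE = re.compile(r"^0x([0-9a-f]+):\s+(?:[0-9a-f]{4}\s+)+(\S+)\s*(.*)$")

def parse_in_asm(text):
    """Split the log into translation blocks, each a list of Insn."""
    blocks, cur = [], []
    for line in text.splitlines():
        if line.startswith("IN:"):
            if cur:
                blocks.append(cur)
            cur = []
            continue
        m = INSN_RE.match(line)
        if m:
            cur.append(Insn(int(m.group(1), 16), m.group(2), m.group(3).strip()))
    if cur:
        blocks.append(cur)
    return blocks

def resolve(pc, modules=MODULES):
    """Map a guest PC to (path, file offset); None if no module covers it."""
    pc &= 0xffffffff  # QEMU prints ARM branch targets sign-extended to 64 bits
    for start, end, file_off, path in modules:
        if start <= pc < end:
            return path, pc - start + file_off
    return None

def call_targets(blocks, modules=MODULES):
    """For every bl, pair the call site with its resolved callee (path, offset)."""
    return [(ins.pc, resolve(int(ins.operands, 16), modules))
            for blk in blocks for ins in blk if ins.mnemonic == "bl"]
```

The (path, offset) pairs are what you look up in the module's symbol table (or in IDA, once the binary has been carved out of the memory image as described above); a missing entry means the PC is outside every mapped library and the load map needs extending.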