[panda-users] taint segmentation fault

Brendan Dolan-Gavitt brendandg at gatech.edu
Fri Apr 24 00:37:03 EDT 2015


The low-level code you see in Android is generally the result of
just-in-time compilation. The DroidScope paper [1] discusses some ways to determine
what the high-level code corresponds to the low-level code, but I don't
know if that has made it into PANDA – Josh may know more.

-Brendan

[1]
https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final107.pdf

On Thu, Apr 23, 2015 at 9:19 PM, xiaojuan Li <xiaotan6666 at gmail.com> wrote:

> The thing is: after tainting we can get the tainted data flow, assuming it
> is written to name.plog, and then extract the .plog using tainted_instr. How can
> I get useful information from the flow (such as which high-level function
> handles it)?
> Like IL in .NET, we can decompile to get C# source code.
> Thanks
>
> 2015-04-23 19:49 GMT-04:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>
>> Thanks first,
>> the code I want to get is the Java functions (the higher-level
>> information) that handle special data, or something related to these
>> functions (like asm, but usable to locate the related functions).
>>
>>
>> 2015-04-23 12:45 GMT-04:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:
>>
>>> I'm not sure I understand your question. The assembly instructions being
>>> executed are the code.
>>>
>>> If you want higher-level information, like what library that code is in,
>>> or what the process name is, this is typically done using memory analysis
>>> (for example, tools like Volatility). If you can get the configuration
>>> right for the osi_linux plugin, you can also get information about what
>>> libraries are loaded and where they are from that interface.
>>>
>>> What information are you trying to get?
>>>
>>> -Brendan
>>>
>>> On Wed, Apr 22, 2015 at 11:23 PM, xiaojuan Li <xiaotan6666 at gmail.com>
>>> wrote:
>>>
>>>> Excuse me, one more question:
>>>> taint (using pandalog to write to name.plog, which can be extracted by
>>>> tainted_instr) can get the asid-pc records. I want to find the operating code
>>>> further, and replay with "-d in_asm -D asmlog.txt" to get a log like this:
>>>> ************************************************************************
>>>> IN:
>>>> 0xb52dbbee:  4605       mov    r5, r0
>>>> 0xb52dbbf0:  2800       cmp    r0, #0
>>>> 0xb52dbbf2:  f040 8172  bne.w    0xb52dbeda
>>>>
>>>> ----------------
>>>> IN:
>>>> 0xb52dbbf6:  462b       mov    r3, r5
>>>> 0xb52dbbf8:  4620       mov    r0, r4
>>>> 0xb52dbbfa:  2101       movs    r1, #1
>>>> 0xb52dbbfc:  aa06       add    r2, sp, #24
>>>> 0xb52dbbfe:  f7fa f898  bl    0xffffffffb52d5d32
>>>>
>>>> ----------------
>>>> IN:
>>>> 0xb52d5d32:  b5f7       push    {r0, r1, r2, r4, r5, r6, r7, lr}
>>>> 0xb52d5d34:  4606       mov    r6, r0
>>>> 0xb52d5d36:  4617       mov    r7, r2
>>>> 0xb52d5d38:  6800       ldr    r0, [r0, #0]
>>>> 0xb52d5d3a:  aa01       add    r2, sp, #4
>>>> 0xb52d5d3c:  460d       mov    r5, r1
>>>> 0xb52d5d3e:  f7ff fecf  bl    0xffffffffb52d5ae0
>>>> *******************************************************************
>>>> These are just the underlying instructions, but how can I use them to
>>>> locate the code that I want?
>>>>
>>>> Sorry to be an askhole, I'm just a new learner...
>>>> And thanks for your patience!!
>>>>
>>>> 2015-04-10 21:24 GMT-04:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:
>>>>
>>>>> Once you have used PANDA's taint system to identify the portions of
>>>>> the code that process the data you're interested in, you will still have to
>>>>> analyze that code to understand how it works. One way to do that might be
>>>>> to use the scissors plugin to extract out the portion of the trace that
>>>>> contains the code you're interested in, and then replay it with QEMU's "-d
>>>>> in_asm -D asmlog.txt" options to get the disassembly for that code.
>>>>>
>>>>> Alternatively, you could take a memory snapshot at some point when the
>>>>> code you want to analyze is in memory (using something like the pmemsave
>>>>> plugin in PANDA), then use Volatility to analyze that memory image to
>>>>> extract out the binary, which you could look at in IDA or something similar.
>>>>>
>>>>> Basically – disassemble the code that handles the data you're
>>>>> interested in and find out how it works. Exactly what that means will
>>>>> depend on what you're hoping to accomplish.
>>>>>
>>>>> -Brendan
>>>>>
>>>>> On Fri, Apr 10, 2015 at 9:07 PM, xiaojuan Li <xiaotan6666 at gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Hi,
>>>>>> Thanks for your job first.
>>>>>> I am a little confused about the taint result. How can I get
>>>>>> enough information about the processing code from the binary? Use gdb?
>>>>>> Thanks!
>>>>>>
>>>>>> 2015-04-10 12:05 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>>>
>>>>>>> Thanks for your great work, guys!
>>>>>>> And I will try.
>>>>>>>
>>>>>>> 2015-04-10 11:42 GMT+08:00 Brendan Dolan-Gavitt <
>>>>>>> brendandg at gatech.edu>:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> Tim has just updated the tainted_instructions tutorial so that it
>>>>>>>> reflects how things work now. Could you look through that tutorial and see
>>>>>>>> if it helps with your problem?
>>>>>>>>
>>>>>>>>
>>>>>>>> https://github.com/moyix/panda/blob/master/docs/tainted_instructions.md
>>>>>>>>
>>>>>>>> Note that you will probably need to do a "git pull" and rebuild
>>>>>>>> (make clean ; ./build.sh) in order to make sure everything works as it says
>>>>>>>> in the tutorial.
>>>>>>>>
>>>>>>>> -Brendan
>>>>>>>>
>>>>>>>> On Thu, Apr 9, 2015 at 9:30 AM, xiaojuan Li <xiaotan6666 at gmail.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> Now that the PANDA taint.md is not fresh, can you guys give me
>>>>>>>>> some help?
>>>>>>>>> I use the replay plugin; here is my command and the result.
>>>>>>>>>
>>>>>>>>> The content of pk_search_strings.txt is: "sdt"
>>>>>>>>>
>>>>>>>>> I am confused here: in the paper "Repeatable Reverse with PANDA"
>>>>>>>>> it is clear that if I use the stringsearch and taint plugins, when
>>>>>>>>> it matches, the taint label will be applied and then the taint action will
>>>>>>>>> start. But when I use it, it seems wrong (the picture shown before): no taint
>>>>>>>>> action executes, and I am confused about tstringsearch's result.
>>>>>>>>> How can I use it for analysis?
>>>>>>>>> Thanks a lot!
>>>>>>>>>
>>>>>>>>> 2015-04-08 10:14 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>>>>>>
>>>>>>>>>> I get the replay file by running the runandroid script, and I use
>>>>>>>>>> the qemu-system-arm command just to do some replay work.
>>>>>>>>>> I may not understand you at all in this email. Do you mean that I
>>>>>>>>>> should gdb the original program rather than the record file?
>>>>>>>>>> Thanks
>>>>>>>>>>
>>>>>>>>>> 2015-04-08 9:52 GMT+08:00 Brendan Dolan-Gavitt <
>>>>>>>>>> brendandg at gatech.edu>:
>>>>>>>>>>
>>>>>>>>>>> Hmm. gdb should normally stop when you get a segfault.
>>>>>>>>>>>
>>>>>>>>>>> Are you by any chance running PANDA using the runandroid script?
>>>>>>>>>>> If so, you will need to instead invoke PANDA manually, i.e.:
>>>>>>>>>>>
>>>>>>>>>>> gdb --args arm-softmmu/qemu-system-arm [...]
>>>>>>>>>>>
>>>>>>>>>>> And then once it crashes, type "bt" at the gdb prompt to get a
>>>>>>>>>>> backtrace.
>>>>>>>>>>>
>>>>>>>>>>> -Brendan
>>>>>>>>>>>
>>>>>>>>>>> On Tue, Apr 7, 2015 at 9:47 PM, xiaojuan Li <
>>>>>>>>>>> xiaotan6666 at gmail.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> When I run gdb, it shows:
>>>>>>>>>>>> and then I see the log; it shows a segfault:
>>>>>>>>>>>>
>>>>>>>>>>>> 2015-04-08 9:03 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>>>>>>>>>
>>>>>>>>>>>>> Maybe I am wrong.
>>>>>>>>>>>>> I use the command
>>>>>>>>>>>>> line "taint2:label_mode=binary,query_outgoing_network=1", and I found that
>>>>>>>>>>>>> when I use taint2, after it loads panda_taint2.so, it
>>>>>>>>>>>>> shows: "taint2:instructed not to inline taint ops .success".
>>>>>>>>>>>>>
>>>>>>>>>>>>> 2015-04-08 8:54 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> OK.
>>>>>>>>>>>>>> 1. I want to use the taint plugin to get information about some
>>>>>>>>>>>>>> functions (of course, it is closed-source), so I think I can stringsearch
>>>>>>>>>>>>>> potential data, then taint it, and next locate the functions
>>>>>>>>>>>>>> which handle this data.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> 2. The command line I used is: stringsearch:name=***;
>>>>>>>>>>>>>> taint2:tainted_instructions=1.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> 2015-04-08 8:40 GMT+08:00 Brendan Dolan-Gavitt <
>>>>>>>>>>>>>> brendandg at gatech.edu>:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Could you provide:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> 1. What information you're trying to get
>>>>>>>>>>>>>>> 2. The command line you're using to run PANDA with the
>>>>>>>>>>>>>>> taint2 plugin
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Right now I believe taint2 does not produce very much output
>>>>>>>>>>>>>>> by default. Instead you use the -pandalog <filename> command line option,
>>>>>>>>>>>>>>> and taint2 will write its results there in pandalog format; you can then
>>>>>>>>>>>>>>> read them using pandalog_reader (see panda/pandalog_reader.c for details on
>>>>>>>>>>>>>>> that tool).
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> -Brendan
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Tue, Apr 7, 2015 at 8:32 PM, xiaojuan Li <
>>>>>>>>>>>>>>> xiaotan6666 at gmail.com> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> When I tried taint2, it showed the same error as taint1;
>>>>>>>>>>>>>>>> the only difference is that taint2 has no segfault error, just "uninit taint
>>>>>>>>>>>>>>>> plugin".
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> 2015-04-08 8:28 GMT+08:00 Brendan Dolan-Gavitt <
>>>>>>>>>>>>>>>> brendandg at gatech.edu>:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Could you be a little more descriptive about how it
>>>>>>>>>>>>>>>>> failed? Segfault? Error message? Incorrect output?
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> -Brendan
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On Tue, Apr 7, 2015 at 8:27 PM, xiaojuan Li <
>>>>>>>>>>>>>>>>> xiaotan6666 at gmail.com> wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> I tried taint2 too; it failed.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> 2015-04-07 5:20 GMT+08:00 Leek, Timothy - 0559 - MITLL <
>>>>>>>>>>>>>>>>>> tleek at ll.mit.edu>:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Also note that the “taint” plugin is somewhat defunct.
>>>>>>>>>>>>>>>>>>> "taint2" is the one we are actively using and developing.
>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>> Tim Leek
>>>>>>>>>>>>>>>>>>> Technical Staff
>>>>>>>>>>>>>>>>>>> Cyber System Assessments
>>>>>>>>>>>>>>>>>>> MIT Lincoln Laboratory
>>>>>>>>>>>>>>>>>>> 781-981-2975
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> From: Brendan Dolan-Gavitt <brendandg at gatech.edu>
>>>>>>>>>>>>>>>>>>> Date: Monday, April 6, 2015 at 5:18 PM
>>>>>>>>>>>>>>>>>>> To: xiaojuan Li <xiaotan6666 at gmail.com>
>>>>>>>>>>>>>>>>>>> Cc: "panda-users at mit.edu" <panda-users at mit.edu>
>>>>>>>>>>>>>>>>>>> Subject: Re: [panda-users] taint segmentation fault
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Could you run that under gdb and provide us with a
>>>>>>>>>>>>>>>>>>> backtrace when it crashes?
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> -Brendan
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> On Sunday, April 5, 2015, xiaojuan Li <
>>>>>>>>>>>>>>>>>>> xiaotan6666 at gmail.com> wrote:
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>>> Excuse me, I have a question about the taint
>>>>>>>>>>>>>>>>>>>> plugin (stringsearch:name=***;taint:tainted_instructions=1):
>>>>>>>>>>>>>>>>>>>> when I started it, it showed success:
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> but when it finished the search, it showed "uninit taint
>>>>>>>>>>>>>>>>>>>> plugin segmentation fault"
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> How can I fix it?
>>>>>>>>>>>>>>>>>>>> Thanks a lot!
>>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>>> wait and hope~~
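The two artifacts the thread is trying to connect are the "-d in_asm -D asmlog.txt" dump (the IN: blocks quoted above) and the asid-pc records that tainted_instr pulls out of the pandalog. The Python below is an added example, not code from the thread or from PANDA: it parses such a dump into translation blocks, masks the sign-extended branch targets QEMU prints (0xffffffffb52d5d32 in the dump is the 32-bit guest address 0xb52d5d32), recovers the bl call edge between two of the quoted blocks, and attributes each tainted pc to the block that executed it and to a module from a process memory map. The sample dump is the one quoted above; the module map, module names and asid/pc records are constructed for the example, and a real map would come from osi_linux or from Volatility run on a pmemsave image, as suggested upthread.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the translation-block dump that PANDA/QEMU writes with
# "-d in_asm -D asmlog.txt", trimmed to the three blocks quoted in the thread.
SAMPLE_ASMLOG = """\
IN:
0xb52dbbee:  4605       mov    r5, r0
0xb52dbbf0:  2800       cmp    r0, #0
0xb52dbbf2:  f040 8172  bne.w    0xb52dbeda

----------------
IN:
0xb52dbbf6:  462b       mov    r3, r5
0xb52dbbf8:  4620       mov    r0, r4
0xb52dbbfa:  2101       movs    r1, #1
0xb52dbbfc:  aa06       add    r2, sp, #24
0xb52dbbfe:  f7fa f898  bl    0xffffffffb52d5d32

----------------
IN:
0xb52d5d32:  b5f7       push    {r0, r1, r2, r4, r5, r6, r7, lr}
0xb52d5d34:  4606       mov    r6, r0
0xb52d5d36:  4617       mov    r7, r2
0xb52d5d38:  6800       ldr    r0, [r0, #0]
0xb52d5d3a:  aa01       add    r2, sp, #4
0xb52d5d3c:  460d       mov    r5, r1
0xb52d5d3e:  f7ff fecf  bl    0xffffffffb52d5ae0
"""

# Hypothetical module map (start, end, name) for the guest process; in practice
# this comes from osi_linux or from Volatility run on a pmemsave image.
MODULE_MAP = [
    (0xB52D0000, 0xB52E0000, "libexample.so (hypothetical)"),
    (0xB6000000, 0xB6100000, "libc.so (hypothetical)"),
]

# Constructed (asid, pc) pairs standing in for the records tainted_instr
# extracts from the pandalog.
TAINT_RECORDS = [(0x1A3000, 0xB52DBBF8), (0x1A3000, 0xB52D5D3A), (0x1A3000, 0xB6000010)]

# "0x<pc>:  <hex halfwords>  <mnemonic>  <operands>"
INSN_RE = re.compile(r"^0x([0-9a-f]+):\s+((?:[0-9a-f]{4}\s)*[0-9a-f]{4})\s+(\S+)\s*(.*)$")

@dataclass
class Insn:
    pc: int
    size: int        # bytes, derived from the encoded halfwords
    mnemonic: str
    operands: str

@dataclass
class Block:
    insns: List[Insn] = field(default_factory=list)

    @property
    def start(self) -> int:
        return self.insns[0].pc

    @property
    def end(self) -> int:  # exclusive
        last = self.insns[-1]
        return last.pc + last.size

def to_u32(addr: int) -> int:
    """QEMU prints ARM branch targets sign-extended to 64 bits
    (0xffffffffb52d5d32 in the thread); mask back to the 32-bit guest address."""
    return addr & 0xFFFFFFFF

def parse_asmlog(text: str) -> List[Block]:
    """Split an in_asm dump into translation blocks; an 'IN:' line opens a block."""
    blocks: List[Block] = []
    cur: Optional[Block] = None
    for line in text.splitlines():
        line = line.strip()
        if line == "IN:":
            cur = Block()
            blocks.append(cur)
            continue
        m = INSN_RE.match(line)
        if m and cur is not None:
            size = len(m.group(2).replace(" ", "")) // 2   # two hex digits per byte
            cur.insns.append(Insn(int(m.group(1), 16), size, m.group(3), m.group(4)))
    return [b for b in blocks if b.insns]

def find_block(blocks: List[Block], pc: int) -> Optional[Block]:
    return next((b for b in blocks if b.start <= pc < b.end), None)

def locate(pc: int, module_map) -> Optional[Tuple[str, int]]:
    """Map a guest pc to (module name, offset within that module)."""
    return next(((name, pc - lo) for lo, hi, name in module_map if lo <= pc < hi), None)

def call_edges(blocks: List[Block]) -> List[Tuple[int, int]]:
    """(caller pc, callee entry) for every 'bl' whose target starts a block in the log."""
    starts = {b.start for b in blocks}
    return [(i.pc, to_u32(int(i.operands, 16)))
            for b in blocks for i in b.insns
            if i.mnemonic == "bl" and i.operands.startswith("0x")
            and to_u32(int(i.operands, 16)) in starts]

def attribute_taint(records, blocks, module_map) -> Dict[int, List[dict]]:
    """Per asid: which translation block ran each tainted pc and which module owns it."""
    out: Dict[int, List[dict]] = {}
    for asid, pc in records:
        b, mod = find_block(blocks, pc), locate(pc, module_map)
        out.setdefault(asid, []).append({
            "pc": pc,
            "block_start": b.start if b else None,
            "module": mod[0] if mod else None,
            "offset": mod[1] if mod else None,
        })
    return out

if __name__ == "__main__":
    blocks = parse_asmlog(SAMPLE_ASMLOG)
    for caller, callee in call_edges(blocks):
        print(f"call from {caller:#x} to function entry {callee:#x}")
    for asid, hits in attribute_taint(TAINT_RECORDS, blocks, MODULE_MAP).items():
        for h in hits:
            print(f"asid {asid:#x}: pc {h['pc']:#x} block {h['block_start']} "
                  f"module {h['module']} offset {h['offset']}")
```

The bl at 0xb52dbbfe lands exactly on the start of the third quoted block, whose push {..., lr} prologue marks a function entry, so the call edge plus the module offset is what you would feed to IDA (or any disassembler) on the binary extracted from the memory image to name the function; a tainted pc that falls in no logged block means the scissors range or the in_asm log did not cover that part of the replay.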