[panda-users] taint segmentation fault

Joshua Hodosh josh.hodosh at ll.mit.edu
Fri Apr 24 16:36:05 EDT 2015


I should also point out that Android 5.0 switched from Dalvik to the
Android Runtime.
When an app is installed now, the Dalvik bytecode is compiled to native
ARM, MIPS, or x86 code.
I haven't looked into this process much. PANDA has trouble with Android
5 because of the graphical effects rendering.
In my experience, the Android emulator has similar issues unless using
the host GPU for OpenGL acceleration is enabled.
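A worked example, added here and not part of this thread or of PANDA itself. The question that runs through the quoted replies below is how to get from the `-d in_asm` basic-block dump (and the asid/pc records that `tainted_instr` pulls out of the pandalog) to something that names the code. One mechanical first step is to attribute each block's address to a loaded module and file offset using a process memory map of the kind an OSI/module-tracking plugin or a Volatility memory analysis can supply, and to normalise the sign-extended branch targets the log prints (`0xffffffffb52d5d32` for `0xb52d5d32`) so that call targets resolve as well. The log lines in the script are copied from the thread; the `/proc/<pid>/maps`-style map, its module paths and address ranges, the set of "tainted" PCs and all function names are constructed for the example.

```python
"""Attribute QEMU/PANDA `-d in_asm` basic blocks to modules via a memory map.
Added example, not PANDA code: assumes the "IN:" / "0xADDR:  ENCODING  MNEMONIC" log
shape quoted in this thread and a /proc/<pid>/maps-style map (constructed sample)."""
import re
from typing import List, NamedTuple, Optional, Set, Tuple

# Copied from the log quoted in this thread (blocks trimmed to a few instructions).
SAMPLE_IN_ASM = """\
IN:
0xb52dbbee:  4605       mov    r5, r0
0xb52dbbf0:  2800       cmp    r0, #0
0xb52dbbf2:  f040 8172  bne.w    0xb52dbeda

----------------
IN:
0xb52dbbf6:  462b       mov    r3, r5
0xb52dbbfe:  f7fa f898  bl    0xffffffffb52d5d32

----------------
IN:
0xb52d5d32:  b5f7       push    {r0, r1, r2, r4, r5, r6, r7, lr}
0xb52d5d3e:  f7ff fecf  bl    0xffffffffb52d5ae0
"""
# Constructed /proc/<pid>/maps-style sample; module paths and ranges are made up.
SAMPLE_MAPS = """\
b52d0000-b52e0000 r-xp 00000000 b3:19 1234 /system/lib/libexample.so
b52e0000-b52e1000 r--p 0000f000 b3:19 1234 /system/lib/libexample.so
b6f00000-b6f40000 r-xp 00000000 b3:19 5678 /system/lib/libc.so
"""
INSN_RE = re.compile(r"^0x([0-9a-fA-F]+):\s+((?:[0-9a-fA-F]{4}\s)*[0-9a-fA-F]{4})\s+(\S+)\s*(.*)$")
MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+\S{4}\s+([0-9a-f]+)\s+\S+\s+\d+\s*(.*)$")

class Insn(NamedTuple):
    addr: int
    mnemonic: str
    operands: str

class Region(NamedTuple):
    start: int
    end: int
    file_offset: int
    path: str

def parse_in_asm(text: str) -> List[List[Insn]]:
    """One list of Insn per "IN:" header (a translation block)."""
    blocks: List[List[Insn]] = []
    for line in text.splitlines():
        if line.strip() == "IN:":
            blocks.append([])
            continue
        m = INSN_RE.match(line)
        if m and blocks:
            blocks[-1].append(Insn(int(m.group(1), 16), m.group(3), m.group(4).strip()))
    return blocks

def parse_maps(text: str) -> List[Region]:
    out = []
    for m in filter(None, map(MAPS_RE.match, text.splitlines())):
        out.append(Region(int(m.group(1), 16), int(m.group(2), 16), int(m.group(3), 16), m.group(4).strip()))
    return out

def resolve(addr: int, regions: List[Region]) -> Optional[Tuple[str, int]]:
    """(module path, file offset) for a guest virtual address, or None if unmapped."""
    for r in regions:
        if r.start <= addr < r.end:
            return r.path, addr - r.start + r.file_offset
    return None

def branch_target(insn: Insn, bits: int = 32) -> Optional[int]:
    """Direct branch/call target, masked to the guest word size: the quoted log prints
    targets sign-extended to 64 bits (0xffffffffb52d5d32 for 0xb52d5d32)."""
    if not (insn.mnemonic.startswith("b") and insn.operands.startswith("0x")):
        return None
    return int(insn.operands.split(",")[0], 16) & ((1 << bits) - 1)

def attribute(in_asm: str, maps: str) -> List[dict]:
    """For each block: the module+offset it lives in and where its direct branches go."""
    regions = parse_maps(maps)
    out = []
    for blk in parse_in_asm(in_asm):
        if not blk:
            continue
        targets = [t for t in map(branch_target, blk) if t is not None]
        out.append({"block": blk[0].addr, "where": resolve(blk[0].addr, regions),
                    "targets": [(t, resolve(t, regions)) for t in targets]})
    return out

def blocks_hitting(in_asm: str, tainted_pcs: Set[int]) -> List[List[Insn]]:
    """Keep only blocks containing a PC reported as tainted (e.g. by tainted_instr)."""
    return [b for b in parse_in_asm(in_asm) if any(i.addr in tainted_pcs for i in b)]

if __name__ == "__main__":
    for e in attribute(SAMPLE_IN_ASM, SAMPLE_MAPS):
        print(f"block 0x{e['block']:08x} in {e['where']}")
        for tgt, where in e["targets"]:
            print(f"    -> 0x{tgt:08x} in {where}")
```

Once a block is attributed to a module and file offset, the offset is what you look up in the extracted binary in IDA or a similar disassembler; the `bits` argument exists because the same masking is needed for other 32-bit guests whose targets the log prints sign-extended.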

On 04/24/2015 04:23 PM, Joshua Hodosh wrote:
> That's correct. The last time I looked at DroidScope, it could
> introspect on Dalvik in Android 2.3, running on a 32-bit host.
> The DroidScope code we included as the linux_vmi plugin doesn't have
> Dalvik-layer introspection enabled, since it's 1) obsolete, and 2)
> requires a 32-bit executable. The process, thread, module, and symbol
> tracking are still enabled, but won't help with Java/Dalvik code.
>
> Android 2.x's interpreter had a function that was run on each opcode,
> so DroidScope's symbol-parsing was enough to bootstrap a
> Dalvik-instruction callback point. The interpreter in 4.0 was
> rewritten for performance, and doesn't have an analogous function, as
> far as I know.
>
> I know DroidScope has documentation about Android 4.3, but there
> doesn't seem to be any code for it. There haven't been any commits to
> it for over two years.
>
> -- 
> Josh
>
> On 04/24/2015 12:37 AM, Brendan Dolan-Gavitt wrote:
>> The low-level code you see in Android is generally the result of just
>> in time compilation. The DroidScope paper [1] discusses some ways to
>> determine what the high-level code corresponds to the low-level code,
>> but I don't know if that has made it into PANDA – Josh may know more.
>>
>> -Brendan
>>
>> [1] https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final107.pdf
>>
>> On Thu, Apr 23, 2015 at 9:19 PM, xiaojuan Li <xiaotan6666 at gmail.com
>> <mailto:xiaotan6666 at gmail.com>> wrote:
>>
>>     The thing is: after taint we can get the tainted data flow, assuming it
>>     is written in name.plog, then extract the .plog using tainted_instr. How
>>     can I get useful information from the flow (such as which high-level
>>     function handles it)? Like IL in .NET, we can decompile to get C# source
>>     code.
>>     Thanks
>>
>>     2015-04-23 19:49 GMT-04:00 xiaojuan Li <xiaotan6666 at gmail.com
>>     <mailto:xiaotan6666 at gmail.com>>:
>>
>>         Thanks first,
>>         the code I want to get is the Java functions (the higher-level
>>         information) that handle special data, or something related to
>>         these functions (like asm, but usable to locate the related
>>         functions).
>>
>>
>>         2015-04-23 12:45 GMT-04:00 Brendan Dolan-Gavitt
>>         <brendandg at gatech.edu <mailto:brendandg at gatech.edu>>:
>>
>>             I'm not sure I understand your question. The assembly
>>             instructions being executed are the code.
>>
>>             If you want higher-level information, like what library
>>             that code is in, or what the process name is, this is
>>             typically done using memory analysis (for example, tools
>>             like Volatility). If you can get the configuration right
>>             for the osi_linux plugin, you can also get information
>>             about what libraries are loaded and where they are from
>>             that interface.
>>
>>             What information are you trying to get?
>>
>>             -Brendan 
>>
>>             On Wed, Apr 22, 2015 at 11:23 PM, xiaojuan Li
>>             <xiaotan6666 at gmail.com <mailto:xiaotan6666 at gmail.com>> wrote:
>>
>>                 Excuse me, one more question:
>>                 taint (using pandalog to write name.plog, which can be
>>                 extracted by tainted_instr) can get the asid-pc record. I
>>                 want to find the operating code further and replay with
>>                 "-d in_asm -D asmlog.txt", and I get a log like this:
>>                 ************************************************************************
>>                 IN:
>>                 0xb52dbbee:  4605       mov    r5, r0
>>                 0xb52dbbf0:  2800       cmp    r0, #0
>>                 0xb52dbbf2:  f040 8172  bne.w    0xb52dbeda
>>
>>                 ----------------
>>                 IN:
>>                 0xb52dbbf6:  462b       mov    r3, r5
>>                 0xb52dbbf8:  4620       mov    r0, r4
>>                 0xb52dbbfa:  2101       movs    r1, #1
>>                 0xb52dbbfc:  aa06       add    r2, sp, #24
>>                 0xb52dbbfe:  f7fa f898  bl    0xffffffffb52d5d32
>>
>>                 ----------------
>>                 IN:
>>                 0xb52d5d32:  b5f7       push    {r0, r1, r2, r4, r5, r6, r7, lr}
>>                 0xb52d5d34:  4606       mov    r6, r0
>>                 0xb52d5d36:  4617       mov    r7, r2
>>                 0xb52d5d38:  6800       ldr    r0, [r0, #0]
>>                 0xb52d5d3a:  aa01       add    r2, sp, #4
>>                 0xb52d5d3c:  460d       mov    r5, r1
>>                 0xb52d5d3e:  f7ff fecf  bl    0xffffffffb52d5ae0
>>                 *******************************************************************
>>                 These are just the underlying instructions, but how can I
>>                 use them to locate the code that I want?
>>
>>                 Sorry to be an askhole, I am just a new learner...
>>                 And thanks for your patience!!
>>
>>                 2015-04-10 21:24 GMT-04:00 Brendan Dolan-Gavitt
>>                 <brendandg at gatech.edu <mailto:brendandg at gatech.edu>>:
>>
>>                     Once you have used PANDA's taint system to identify the
>>                     portions of the code that process the data you're
>>                     interested in, you will still have to analyze that code to
>>                     understand how it works. One way to do that might be to use
>>                     the scissors plugin to extract out the portion of the trace
>>                     that contains the code you're interested in, and then replay
>>                     it with QEMU's "-d in_asm -D asmlog.txt" options to get the
>>                     disassembly for that code.
>>
>>                     Alternatively, you could take a memory snapshot at some point
>>                     when the code you want to analyze is in memory (using
>>                     something like the pmemsave plugin in PANDA), then use
>>                     Volatility to analyze that memory image to extract out the
>>                     binary, which you could look at in IDA or something similar.
>>
>>                     Basically: disassemble the code that handles the data you're
>>                     interested in and find out how it works. Exactly what that
>>                     means will depend on what you're hoping to accomplish.
>>
>>                     -Brendan
>>
>>                     On Fri, Apr 10, 2015 at 9:07 PM, xiaojuan Li <xiaotan6666 at gmail.com
>>                     <mailto:xiaotan6666 at gmail.com>> wrote:
>>
>>                         Hi,
>>                         Thanks for your job first.
>>                         I am a little confused about the result of the taint. How can I
>>                         get enough information about the processing code from the
>>                         binary? Use gdb?
>>                         Thanks!
>>
>>                         2015-04-10 12:05 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com
>>                         <mailto:xiaotan6666 at gmail.com>>:
>>
>>                             Thanks for your guys' great work!
>>                             And I will try.
>>
>>                             2015-04-10 11:42 GMT+08:00 Brendan Dolan-Gavitt <brendandg at gatech.edu
>>                             <mailto:brendandg at gatech.edu>>:
>>
>>                                 Hi,
>>
>>                                 Tim has just updated the tainted_instructions tutorial so
>>                                 that it reflects how things work now. Could you look
>>                                 through that tutorial and see if it helps with your
>>                                 problem?
>>
>>                                 https://github.com/moyix/panda/blob/master/docs/tainted_instructions.md
>>
>>                                 Note that you will probably need to do a "git pull" and
>>                                 rebuild (make clean ; ./build.sh) in order to make sure
>>                                 everything works as it says in the tutorial.
>>
>>                                 -Brendan
>>
>>                                 On Thu, Apr 9, 2015 at 9:30 AM, xiaojuan Li <xiaotan6666 at gmail.com
>>                                 <mailto:xiaotan6666 at gmail.com>> wrote:
>>
>>                                     Now that the panda taint.md is not fresh, can you guys
>>                                     give me some help?
>>                                     I use the replay plugin; here is my command and the
>>                                     result.
>>
>>                                     The content of pk_search_strings.txt is: "sdt"
>>
>>                                     I am confused here: in the paper "Repeatable reverse
>>                                     with panda" it is clear that if I use the stringsearch
>>                                     and taint plugins, when it matches, the taint label will
>>                                     be put and then the taint action will start. But when I
>>                                     use it, it seems wrong (the picture shown before): no
>>                                     taint action executes, and I am confused about
>>                                     tstringsearch's result.
>>                                     How can I use it for analysis?
>>                                     Thanks a lot!
>>
>>                                     2015-04-08 10:14 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com
>>                                     <mailto:xiaotan6666 at gmail.com>>:
>>
>>                                         I get the replay file by running the runandroid
>>                                         script, and I use the qemu-system-arm command just
>>                                         to do some replay work.
>>                                         I may not understand you at all in this email. Do
>>                                         you mean that I should gdb the original program
>>                                         rather than the record file?
>>                                         Thanks
>>
>>                                         2015-04-08 9:52 GMT+08:00 Brendan Dolan-Gavitt <brendandg at gatech.edu
>>                                         <mailto:brendandg at gatech.edu>>:
>>
>>                                             Hmm. gdb should normally stop when you get a
>>                                             segfault.
>>
>>                                             Are you by any chance running PANDA using the
>>                                             runandroid script? If so, you will need to
>>                                             instead invoke PANDA manually, i.e.:
>>
>>                                             gdb --args arm-softmmu/qemu-system-arm [...]
>>
>>                                             And then once it crashes, type "bt" at the gdb
>>                                             prompt to get a backtrace.
>>
>>                                             -Brendan
>>
>>                                             On Tue, Apr 7, 2015 at 9:47 PM, xiaojuan Li <xiaotan6666 at gmail.com
>>                                             <mailto:xiaotan6666 at gmail.com>> wrote:
>>
>>                                                 When gdb, it shows:
>>                                                 and then I see the log: it shows segfault:
>>
>>                                                 2015-04-08 9:03 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com
>>                                                 <mailto:xiaotan6666 at gmail.com>>:
>>
>>                                                     Maybe I am wrong.
>>                                                     I use the command line
>>                                                     "taint2:label_mode=binary,query_outgoing_network=1"
>>                                                     and I found that when I use taint2, after it
>>                                                     loads panda_taint2.so, it shows:
>>                                                     "taint2:instructed not to inline taint ops .success".
>>
>>                                                     2015-04-08 8:54 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com
>>                                                     <mailto:xiaotan6666 at gmail.com>>:
>>
>>                                                         ok.
>>                                                         1. I want to use the taint plugin to get information
>>                                                         about some functions (of course, it is closed-source),
>>                                                         so I think I can stringsearch potential data and then
>>                                                         taint them, and next I can locate the functions which
>>                                                         handle these data.
>>
>>                                                         2. The command line I used is:
>>                                                         stringsearch:name=***;taint2:tainted_instructions=1.
>>
>>                                                         thanks
>>
>>
>>                                                         2015-04-08 8:40 GMT+08:00 Brendan Dolan-Gavitt <brendandg at gatech.edu
>>                                                         <mailto:brendandg at gatech.edu>>:
>>
>>                                                             Could you provide:
>>
>>                                                             1. What information you're trying to get
>>                                                             2. The command line you're using to run PANDA
>>                                                             with the taint2 plugin
>>
>>                                                             ?
>>
>>                                                             Right now I believe taint2 does not produce very
>>                                                             much output by default. Instead you use the
>>                                                             -pandalog <filename> command line option, and
>>                                                             taint2 will write its results there in pandalog
>>                                                             format; you can then read them using
>>                                                             pandalog_reader (see panda/pandalog_reader.c for
>>                                                             details on that tool).
>>
>>                                                             -Brendan
>>
>>                                                             On Tue, Apr 7, 2015 at 8:32 PM, xiaojuan Li <xiaotan6666 at gmail.com
>>                                                             <mailto:xiaotan6666 at gmail.com>> wrote:
>>
>>                                                                 When I tried taint2, it showed the same error
>>                                                                 as taint1; the only difference is that taint2
>>                                                                 has no segfault error, just uninit taint
>>                                                                 plugin.
>>
>>                                                                 2015-04-08
>>                                                                 8:28
>>                                                                 GMT+08:00
>>                                                                 Brendan
>>                                                                 Dolan-Gavitt
>>                                                                 <brendandg at gatech.edu
>>                                                                 <mailto:brendandg at gatech.edu>>:
>>
>>                                                                     Could
>>                                                                     you
>>                                                                     be a
>>                                                                     little
>>                                                                     more
>>                                                                     descriptive
>>                                                                     about
>>                                                                     how
>>                                                                     it failed?
>>                                                                     Segfault?
>>                                                                     Error
>>                                                                     message?
>>                                                                     Incorrect
>>                                                                     output?
>>
>>
>>                                                                     -Brendan
>>
>>                                                                     On Tue,
>>                                                                     Apr
>>                                                                     7, 2015
>>                                                                     at 8:27
>>                                                                     PM,
>>                                                                     xiaojuan
>>                                                                     Li <xiaotan6666 at gmail.com
>>                                                                     <mailto:xiaotan6666 at gmail.com>>
>>                                                                     wrote:
>>
>>                                                                         i tried
>>                                                                         taint2
>>                                                                         too,it
>>                                                                         failed.
>>
>>                                                                         2015-04-07
>>                                                                         5:20
>>                                                                         GMT+08:00
>>                                                                         Leek,
>>                                                                         Timothy
>>                                                                         - 0559
>>                                                                         - MITLL
>>                                                                         <tleek at ll.mit.edu
>>                                                                         <mailto:tleek at ll.mit.edu>>:
>>
>>                                                                             Also note that the “taint” plugin is
>>                                                                             somewhat defunct. “taint2” is the one
>>                                                                             we are actively using and developing.
>>                                                                             --
>>                                                                             Tim Leek
>>                                                                             Technical Staff
>>                                                                             Cyber System Assessments
>>                                                                             MIT Lincoln Laboratory
>>                                                                             781-981-2975
>>
>>
>>                                                                             From:
>>                                                                             Brendan
>>                                                                             Dolan-Gavitt
>>                                                                             <brendandg at gatech.edu
>>                                                                             <mailto:brendandg at gatech.edu>>
>>                                                                             Date:
>> Monday, April 6, 2015 at 5:18 PM
>> To: xiaojuan Li <xiaotan6666 at gmail.com <mailto:xiaotan6666 at gmail.com>>
>> Cc: "panda-users at mit.edu <mailto:panda-users at mit.edu>" <panda-users at mit.edu <mailto:panda-users at mit.edu>>
>> Subject: Re: [panda-users] taint segmentation fault
>>
>> Could you run that under gdb and provide us with a backtrace when it crashes?
>>
>> -Brendan
>>
>> On Sunday, April 5, 2015, xiaojuan Li <xiaotan6666 at gmail.com <mailto:xiaotan6666 at gmail.com>> wrote:
>>
>>     Hi,
>>
>>     Excuse me, I have a question about the taint plugin
>>     (stringsearch:name=***;taint:tainted_instructions=1). When I started it,
>>     it showed success:
>>
>>     but when it finished the search, it showed "uninit taint plugin
>>     segmentation fault".
>>
>>     How can I fix it? Thanks a lot!
>>     --
>>
>>     wait and hope~~
> _______________________________________________
> panda-users mailing list
> panda-users at mit.edu
> http://mailman.mit.edu/mailman/listinfo/panda-users
