[panda-users] taint segmentation fault
xiaojuan Li
xiaotan6666 at gmail.com
Fri Apr 24 21:20:39 EDT 2015
thanks first!
sorry, i made a mistake: the low-level code i mean before is the log file
produced by qemu's -d command when replay, and it is the assembly code(i
mean it is the qemu's log about replay,how can i get the tainted_instr
ops?).the .plog file produced by pandalog is just the result of
tainted_instr.(asid and pc value)
as for linux_vmi plugin and DroidScope i should learn further.
2015-04-24 16:23 GMT-04:00 Joshua Hodosh <josh.hodosh at ll.mit.edu>:
> That's correct. The last time I looked at DroidScope, it could introspect
> on Dalvik in Android 2.3, running on a 32-bit host.
> The DroidScope code we included as the linux_vmi plugin doesn't have
> Dalvik-layer introspection enabled, since it's 1) obsolete, and 2) requires
> a 32-bit executable. The process, thread, module, and symbol tracking are
> still enabled, but won't help with Java/Dalvik code.
>
> Android 2.x's interpreter had a function that was run on each opcode, so
> DroidScope's symbol-parsing was enough to bootstrap a Dalvik-instruction
> callback point. The interpreter in 4.0 was rewritten for performance, and
> doesn't have an analogous function, as far as I know.
>
> I know DroidScope has documentation about Android 4.3, but there doesn't
> seem to be any code for it. There haven't been any commits to it for over
> two years.
>
> --
> Josh
>
>
> On 04/24/2015 12:37 AM, Brendan Dolan-Gavitt wrote:
>
> The low-level code you see in Android is generally the result of just in
> time compilation. The DroidScope paper [1] discusses some ways to determine
> what the high-level code corresponds to the low-level code, but I don't
> know if that has made it into PANDA – Josh may know more.
>
> -Brendan
>
> [1]
> https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final107.pdf
>
> On Thu, Apr 23, 2015 at 9:19 PM, xiaojuan Li <xiaotan6666 at gmail.com>
> wrote:
>
>> the thing is:after taint we can get the tainted data flow,assuming it
>> wrote in the name.plog, then extract the .plog using tainted_instr, how can
>> i get useful information from the flowing(such as which high-level func
>> handle it)?
>> like IL in .NET, we can decompile to get c# source code.
>> Thanks
>>
>> 2015-04-23 19:49 GMT-04:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>
>> thanks first,
>>> the code i want to get is the java functions(the higher-level
>>> information) that handle special data or something that related with these
>>> functions.(like asm,but can be used to locate related functions).
>>>
>>>
>>> 2015-04-23 12:45 GMT-04:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:
>>>
>>> I'm not sure I understand your question. The assembly instructions
>>>> being executed are the code.
>>>>
>>>> If you want higher-level information, like what library that code is
>>>> in, or what the process name is, this is typically done using memory
>>>> analysis (for example, tools like Volatility). If you can get the
>>>> configuration right for the osi_linux plugin, you can also get information
>>>> about what libraries are loaded and where they are from that interface.
>>>>
>>>> What information are you trying to get?
>>>>
>>>> -Brendan
>>>>
>>>> On Wed, Apr 22, 2015 at 11:23 PM, xiaojuan Li <xiaotan6666 at gmail.com>
>>>> wrote:
>>>>
>>>>> excuse me, one more question:
>>>>> taint(use pandalog to write in name.plog which can be extract by
>>>>> tainted_instr) can get the asid-pc record,i want to find operating code
>>>>> further and replay with "-d in_asm -D asmlog.txt" and get the log like this:
>>>>>
>>>>> ************************************************************************
>>>>> IN:
>>>>> 0xb52dbbee: 4605 mov r5, r0
>>>>> 0xb52dbbf0: 2800 cmp r0, #0
>>>>> 0xb52dbbf2: f040 8172 bne.w 0xb52dbeda
>>>>>
>>>>> ----------------
>>>>> IN:
>>>>> 0xb52dbbf6: 462b mov r3, r5
>>>>> 0xb52dbbf8: 4620 mov r0, r4
>>>>> 0xb52dbbfa: 2101 movs r1, #1
>>>>> 0xb52dbbfc: aa06 add r2, sp, #24
>>>>> 0xb52dbbfe: f7fa f898 bl 0xffffffffb52d5d32
>>>>>
>>>>> ----------------
>>>>> IN:
>>>>> 0xb52d5d32: b5f7 push {r0, r1, r2, r4, r5, r6, r7, lr}
>>>>> 0xb52d5d34: 4606 mov r6, r0
>>>>> 0xb52d5d36: 4617 mov r7, r2
>>>>> 0xb52d5d38: 6800 ldr r0, [r0, #0]
>>>>> 0xb52d5d3a: aa01 add r2, sp, #4
>>>>> 0xb52d5d3c: 460d mov r5, r1
>>>>> 0xb52d5d3e: f7ff fecf bl 0xffffffffb52d5ae0
>>>>> *******************************************************************
>>>>> it just the instructions underlying, but how can i use these to
>>>>> locate the code that what i want?
>>>>>
>>>>> sorry to be a askhole, i just a new learner...
>>>>> And thanks for your patience!!
>>>>>
>>>>> 2015-04-10 21:24 GMT-04:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>
>>>>> :
>>>>>
>>>>>> Once you have used PANDA's taint system to identify the portions of
>>>>>> the code that process the data you're interested in, you will still have to
>>>>>> analyze that code do understand how it works. One way to do that might be
>>>>>> to use the scissors plugin to extract out the portion of the trace that
>>>>>> contains the code you're interested in, and then replay it with QEMU's "-d
>>>>>> in_asm -D asmlog.txt" options to get the disassembly for that code.
>>>>>>
>>>>>> Alternatively, you could take a memory snapshot at some point when
>>>>>> the code you want to analyze is in memory (using something like the
>>>>>> pmemsave plugin in PANDA), then use Volatility to analyze that memory image
>>>>>> to extract out the binary, which you could look at in IDA or something
>>>>>> similar.
>>>>>>
>>>>>> Basically – disassemble the code that handles the data you're
>>>>>> interested in and find out how it works. Exactly what that means will
>>>>>> depend on what you're hoping to accomplish.
>>>>>>
>>>>>> -Brendan
>>>>>>
>>>>>> On Fri, Apr 10, 2015 at 9:07 PM, xiaojuan Li <xiaotan6666 at gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>> Thanks for your job first.
>>>>>>> I am a little confused about the result of the tainted.how can I get
>>>>>>> enough information about the processing code from the binary? use the gdb?
>>>>>>> Thanks!
>>>>>>>
>>>>>>> 2015-04-10 12:05 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>>>>
>>>>>>>> Thanks for your guys great work!
>>>>>>>> and I will try.
>>>>>>>>
>>>>>>>> 2015-04-10 11:42 GMT+08:00 Brendan Dolan-Gavitt <
>>>>>>>> brendandg at gatech.edu>:
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> Tim has just updated the tainted_instructions tutorial so that
>>>>>>>>> it reflects how things work now. Could you look through that tutorial and
>>>>>>>>> see if it helps with your problem?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> https://github.com/moyix/panda/blob/master/docs/tainted_instructions.md
>>>>>>>>>
>>>>>>>>> Note that you will probably need to do a "git pull" and rebuild
>>>>>>>>> (make clean ; ./build.sh) in order to make sure everything works as it says
>>>>>>>>> in the tutorial.
>>>>>>>>>
>>>>>>>>> -Brendan
>>>>>>>>>
>>>>>>>>> On Thu, Apr 9, 2015 at 9:30 AM, xiaojuan Li <xiaotan6666 at gmail.com
>>>>>>>>> > wrote:
>>>>>>>>>
>>>>>>>>>> Now that the panda taint.md is not fresh,can you guys give me
>>>>>>>>>> some help?
>>>>>>>>>> I use the replay plugin,here is my command and the result.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> the content of pk_search_strings.txt is :"sdt"
>>>>>>>>>>
>>>>>>>>>> I am confused here:in the paper— Repeatable reverse with panda:
>>>>>>>>>> :
>>>>>>>>>> it is clear that:if I use the stringsearch and taint
>>>>>>>>>> plugin,when it matches, the taint label will be put and then taint action
>>>>>>>>>> will start.but when I use it, it seems wrong(the picture showed before):no
>>>>>>>>>> taint action execute,and i am confused about the tstringsearch's result.
>>>>>>>>>> how can i use it to analysis?
>>>>>>>>>> Thanks a lot!
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> 2015-04-08 10:14 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>>>>>>>
>>>>>>>>>>> I get the replay file by running runandroid script. and i use
>>>>>>>>>>> qemu-system-arm command just to do some replay work.
>>>>>>>>>>> I may not understand you at all in this emal.do you mean that i
>>>>>>>>>>> should gdb the original program rather than the record file?
>>>>>>>>>>> Thansk
>>>>>>>>>>>
>>>>>>>>>>> 2015-04-08 9:52 GMT+08:00 Brendan Dolan-Gavitt <
>>>>>>>>>>> brendandg at gatech.edu>:
>>>>>>>>>>>
>>>>>>>>>>>> Hmm. gdb should normally stop when you get a segfault.
>>>>>>>>>>>>
>>>>>>>>>>>> Are you by any chance running PANDA using the runandroid
>>>>>>>>>>>> script? If so, you will need to instead invoke PANDA manually, i.e.:
>>>>>>>>>>>>
>>>>>>>>>>>> gdb --args arm-softmmu/qemu-system-arm [...]
>>>>>>>>>>>>
>>>>>>>>>>>> And then once it crashes, type "bt" at the gdb prompt to get
>>>>>>>>>>>> a backtrace.
>>>>>>>>>>>>
>>>>>>>>>>>> -Brendan
>>>>>>>>>>>>
>>>>>>>>>>>> On Tue, Apr 7, 2015 at 9:47 PM, xiaojuan Li <
>>>>>>>>>>>> xiaotan6666 at gmail.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> when gdb,it shows:
>>>>>>>>>>>>> and then i see the log:it shows segfault:
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> 2015-04-08 9:03 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> maybe i am wrong.
>>>>>>>>>>>>>> i use the command
>>>>>>>>>>>>>> line:"taint2:label_mode=binary,query_outgoing_network=1"and I found that
>>>>>>>>>>>>>> when i use taint2, after it loads panda_taint2.so,it
>>>>>>>>>>>>>> shows:"taint2:instructed not to inline taint ops .success".
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> 2015-04-08 8:54 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>
>>>>>>>>>>>>>> :
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ok.
>>>>>>>>>>>>>>> 1.I want to use taint plugin to get information about some
>>>>>>>>>>>>>>> functions(of course, it is closed-source),so I think I can stringsearch
>>>>>>>>>>>>>>> potential data and then taint them and next I can locate the functions
>>>>>>>>>>>>>>> which solves these data.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> 2.the command line I used is : stringsearch:name=***;
>>>>>>>>>>>>>>> taint2:tainted_instructions=1.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> thanks
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> 2015-04-08 8:40 GMT+08:00 Brendan Dolan-Gavitt <
>>>>>>>>>>>>>>> brendandg at gatech.edu>:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Could you provide:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> 1. What information you're trying to get
>>>>>>>>>>>>>>>> 2. The command line you're using to run PANDA with the
>>>>>>>>>>>>>>>> taint2 plugin
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> ?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Right now I believe taint2 does not produce very much
>>>>>>>>>>>>>>>> output by default. Instead you use the -pandalog <filename> command line
>>>>>>>>>>>>>>>> option, and taint2 will write its results there in pandalog format; you can
>>>>>>>>>>>>>>>> then read them using pandalog_reader (see panda/pandalog_reader.c for
>>>>>>>>>>>>>>>> details on that tool).
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> -Brendan
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On Tue, Apr 7, 2015 at 8:32 PM, xiaojuan Li <
>>>>>>>>>>>>>>>> xiaotan6666 at gmail.com> wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> when I tried taint2,it showed the same error with taint1,
>>>>>>>>>>>>>>>>> the olny difference is that taint2 has no segfault error,just uninit taint
>>>>>>>>>>>>>>>>> plugin.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> 2015-04-08 8:28 GMT+08:00 Brendan Dolan-Gavitt <
>>>>>>>>>>>>>>>>> brendandg at gatech.edu>:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Could you be a little more descriptive about how it
>>>>>>>>>>>>>>>>>> failed? Segfault? Error message? Incorrect output?
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> -Brendan
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On Tue, Apr 7, 2015 at 8:27 PM, xiaojuan Li <
>>>>>>>>>>>>>>>>>> xiaotan6666 at gmail.com> wrote:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> i tried taint2 too,it failed.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> 2015-04-07 5:20 GMT+08:00 Leek, Timothy - 0559 - MITLL <
>>>>>>>>>>>>>>>>>>> tleek at ll.mit.edu>:
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Also note that the “taint” plugin is somewhat
>>>>>>>>>>>>>>>>>>>> defunct. “taint2” is the one we are actively using and developing.
>>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>>> Tim Leek
>>>>>>>>>>>>>>>>>>>> Technical Staff
>>>>>>>>>>>>>>>>>>>> Cyber System Assessments
>>>>>>>>>>>>>>>>>>>> MIT Lincoln Laboratory
>>>>>>>>>>>>>>>>>>>> 781-981-2975
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> From: Brendan Dolan-Gavitt <brendandg at gatech.edu>
>>>>>>>>>>>>>>>>>>>> Date: Monday, April 6, 2015 at 5:18 PM
>>>>>>>>>>>>>>>>>>>> To: xiaojuan Li <xiaotan6666 at gmail.com>
>>>>>>>>>>>>>>>>>>>> Cc: "panda-users at mit.edu" <panda-users at mit.edu>
>>>>>>>>>>>>>>>>>>>> Subject: Re: [panda-users] taint segmentation fault
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Could you run that under gdb and provide us with a
>>>>>>>>>>>>>>>>>>>> backtrace when it crashes?
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> -Brendan
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> On Sunday, April 5, 2015, xiaojuan Li <
>>>>>>>>>>>>>>>>>>>> xiaotan6666 at gmail.com> wrote:
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>>>> excuse me,i have a question about taint
>>>>>>>>>>>>>>>>>>>>> plugin:(stringsearch:name=***;taint:tainted_instructions=1)
>>>>>>>>>>>>>>>>>>>>> when I started it showed success:
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> but when it finished search,it showd "uninit taint
>>>>>>>>>>>>>>>>>>>>> plugin segementation fault"
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> how can I fix it?
>>>>>>>>>>>>>>>>>>>>> Thanks a lot!
>>>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>>>> wait and hope~~
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>> wait and hope~~
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>>>>>>> panda-users mailing list
>>>>>>>>>>>>>>>>>>> panda-users at mit.edu
>>>>>>>>>>>>>>>>>>> http://mailman.mit.edu/mailman/listinfo/panda-users
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>> wait and hope~~
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>> wait and hope~~
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> wait and hope~~
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> wait and hope~~
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> wait and hope~~
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> wait and hope~~
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> wait and hope~~
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> wait and hope~~
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> wait and hope~~
>>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> wait and hope~~
>>>
>>
>>
>>
>> --
>> wait and hope~~
>>
>
>
>
> _______________________________________________
> panda-users mailing listpanda-users at mit.eduhttp://mailman.mit.edu/mailman/listinfo/panda-users
>
>
>
> _______________________________________________
> panda-users mailing list
> panda-users at mit.edu
> http://mailman.mit.edu/mailman/listinfo/panda-users
>
>
--
wait and hope~~
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.mit.edu/pipermail/panda-users/attachments/20150424/93c392bd/attachment-0001.htm
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 118621 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/panda-users/attachments/20150424/93c392bd/attachment-0008.png
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 106030 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/panda-users/attachments/20150424/93c392bd/attachment-0009.png
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 194887 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/panda-users/attachments/20150424/93c392bd/attachment-0010.png
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 12246 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/panda-users/attachments/20150424/93c392bd/attachment-0011.png
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 63070 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/panda-users/attachments/20150424/93c392bd/attachment-0001.jpg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 90587 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/panda-users/attachments/20150424/93c392bd/attachment-0012.png
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 99277 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/panda-users/attachments/20150424/93c392bd/attachment-0013.png
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 13244 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/panda-users/attachments/20150424/93c392bd/attachment-0014.png
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 25300 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/panda-users/attachments/20150424/93c392bd/attachment-0015.png
More information about the panda-users
mailing list