[panda-users] taint segmentation fault

xiaojuan Li xiaotan6666 at gmail.com
Sat Apr 25 09:18:58 EDT 2015


Excuse me, I want to say that the pmemsave plugin seems to have a problem:
using it with "pmemsave addr size file", there needs to be addr and size info,
but when running the emulator, we do not know the addr or the size we want.
And Volatility doesn't seem to work well.

Thanks

2015-04-10 21:24 GMT-04:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:

> Once you have used PANDA's taint system to identify the portions of the
> code that process the data you're interested in, you will still have to
> analyze that code to understand how it works. One way to do that might be
> to use the scissors plugin to extract out the portion of the trace that
> contains the code you're interested in, and then replay it with QEMU's "-d
> in_asm -D asmlog.txt" options to get the disassembly for that code.
>
> Alternatively, you could take a memory snapshot at some point when the
> code you want to analyze is in memory (using something like the pmemsave
> plugin in PANDA), then use Volatility to analyze that memory image to
> extract out the binary, which you could look at in IDA or something similar.
>
> Basically – disassemble the code that handles the data you're interested
> in and find out how it works. Exactly what that means will depend on what
> you're hoping to accomplish.
>
> -Brendan
>
> On Fri, Apr 10, 2015 at 9:07 PM, xiaojuan Li <xiaotan6666 at gmail.com>
> wrote:
>
>> Hi,
>> Thanks for your work first.
>> I am a little confused about the result of the tainting. How can I get
>> enough information about the processing code from the binary? Use gdb?
>> Thanks!
>>
>> 2015-04-10 12:05 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>
>>> Thanks for you guys' great work!
>>> I will try.
>>>
>>> 2015-04-10 11:42 GMT+08:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:
>>>
>>>> Hi,
>>>>
>>>> Tim has just updated the tainted_instructions tutorial so that it
>>>> reflects how things work now. Could you look through that tutorial and see
>>>> if it helps with your problem?
>>>>
>>>> https://github.com/moyix/panda/blob/master/docs/tainted_instructions.md
>>>>
>>>> Note that you will probably need to do a "git pull" and rebuild (make
>>>> clean ; ./build.sh) in order to make sure everything works as it says in
>>>> the tutorial.
>>>>
>>>> -Brendan
>>>>
>>>> On Thu, Apr 9, 2015 at 9:30 AM, xiaojuan Li <xiaotan6666 at gmail.com>
>>>> wrote:
>>>>
>>>>> Now that the panda taint.md is not fresh, can you guys give me some
>>>>> help?
>>>>> I use the replay plugin; here is my command and the result.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> The content of pk_search_strings.txt is: "sdt"
>>>>>
>>>>> I am confused here: in the paper "Repeatable reverse with panda":
>>>>> it is clear that if I use the stringsearch and taint plugins, when it
>>>>> matches, the taint label will be put and then taint action will start. But
>>>>> when I use it, it seems wrong (the picture shown before): no taint action
>>>>> executes, and I am confused about the tstringsearch's result.
>>>>> How can I use it for analysis?
>>>>> Thanks a lot!
>>>>>
>>>>> 2015-04-08 10:14 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>>
>>>>>> I get the replay file by running the runandroid script, and I use the
>>>>>> qemu-system-arm command just to do some replay work.
>>>>>> I may not understand you at all in this email. Do you mean that I
>>>>>> should gdb the original program rather than the record file?
>>>>>> Thanks
>>>>>>
>>>>>> 2015-04-08 9:52 GMT+08:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>
>>>>>> :
>>>>>>
>>>>>>> Hmm. gdb should normally stop when you get a segfault.
>>>>>>>
>>>>>>> Are you by any chance running PANDA using the runandroid script? If
>>>>>>> so, you will need to instead invoke PANDA manually, i.e.:
>>>>>>>
>>>>>>> gdb --args arm-softmmu/qemu-system-arm [...]
>>>>>>>
>>>>>>> And then once it crashes, type "bt" at the gdb prompt to get a
>>>>>>> backtrace.
>>>>>>>
>>>>>>> -Brendan
>>>>>>>
>>>>>>> On Tue, Apr 7, 2015 at 9:47 PM, xiaojuan Li <xiaotan6666 at gmail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> When I run gdb, it shows:
>>>>>>>> and then I see the log; it shows a segfault:
>>>>>>>>
>>>>>>>>
>>>>>>>> 2015-04-08 9:03 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>>>>>
>>>>>>>>> Maybe I am wrong.
>>>>>>>>> I use the command
>>>>>>>>> line: "taint2:label_mode=binary,query_outgoing_network=1" and I found that
>>>>>>>>> when I use taint2, after it loads panda_taint2.so, it
>>>>>>>>> shows: "taint2:instructed not to inline taint ops .success".
>>>>>>>>>
>>>>>>>>> 2015-04-08 8:54 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>>>>>>>>>
>>>>>>>>>> OK.
>>>>>>>>>> 1. I want to use the taint plugin to get information about some
>>>>>>>>>> functions (of course, it is closed-source), so I think I can stringsearch
>>>>>>>>>> potential data and then taint them, and next I can locate the functions
>>>>>>>>>> which handle these data.
>>>>>>>>>>
>>>>>>>>>> 2. The command line I used is: stringsearch:name=***;
>>>>>>>>>> taint2:tainted_instructions=1.
>>>>>>>>>>
>>>>>>>>>> Thanks
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> 2015-04-08 8:40 GMT+08:00 Brendan Dolan-Gavitt <
>>>>>>>>>> brendandg at gatech.edu>:
>>>>>>>>>>
>>>>>>>>>>> Could you provide:
>>>>>>>>>>>
>>>>>>>>>>> 1. What information you're trying to get
>>>>>>>>>>> 2. The command line you're using to run PANDA with the taint2
>>>>>>>>>>> plugin
>>>>>>>>>>>
>>>>>>>>>>> ?
>>>>>>>>>>>
>>>>>>>>>>> Right now I believe taint2 does not produce very much output by
>>>>>>>>>>> default. Instead you use the -pandalog <filename> command line option, and
>>>>>>>>>>> taint2 will write its results there in pandalog format; you can then read
>>>>>>>>>>> them using pandalog_reader (see panda/pandalog_reader.c for details on that
>>>>>>>>>>> tool).
>>>>>>>>>>>
>>>>>>>>>>> -Brendan
>>>>>>>>>>>
>>>>>>>>>>> On Tue, Apr 7, 2015 at 8:32 PM, xiaojuan Li <
>>>>>>>>>>> xiaotan6666 at gmail.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> When I tried taint2, it showed the same error as taint1; the
>>>>>>>>>>>> only difference is that taint2 has no segfault error, just uninit taint
>>>>>>>>>>>> plugin.
>>>>>>>>>>>>
>>>>>>>>>>>> 2015-04-08 8:28 GMT+08:00 Brendan Dolan-Gavitt <
>>>>>>>>>>>> brendandg at gatech.edu>:
>>>>>>>>>>>>
>>>>>>>>>>>>> Could you be a little more descriptive about how it failed?
>>>>>>>>>>>>> Segfault? Error message? Incorrect output?
>>>>>>>>>>>>>
>>>>>>>>>>>>> -Brendan
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Tue, Apr 7, 2015 at 8:27 PM, xiaojuan Li <
>>>>>>>>>>>>> xiaotan6666 at gmail.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> I tried taint2 too; it failed.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> 2015-04-07 5:20 GMT+08:00 Leek, Timothy - 0559 - MITLL <
>>>>>>>>>>>>>> tleek at ll.mit.edu>:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Also note that the “taint” plugin is somewhat defunct.
>>>>>>>>>>>>>>> “taint2” is the one we are actively using and developing.
>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>> Tim Leek
>>>>>>>>>>>>>>> Technical Staff
>>>>>>>>>>>>>>> Cyber System Assessments
>>>>>>>>>>>>>>> MIT Lincoln Laboratory
>>>>>>>>>>>>>>> 781-981-2975
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> From: Brendan Dolan-Gavitt <brendandg at gatech.edu>
>>>>>>>>>>>>>>> Date: Monday, April 6, 2015 at 5:18 PM
>>>>>>>>>>>>>>> To: xiaojuan Li <xiaotan6666 at gmail.com>
>>>>>>>>>>>>>>> Cc: "panda-users at mit.edu" <panda-users at mit.edu>
>>>>>>>>>>>>>>> Subject: Re: [panda-users] taint segmentation fault
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Could you run that under gdb and provide us with a backtrace
>>>>>>>>>>>>>>> when it crashes?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> -Brendan
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Sunday, April 5, 2015, xiaojuan Li <xiaotan6666 at gmail.com>
>>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>> Excuse me, I have a question about the taint
>>>>>>>>>>>>>>>> plugin: (stringsearch:name=***;taint:tainted_instructions=1)
>>>>>>>>>>>>>>>> When I started it, it showed success:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> but when it finished searching, it showed "uninit taint plugin
>>>>>>>>>>>>>>>> segementation fault"
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> How can I fix it?
>>>>>>>>>>>>>>>> Thanks a lot!
>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>> wait and hope~~
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> wait and hope~~
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> wait and hope~~
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> wait and hope~~
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> wait and hope~~
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> wait and hope~~
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> wait and hope~~
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> wait and hope~~
>>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> wait and hope~~
>>>
>>
>>
>>
>> --
>> wait and hope~~
>>
>
>


-- 
wait and hope~~