<div dir="ltr"><div>i see.<br></div>thansk<br></div><div class="gmail_extra"><br><div class="gmail_quote">2015-04-20 11:55 GMT-04:00 Brendan Dolan-Gavitt <span dir="ltr"><<a href="mailto:brendandg@gatech.edu" target="_blank">brendandg@gatech.edu</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">It currently does not support anything except Windows 7, as the documentation says. It uses the OSI module, so it should be extensible fairly easily to the other operating systems OSI supports, which (thanks to Manolis) includes Linux on x86, but which I think does not include Linux on ARM.<div><br></div><div>In the future, also please create a new thread for new questions, rather than using the old one!</div><span class="HOEnZb"><font color="#888888"><div><br></div><div>-Brendan</div></font></span></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Apr 20, 2015 at 5:51 AM, xiaojuan Li <span dir="ltr"><<a href="mailto:xiaotan6666@gmail.com" target="_blank">xiaotan6666@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div>excuse me, i have noticed that the ida_taint plugin:"win7 only but othre os could be easily added". <br></div>i have installed ida pro in my system(debian),modified the ida_taint.bat with my ida path,when i use it :./ida_taint.bat name.json qemu-system-arm <br></div>it failed. it seems not available in linux, is it?<br></div>Thanks a lot!<br><div><div><div><br></div></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">2015-04-10 21:24 GMT-04:00 Brendan Dolan-Gavitt <span dir="ltr"><<a href="mailto:brendandg@gatech.edu" target="_blank">brendandg@gatech.edu</a>></span>:<div><div><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Once you have used PANDA's taint system to identify the portions of the code that process the data you're interested in, you will still have to analyze that code do understand how it works. One way to do that might be to use the scissors plugin to extract out the portion of the trace that contains the code you're interested in, and then replay it with QEMU's "-d in_asm -D asmlog.txt" options to get the disassembly for that code.<div><br></div><div>Alternatively, you could take a memory snapshot at some point when the code you want to analyze is in memory (using something like the pmemsave plugin in PANDA), then use Volatility to analyze that memory image to extract out the binary, which you could look at in IDA or something similar.</div><div><br></div><div>Basically – disassemble the code that handles the data you're interested in and find out how it works. Exactly what that means will depend on what you're hoping to accomplish.</div><span><font color="#888888"><div><br></div><div>-Brendan</div></font></span></div><div><div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Apr 10, 2015 at 9:07 PM, xiaojuan Li <span dir="ltr"><<a href="mailto:xiaotan6666@gmail.com" target="_blank">xiaotan6666@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi,<div>Thanks for your job first.</div><div>I am a little confused about the result of the tainted.how can I get enough information about the processing code from the binary? use the gdb?</div><div>Thanks!</div></div><div class="gmail_extra"><div><div><br><div class="gmail_quote">2015-04-10 12:05 GMT+08:00 xiaojuan Li <span dir="ltr"><<a href="mailto:xiaotan6666@gmail.com" target="_blank">xiaotan6666@gmail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Thanks for your guys great work!<br><div>and I will try.</div></div><div class="gmail_extra"><div><div><br><div class="gmail_quote">2015-04-10 11:42 GMT+08:00 Brendan Dolan-Gavitt <span dir="ltr"><<a href="mailto:brendandg@gatech.edu" target="_blank">brendandg@gatech.edu</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi,<div><br></div><div>Tim has just updated the tainted_instructions tutorial so that it reflects how things work now. Could you look through that tutorial and see if it helps with your problem?</div><div><br></div><div><a href="https://github.com/moyix/panda/blob/master/docs/tainted_instructions.md" target="_blank">https://github.com/moyix/panda/blob/master/docs/tainted_instructions.md</a><br></div><div><br></div><div>Note that you will probably need to do a "git pull" and rebuild (make clean ; ./build.sh) in order to make sure everything works as it says in the tutorial.</div><span><font color="#888888"><div><br></div><div>-Brendan</div></font></span></div><div><div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Apr 9, 2015 at 9:30 AM, xiaojuan Li <span dir="ltr"><<a href="mailto:xiaotan6666@gmail.com" target="_blank">xiaotan6666@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Now that the panda <a href="http://taint.md" target="_blank">taint.md</a> is not fresh,can you guys give me some help?<div>I use the replay plugin,here is my command and the result.</div><div><img src="cid:ii_i8a74py01_14c9e5c03434d79a" height="431" width="472"><br><img src="cid:ii_i8a74pyl2_14c9e5c03434d79a" height="363" width="472"><br><img src="cid:ii_i8a74pz03_14c9e5c03434d79a" height="442" width="472"><br><img src="cid:ii_i8a74pzc4_14c9e5c03434d79a" height="429" width="472"><br><br></div><div>the content of pk_search_strings.txt is :"sdt"</div><div><br></div><div>I am confused here:in the paper— Repeatable reverse with panda:</div><div>:<img src="cid:ii_i8a6iohl0_14c9e4c502ee48e7" height="220" width="436"></div><div>it is clear that:if I use the stringsearch and taint plugin,when it matches, the taint label will be put and then taint action will start.but when I use it, it seems wrong(the picture showed before):no taint action execute,and i am confused about the tstringsearch's result.</div><div>how can i use it to analysis?</div><div>Thanks a lot!</div><div> </div></div><div class="gmail_extra"><div><div><br><div class="gmail_quote">2015-04-08 10:14 GMT+08:00 xiaojuan Li <span dir="ltr"><<a href="mailto:xiaotan6666@gmail.com" target="_blank">xiaotan6666@gmail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I get the replay file by running runandroid script. and i use qemu-system-arm command just to do some replay work.<div>I may not understand you at all in this emal.do you mean that i should gdb the original program rather than the record file?</div><div>Thansk</div></div><div class="gmail_extra"><div><div><br><div class="gmail_quote">2015-04-08 9:52 GMT+08:00 Brendan Dolan-Gavitt <span dir="ltr"><<a href="mailto:brendandg@gatech.edu" target="_blank">brendandg@gatech.edu</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hmm. gdb should normally stop when you get a segfault.<div><br></div><div>Are you by any chance running PANDA using the runandroid script? If so, you will need to instead invoke PANDA manually, i.e.:</div><div><br></div><div>gdb --args arm-softmmu/qemu-system-arm [...]</div><div><br></div><div>And then once it crashes, type "bt" at the gdb prompt to get a backtrace.</div><span><font color="#888888"><div><br></div><div>-Brendan</div></font></span></div><div><div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Apr 7, 2015 at 9:47 PM, xiaojuan Li <span dir="ltr"><<a href="mailto:xiaotan6666@gmail.com" target="_blank">xiaotan6666@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">when gdb,it shows:<br><img src="cid:ii_i882pvfb3_14c96b5a1df3c8fd" height="93" width="472"><div>and then i see the log:it shows segfault:<br><img src="cid:ii_i882o5k12_14c96b46a91b20b2" height="305" width="472"></div><div><br><br></div></div><div class="gmail_extra"><div><div><br><div class="gmail_quote">2015-04-08 9:03 GMT+08:00 xiaojuan Li <span dir="ltr"><<a href="mailto:xiaotan6666@gmail.com" target="_blank">xiaotan6666@gmail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">maybe i am wrong.<div> i use the command line:"taint2:label_mode=binary,query_outgoing_network=1"and I found that when i use taint2, after it loads panda_taint2.so,it shows:"taint2:instructed not to inline taint ops .success".</div></div><div class="gmail_extra"><div><div><br><div class="gmail_quote">2015-04-08 8:54 GMT+08:00 xiaojuan Li <span dir="ltr"><<a href="mailto:xiaotan6666@gmail.com" target="_blank">xiaotan6666@gmail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">ok.<div>1.I want to use taint plugin to get information about some functions(of course, it is closed-source),so I think I can stringsearch potential data and then taint them and next I can locate the functions which solves these data.</div><div><br></div><div>2.the command line I used is : <span style="font-size:14px">stringsearch:name=***;</span><span style="font-size:14px">taint2:tainted_instructions=1.</span></div><div><br></div><div>thanks</div><div><span style="font-size:14px"><br></span></div></div><div class="gmail_extra"><div><div><br><div class="gmail_quote">2015-04-08 8:40 GMT+08:00 Brendan Dolan-Gavitt <span dir="ltr"><<a href="mailto:brendandg@gatech.edu" target="_blank">brendandg@gatech.edu</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Could you provide:<div><br></div><div>1. What information you're trying to get</div><div>2. The command line you're using to run PANDA with the taint2 plugin</div><div><br></div><div>?</div><div><br></div><div>Right now I believe taint2 does not produce very much output by default. Instead you use the -pandalog <filename> command line option, and taint2 will write its results there in pandalog format; you can then read them using pandalog_reader (see panda/pandalog_reader.c for details on that tool).</div><span><font color="#888888"><div><br></div><div>-Brendan</div></font></span></div><div><div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Apr 7, 2015 at 8:32 PM, xiaojuan Li <span dir="ltr"><<a href="mailto:xiaotan6666@gmail.com" target="_blank">xiaotan6666@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">when I tried taint2,it showed the same error with taint1, the olny difference is that taint2 has no segfault error,just uninit taint plugin.</div><div class="gmail_extra"><div><div><br><div class="gmail_quote">2015-04-08 8:28 GMT+08:00 Brendan Dolan-Gavitt <span dir="ltr"><<a href="mailto:brendandg@gatech.edu" target="_blank">brendandg@gatech.edu</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Could you be a little more descriptive about how it failed? Segfault? Error message? Incorrect output?<div><br></div><div>-Brendan</div></div><div class="gmail_extra"><br><div class="gmail_quote"><div><div>On Tue, Apr 7, 2015 at 8:27 PM, xiaojuan Li <span dir="ltr"><<a href="mailto:xiaotan6666@gmail.com" target="_blank">xiaotan6666@gmail.com</a>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div><div dir="ltr">i tried taint2 too,it failed.</div><div class="gmail_extra"><div><div><br><div class="gmail_quote">2015-04-07 5:20 GMT+08:00 Leek, Timothy - 0559 - MITLL <span dir="ltr"><<a href="mailto:tleek@ll.mit.edu" target="_blank">tleek@ll.mit.edu</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word;color:rgb(0,0,0);font-size:14px;font-family:Calibri,sans-serif"><div><div><div>Also note that the “taint” plugin is somewhat defunct. “taint2” is the one we are actively using and developing.</div><div><div>--</div><div>Tim Leek</div><div>Technical Staff</div><div>Cyber System Assessments</div><div>MIT Lincoln Laboratory</div><div><a href="tel:781-981-2975" value="+17819812975" target="_blank">781-981-2975</a></div><div><br></div></div></div></div><div><br></div><span><div style="font-family:Calibri;font-size:11pt;text-align:left;color:black;BORDER-BOTTOM:medium none;BORDER-LEFT:medium none;PADDING-BOTTOM:0in;PADDING-LEFT:0in;PADDING-RIGHT:0in;BORDER-TOP:#b5c4df 1pt solid;BORDER-RIGHT:medium none;PADDING-TOP:3pt"><span style="font-weight:bold">From: </span> Brendan Dolan-Gavitt <<a href="mailto:brendandg@gatech.edu" target="_blank">brendandg@gatech.edu</a>><br><span style="font-weight:bold">Date: </span> Monday, April 6, 2015 at 5:18 PM<br><span style="font-weight:bold">To: </span> xiaojuan Li <<a href="mailto:xiaotan6666@gmail.com" target="_blank">xiaotan6666@gmail.com</a>><br><span style="font-weight:bold">Cc: </span> "<a href="mailto:panda-users@mit.edu" target="_blank">panda-users@mit.edu</a>" <<a href="mailto:panda-users@mit.edu" target="_blank">panda-users@mit.edu</a>><br><span style="font-weight:bold">Subject: </span> Re: [panda-users] taint segmentation fault<br></div><div><div><div><br></div><div><div>
Could you run that under gdb and provide us with a backtrace when it crashes?
<div><br></div><div>-Brendan<br><br>
On Sunday, April 5, 2015, xiaojuan Li <<a href="mailto:xiaotan6666@gmail.com" target="_blank">xiaotan6666@gmail.com</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi,
<div>excuse me,i have a question about taint plugin:(stringsearch:name=***;taint:tainted_instructions=1)</div><div>when I started it showed success:</div><div><br></div><div><img src="cid:ii_i859ltl20_14c8c9637c6b2646" height="166" width="454"></div><div><br></div><div>but when it finished search,it showd "uninit taint plugin segementation fault"<br><img src="cid:ii_i859ltlx1_14c8c9637c6b2646" height="132" width="454"><br>
<br clear="all"><div>how can I fix it?</div><div>Thanks a lot!</div>
-- <br><div><div dir="ltr">wait and hope~~</div></div></div></div></blockquote></div></div></div></div></div></span></div>
</blockquote></div><br><br clear="all"><div><br></div></div></div><span><font color="#888888">-- <br><div><div dir="ltr">wait and hope~~</div></div>
</font></span></div>
<br></div></div>_______________________________________________<br>
panda-users mailing list<br>
<a href="mailto:panda-users@mit.edu" target="_blank">panda-users@mit.edu</a><br>
<a href="http://mailman.mit.edu/mailman/listinfo/panda-users" target="_blank">http://mailman.mit.edu/mailman/listinfo/panda-users</a><br>
<br></blockquote></div><br></div>
</blockquote></div><br><br clear="all"><div><br></div></div></div><span><font color="#888888">-- <br><div><div dir="ltr">wait and hope~~</div></div>
</font></span></div>
</blockquote></div><br></div>
</div></div></blockquote></div><br><br clear="all"><div><br></div></div></div><span><font color="#888888">-- <br><div><div dir="ltr">wait and hope~~</div></div>
</font></span></div>
</blockquote></div><br><br clear="all"><div><br></div></div></div><span><font color="#888888">-- <br><div><div dir="ltr">wait and hope~~</div></div>
</font></span></div>
</blockquote></div><br><br clear="all"><div><br></div></div></div><span><font color="#888888">-- <br><div><div dir="ltr">wait and hope~~</div></div>
</font></span></div>
</blockquote></div><br></div>
</div></div></blockquote></div><br><br clear="all"><div><br></div></div></div><span><font color="#888888">-- <br><div><div dir="ltr">wait and hope~~</div></div>
</font></span></div>
</blockquote></div><br><br clear="all"><div><br></div></div></div><span><font color="#888888">-- <br><div><div dir="ltr">wait and hope~~</div></div>
</font></span></div>
</blockquote></div><br></div>
</div></div></blockquote></div><br><br clear="all"><div><br></div></div></div><span><font color="#888888">-- <br><div><div dir="ltr">wait and hope~~</div></div>
</font></span></div>
</blockquote></div><br><br clear="all"><div><br></div></div></div><span><font color="#888888">-- <br><div><div dir="ltr">wait and hope~~</div></div>
</font></span></div>
</blockquote></div><br></div>
</div></div></blockquote></div></div></div><span><font color="#888888"><br><br clear="all"><br>-- <br><div><div dir="ltr">wait and hope~~</div></div>
</font></span></div>
</blockquote></div><br></div>
</div></div></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature"><div dir="ltr">wait and hope~~</div></div>
</div>