<div dir="ltr"><div><div>1. The command I use is:<br></div>./qemu-system-arm -m 512 -replay api414-4-20 -M android_arm -kernel /dev/null -android -panda "stringsearch:name=test;tstringsearch;tainted_instr" <br></div>2. The output is:<br>Adding PANDA arg stringsearch:name=test.<br>adding /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_stringsearch.so to panda_plugin_files 0<br>adding /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_tstringsearch.so to panda_plugin_files 1<br>adding /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_tainted_instr.so to panda_plugin_files 2<br>emulator: registered 'boot-properties' qemud service<br>emulator: Adding boot property: 'dalvik.vm.heapsize' = '48m'<br>emulator: Adding boot property: 'qemu.sf.fake_camera' = 'both'<br>emulator: Adding boot property: 'qemu.hw.mainkeys' = '0'<br>loading /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_stringsearch.so<br>Initializing plugin stringsearch<br>panda_require: callstack_instr<br>loading /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_callstack_instr.so<br>Initializing plugin callstack_instr<br>Success<br>stringsearch: added string of length 14 to search set<br>Success<br>loading /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_tstringsearch.so<br>Initializing tstringsearch<br>panda_require: stringsearch<br>panda_load_plugin: /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_stringsearch.so already loaded<br>panda_require: taint2<br>loading /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_taint2.so<br>Initializing taint plugin<br>taint2: Instructed not to inline taint ops.<br>panda_require: callstack_instr<br>panda_load_plugin: /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_callstack_instr.so already loaded<br>Success<br>Success<br>loading /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_tainted_instr.so<br>panda_require: taint2<br>panda_load_plugin: 
/home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_taint2.so already loaded<br>panda_require: callstack_instr<br>panda_load_plugin: /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_callstack_instr.so already loaded<br>Success<br>goldfish_add_device: goldfish_device_bus, base ff001000 1000, irq 1 1<br>goldfish_device_bus: ff001000 30<br>goldfish_add_device: goldfish_int, base ff000000 1000, irq 0 0<br>goldfish_int: ff000000 38<br>goldfish_add_device: goldfish_timer, base ff003000 1000, irq 3 1<br>goldfish_timer: ff003000 40<br>goldfish_add_device: goldfish_rtc, base ff010000 1000, irq 10 1<br>goldfish_rtc: ff010000 48<br>goldfish_add_device: goldfish_tty, base ff002000 1000, irq 4 1<br>goldfish_tty: ff002000 50<br>android_arm_init serial 1 0<br>android_arm_init serial 2 0<br>android_arm_init serial 3 0<br>goldfish_add_device: smc91x, base ff011000 1000, irq 11 1<br>goldfish_add_device: goldfish_fb, base ff012000 1000, irq 12 1<br>goldfish_fb: ff012000 68<br>Using tmpfile for SD card: /tmp/android-shentanli/emulator-P6kmpf<br>goldfish_add_device: goldfish_mmc, base ff005000 1000, irq 13 1<br>goldfish_mmc: ff005000 70<br>goldfish_add_device: goldfish_memlog, base ff006000 1000, irq 0 0<br>goldfish_memlog: ff006000 78<br>goldfish_add_device: goldfish-battery, base ff013000 1000, irq 14 1<br>goldfish-battery: ff013000 80<br>goldfish_add_device: goldfish_events, base ff014000 1000, irq 15 1<br>goldfish_events: ff014000 88<br>Using event IRQ<br>Invalid system partition size for non-QCOW image: 0emulator: geometry says there are 0 blocks<br><br>emulator: Dev size of /tmp/android-shentanli/emulator-jxC2Uf is 0<br><br>Invalid data partition size for non-QCOW image: 0emulator: Dev size 0x0 came from argument<br><br>emulator: geometry says there are 0 blocks<br><br>emulator: Dev size of /tmp/android-shentanli/emulator-2FZLqg is 0<br><br>emulator: Dev size 0x0 came from argument<br><br>emulator: geometry says there are 0 blocks<br><br>emulator: Dev size 
of /tmp/android-shentanli/emulator-lyszWg is 0<br><br>goldfish_add_device: goldfish_nand, base ff015000 1000, irq 16 1<br>goldfish_nand: ff015000 90<br>goldfish_add_device: qemu_pipe, base ff016000 2000, irq 17 1<br>qemu_pipe: ff016000 98<br>emulator: control console listening on port 5554, ADB on port 5555<br>emulator: can't connect to ADB server: Connection refused<br>emulator: Realistic sensor emulation is not available, since the remote controller is not accessible:<br> Connection refused<br>loading snapshot<br>emulator: Adding boot property: 'dalvik.vm.heapsize' = '48m'<br>emulator: Adding boot property: 'qemu.sf.fake_camera' = 'both'<br>emulator: Adding boot property: 'qemu.hw.mainkeys' = '0'<br>Unknown savevm section or instance 'goldfish_tty' 1<br>... done.<br><br>Logging all cpu states<br>CPU #0:<br>R00=00000000 R01=c049bcb8 R02=00000000 R03=00000000<br>R04=c0480000 R05=c04b9948 R06=c048fd34 R07=c047b374<br>R08=c0a05100 R09=410fc090 R10=00000000 R11=00000000<br>R12=c049bcb8 R13=c0481fb0 R14=c000e3f4 R15=c00158c8<br>PSR=60000093 -ZC- A svc32<br>opening nondet log for read : /home/shentanli/pandanew/scripts/api414-4-20-rr-nondet.log<br>api414-4-20: 81316759 ( 1.04%) instrs. 7.52 sec. 0.61 GB ram.<br>api414-4-20: 156342747 ( 2.00%) instrs. 15.90 sec. 0.69 GB ram.<br>api414-4-20: 234368551 ( 3.00%) instrs. 24.93 sec. 0.76 GB ram.<br>api414-4-20: 312493247 ( 4.00%) instrs. 35.45 sec. 0.83 GB ram.<br>api414-4-20: 390616091 ( 5.00%) instrs. 43.97 sec. 0.87 GB ram.<br>api414-4-20: 468738195 ( 6.00%) instrs. 49.32 sec. 0.90 GB ram.<br>api414-4-20: 547631582 ( 7.01%) instrs. 54.12 sec. 0.93 GB ram.<br>api414-4-20: 624983872 ( 8.00%) instrs. 57.67 sec. 0.94 GB ram.<br>api414-4-20: 703122355 ( 9.00%) instrs. 60.94 sec. 0.94 GB ram.<br>api414-4-20: 783198179 ( 10.03%) instrs. 64.60 sec. 
0.95 GB ram.<br>READ Match of str 0 at: instr_count=812336749 : 72a7562e b6cb2e02 0d36c000<br>tstringsearch: thestring = [passwordisqemu]<br>tstringsearch: 70 61 73 73 77 6f 72 64 69 73 71 65 6d 75 <br>tstringsearch: string in memory @ 0xa70d6212<br>enabling taint at instr count 812336749<br>taint2: __taint_enable_taint<br>taint2: Creating byte-level taint processor<br>taint2: Allocating large fast_shad (8589934592 bytes) @ 0x10000000000.<br>taint2: Hugetlb failed. Trying without.<br>taint2: Allocating large fast_shad (8589934592 bytes) @ 0x20000000000.<br>taint2: Hugetlb failed. Trying without.<br>taint2: Allocating large fast_shad (8589934592 bytes) @ 0x30000000000.<br>taint2: Hugetlb failed. Trying without.<br>taint2: Allocating large fast_shad (8589934592 bytes) @ 0x40000000000.<br>taint2: Hugetlb failed. Trying without.<br>taint2: Allocating large fast_shad (8589934592 bytes) @ 0x50000000000.<br>taint2: Hugetlb failed. Trying without.<br>taint2: Allocating large fast_shad (8589934592 bytes) @ 0x60000000000.<br>taint2: Hugetlb failed. Trying without.<br>taint2: Allocating large fast_shad (8589934592 bytes) @ 0x70000000000.<br>taint2: Hugetlb failed. Trying without.<br>taint2: Allocating large fast_shad (8589934592 bytes) @ 0x80000000000.<br>taint2: Hugetlb failed. Trying without.<br>taint2: Allocating large fast_shad (8589934592 bytes) @ 0x90000000000.<br>taint2: Hugetlb failed. 
Trying without.<br>Cannot allocate memory<br>taint2: Allocating small fast_shad (12800000 bytes) using malloc @ 7f8b608d0010.<br>taint2: Allocating small fast_shad (256 bytes) using malloc @ 16be2a70.<br>taint2: Allocating small fast_shad (1024 bytes) using malloc @ 171c3540.<br>taint2: Allocating small fast_shad (867840 bytes) using malloc @ 1720ddd0.<br>taint2: Linking taint ops from /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_taint2_ops.bc<br>taint2: Done initializing taint transformation.<br>taint2: Done processing helper functions for taint.<br>taint2: Done verifying module. Running...<br><br>****************************************************************************<br>applying taint labels to search string of length 14 @ p=0xa70d6212<br>******************************************************************************<br>Segmentation fault<br><br></div><div class="gmail_extra"><br><div class="gmail_quote">2015-04-20 22:42 GMT-04:00 Brendan Dolan-Gavitt <span dir="ltr"><<a href="mailto:brendandg@gatech.edu" target="_blank">brendandg@gatech.edu</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I am currently running your taint replay, and it is (so far) working<br>
fine. Here is the (slightly abbreviated) output I get:<br>
<br>
api414-4-20: 783198179 ( 10.03%) instrs. 218.26 sec. 0.96 GB ram.<br>
READ Match of str 0 at: instr_count=812336749 : 72a7562e b6cb2e02 0d36c000<br>
tstringsearch: thestring = [passwordisqemu]<br>
tstringsearch: 70 61 73 73 77 6f 72 64 69 73 71 65 6d 75<br>
tstringsearch: string in memory @ 0xa70d6212<br>
enabling taint at instr count 812336749<br>
taint2: __taint_enable_taint<br>
taint2: Creating byte-level taint processor<br>
taint2: Allocating large fast_shad (8589934592 bytes).<br>
taint2: Hugetlb failed. Trying without.<br>
taint2: Allocating small fast_shad (12800000 bytes) using malloc @ 7fdd165c6010.<br>
taint2: Allocating small fast_shad (256 bytes) using malloc @ 7fdd0bec21a0.<br>
taint2: Allocating small fast_shad (1024 bytes) using malloc @ 7fdcfc49ddc0.<br>
taint2: Allocating small fast_shad (867840 bytes) using malloc @ 7fdcfc4e7db0.<br>
taint2: Linking taint ops from<br>
/scratch/git/pandroid/qemu/arm-softmmu/panda_plugins/panda_taint2_ops.bc<br>
taint2: Done initializing taint transformation.<br>
taint2: Done processing helper functions for taint.<br>
taint2: Done verifying module. Running...<br>
<br>
****************************************************************************<br>
applying taint labels to search string of length 14 @ p=0xa70d6212<br>
******************************************************************************<br>
READ Match of str 0 at: instr_count=812336765 : 72a7562e b6cb2a2a 0d36c000<br>
tstringsearch: thestring = [passwordisqemu]<br>
tstringsearch: 70 61 73 73 77 6f 72 64 69 73 71 65 6d 75<br>
tstringsearch: string in memory @ 0xa70d6212<br>
<br>
****************************************************************************<br>
applying taint labels to search string of length 14 @ p=0xa70d6212<br>
******************************************************************************<br>
READ Match of str 0 at: instr_count=812337316 : 72a7562e b6cb2e4a 0d36c000<br>
tstringsearch: thestring = [passwordisqemu]<br>
tstringsearch: 70 61 73 73 77 6f 72 64 69 73 71 65 6d 75<br>
tstringsearch: string in memory @ 0xa70d6212<br>
<br>
****************************************************************************<br>
applying taint labels to search string of length 14 @ p=0xa70d6212<br>
******************************************************************************<br>
READ Match of str 0 at: instr_count=812337331 : 72a7562e b6cb2a2a 0d36c000<br>
tstringsearch: thestring = [passwordisqemu]<br>
tstringsearch: 70 61 73 73 77 6f 72 64 69 73 71 65 6d 75<br>
tstringsearch: string in memory @ 0xa70d6212<br>
<br>
****************************************************************************<br>
applying taint labels to search string of length 14 @ p=0xa70d6212<br>
******************************************************************************<br>
api414-4-20: 859399601 ( 11.00%) instrs. 658.13 sec. 3.27 GB ram.<br>
api414-4-20: 937474512 ( 12.00%) instrs. 1017.48 sec. 4.70 GB ram.<br>
api414-4-20: 1015597970 ( 13.00%) instrs. 1265.76 sec. 5.58 GB ram.<br>
<br>
My command line to replay was:<br>
<br>
arm-softmmu/qemu-system-arm -m 512 -replay api414-4-20 -M android_arm<br>
-cpu cortex-a9 -android -kernel /dev/null -pandalog api.log -panda<br>
'stringsearch:name=api;tstringsearch;tainted_instr'<br>
<br>
From the screenshot you posted earlier, it looks like yours had<br>
already failed by this point. If you are still getting a segfault with<br>
this replay, could you post:<br>
<br>
1. The full command line you are using (as text, not a screenshot)<br>
2. The full output from PANDA up to the point where the segfault<br>
happens (as text, not a screenshot)<br>
<span class="HOEnZb"><font color="#888888"><br>
-Brendan<br>
</font></span><div class="HOEnZb"><div class="h5"><br>
On Mon, Apr 20, 2015 at 7:57 PM, xiaojuan Li <<a href="mailto:xiaotan6666@gmail.com">xiaotan6666@gmail.com</a>> wrote:<br>
> I know you are busy.<br>
> I just got stuck in this taint step but have no idea how to fix it... (I used a core<br>
> dump to find where it segfaults.)<br>
> Here is the 512M version:<br>
> <a href="http://pan.baidu.com/s/1mgopzIg" target="_blank">http://pan.baidu.com/s/1mgopzIg</a><br>
> The content of the search string .txt is "passwordisqemu".<br>
> Thanks!<br>
><br>
> 2015-04-20 11:32 GMT-04:00 Brendan Dolan-Gavitt <<a href="mailto:brendandg@gatech.edu">brendandg@gatech.edu</a>>:<br>
><br>
>> I will try to reproduce from those instructions in the next couple days.<br>
>> Sorry for the delay! Did you post the .rr of the recording with 512M<br>
>> somewhere? I only saw the 2G one.<br>
>><br>
>> Thanks,<br>
>> Brendan<br>
>><br>
>> On Mon, Apr 20, 2015 at 8:07 AM, xiaojuan Li <<a href="mailto:xiaotan6666@gmail.com">xiaotan6666@gmail.com</a>><br>
>> wrote:<br>
>>><br>
>>> About the taint segfault: if you cannot download the .rr I uploaded<br>
>>> before, you can follow these steps to reproduce:<br>
>>> 1) Use Android Studio to create an AVD, choose the api21 target (Android 5.0.1) and use<br>
>>> the default size; you get cache.img, sdcard.img, data.img and<br>
>>> system.img, and then copy kernel-qemu & ramdisk.img from sdk/systemimg;<br>
>>> 2) use pandaCovert.py to convert them and get the<br>
>>> (cache,data,system)-pandroid.qcow2 as well as kernel and initramfs;<br>
>>> 3) use runpandroid.py (-m 512) to boot the emulator; telnet in and begin_record;<br>
>>> 4) run an app and input a string; end_record;<br>
>>> 5) use qemu-system-arm to replay (-m 512) with the PANDA<br>
>>> plugins stringsearch, tstringsearch, tainted_instr (the search string .txt is<br>
>>> the string you input).<br>
>>><br>
>>> Do you guys get the segfault?<br>
>>> How can I fix it?<br>
>>> Thanks a lot!<br>
>>><br>
>>> 2015-04-20 17:51 GMT+08:00 xiaojuan Li <<a href="mailto:xiaotan6666@gmail.com">xiaotan6666@gmail.com</a>>:<br>
>>>><br>
>>>> Excuse me, I have noticed that the ida_taint plugin says: "win7 only but other<br>
>>>> os could be easily added".<br>
>>>> I have installed IDA Pro on my system (Debian) and modified ida_taint.bat<br>
>>>> with my IDA path; when I use it: ./ida_taint.bat name.json qemu-system-arm<br>
>>>> it failed. It seems not to be available on Linux, is it?<br>
>>>> Thanks a lot!<br>
>>>><br>
>>>><br>
>>>> 2015-04-10 21:24 GMT-04:00 Brendan Dolan-Gavitt <<a href="mailto:brendandg@gatech.edu">brendandg@gatech.edu</a>>:<br>
>>>><br>
>>>>> Once you have used PANDA's taint system to identify the portions of the<br>
>>>>> code that process the data you're interested in, you will still have to<br>
>>>>> analyze that code to understand how it works. One way to do that might be to<br>
>>>>> use the scissors plugin to extract out the portion of the trace that<br>
>>>>> contains the code you're interested in, and then replay it with QEMU's "-d<br>
>>>>> in_asm -D asmlog.txt" options to get the disassembly for that code.<br>
>>>>><br>
>>>>> Alternatively, you could take a memory snapshot at some point when the<br>
>>>>> code you want to analyze is in memory (using something like the pmemsave<br>
>>>>> plugin in PANDA), then use Volatility to analyze that memory image to<br>
>>>>> extract out the binary, which you could look at in IDA or something similar.<br>
>>>>><br>
>>>>> Basically – disassemble the code that handles the data you're<br>
>>>>> interested in and find out how it works. Exactly what that means will depend<br>
>>>>> on what you're hoping to accomplish.<br>
>>>>><br>
>>>>> -Brendan<br>
>>>>><br>
>>>>> On Fri, Apr 10, 2015 at 9:07 PM, xiaojuan Li <<a href="mailto:xiaotan6666@gmail.com">xiaotan6666@gmail.com</a>><br>
>>>>> wrote:<br>
>>>>>><br>
>>>>>> Hi,<br>
>>>>>> Thanks for your job first.<br>
>>>>>> I am a little confused about the result of the taint. How can I get<br>
>>>>>> enough information about the processing code from the binary? Use gdb?<br>
>>>>>> Thanks!<br>
>>>>>><br>
>>>>>> 2015-04-10 12:05 GMT+08:00 xiaojuan Li <<a href="mailto:xiaotan6666@gmail.com">xiaotan6666@gmail.com</a>>:<br>
>>>>>>><br>
>>>>>>> Thanks for you guys' great work!<br>
>>>>>>> and I will try.<br>
>>>>>>><br>
>>>>>>> 2015-04-10 11:42 GMT+08:00 Brendan Dolan-Gavitt<br>
>>>>>>> <<a href="mailto:brendandg@gatech.edu">brendandg@gatech.edu</a>>:<br>
>>>>>>>><br>
>>>>>>>> Hi,<br>
>>>>>>>><br>
>>>>>>>> Tim has just updated the tainted_instructions tutorial so that it<br>
>>>>>>>> reflects how things work now. Could you look through that tutorial and see<br>
>>>>>>>> if it helps with your problem?<br>
>>>>>>>><br>
>>>>>>>><br>
>>>>>>>> <a href="https://github.com/moyix/panda/blob/master/docs/tainted_instructions.md" target="_blank">https://github.com/moyix/panda/blob/master/docs/tainted_instructions.md</a><br>
>>>>>>>><br>
>>>>>>>> Note that you will probably need to do a "git pull" and rebuild<br>
>>>>>>>> (make clean ; ./build.sh) in order to make sure everything works as it says<br>
>>>>>>>> in the tutorial.<br>
>>>>>>>><br>
>>>>>>>> -Brendan<br>
>>>>>>>><br>
>>>>>>>> On Thu, Apr 9, 2015 at 9:30 AM, xiaojuan Li <<a href="mailto:xiaotan6666@gmail.com">xiaotan6666@gmail.com</a>><br>
>>>>>>>> wrote:<br>
>>>>>>>>><br>
>>>>>>>>> Now that the PANDA taint.md is not fresh, can you guys give me some<br>
>>>>>>>>> help?<br>
>>>>>>>>> I use the replay plugin; here is my command and the result.<br>
>>>>>>>>><br>
>>>>>>>>><br>
>>>>>>>>><br>
>>>>>>>>><br>
>>>>>>>>><br>
</div></div><span class="im HOEnZb">>>>>>>>>> the content of pk_search_strings.txt is: "sdt"<br>
>>>>>>>>><br>
>>>>>>>>> I am confused here: in the paper "Repeatable reverse with panda":<br>
</span><span class="im HOEnZb">>>>>>>>>> it is clear that if I use the stringsearch and taint plugins, when it<br>
>>>>>>>>> matches, the taint label will be applied and then the taint action will start. But<br>
>>>>>>>>> when I use it, it seems wrong (the picture shown before): no taint action<br>
>>>>>>>>> executes, and I am confused about tstringsearch's result.<br>
>>>>>>>>> How can I use it for analysis?<br>
>>>>>>>>> Thanks a lot!<br>
>>>>>>>>><br>
>>>>>>>>><br>
>>>>>>>>> 2015-04-08 10:14 GMT+08:00 xiaojuan Li <<a href="mailto:xiaotan6666@gmail.com">xiaotan6666@gmail.com</a>>:<br>
>>>>>>>>>><br>
>>>>>>>>>> I got the replay file by running the runandroid script, and I use the<br>
>>>>>>>>>> qemu-system-arm command just to do some replay work.<br>
>>>>>>>>>> I may not understand you at all in this email. Do you mean that I<br>
>>>>>>>>>> should gdb the original program rather than the record file?<br>
>>>>>>>>>> Thanks<br>
>>>>>>>>>><br>
>>>>>>>>>> 2015-04-08 9:52 GMT+08:00 Brendan Dolan-Gavitt<br>
>>>>>>>>>> <<a href="mailto:brendandg@gatech.edu">brendandg@gatech.edu</a>>:<br>
>>>>>>>>>>><br>
>>>>>>>>>>> Hmm. gdb should normally stop when you get a segfault.<br>
>>>>>>>>>>><br>
>>>>>>>>>>> Are you by any chance running PANDA using the runandroid script?<br>
>>>>>>>>>>> If so, you will need to instead invoke PANDA manually, i.e.:<br>
>>>>>>>>>>><br>
>>>>>>>>>>> gdb --args arm-softmmu/qemu-system-arm [...]<br>
>>>>>>>>>>><br>
>>>>>>>>>>> And then once it crashes, type "bt" at the gdb prompt to get a<br>
>>>>>>>>>>> backtrace.<br>
>>>>>>>>>>><br>
>>>>>>>>>>> -Brendan<br>
>>>>>>>>>>><br>
>>>>>>>>>>> On Tue, Apr 7, 2015 at 9:47 PM, xiaojuan Li<br>
>>>>>>>>>>> <<a href="mailto:xiaotan6666@gmail.com">xiaotan6666@gmail.com</a>> wrote:<br>
>>>>>>>>>>>><br>
>>>>>>>>>>>> When running gdb, it shows:<br>
</span><span class="im HOEnZb">>>>>>>>>>>>> and then I see the log; it shows a segfault:<br>
>>>>>>>>>>>><br>
>>>>>>>>>>>><br>
>>>>>>>>>>>><br>
</span><div class="HOEnZb"><div class="h5">>>>>>>>>>>>> 2015-04-08 9:03 GMT+08:00 xiaojuan Li <<a href="mailto:xiaotan6666@gmail.com">xiaotan6666@gmail.com</a>>:<br>
>>>>>>>>>>>>><br>
>>>>>>>>>>>>> Maybe I am wrong.<br>
>>>>>>>>>>>>> I use the command<br>
>>>>>>>>>>>>> line "taint2:label_mode=binary,query_outgoing_network=1" and I found that<br>
>>>>>>>>>>>>> when I use taint2, after it loads panda_taint2.so, it<br>
>>>>>>>>>>>>> shows: "taint2:instructed not to inline taint ops .success".<br>
>>>>>>>>>>>>><br>
>>>>>>>>>>>>> 2015-04-08 8:54 GMT+08:00 xiaojuan Li <<a href="mailto:xiaotan6666@gmail.com">xiaotan6666@gmail.com</a>>:<br>
>>>>>>>>>>>>>><br>
>>>>>>>>>>>>>> OK.<br>
>>>>>>>>>>>>>> 1. I want to use the taint plugin to get information about some<br>
>>>>>>>>>>>>>> functions (of course, they are closed-source), so I think I can stringsearch<br>
>>>>>>>>>>>>>> potential data and then taint them, and next I can locate the functions which<br>
>>>>>>>>>>>>>> handle these data.<br>
>>>>>>>>>>>>>><br>
>>>>>>>>>>>>>> 2. The command line I used is:<br>
>>>>>>>>>>>>>> stringsearch:name=***;taint2:tainted_instructions=1.<br>
>>>>>>>>>>>>>><br>
>>>>>>>>>>>>>> thanks<br>
>>>>>>>>>>>>>><br>
>>>>>>>>>>>>>><br>
>>>>>>>>>>>>>> 2015-04-08 8:40 GMT+08:00 Brendan Dolan-Gavitt<br>
>>>>>>>>>>>>>> <<a href="mailto:brendandg@gatech.edu">brendandg@gatech.edu</a>>:<br>
>>>>>>>>>>>>>>><br>
>>>>>>>>>>>>>>> Could you provide:<br>
>>>>>>>>>>>>>>><br>
>>>>>>>>>>>>>>> 1. What information you're trying to get<br>
>>>>>>>>>>>>>>> 2. The command line you're using to run PANDA with the taint2<br>
>>>>>>>>>>>>>>> plugin<br>
>>>>>>>>>>>>>>><br>
>>>>>>>>>>>>>>> ?<br>
>>>>>>>>>>>>>>><br>
>>>>>>>>>>>>>>> Right now I believe taint2 does not produce very much output<br>
>>>>>>>>>>>>>>> by default. Instead you use the -pandalog <filename> command line option,<br>
>>>>>>>>>>>>>>> and taint2 will write its results there in pandalog format; you can then<br>
>>>>>>>>>>>>>>> read them using pandalog_reader (see panda/pandalog_reader.c for details on<br>
>>>>>>>>>>>>>>> that tool).<br>
>>>>>>>>>>>>>>><br>
>>>>>>>>>>>>>>> -Brendan<br>
>>>>>>>>>>>>>>><br>
>>>>>>>>>>>>>>> On Tue, Apr 7, 2015 at 8:32 PM, xiaojuan Li<br>
>>>>>>>>>>>>>>> <<a href="mailto:xiaotan6666@gmail.com">xiaotan6666@gmail.com</a>> wrote:<br>
>>>>>>>>>>>>>>>><br>
>>>>>>>>>>>>>>>> When I tried taint2, it showed the same error as taint1;<br>
>>>>>>>>>>>>>>>> the only difference is that taint2 has no segfault error, just "uninit taint<br>
>>>>>>>>>>>>>>>> plugin".<br>
>>>>>>>>>>>>>>>><br>
>>>>>>>>>>>>>>>> 2015-04-08 8:28 GMT+08:00 Brendan Dolan-Gavitt<br>
>>>>>>>>>>>>>>>> <<a href="mailto:brendandg@gatech.edu">brendandg@gatech.edu</a>>:<br>
>>>>>>>>>>>>>>>>><br>
>>>>>>>>>>>>>>>>> Could you be a little more descriptive about how it failed?<br>
>>>>>>>>>>>>>>>>> Segfault? Error message? Incorrect output?<br>
>>>>>>>>>>>>>>>>><br>
>>>>>>>>>>>>>>>>> -Brendan<br>
>>>>>>>>>>>>>>>>><br>
>>>>>>>>>>>>>>>>> On Tue, Apr 7, 2015 at 8:27 PM, xiaojuan Li<br>
>>>>>>>>>>>>>>>>> <<a href="mailto:xiaotan6666@gmail.com">xiaotan6666@gmail.com</a>> wrote:<br>
>>>>>>>>>>>>>>>>>><br>
>>>>>>>>>>>>>>>>>> I tried taint2 too; it failed.<br>
>>>>>>>>>>>>>>>>>><br>
>>>>>>>>>>>>>>>>>> 2015-04-07 5:20 GMT+08:00 Leek, Timothy - 0559 - MITLL<br>
>>>>>>>>>>>>>>>>>> <<a href="mailto:tleek@ll.mit.edu">tleek@ll.mit.edu</a>>:<br>
>>>>>>>>>>>>>>>>>>><br>
>>>>>>>>>>>>>>>>>>> Also note that the “taint” plugin is somewhat defunct.<br>
>>>>>>>>>>>>>>>>>>> “taint2” is the one we are actively using and developing.<br>
>>>>>>>>>>>>>>>>>>> --<br>
>>>>>>>>>>>>>>>>>>> Tim Leek<br>
>>>>>>>>>>>>>>>>>>> Technical Staff<br>
>>>>>>>>>>>>>>>>>>> Cyber System Assessments<br>
>>>>>>>>>>>>>>>>>>> MIT Lincoln Laboratory<br>
>>>>>>>>>>>>>>>>>>> <a href="tel:781-981-2975" value="+17819812975">781-981-2975</a><br>
>>>>>>>>>>>>>>>>>>><br>
>>>>>>>>>>>>>>>>>>><br>
>>>>>>>>>>>>>>>>>>> From: Brendan Dolan-Gavitt <<a href="mailto:brendandg@gatech.edu">brendandg@gatech.edu</a>><br>
>>>>>>>>>>>>>>>>>>> Date: Monday, April 6, 2015 at 5:18 PM<br>
>>>>>>>>>>>>>>>>>>> To: xiaojuan Li <<a href="mailto:xiaotan6666@gmail.com">xiaotan6666@gmail.com</a>><br>
>>>>>>>>>>>>>>>>>>> Cc: "<a href="mailto:panda-users@mit.edu">panda-users@mit.edu</a>" <<a href="mailto:panda-users@mit.edu">panda-users@mit.edu</a>><br>
>>>>>>>>>>>>>>>>>>> Subject: Re: [panda-users] taint segmentation fault<br>
>>>>>>>>>>>>>>>>>>><br>
>>>>>>>>>>>>>>>>>>> Could you run that under gdb and provide us with a<br>
>>>>>>>>>>>>>>>>>>> backtrace when it crashes?<br>
>>>>>>>>>>>>>>>>>>><br>
>>>>>>>>>>>>>>>>>>> -Brendan<br>
>>>>>>>>>>>>>>>>>>><br>
>>>>>>>>>>>>>>>>>>> On Sunday, April 5, 2015, xiaojuan Li<br>
>>>>>>>>>>>>>>>>>>> <<a href="mailto:xiaotan6666@gmail.com">xiaotan6666@gmail.com</a>> wrote:<br>
>>>>>>>>>>>>>>>>>>>><br>
>>>>>>>>>>>>>>>>>>>> Hi,<br>
>>>>>>>>>>>>>>>>>>>> Excuse me, I have a question about the taint<br>
>>>>>>>>>>>>>>>>>>>> plugin (stringsearch:name=***;taint:tainted_instructions=1):<br>
>>>>>>>>>>>>>>>>>>>> when I started it, it showed success:<br>
>>>>>>>>>>>>>>>>>>>><br>
>>>>>>>>>>>>>>>>>>>><br>
</div></div><span class="im HOEnZb">>>>>>>>>>>>>>>>>>>>> but when it finished searching, it showed "uninit taint<br>
>>>>>>>>>>>>>>>>>>>> plugin segmentation fault"<br>
>>>>>>>>>>>>>>>>>>>><br>
>>>>>>>>>>>>>>>>>>>><br>
</span><div class="HOEnZb"><div class="h5">>>>>>>>>>>>>>>>>>>>> How can I fix it?<br>
>>>>>>>>>>>>>>>>>>>> Thanks a lot!<br>
>>>>>>>>>>>>>>>>>>>> --<br>
>>>>>>>>>>>>>>>>>>>> wait and hope~~<br>
>>>>>>>>>>>>>>>>>> _______________________________________________<br>
>>>>>>>>>>>>>>>>>> panda-users mailing list<br>
>>>>>>>>>>>>>>>>>> <a href="mailto:panda-users@mit.edu">panda-users@mit.edu</a><br>
>>>>>>>>>>>>>>>>>> <a href="http://mailman.mit.edu/mailman/listinfo/panda-users" target="_blank">http://mailman.mit.edu/mailman/listinfo/panda-users</a><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature"><div dir="ltr">wait and hope~~</div></div>
</div>
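The two console outputs in this thread (the reporter's run, which ends in "Cannot allocate memory" followed by a segfault, and Brendan's run of the same recording, which keeps replaying) are easiest to compare by pulling out the few facts that matter. The script below is an added example written for this page; it is not PANDA code and not anything either participant posted. It assumes only the line formats quoted in the thread (the `api414-4-20: ... instrs. ... GB ram.` progress lines, the `READ Match` and `tstringsearch` lines, and taint2's `Allocating large fast_shad` / `Cannot allocate memory` lines), and its sample inputs are constructed, abbreviated copies of the two outputs above.

```python
"""Compare two PANDA replay console logs (added example for this thread, not PANDA code).
The regexes assume the stringsearch/tstringsearch/taint2 line formats quoted above."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

PROGRESS_RE = re.compile(r"^\S+: (?P<instrs>\d+) \(\s*[\d.]+%\) instrs\. [\d.]+ sec\. "
                         r"(?P<ram>[\d.]+) GB ram\.$")
MATCH_RE = re.compile(r"^READ Match of str \d+ at: instr_count=(?P<instrs>\d+)")
ENABLE_RE = re.compile(r"^enabling taint at instr count (?P<instrs>\d+)$")
STRING_AT_RE = re.compile(r"^tstringsearch: string in memory @ (?P<addr>0x[0-9a-f]+)$")
LARGE_RE = re.compile(r"^taint2: Allocating large fast_shad \(\d+ bytes\)")


@dataclass
class RunSummary:
    matches: List[int] = field(default_factory=list)  # instr counts of search-string hits
    taint_enabled_at: Optional[int] = None
    string_addr: Optional[str] = None
    large_alloc_attempts: int = 0   # "Allocating large fast_shad" lines seen
    alloc_error: bool = False       # a bare "Cannot allocate memory" line seen
    peak_ram_gb: float = 0.0
    segfault: bool = False


def summarise(lines):
    """Fold the console lines of one replay into a RunSummary."""
    s = RunSummary()
    for raw in lines:
        line = raw.strip()
        m = PROGRESS_RE.match(line)
        if m:
            s.peak_ram_gb = max(s.peak_ram_gb, float(m.group("ram")))
            continue
        m = MATCH_RE.match(line)
        if m:
            s.matches.append(int(m.group("instrs")))
            continue
        m = ENABLE_RE.match(line)
        if m:
            s.taint_enabled_at = int(m.group("instrs"))
            continue
        m = STRING_AT_RE.match(line)
        if m:
            s.string_addr = m.group("addr")
        elif LARGE_RE.match(line):
            s.large_alloc_attempts += 1
        elif line == "Cannot allocate memory":
            s.alloc_error = True
        elif line == "Segmentation fault":
            s.segfault = True
    return s


def diff_runs(a, b):
    """Return one line per summarised field on which run a and run b differ."""
    out = []

    def check(label, x, y):
        if x != y:
            out.append(f"{label}: {x} vs {y}")

    check("taint enabled at instr", a.taint_enabled_at, b.taint_enabled_at)
    check("search string address", a.string_addr, b.string_addr)
    check("large fast_shad attempts", a.large_alloc_attempts, b.large_alloc_attempts)
    check("Cannot allocate memory seen", a.alloc_error, b.alloc_error)
    check("string matches seen", len(a.matches), len(b.matches))
    check("ended in segfault", a.segfault, b.segfault)
    return out


# Constructed sample input: abbreviated from the two outputs quoted in this thread.
USER_RUN = [
    "api414-4-20: 783198179 ( 10.03%) instrs. 64.60 sec. 0.95 GB ram.",
    "READ Match of str 0 at: instr_count=812336749 : 72a7562e b6cb2e02 0d36c000",
    "tstringsearch: string in memory @ 0xa70d6212",
    "enabling taint at instr count 812336749",
]
for _i in range(1, 10):  # the nine attempts at 0x10000000000 ... 0x90000000000
    USER_RUN.append(f"taint2: Allocating large fast_shad (8589934592 bytes) @ 0x{_i}0000000000.")
    USER_RUN.append("taint2: Hugetlb failed. Trying without.")
USER_RUN += [
    "Cannot allocate memory",
    "taint2: Allocating small fast_shad (12800000 bytes) using malloc @ 7f8b608d0010.",
    "applying taint labels to search string of length 14 @ p=0xa70d6212",
    "Segmentation fault",
]
REFERENCE_RUN = [
    "api414-4-20: 783198179 ( 10.03%) instrs. 218.26 sec. 0.96 GB ram.",
    "READ Match of str 0 at: instr_count=812336749 : 72a7562e b6cb2e02 0d36c000",
    "tstringsearch: string in memory @ 0xa70d6212",
    "enabling taint at instr count 812336749",
    "taint2: Allocating large fast_shad (8589934592 bytes).",
    "taint2: Hugetlb failed. Trying without.",
    "taint2: Allocating small fast_shad (12800000 bytes) using malloc @ 7fdd165c6010.",
    "READ Match of str 0 at: instr_count=812336765 : 72a7562e b6cb2a2a 0d36c000",
    "READ Match of str 0 at: instr_count=812337316 : 72a7562e b6cb2e4a 0d36c000",
    "READ Match of str 0 at: instr_count=812337331 : 72a7562e b6cb2a2a 0d36c000",
    "api414-4-20: 1015597970 ( 13.00%) instrs. 1265.76 sec. 5.58 GB ram.",
]

if __name__ == "__main__":
    for d in diff_runs(summarise(USER_RUN), summarise(REFERENCE_RUN)):
        print("differs ->", d)
```

Run it on the full console output of each replay (one line per list entry) rather than on the abbreviated samples; the useful property is that both runs agree on where taint was enabled and where the string sits in guest memory, so the first field on which they disagree is the taint2 shadow-memory allocation, which is where a reader would start looking before the segfault itself.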