<div dir="ltr">thanks first, <br>the code i want to get is the java functions(the higher-level information) that handle special data or something that related with these functions.(like asm,but can be used to locate related functions).<br><br></div><div class="gmail_extra"><br><div class="gmail_quote">2015-04-23 12:45 GMT-04:00 Brendan Dolan-Gavitt <span dir="ltr"><<a href="mailto:brendandg@gatech.edu" target="_blank">brendandg@gatech.edu</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I'm not sure I understand your question. The assembly instructions being executed are the code.<div><br></div><div>If you want higher-level information, like what library that code is in, or what the process name is, this is typically done using memory analysis (for example, tools like Volatility). If you can get the configuration right for the osi_linux plugin, you can also get information about what libraries are loaded and where they are from that interface.</div><div><br></div><div>What information are you trying to get?</div><span class="HOEnZb"><font color="#888888"><div><br></div><div>-Brendan </div></font></span></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Apr 22, 2015 at 11:23 PM, xiaojuan Li <span dir="ltr"><<a href="mailto:xiaotan6666@gmail.com" target="_blank">xiaotan6666@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div>excuse me, one more question:<br></div><div>taint(use pandalog to write in name.plog which can be extract by tainted_instr) can get the asid-pc record,i want to find operating code further and replay with "-d in_asm -D asmlog.txt" and get the log like this:<br></div>************************************************************************<br>IN: <br>0xb52dbbee: 4605 mov r5, r0<br>0xb52dbbf0: 2800 cmp r0, #0<br>0xb52dbbf2: f040 8172 bne.w 0xb52dbeda<br><br>----------------<br>IN: <br>0xb52dbbf6: 462b mov r3, r5<br>0xb52dbbf8: 4620 mov r0, r4<br>0xb52dbbfa: 2101 movs r1, #1<br>0xb52dbbfc: aa06 add r2, sp, #24<br>0xb52dbbfe: f7fa f898 bl 0xffffffffb52d5d32<br><br>----------------<br>IN: <br>0xb52d5d32: b5f7 push {r0, r1, r2, r4, r5, r6, r7, lr}<br>0xb52d5d34: 4606 mov r6, r0<br>0xb52d5d36: 4617 mov r7, r2<br>0xb52d5d38: 6800 ldr r0, [r0, #0]<br>0xb52d5d3a: aa01 add r2, sp, #4<br>0xb52d5d3c: 460d mov r5, r1<br>0xb52d5d3e: f7ff fecf bl 0xffffffffb52d5ae0<br>*******************************************************************<br></div><div>it just the instructions underlying, but how can i use these to locate the code that what i want?<br><br></div><div>sorry to be a askhole, i just a new learner... <br></div><div>And thanks for your patience!!<br></div></div><div class="gmail_extra"><br><div class="gmail_quote"><span>2015-04-10 21:24 GMT-04:00 Brendan Dolan-Gavitt <span dir="ltr"><<a href="mailto:brendandg@gatech.edu" target="_blank">brendandg@gatech.edu</a>></span>:<br></span><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span><div dir="ltr">Once you have used PANDA's taint system to identify the portions of the code that process the data you're interested in, you will still have to analyze that code do understand how it works. One way to do that might be to use the scissors plugin to extract out the portion of the trace that contains the code you're interested in, and then replay it with QEMU's "-d in_asm -D asmlog.txt" options to get the disassembly for that code.<div><br></div><div>Alternatively, you could take a memory snapshot at some point when the code you want to analyze is in memory (using something like the pmemsave plugin in PANDA), then use Volatility to analyze that memory image to extract out the binary, which you could look at in IDA or something similar.</div><div><br></div><div>Basically – disassemble the code that handles the data you're interested in and find out how it works. Exactly what that means will depend on what you're hoping to accomplish.</div><span><font color="#888888"><div><br></div><div>-Brendan</div></font></span></div></span><div><div><div class="gmail_extra"><br><div class="gmail_quote"><span>On Fri, Apr 10, 2015 at 9:07 PM, xiaojuan Li <span dir="ltr"><<a href="mailto:xiaotan6666@gmail.com" target="_blank">xiaotan6666@gmail.com</a>></span> wrote:<br></span><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span><div dir="ltr">Hi,<div>Thanks for your job first.</div><div>I am a little confused about the result of the tainted.how can I get enough information about the processing code from the binary? use the gdb?</div><div>Thanks!</div></div></span><div class="gmail_extra"><div><div><br><div class="gmail_quote"><span>2015-04-10 12:05 GMT+08:00 xiaojuan Li <span dir="ltr"><<a href="mailto:xiaotan6666@gmail.com" target="_blank">xiaotan6666@gmail.com</a>></span>:<br></span><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span><div dir="ltr">Thanks for your guys great work!<br><div>and I will try.</div></div></span><div class="gmail_extra"><div><div><br><div class="gmail_quote"><span>2015-04-10 11:42 GMT+08:00 Brendan Dolan-Gavitt <span dir="ltr"><<a href="mailto:brendandg@gatech.edu" target="_blank">brendandg@gatech.edu</a>></span>:<br></span><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span><div dir="ltr">Hi,<div><br></div><div>Tim has just updated the tainted_instructions tutorial so that it reflects how things work now. Could you look through that tutorial and see if it helps with your problem?</div><div><br></div><div><a href="https://github.com/moyix/panda/blob/master/docs/tainted_instructions.md" target="_blank">https://github.com/moyix/panda/blob/master/docs/tainted_instructions.md</a><br></div><div><br></div><div>Note that you will probably need to do a "git pull" and rebuild (make clean ; ./build.sh) in order to make sure everything works as it says in the tutorial.</div><span><font color="#888888"><div><br></div><div>-Brendan</div></font></span></div></span><div><div><div class="gmail_extra"><br><div class="gmail_quote"><span>On Thu, Apr 9, 2015 at 9:30 AM, xiaojuan Li <span dir="ltr"><<a href="mailto:xiaotan6666@gmail.com" target="_blank">xiaotan6666@gmail.com</a>></span> wrote:<br></span><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><span>Now that the panda <a href="http://taint.md" target="_blank">taint.md</a> is not fresh,can you guys give me some help?<div>I use the replay plugin,here is my command and the result.</div></span><div><img src="cid:ii_i8a74py01_14c9e5c03434d79a" height="431" width="472"><br><img src="cid:ii_i8a74pyl2_14c9e5c03434d79a" height="363" width="472"><br><img src="cid:ii_i8a74pz03_14c9e5c03434d79a" height="442" width="472"><br><img src="cid:ii_i8a74pzc4_14c9e5c03434d79a" height="429" width="472"><br><br></div><span><div>the content of pk_search_strings.txt is :"sdt"</div><div><br></div><div>I am confused here:in the paper— Repeatable reverse with panda:</div></span><div>:<img src="cid:ii_i8a6iohl0_14c9e4c502ee48e7" height="220" width="436"></div><span><div>it is clear that:if I use the stringsearch and taint plugin,when it matches, the taint label will be put and then taint action will start.but when I use it, it seems wrong(the picture showed before):no taint action execute,and i am confused about the tstringsearch's result.</div><div>how can i use it to analysis?</div><div>Thanks a lot!</div><div> </div></span></div><div class="gmail_extra"><div><div><br><div class="gmail_quote"><span>2015-04-08 10:14 GMT+08:00 xiaojuan Li <span dir="ltr"><<a href="mailto:xiaotan6666@gmail.com" target="_blank">xiaotan6666@gmail.com</a>></span>:<br></span><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span><div dir="ltr">I get the replay file by running runandroid script. and i use qemu-system-arm command just to do some replay work.<div>I may not understand you at all in this emal.do you mean that i should gdb the original program rather than the record file?</div><div>Thansk</div></div></span><div class="gmail_extra"><div><div><br><div class="gmail_quote"><span>2015-04-08 9:52 GMT+08:00 Brendan Dolan-Gavitt <span dir="ltr"><<a href="mailto:brendandg@gatech.edu" target="_blank">brendandg@gatech.edu</a>></span>:<br></span><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span><div dir="ltr">Hmm. gdb should normally stop when you get a segfault.<div><br></div><div>Are you by any chance running PANDA using the runandroid script? If so, you will need to instead invoke PANDA manually, i.e.:</div><div><br></div><div>gdb --args arm-softmmu/qemu-system-arm [...]</div><div><br></div><div>And then once it crashes, type "bt" at the gdb prompt to get a backtrace.</div><span><font color="#888888"><div><br></div><div>-Brendan</div></font></span></div></span><div><div><div class="gmail_extra"><br><div class="gmail_quote"><span>On Tue, Apr 7, 2015 at 9:47 PM, xiaojuan Li <span dir="ltr"><<a href="mailto:xiaotan6666@gmail.com" target="_blank">xiaotan6666@gmail.com</a>></span> wrote:<br></span><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">when gdb,it shows:<br><img src="cid:ii_i882pvfb3_14c96b5a1df3c8fd" height="93" width="472"><div><span>and then i see the log:it shows segfault:<br></span><img src="cid:ii_i882o5k12_14c96b46a91b20b2" height="305" width="472"></div><div><br><br></div></div><div class="gmail_extra"><div><div><br><div class="gmail_quote"><span>2015-04-08 9:03 GMT+08:00 xiaojuan Li <span dir="ltr"><<a href="mailto:xiaotan6666@gmail.com" target="_blank">xiaotan6666@gmail.com</a>></span>:<br></span><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span><div dir="ltr">maybe i am wrong.<div> i use the command line:"taint2:label_mode=binary,query_outgoing_network=1"and I found that when i use taint2, after it loads panda_taint2.so,it shows:"taint2:instructed not to inline taint ops .success".</div></div></span><div class="gmail_extra"><div><div><br><div class="gmail_quote"><span>2015-04-08 8:54 GMT+08:00 xiaojuan Li <span dir="ltr"><<a href="mailto:xiaotan6666@gmail.com" target="_blank">xiaotan6666@gmail.com</a>></span>:<br></span><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><span>ok.<div>1.I want to use taint plugin to get information about some functions(of course, it is closed-source),so I think I can stringsearch potential data and then taint them and next I can locate the functions which solves these data.</div><div><br></div><div>2.the command line I used is : <span style="font-size:14px">stringsearch:name=***;</span><span style="font-size:14px">taint2:tainted_instructions=1.</span></div><div><br></div></span><div>thanks</div><div><span style="font-size:14px"><br></span></div></div><div class="gmail_extra"><div><div><br><div class="gmail_quote"><span>2015-04-08 8:40 GMT+08:00 Brendan Dolan-Gavitt <span dir="ltr"><<a href="mailto:brendandg@gatech.edu" target="_blank">brendandg@gatech.edu</a>></span>:<br></span><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><span>Could you provide:<div><br></div><div>1. What information you're trying to get</div><div>2. The command line you're using to run PANDA with the taint2 plugin</div><div><br></div><div>?</div><div><br></div></span><span><div>Right now I believe taint2 does not produce very much output by default. Instead you use the -pandalog <filename> command line option, and taint2 will write its results there in pandalog format; you can then read them using pandalog_reader (see panda/pandalog_reader.c for details on that tool).</div></span><span><font color="#888888"><div><br></div><div>-Brendan</div></font></span></div><div><div><div class="gmail_extra"><br><div class="gmail_quote"><span>On Tue, Apr 7, 2015 at 8:32 PM, xiaojuan Li <span dir="ltr"><<a href="mailto:xiaotan6666@gmail.com" target="_blank">xiaotan6666@gmail.com</a>></span> wrote:<br></span><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span><div dir="ltr">when I tried taint2,it showed the same error with taint1, the olny difference is that taint2 has no segfault error,just uninit taint plugin.</div></span><div class="gmail_extra"><div><div><br><div class="gmail_quote"><span>2015-04-08 8:28 GMT+08:00 Brendan Dolan-Gavitt <span dir="ltr"><<a href="mailto:brendandg@gatech.edu" target="_blank">brendandg@gatech.edu</a>></span>:<br></span><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><span>Could you be a little more descriptive about how it failed? Segfault? Error message? Incorrect output?<div><br></div></span><div>-Brendan</div></div><div class="gmail_extra"><br><div class="gmail_quote"><span><div><div>On Tue, Apr 7, 2015 at 8:27 PM, xiaojuan Li <span dir="ltr"><<a href="mailto:xiaotan6666@gmail.com" target="_blank">xiaotan6666@gmail.com</a>></span> wrote:<br></div></div></span><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div><span><div dir="ltr">i tried taint2 too,it failed.</div></span><div class="gmail_extra"><div><div><br><div class="gmail_quote"><span>2015-04-07 5:20 GMT+08:00 Leek, Timothy - 0559 - MITLL <span dir="ltr"><<a href="mailto:tleek@ll.mit.edu" target="_blank">tleek@ll.mit.edu</a>></span>:<br></span><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word;color:rgb(0,0,0);font-size:14px;font-family:Calibri,sans-serif"><span><div><div><div>Also note that the “taint” plugin is somewhat defunct. “taint2” is the one we are actively using and developing.</div><div><div>--</div><div>Tim Leek</div><div>Technical Staff</div><div>Cyber System Assessments</div><div>MIT Lincoln Laboratory</div><div><a href="tel:781-981-2975" value="+17819812975" target="_blank">781-981-2975</a></div><div><br></div></div></div></div><div><br></div></span><span><span><div style="font-family:Calibri;font-size:11pt;text-align:left;color:black;BORDER-BOTTOM:medium none;BORDER-LEFT:medium none;PADDING-BOTTOM:0in;PADDING-LEFT:0in;PADDING-RIGHT:0in;BORDER-TOP:#b5c4df 1pt solid;BORDER-RIGHT:medium none;PADDING-TOP:3pt"><span style="font-weight:bold">From: </span> Brendan Dolan-Gavitt <<a href="mailto:brendandg@gatech.edu" target="_blank">brendandg@gatech.edu</a>><br><span style="font-weight:bold">Date: </span> Monday, April 6, 2015 at 5:18 PM<br><span style="font-weight:bold">To: </span> xiaojuan Li <<a href="mailto:xiaotan6666@gmail.com" target="_blank">xiaotan6666@gmail.com</a>><br><span style="font-weight:bold">Cc: </span> "<a href="mailto:panda-users@mit.edu" target="_blank">panda-users@mit.edu</a>" <<a href="mailto:panda-users@mit.edu" target="_blank">panda-users@mit.edu</a>><br><span style="font-weight:bold">Subject: </span> Re: [panda-users] taint segmentation fault<br></div></span><div><div><div><br></div><div><div><span>
Could you run that under gdb and provide us with a backtrace when it crashes?
<div><br></div></span><div>-Brendan<span><br><br>
On Sunday, April 5, 2015, xiaojuan Li <<a href="mailto:xiaotan6666@gmail.com" target="_blank">xiaotan6666@gmail.com</a>> wrote:<br></span><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi,
<span><div>excuse me,i have a question about taint plugin:(stringsearch:name=***;taint:tainted_instructions=1)</div><div>when I started it showed success:</div><div><br></div></span><div><img src="cid:ii_i859ltl20_14c8c9637c6b2646" height="166" width="454"></div><div><br></div><div><span>but when it finished search,it showd "uninit taint plugin segementation fault"<br></span><img src="cid:ii_i859ltlx1_14c8c9637c6b2646" height="132" width="454"><span><br>
<br clear="all"><div>how can I fix it?</div><div>Thanks a lot!</div></span>
-- <br><div><div dir="ltr">wait and hope~~</div></div></div></div></blockquote></div></div></div></div></div></span></div>
</blockquote></div><br><br clear="all"><div><br></div></div></div><span><font color="#888888">-- <br><div><div dir="ltr">wait and hope~~</div></div>
</font></span></div>
<br></div></div><div><div>_______________________________________________<br>
panda-users mailing list<br>
<a href="mailto:panda-users@mit.edu" target="_blank">panda-users@mit.edu</a><br>
<a href="http://mailman.mit.edu/mailman/listinfo/panda-users" target="_blank">http://mailman.mit.edu/mailman/listinfo/panda-users</a><br>
<br></div></div></blockquote></div><br></div>
</blockquote></div><br><br clear="all"><div><br></div></div></div><span><font color="#888888">-- <br><div><div dir="ltr">wait and hope~~</div></div>
</font></span></div>
</blockquote></div><br></div>
</div></div></blockquote></div><br><br clear="all"><div><br></div></div></div><span><font color="#888888">-- <br><div><div dir="ltr">wait and hope~~</div></div>
</font></span></div>
</blockquote></div><br><br clear="all"><div><br></div></div></div><span><font color="#888888">-- <br><div><div dir="ltr">wait and hope~~</div></div>
</font></span></div>
</blockquote></div><br><br clear="all"><div><br></div></div></div><span><font color="#888888">-- <br><div><div dir="ltr">wait and hope~~</div></div>
</font></span></div>
</blockquote></div><br></div>
</div></div></blockquote></div><br><br clear="all"><div><br></div></div></div><span><font color="#888888">-- <br><div><div dir="ltr">wait and hope~~</div></div>
</font></span></div>
</blockquote></div><br><br clear="all"><div><br></div></div></div><span><font color="#888888">-- <br><div><div dir="ltr">wait and hope~~</div></div>
</font></span></div>
</blockquote></div><br></div>
</div></div></blockquote></div><br><br clear="all"><div><br></div></div></div><span><font color="#888888">-- <br><div><div dir="ltr">wait and hope~~</div></div>
</font></span></div>
</blockquote></div><br><br clear="all"><span><font color="#888888"><div><br></div></font></span></div></div><span><font color="#888888"><span><font color="#888888">-- <br><div><div dir="ltr">wait and hope~~</div></div>
</font></span></font></span></div><span><font color="#888888">
</font></span></blockquote></div><span><font color="#888888"><br></font></span></div><span><font color="#888888">
</font></span></div></div></blockquote></div><span><font color="#888888"><br><br clear="all"><br>-- <br><div><div dir="ltr">wait and hope~~</div></div>
</font></span></div>
</blockquote></div><br></div>
</div></div></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature"><div dir="ltr">wait and hope~~</div></div>
</div>