[panda-users] taint segmentation fault
Joshua Hodosh
josh.hodosh at ll.mit.edu
Fri Apr 24 16:23:51 EDT 2015
That's correct. The last time I looked at DroidScope, it could
introspect on Dalvik in Android 2.3, running on a 32-bit host.
The DroidScope code we included as the linux_vmi plugin doesn't have
Dalvik-layer introspection enabled, since it's 1) obsolete, and 2)
requires a 32-bit executable. The process, thread, module, and symbol
tracking are still enabled, but won't help with Java/Dalvik code.
Android 2.x's interpreter had a function that was run on each opcode, so
DroidScope's symbol-parsing was enough to bootstrap a Dalvik-instruction
callback point. The interpreter in 4.0 was rewritten for performance,
and doesn't have an analogous function, as far as I know.
I know DroidScope has documentation about Android 4.3, but there doesn't
seem to be any code for it. There haven't been any commits to it for
over two years.
--
Josh
On 04/24/2015 12:37 AM, Brendan Dolan-Gavitt wrote:
> The low-level code you see in Android is generally the result of just
> in time compilation. The DroidScope paper [1] discusses some ways to
> determine what the high-level code corresponds to the low-level code,
> but I don't know if that has made it into PANDA – Josh may know more.
>
> -Brendan
>
> [1] https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final107.pdf
>
> On Thu, Apr 23, 2015 at 9:19 PM, xiaojuan Li <xiaotan6666 at gmail.com> wrote:
>
> The thing is: after taint we can get the tainted data flow, assuming
> it is written in name.plog, then extract the .plog using
> tainted_instr. How can I get useful information from the
> flow (such as which high-level function handles it)?
> Like IL in .NET, we can decompile to get C# source code.
> Thanks
>
> 2015-04-23 19:49 GMT-04:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>
> Thanks first.
> The code I want to get is the Java functions (the higher-level
> information) that handle special data, or something
> related to these functions (like asm, but usable to
> locate related functions).
>
>
> 2015-04-23 12:45 GMT-04:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:
>
> I'm not sure I understand your question. The assembly
> instructions being executed are the code.
>
> If you want higher-level information, like what library
> that code is in, or what the process name is, this is
> typically done using memory analysis (for example, tools
> like Volatility). If you can get the configuration right
> for the osi_linux plugin, you can also get information
> about what libraries are loaded and where they are from
> that interface.
>
> What information are you trying to get?
>
> -Brendan
>
> On Wed, Apr 22, 2015 at 11:23 PM, xiaojuan Li <xiaotan6666 at gmail.com> wrote:
>
> Excuse me, one more question:
> taint (using pandalog to write to name.plog, which can be
> extracted by tainted_instr) can get the asid-pc record. I
> want to find the operating code further and replay with
> "-d in_asm -D asmlog.txt", and I get a log like this:
> ************************************************************************
> IN:
> 0xb52dbbee: 4605 mov r5, r0
> 0xb52dbbf0: 2800 cmp r0, #0
> 0xb52dbbf2: f040 8172 bne.w 0xb52dbeda
>
> ----------------
> IN:
> 0xb52dbbf6: 462b mov r3, r5
> 0xb52dbbf8: 4620 mov r0, r4
> 0xb52dbbfa: 2101 movs r1, #1
> 0xb52dbbfc: aa06 add r2, sp, #24
> 0xb52dbbfe: f7fa f898 bl 0xffffffffb52d5d32
>
> ----------------
> IN:
> 0xb52d5d32: b5f7 push {r0, r1, r2, r4, r5, r6, r7, lr}
> 0xb52d5d34: 4606 mov r6, r0
> 0xb52d5d36: 4617 mov r7, r2
> 0xb52d5d38: 6800 ldr r0, [r0, #0]
> 0xb52d5d3a: aa01 add r2, sp, #4
> 0xb52d5d3c: 460d mov r5, r1
> 0xb52d5d3e: f7ff fecf bl 0xffffffffb52d5ae0
> *******************************************************************
> It's just the underlying instructions, but how can I use
> these to locate the code that I want?
>
> Sorry to be an askhole, I'm just a new learner...
> And thanks for your patience!!
>
> 2015-04-10 21:24 GMT-04:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:
>
> Once you have used PANDA's taint system to
> identify the portions of the code that process the
> data you're interested in, you will still have to
> analyze that code to understand how it works. One
> way to do that might be to use the scissors plugin
> to extract out the portion of the trace that
> contains the code you're interested in, and then
> replay it with QEMU's "-d in_asm -D asmlog.txt"
> options to get the disassembly for that code.
>
> Alternatively, you could take a memory snapshot at
> some point when the code you want to analyze is in
> memory (using something like the pmemsave plugin
> in PANDA), then use Volatility to analyze that
> memory image to extract out the binary, which you
> could look at in IDA or something similar.
>
> Basically – disassemble the code that handles the
> data you're interested in and find out how it
> works. Exactly what that means will depend on what
> you're hoping to accomplish.
>
> -Brendan
>
> On Fri, Apr 10, 2015 at 9:07 PM, xiaojuan Li <xiaotan6666 at gmail.com> wrote:
>
> Hi,
> Thanks for your job first.
> I am a little confused about the result of the taint. How can I get enough
> information about the processing code from the binary? Use gdb?
> Thanks!
>
> 2015-04-10 12:05 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>
> Thanks for you guys' great work!
> And I will try.
>
> 2015-04-10 11:42 GMT+08:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:
>
> Hi,
>
> Tim has just updated the
> tainted_instructions tutorial so that
> it reflects how things work now. Could
> you look through that tutorial and see
> if it helps with your problem?
>
> https://github.com/moyix/panda/blob/master/docs/tainted_instructions.md
>
> Note that you will probably need to do
> a "git pull" and rebuild (make clean ;
> ./build.sh) in order to make sure
> everything works as it says in the
> tutorial.
>
> -Brendan
>
> On Thu, Apr 9, 2015 at 9:30 AM, xiaojuan Li <xiaotan6666 at gmail.com> wrote:
>
> Now that the PANDA taint.md is not fresh, can you guys give me some help?
> I use the replay plugin; here is my command and the result.
>
> [attachment scrubbed]
>
> The content of pk_search_strings.txt is: "sdt"
>
> I am confused here: in the paper "Repeatable reverse with panda", it is
> clear that if I use the stringsearch and taint plugin, when it matches,
> the taint label will be put and then the taint action will start. But
> when I use it, it seems wrong (the picture showed before): no taint
> action executes, and I am confused about tstringsearch's result.
> How can I use it to analyze?
> Thanks a lot!
>
>
> 2015-04-08 10:14 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>
> I get the replay file by running the runandroid script, and I use the
> qemu-system-arm command just to do some replay work.
> I may not understand you at all in this email. Do you mean that I should
> gdb the original program rather than the record file?
> Thanks
>
> 2015-04-08 9:52 GMT+08:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:
>
> Hmm. gdb should normally stop when you get a segfault.
>
> Are you by any chance running PANDA using the runandroid script? If so,
> you will need to instead invoke PANDA manually, i.e.:
>
> gdb --args arm-softmmu/qemu-system-arm [...]
>
> And then once it crashes, type "bt" at the gdb prompt to get a backtrace.
>
> -Brendan
>
> On Tue, Apr 7, 2015 at 9:47 PM, xiaojuan Li <xiaotan6666 at gmail.com> wrote:
>
> When I gdb, it shows:
> [attachment scrubbed]
> and then I see the log; it shows segfault:
> [attachment scrubbed]
>
> 2015-04-08 9:03 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>
> Maybe I am wrong. I use the command line
> "taint2:label_mode=binary,query_outgoing_network=1" and I found that when
> I use taint2, after it loads panda_taint2.so, it shows: "taint2:instructed
> not to inline taint ops .success".
>
> 2015-04-08 8:54 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>
> OK.
> 1. I want to use the taint plugin to get information about some functions
> (of course, it is closed-source), so I think I can stringsearch potential
> data and then taint them, and next I can locate the functions which solve
> these data.
>
> 2. The command line I used is:
> stringsearch:name=***;taint2:tainted_instructions=1.
>
> Thanks
>
>
> 2015-04-08 8:40 GMT+08:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:
>
> Could you provide:
>
> 1. What information you're trying to get
> 2. The command line you're using to run PANDA with the taint2 plugin
>
> ?
>
> Right now I believe taint2 does not produce very much output by default.
> Instead you use the -pandalog <filename> command line option, and taint2
> will write its results there in pandalog format; you can then read them
> using pandalog_reader (see panda/pandalog_reader.c for details on that
> tool).
>
> -Brendan
>
> On Tue, Apr 7, 2015 at 8:32 PM, xiaojuan Li <xiaotan6666 at gmail.com> wrote:
>
> When I tried taint2, it showed the same error as taint1; the only
> difference is that taint2 has no segfault error, just "uninit taint
> plugin".
>
> 2015-04-08 8:28 GMT+08:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:
>
> Could you be a little more descriptive about how it failed? Segfault?
> Error message? Incorrect output?
>
> -Brendan
>
> On Tue, Apr 7, 2015 at 8:27 PM, xiaojuan Li <xiaotan6666 at gmail.com> wrote:
>
> I tried taint2 too; it failed.
>
> 2015-04-07 5:20 GMT+08:00 Leek, Timothy - 0559 - MITLL <tleek at ll.mit.edu>:
>
> Also note that the “taint” plugin is somewhat defunct. “taint2” is the
> one we are actively using and developing.
> --
> Tim Leek
> Technical Staff
> Cyber System Assessments
> MIT Lincoln Laboratory
> 781-981-2975
>
>
> From: Brendan Dolan-Gavitt <brendandg at gatech.edu>
> Date: Monday, April 6, 2015 at 5:18 PM
> To: xiaojuan Li <xiaotan6666 at gmail.com>
> Cc: "panda-users at mit.edu" <panda-users at mit.edu>
> Subject: Re: [panda-users] taint segmentation fault
>
> Could you run that under gdb and provide us with a backtrace when it
> crashes?
>
> -Brendan
>
> On Sunday, April 5, 2015, xiaojuan Li <xiaotan6666 at gmail.com> wrote:
>
> Hi,
>
> Excuse me, I have a question about the taint plugin
> (stringsearch:name=***;taint:tainted_instructions=1).
> When I started it, it showed success:
>
> [attachment scrubbed]
>
> But when it finished searching, it showed "uninit taint plugin
> segementation fault".
>
> [attachment scrubbed]
>
> How can I fix it?
> Thanks a lot!
> --
>
> wait and hope~~
>
>
>
>
> _______________________________________________
> panda-users mailing list
> panda-users at mit.edu
> http://mailman.mit.edu/mailman/listinfo/panda-users
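The disassembly quoted in the thread (the `-d in_asm -D asmlog.txt` output) and Brendan's advice to map code back to the library it lives in (osi_linux, or Volatility over a pmemsave image) can be combined into one small tool. The Python script below is an added example written for this archive page; it is not code from PANDA, DroidScope or anyone in the thread. It parses the `IN:` block format exactly as QEMU printed it above, folds the sign-extended branch targets QEMU prints for 32-bit ARM (`0xffffffffb52d5d32` is really `0xb52d5d32`) back to guest addresses, and resolves each block start and each `bl` target to a module-relative offset. The module table (`libexample.so` at `0xb52d0000`, `libc.so` at `0xb6e00000`) and every function name (`parse_in_asm`, `resolve`, `call_edges`, `observed_entries`) are constructed for the example; in a real run the bases come from the guest's process introspection.

```python
"""Resolve translation blocks from a QEMU/PANDA "-d in_asm" log to module
offsets. Added example, not code from PANDA or from the thread's authors."""
import re
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF
HEX4 = re.compile(r"^[0-9a-f]{4}$")  # one Thumb halfword as QEMU prints it

# Constructed sample: the in_asm blocks quoted in the thread, verbatim.
SAMPLE_LOG = """\
IN:
0xb52dbbee: 4605 mov r5, r0
0xb52dbbf0: 2800 cmp r0, #0
0xb52dbbf2: f040 8172 bne.w 0xb52dbeda

----------------
IN:
0xb52dbbf6: 462b mov r3, r5
0xb52dbbf8: 4620 mov r0, r4
0xb52dbbfa: 2101 movs r1, #1
0xb52dbbfc: aa06 add r2, sp, #24
0xb52dbbfe: f7fa f898 bl 0xffffffffb52d5d32

----------------
IN:
0xb52d5d32: b5f7 push {r0, r1, r2, r4, r5, r6, r7, lr}
0xb52d5d34: 4606 mov r6, r0
0xb52d5d36: 4617 mov r7, r2
0xb52d5d38: 6800 ldr r0, [r0, #0]
0xb52d5d3a: aa01 add r2, sp, #4
0xb52d5d3c: 460d mov r5, r1
0xb52d5d3e: f7ff fecf bl 0xffffffffb52d5ae0
"""

# Hypothetical module map (name, base, size), standing in for what osi_linux
# or Volatility would list for the guest process; real bases come from there.
MODULES = [("libexample.so", 0xB52D0000, 0x20000), ("libc.so", 0xB6E00000, 0x80000)]

def norm32(addr):
    """QEMU prints ARM branch targets sign-extended to 64 bits; fold them back."""
    return addr & MASK32

@dataclass
class Insn:
    pc: int
    size: int        # bytes: 2 per printed halfword
    mnemonic: str
    operands: str
    def branch_target(self):
        """Immediate target of a b/bl/bne.w-style branch, else None."""
        if self.mnemonic.startswith("b") and self.operands.startswith("0x"):
            return norm32(int(self.operands.split()[0], 16))
        return None
    def is_call(self):
        return self.mnemonic in ("bl", "blx") and self.branch_target() is not None

def parse_insn(line):
    """Parse '0xADDR: HHHH [HHHH] mnemonic operands' into an Insn."""
    addr, rest = line.split(":", 1)
    tokens = rest.split()
    words = []
    while tokens and HEX4.match(tokens[0]):  # leading halfwords are the encoding
        words.append(tokens.pop(0))
    return Insn(pc=int(addr, 16), size=2 * len(words),
                mnemonic=tokens.pop(0), operands=" ".join(tokens))

def parse_in_asm(text):
    """Split an in_asm log into blocks (lists of Insn); 'IN:' starts a new one."""
    blocks = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "IN:":
            blocks.append([])
        elif line.startswith("0x") and blocks:
            blocks[-1].append(parse_insn(line))
    return [b for b in blocks if b]

def block_range(block):
    """(start, exclusive end) of a block from its first and last instruction."""
    return block[0].pc, block[-1].pc + block[-1].size

def resolve(addr, modules=MODULES):
    """Map a guest address to (module name, offset), or None if unmapped."""
    addr = norm32(addr)
    for name, base, size in modules:
        if base <= addr < base + size:
            return name, addr - base
    return None

def call_edges(blocks, modules=MODULES):
    """(caller, callee) for every bl/blx, both as resolve() results."""
    return [(resolve(i.pc, modules), resolve(i.branch_target(), modules))
            for b in blocks for i in b if i.is_call()]

def observed_entries(blocks):
    """Block starts that are call targets in the same log: function entries
    the trace actually reached, the offsets to look up in the extracted binary."""
    targets = {i.branch_target() for b in blocks for i in b if i.is_call()}
    return sorted(b[0].pc for b in blocks if b[0].pc in targets)
```

Run against the quoted log, `observed_entries` reports that the third block starts at the `bl` target of the second, so the trace reached a function entry at `libexample.so+0x5d32`; that module-relative offset, rather than the raw runtime address, is what stays stable across runs and what to look up in a binary carved from a memory image. The halfword heuristic in `parse_insn` assumes Thumb encodings printed as 4-hex-digit groups, as in the thread's log; ARM-mode instructions printed as 8-hex-digit words would need `HEX4` widened.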
Attachments scrubbed by the list archive (one HTML part, eight PNG images, one JPEG image):
http://mailman.mit.edu/pipermail/panda-users/attachments/20150424/47bd601a/attachment-0001.htm
http://mailman.mit.edu/pipermail/panda-users/attachments/20150424/47bd601a/attachment-0008.png
http://mailman.mit.edu/pipermail/panda-users/attachments/20150424/47bd601a/attachment-0009.png
http://mailman.mit.edu/pipermail/panda-users/attachments/20150424/47bd601a/attachment-0010.png
http://mailman.mit.edu/pipermail/panda-users/attachments/20150424/47bd601a/attachment-0011.png
http://mailman.mit.edu/pipermail/panda-users/attachments/20150424/47bd601a/attachment-0001.jpg
http://mailman.mit.edu/pipermail/panda-users/attachments/20150424/47bd601a/attachment-0012.png
http://mailman.mit.edu/pipermail/panda-users/attachments/20150424/47bd601a/attachment-0013.png
http://mailman.mit.edu/pipermail/panda-users/attachments/20150424/47bd601a/attachment-0014.png
http://mailman.mit.edu/pipermail/panda-users/attachments/20150424/47bd601a/attachment-0015.png