[panda-users] Issues with tainting

Federico "fox" Scrinzi fox91 at anche.no
Mon Mar 2 04:50:58 EST 2015


Hello,
I am trying to use the taint plugin of PANDA to find which part of a 
program is processing and encrypting my input.
I did some tests using a DES [1] and a SHA1 [2] implementation from 
GitHub on a Debian VM. I basically recorded the encryption or the 
hashing of two strings and then used the tstringsearch plugin to taint 
those strings and locate the instructions that processed them.

I used the following command:

~/git/panda/qemu/x86_64-softmmu/qemu-system-x86_64 -hda 
debian_squeeze_amd64_standard_panda.qcow2 -m 1024 -net nic,model=e1000 
-net user -redir tcp:2222::22 -replay <REPLAYNAME> -display none -panda 
callstack_instr -panda stringsearch -panda taint:tainted_instructions=1 
-panda tstringsearch

I tried both with taint and taint2 but the result does not change: in 
all my tests I get string matches for my input string but no messages 
about tainting or tainted instructions, and no output of tainted 
instructions either. Because of this issue 
https://github.com/moyix/panda/issues/49 I also tried older versions of 
PANDA as well as the current one. I also recorded multiple executions 
but the result is the same.

If you would like to reproduce my experiment I uploaded one of my traces 
about DES encryption on rrshare (http://www.rrshare.org/detail/48/). I 
would expect that the tstringsearch plugin finds the instructions that 
constitute the encryption process when I feed the plaintext or the key 
to it.


Am I missing something? Any help is appreciated.
Thank you very much!


Cheers,
Federico


[1] https://github.com/tarequeh/DES
[2] https://github.com/B-Con/crypto-algorithms