[panda-users] pandalog to tap points + asid/threaded equivalence question.

Marty E. Plummer hanetzer at startmail.com
Mon Apr 6 11:40:22 EDT 2020


Hello all.

First off, very interesting tool here. Hopefully I can get some more use
out of it in the future.

I've recorded a process which generates an RSA private key at runtime,
and uses that to decrypt some data to produce an AES key. I used
stringsearch, tstringsearch and tainted_instr to produce a pandalog
which I believe contains what I need (unigrams and find_drm.py seem to
not contain the right info, as none of the reads they report are the
right read size for the RSA-decrypted data), but I'm unsure how to
transform it into a usable format. A snippet of the pandalog passed
through plog_reader.py looks like this (numbers translated to hex for
readability; possible improvement here?):

===
[{
  "pc": "0x8284ae13", 
  "asid": "0x4241b000", 
  "instr": "0x20d63c0"
},
{
  "pc": "0x8284ae13", 
  "taintedInstr": {
    "callStack": {
      "addr": [
        "0x82a67a36", 
        "0x82a7dfd3", 
        "0x82a74036", 
        "0x8b849df1", 
        "0x8b842779", 
        "0x8b843cf7", 
        "0x82849047", 
        "0x8b79720c", 
        "0x8b7973cb", 
        "0x82849047", 
        "0x82a1f9d5", 
        "0x82a208bc", 
        "0x8284f87a"
      ]
    }, 
    "taintQuery": [
      {
        "tcn": 0, 
        "uniqueLabelSet": {
          "ptr": "0x7f285f0d7030", 
          "label": [
            10
          ]
        }, 
        "ptr": "0x7f285f0d7030", 
        "offset": 0
      }
    ]
  }, 
  "instr": "0x20d63c0" # is this an instruction count or an opcode?
}
]
===

So here, I'd like to end up with a tap point similar to this:
===
taintedInstr.callStack.addr[0] pc asid asid0 <kernelmode?>
0x82a67a36 0x8284ae13 0x4241b000 0 <not sure>
===

It does not seem to record kernelmode true/false. Also, are asid-type
tap points 1:1 equivalent to threaded ones? Prior attacks at this with
stringsearch gave me threaded-style output like this:
===
10098418 100974f5 (processID=0x0000058c, threadID=0x0000059c, isKernelMode=false)  1
82843f25 8284ae13 (processID=0x00000000, threadID=0x00000000, isKernelMode=true)  2
===

and I've been using type 2/threaded tap points with textprinter, not
sure how to proceed from here. Or if you guys happen to know a better
way of doing this I'm all ears.

Regards,
Marty


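The transformation the post asks about, as an added example (not part of the original message and not PANDA's own tooling): it reads records in the shape of the plog_reader.py output quoted above, joins the `asid` record and the `taintedInstr` record that share the same `instr` count and `pc` (that join key is an assumption based on the snippet, where the two records carry the same values), and emits one `caller pc asid` line per tainted instruction, with the caller taken from `callStack.addr[0]` exactly as the sketched tap point does. The sample input is constructed here; it accepts both raw integers and the hex strings the post shows.

```python
import json
from typing import Iterable, List, Optional, Tuple

# Constructed sample in the shape of the plog_reader.py output quoted in the
# post (values rendered as hex strings, as the post did). The third record is
# constructed to show a tainted instruction with no sibling asid record.
SAMPLE_PLOG = [
    {"pc": "0x8284ae13", "asid": "0x4241b000", "instr": "0x20d63c0"},
    {
        "pc": "0x8284ae13",
        "taintedInstr": {
            "callStack": {"addr": ["0x82a67a36", "0x82a7dfd3", "0x82a74036"]},
            "taintQuery": [
                {
                    "tcn": 0,
                    "uniqueLabelSet": {"ptr": "0x7f285f0d7030", "label": [10]},
                    "ptr": "0x7f285f0d7030",
                    "offset": 0,
                }
            ],
        },
        "instr": "0x20d63c0",
    },
    {
        "pc": "0x82843f25",
        "taintedInstr": {"callStack": {"addr": ["0x8284ae13"]}, "taintQuery": []},
        "instr": "0x20d6400",
    },
]

TapPoint = Tuple[int, int, Optional[int]]  # (caller, pc, asid or None)


def to_int(value) -> int:
    """Accept plog_reader's raw integers or hex strings like '0x8284ae13'."""
    return value if isinstance(value, int) else int(value, 16)


def tap_points(records: Iterable[dict]) -> List[TapPoint]:
    """Collect unique (caller, pc, asid) triples from a list of plog records.

    Assumption: the bare {pc, asid, instr} record and the {pc, taintedInstr,
    instr} record for one tainted instruction share the same instr count, so
    the instr count is used as the join key. If no asid record exists for a
    tainted instruction, asid is None rather than silently dropping the entry.
    """
    records = list(records)
    asid_by_instr = {}
    for rec in records:
        if "asid" in rec and "instr" in rec:
            asid_by_instr[to_int(rec["instr"])] = to_int(rec["asid"])

    seen = set()
    out: List[TapPoint] = []
    for rec in records:
        tainted = rec.get("taintedInstr")
        if not tainted:
            continue
        stack = tainted.get("callStack", {}).get("addr", [])
        if not stack:
            continue  # no caller to build a tap point from
        caller = to_int(stack[0])
        pc = to_int(rec["pc"])
        asid = asid_by_instr.get(to_int(rec["instr"]))
        key = (caller, pc, asid)
        if key not in seen:
            seen.add(key)
            out.append(key)
    return out


def format_tap_points(records: Iterable[dict]) -> List[str]:
    """Render tap points as 'caller pc asid' lines, like the post's sketch.

    Entries with no asid record are emitted as a '#' comment so the gap is
    visible in the output instead of being lost.
    """
    lines = []
    for caller, pc, asid in tap_points(records):
        if asid is None:
            lines.append(f"# {caller:08x} {pc:08x} (no asid record at this instr count)")
        else:
            lines.append(f"{caller:08x} {pc:08x} {asid:08x}")
    return lines


def load_plog_json(path: str) -> List[dict]:
    """Load a JSON array written out from plog_reader.py (hypothetical file)."""
    with open(path) as fh:
        return json.load(fh)


if __name__ == "__main__":
    for line in format_tap_points(SAMPLE_PLOG):
        print(line)
```

The asid-style layout here (`caller pc asid`) only mirrors what the post sketches; it does not settle the post's question of whether an asid-style tap point is interchangeable with the threaded `(processID, threadID, isKernelMode)` form, and the kernel-mode bit is not recoverable from these records, so it is not emitted.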