[panda-users] pandalog to tap points + asid/threaded equivalence question.

Mann, Laura L [US] (MS) laura.mann at ngc.com
Tue Apr 7 13:30:28 EDT 2020


Hello Mr Plummer,

The "instr" you ask about is an instruction count, not an opcode.
An ASID (Address Space ID) is definitely not the equivalent of the threaded type.  An ASID is a poor-man's way to distinguish threads, for when OSI support is not available.  It appears tainted_instr always uses the ASID in an attempt to note when a thread changes, whereas some other plugins can now use information from OSI to do a better job at that.
Yeah, I'd really like to see plog_reader.py output addresses in hex too!
Afraid I have to bow out on the rest of your question - need someone with more knowledge than me.

L. L. Mann

-----Original Message-----
From: panda-users-bounces at mit.edu <panda-users-bounces at mit.edu> On Behalf Of panda-users-request at mit.edu
Sent: Tuesday, April 7, 2020 12:00 PM
To: panda-users at mit.edu
Subject: EXT :panda-users Digest, Vol 54, Issue 1


Message: 1
Date: Mon, 6 Apr 2020 10:40:22 -0500
From: "Marty E. Plummer" <hanetzer at startmail.com>
Subject: [panda-users] pandalog to tap points + asid/threaded equivalence question.
To: panda-users at mit.edu
Message-ID: <20200406154022.rbnaet7urlcmxrcp at proprietary-killer>
Content-Type: text/plain; charset=us-ascii

Hello all.

First off, very interesting tool here. Hopefully I can get some more use out of it in the future.

I've recorded a process which generates an RSA private key at runtime, and uses that to decrypt some data to produce an AES key. Using stringsearch, tstringsearch and tainted_instr to produce a pandalog which I believe contains what I need (unigrams and find_drm.py seem to not contain the right info, as none of the reads it reports are the right read size for the RSA-decrypted data), but I'm unsure how to transform it into a usable format. A snippet of the pandalog passed through plog_reader.py looks like this (numbers translated to hex for readability; possible improvement here?):

===
[{
  "pc": "0x8284ae13",
  "asid": "0x4241b000",
  "instr": "0x20d63c0"
},
{
  "pc": "0x8284ae13",
  "taintedInstr": {
    "callStack": {
      "addr": [
        "0x82a67a36", 
        "0x82a7dfd3", 
        "0x82a74036", 
        "0x8b849df1", 
        "0x8b842779", 
        "0x8b843cf7", 
        "0x82849047", 
        "0x8b79720c", 
        "0x8b7973cb", 
        "0x82849047", 
        "0x82a1f9d5", 
        "0x82a208bc", 
        "0x8284f87a"
      ]
    }, 
    "taintQuery": [
      {
        "tcn": 0, 
        "uniqueLabelSet": {
          "ptr": "0x7f285f0d7030", 
          "label": [
            10
          ]
        }, 
        "ptr": "0x7f285f0d7030", 
        "offset": 0
      }
    ]
  },
  "instr": "0x20d63c0" # is this an instruction count or an opcode?
}
]
===

So here, I'd like to end up with a tap point similar to this:
===
taintedInstr.callStack.addr[0] pc asid asid0 <kernelmode?>
0x82a67a36 0x8284ae13 0x4241b000 0 <not sure>
===

Does not seem to record kernelmode true/false. Also, are asid types 1:1 equivalent to threaded? As prior attacks at this with stringsearch gave me threaded-style output like this:
===
10098418 100974f5 (processID=0x0000058c, threadID=0x0000059c, isKernelMode=false)  1
82843f25 8284ae13 (processID=0x00000000, threadID=0x00000000, isKernelMode=true)  2
===

and I've been using type 2/threaded tap points with textprinter, not sure how to proceed from here. Or if you guys happen to know a better way of doing this I'm all ears.

Regards,
Marty
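One way to do the transform the post asks about, as an added Python example that is not from PANDA and not from either poster: it reads the plog_reader.py-style JSON, joins the entry carrying the asid with the taintedInstr entry on their shared instruction count (the reply above notes that "instr" is a count, not an opcode; pairing entries by it is an assumption about how the log is laid out), and prints "caller pc asid" lines in hex. The line layout is taken from the desired output in the post, not from PANDA's documentation, and the sample data is constructed from the values in the message.

```python
import json

# Constructed sample in the shape of the plog_reader.py output quoted in the
# post (values copied from the message; not a real pandalog). The tainted_instr
# entry carries no "asid" of its own but shares its "instr" count with the
# entry before it, which is the join key used below.
SAMPLE_PLOG_JSON = """
[
  {"pc": "0x8284ae13", "asid": "0x4241b000", "instr": "0x20d63c0"},
  {"pc": "0x8284ae13",
   "taintedInstr": {
     "callStack": {"addr": ["0x82a67a36", "0x82a7dfd3", "0x82a74036"]},
     "taintQuery": [{"tcn": 0, "ptr": "0x7f285f0d7030", "offset": 0}]
   },
   "instr": "0x20d63c0"}
]
"""


def load_plog(text):
    """Parse the JSON list that plog_reader.py prints."""
    return json.loads(text)


def to_int(value):
    """Accept either plain integers (what plog_reader.py emits) or the hex
    strings shown in the post; handling both is an assumption for convenience."""
    if isinstance(value, int):
        return value
    return int(value, 0)


def plog_to_tap_points(entries):
    """Pair each taintedInstr entry with the asid logged for the same
    instruction count and return (caller, pc, asid) tuples in log order.
    Pairing by instruction count is an assumption about the log layout."""
    asid_by_instr = {}
    for entry in entries:
        if "asid" in entry and "instr" in entry:
            asid_by_instr[to_int(entry["instr"])] = to_int(entry["asid"])

    tap_points = []
    seen = set()
    for entry in entries:
        tainted = entry.get("taintedInstr")
        if not tainted:
            continue
        stack = tainted.get("callStack", {}).get("addr", [])
        if not stack:
            continue  # no caller recorded; nothing to build a tap point from
        asid = asid_by_instr.get(to_int(entry["instr"]))
        if asid is None:
            continue  # no asid was logged for this instruction count
        tap = (to_int(stack[0]), to_int(entry["pc"]), asid)
        if tap not in seen:  # one line per site, however many tainted bytes
            seen.add(tap)
            tap_points.append(tap)
    return tap_points


def format_tap_points(tap_points):
    """Render as 'caller pc asid' lines in hex, the layout the post asks for."""
    return ["{:#x} {:#x} {:#x}".format(*tap) for tap in tap_points]


if __name__ == "__main__":
    for line in format_tap_points(plog_to_tap_points(load_plog(SAMPLE_PLOG_JSON))):
        print(line)
```

The kernel-mode flag that the threaded-style lines carry is not present in these entries, so the asid-style line has no column for it; if a later pandalog does record it, the tuple and the format string are the two places to extend.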

