Can't get trace file using taint_file


guangcheng liang

May 16, 2012, 4:42:29 AM
to bitblaz...@googlegroups.com
Hi,
I am using tracecap in TEMU and have encountered a problem. I have successfully gotten a trace file from a simple exe program using the taint_sendkey instructions. But when I try to generate the trace file from 'wps.exe', which is much smaller than the Microsoft Office program that handles doc files, I can't get the trace file. My guest OS is XP SP2; I have created a file called "love.doc" in the root directory of the C disk in the guest OS.
The instructions I used are as follows:
(qemu) load_plugin tracecap/tracecap.so 
Could not find INI file: /etc/bitblaze/tracecap/main.ini
Use the command 'load_config <filename> to provide it.
Cannot determine file system type
Cannot determine file system type
Cannot determine file system type
tracecap/tracecap.so is loaded successfully!
(qemu) load_config tracecap/main.ini
general/trace_only_after_first_taint is enabled.
general/log_external_calls is disabled.
general/write_ops_at_insn_end is disabled.
general/save_state_at_trace_stop is disabled.
tracing/tracing_table_lookup is enabled.
tracing/tracing_tainted_only is disabled.
tracing/tracing_kernel is disabled.
tracing/tracing_kernel_tainted is disabled.
tracing/tracing_kernel_partial is disabled.
network/ignore_dns is disabled.
Enabled: 0x00 Proto: 0x00 Sport: 0 Dport: 0 Src: 0.0.0.0 Dst: 0.0.0.0
Loading plugin options from: /etc/bitblaze/tracecap/hook_plugin.ini
Loading plugins from: /fill/in/path/to/temu/shared/hooks/hook_plugins
(qemu) guest_ps 
0 cr3=0x00000000 <kernel>
196 cr3=0x021f9000 wuauclt.exe
312 cr3=0x05344000 smss.exe
372 cr3=0x03309000 ctfmon.exe
416 cr3=0x05dee000 csrss.exe
476 cr3=0x05ff3000 winlogon.exe
532 cr3=0x061f7000 services.exe
544 cr3=0x062c1000 lsass.exe
728 cr3=0x06691000 svchost.exe
816 cr3=0x06a7f000 svchost.exe
888 cr3=0x06eca000 svchost.exe
992 cr3=0x070e3000 svchost.exe
1044 cr3=0x07929000 svchost.exe
1128 cr3=0x079ee000 spoolsv.exe
1704 cr3=0x01578000 wps.exe
1840 cr3=0x01bd7000 rundll32.exe
1844 cr3=0x006c5000 explorer.exe
1896 cr3=0x006c3000 wscntfy.exe
(qemu) trace 1704 "wps.trace"
PID: 1704 CR3: 0x01578000
(qemu) enable_emulation 
Emulation is now enabled
(qemu) taint_file "love.doc" 0 1001
Tainting disk 0 file love.doc
Tainted file love.doc
138e7:4096[1001] 133ff:4096[1001] 13400:1024[1001] 
(qemu) 

I didn't install kqemu, so the guest OS is quite slow. But after about an hour, it didn't show any message; it still shows the above information.

I don't know what I should do next. Thanks for your help, I really need your help!

--
Good luck,
Guangcheng Liang
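An added sanity check for the taint_file output quoted above (my own script, not part of TEMU or the thread): it parses the `addr:size[origin]` tokens, sums the tainted bytes and compares them with the size of the guest file. The token layout (hex block address, byte count, taint origin in brackets) is my reading of that output line, and the 9216-byte file size used in the demo run is a constructed value; substitute the real size of love.doc as shown by the guest.

```python
import re
from typing import List, Tuple

# The taint_file output line quoted in the post above, used as sample input.
TAINT_FILE_OUTPUT = "138e7:4096[1001] 133ff:4096[1001] 13400:1024[1001] "

# Assumed token layout: <hex block address>:<size in bytes>[<taint origin>]
_TOKEN = re.compile(r"([0-9a-fA-F]+):(\d+)\[(\d+)\]")


def parse_taint_blocks(output: str) -> List[Tuple[int, int, int]]:
    """Return (address, size, origin) triples found in a taint_file output line."""
    return [(int(addr, 16), int(size), int(origin))
            for addr, size, origin in _TOKEN.findall(output)]


def check_taint_coverage(output: str, file_size: int, expected_origin: int) -> dict:
    """Check that the tainted byte total covers the file and that every block
    carries the origin passed to taint_file (1001 in the post)."""
    blocks = parse_taint_blocks(output)
    total = sum(size for _, size, _ in blocks)
    origins = {origin for _, _, origin in blocks}
    return {
        "blocks": len(blocks),
        "tainted_bytes": total,
        "covers_file": total >= file_size,      # False means part of the file was not tainted
        "origin_ok": origins == {expected_origin},
    }


if __name__ == "__main__":
    # Constructed file size; replace with the size reported for love.doc in the guest.
    report = check_taint_coverage(TAINT_FILE_OUTPUT, file_size=9216, expected_origin=1001)
    for key, value in report.items():
        print(f"{key}: {value}")
```

A non-empty block list only confirms that disk blocks were marked; with general/trace_only_after_first_taint enabled, as in the config above, the trace stays empty until the traced process actually reads those blocks, which is the counter trace_stop reports.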

Aravind Prakash

May 16, 2012, 8:58:00 AM
to bitblaz...@googlegroups.com
Once you taint a source and enable emulation, the trace is gathered and taint propagates. To stop it, you need to use the commands disable_emulation followed by trace_stop.


Aravind

guangcheng liang

May 16, 2012, 9:13:20 AM
to bitblaz...@googlegroups.com
Hi Aravind,
Thanks very much for your attention. But I don't know how to check if taint propagates. When the situation I described in the last letter appears, after 2 hours I used the trace_stop instruction, but it showed "Number of instructions written to trace: 0    Number of tainted instructions written to trace: 0".

Thanks for any suggestions.


Sanjay Rawat

May 24, 2012, 8:35:56 AM
to bitblaz...@googlegroups.com
Hi,
I had a similar (or identical, if I could say) problem in using the taint_file option. Aravind gave some hints, but still I could not get any taint information. So, if you are able to get it done by any means, please do post in this group.

thanks
-Sanjay
--
Regards
-Sanjay
** Security Feature != Secure Feature **
                                                     --MH

Alex Bazhanyuk

May 24, 2012, 1:56:01 PM
to bitblaz...@googlegroups.com

In all my tests I use taint_nic and a simple script inside TEMU.

First of all:

nc -l 12345 < input (in one console); "input" is the input data. This command transmits the input data.

Script inside TEMU should be like this:

#!/bin/sh
nc 10.0.0.1 12345 > input
./test_program input

QEMU console:

(qemu) load_plugin /home/ubuntu/bitblaze/temu/trunk/tracecap/tracecap.so
(qemu) enable_emulation
(qemu) taint_nic 1
(qemu) tracebyname test_program "/tmp/test_program.trace"

Now I run that script to get the input (from 10.0.0.1 12345) and start test_program.

(qemu) trace_stop
--
Thanks,
Alex


Sanjay Rawat

May 27, 2012, 7:34:19 AM
to bitblaz...@googlegroups.com
Hi Alex,
Thanks for a clear explanation. In view of your answer, I have two questions:
1. Are you suggesting that when you want to taint input from a file, you always do it via "taint_nic" option because you have also observed that "taint_file" option does not work?

2. Your example is very specific to a Linux environment, because you said that you need to run nc within the same machine where TEMU is running, and TEMU runs on Linux. If so, how will I do taint analysis for a Windows application?

thanks
-Sanjay

Juan Caballero

May 28, 2012, 3:59:52 AM
to bitblaz...@googlegroups.com

Alex Bazhanyuk

May 28, 2012, 11:09:21 PM
to bitblaz...@googlegroups.com