Which is the right taint tracing commands input order?

[Zhang Mike]

bh2010@bh2010:~/Desktop/bitblaze$ sudo ./temu-1.0/tracecap/temu -snapshot -monitor stdio ./vm/winxpsp3.img -usb -usbdevice tablet -m 1024 -no-kqemu -localtime -smb ~/Public/

(qemu) load_plugin  ./temu-1.0/tracecap/tracecap.so

...

(qemu) enable_emulation

...

(qemu) tracebyname notepad.exe "notepad.exe.trace"

Waiting for process notepad.exe to start

(qemu) taint_file "/test.txt" 0 185

...

then I double click on the c:\test.txt file,

(qemu) PID: 412 CR3: 0x36776000

Tracing notepad.exe

trace_stop

disable_emulation

unload_plugin

I also tried execute the notepad.exe first, then use File->Open to load the c:\test.txt file.

But the temu2010 always said that "Number of tainted instructions written to trace: 0".

I would like there's one can give me a guid to tell me which operation order can make it work. All the discussions I can find in the internet on taint trace are talking about the syntax for taint_file command which cannot answer my this question.

I will be appreciated your helps, thanks!

Best wishes,

[Mike Zhang]

Is there any one can give me a help?

Thanks!

[Mike Zhang]

Is there anyone can help me???

:(

On Wednesday, May 22, 2013 2:35:04 PM UTC+8, Mike Zhang wrote:

[Aravind Prakash]

Mike,

Before you begin, you must edit the ini/main.ini file to indicate your trace preference. Alternately, you can make a copy of ini/main.ini, edit it and load it separately using 'load_plugin'. 

Next, you may want to stick to what you already have, i.e., 'load_plugin', 'tracebyname', 'enable_emulation', 'taint_file'. 

Once you are done with execution. 

You could 'stop', 'disable_emulation', 'trace_stop' and 'unload_plugin'. 

If you have your preferences right, you should have the trace file. 

You may also want to checkout DECAF. 

http://code.google.com/p/decaf-platform/wiki/DECAF

Good luck!

-Aravind

--
 
---
You received this message because you are subscribed to the Google Groups "BitBlaze User Discussion group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitblaze-user...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
 
 

[Aravind Prakash]

Mike,

Correction: the config file can be loaded using 'load_config' and not load_plugin. 

-Aravind

[Mike Zhang]

Thanks ap, 

But I'm trying the patched temu(2010), and it seems has no load_config command anymore.

And the following is the execution and command line output info, it seems the config file is loaded automatically when call load_config, the main.ini's content seems is loaded, because the modification in it affect the command line output contents, you can see it below.

Is there anything I forgot?

I would like you have a try to the newest temu, to see if you can give me a help, thanks! 

(qemu) load_plugin  ./temu-1.0/tracecap/tracecap.so

general/trace_only_after_first_taint is enabled.

general/log_external_calls is disabled.

general/write_ops_at_insn_end is disabled.

general/save_state_at_trace_stop is disabled.

tracing/tracing_table_lookup is enabled.

tracing/tracing_tainted_only is disabled.

tracing/tracing_single_thread_only is disabled.

tracing/tracing_kernel is disabled.

tracing/tracing_kernel_tainted is disabled.

tracing/tracing_kernel_partial is disabled.

network/ignore_dns is disabled.

Enabled: 0x00 Proto: 0x00 Sport: 0 Dport: 0 Src: 0.0.0.0 Dst: 0.0.0.0

Loading plugin options from: /home/ubuntu/Downloads/bitblaze/temu-1.0/tracecap/ini/hook_plugin.ini

Loading plugins from: /home/ubuntu/Downloads/bitblaze/temu-1.0/shared/hooks/hook_plugins

Cannot determine file system type

Cannot determine file system type

Cannot determine file system type

./temu-1.0/tracecap/tracecap.so is loaded successfully!

(qemu) enable_emulation

Emulation is now enabled

(qemu) tracebyname notepad.exe "notepad.exe.trace"

PID: 1720 CR3: 0x24583000

(qemu) taint_file "/abc.txt" 0 0

Tainting disk 0 file /abc.txt

Tainted file /abc.txt

2944:1207[764] 

(qemu) trace_stop

Stop tracing process 1720

Number of instructions decoded: 3143257

Number of operands decoded: 7709353

Number of instructions written to trace: 0

Number of tainted instructions written to trace: 0

Processing time: 19.552 U: 19.392 S: 0.16

Generating file: notepad.exe.trace.functions

(qemu) unload_plugin

Emulation is now disabled

./temu-1.0/tracecap/tracecap.so is unloaded!