Can't get the trace file of notepad.exe using taint_file


guangcheng liang

May 25, 2012, 3:49:24 AM5/25/12
to bitblaz...@googlegroups.com
Hi,
When I use the "taint_file" command I have encountered many problems. A few days ago I realized I needed to create two disks in my guest OS, and I have done this. Now a new problem has come up: I still cannot get the "first tainted data" message. The commands I used are as follows:

(qemu) load_plugin tracecap/tracecap.so 
Could not find INI file: /etc/bitblaze/tracecap/main.ini
Use the command 'load_config <filename> to provide it.
Cannot determine file system type
Cannot determine file system type
Cannot determine file system type
tracecap/tracecap.so is loaded successfully!
(qemu) load_config tracecap/main.ini 
general/trace_only_after_first_taint is enabled.
general/log_external_calls is disabled.
general/write_ops_at_insn_end is disabled.
general/save_state_at_trace_stop is disabled.
tracing/tracing_table_lookup is enabled.
tracing/tracing_tainted_only is disabled.
tracing/tracing_kernel is disabled.
tracing/tracing_kernel_tainted is disabled.
tracing/tracing_kernel_partial is disabled.
network/ignore_dns is disabled.
Enabled: 0x00 Proto: 0x00 Sport: 0 Dport: 0 Src: 0.0.0.0 Dst: 0.0.0.0
Loading plugin options from: /etc/bitblaze/tracecap/hook_plugin.ini
Loading plugins from: /fill/in/path/to/temu/shared/hooks/hook_plugins
(qemu) enable_emulation 
Emulation is now enabled
(qemu) taint_file "0914.txt" 1 6543
Tainting disk 1 file 0914.txt
Tainted file 0914.txt
5525a:4[6543] 
(qemu) tracebyname "notepad.exe" /tmp/note_1.trace
Waiting for process notepad.exe to start
(qemu) PID: 936 CR3: 0x06837000
Tracing notepad.exe

(qemu) disable_emulation 
Emulation is now disabled
(qemu) trace_stop 
Stop tracing process 936
Number of instructions decoded: 27027596
Number of operands decoded: 68342879
Number of instructions written to trace: 0
Number of tainted instructions written to trace: 0
Processing time: 2348.71 U: 2308.67 S: 40.0385
Generating file: /tmp/note_1.trace.functions

Thanks very much for your attention. I really need your help, thanks!

--
Good luck,
Guangcheng Liang

赵磊

May 25, 2012, 4:08:51 AM5/25/12
to bitblaz...@googlegroups.com
To me, no error is observed. Try again.

BTW, you could first start the notepad program, and then use the open command to open the tainted file.

DucBH

Jun 6, 2012, 1:26:17 AM6/6/12
to bitblaz...@googlegroups.com
Hi,
I encountered the same problem, but I only know a workaround. In the case of a Linux guest OS, I found a fix for a bug in tracecap that prevents it from recording tainted instructions when a program reads a 1-byte file. However, I cannot fix the problem when the guest OS is Windows.

Using Windows as the guest OS, I had to use a target file that is bigger than 737 bytes in order to record tainted instructions. I do not know the reason why 737 bytes is the smallest file size for which tracecap can record tainted instructions.

By the way, I conducted research on applying concolic testing to generate test cases for real-world binary programs, Acrobat Reader and Notepad, using BitBlaze. In the research, I addressed some limitations of BitBlaze that I encountered. You can download my paper "A Case Study of the Application of Dynamic Symbolic Execution to Real-World Binary Programs" from http://pswlab.kaist.ac.kr/publications/2012/kcse2012_Duc.pdf

Hope this helps.
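
The checks in this thread (an empty trace while general/trace_only_after_first_taint is enabled, the unedited /fill/in/path hook-plugin directory in the first post's transcript, and Duc's 737-byte observation on Windows guests) can be applied mechanically to a saved copy of the monitor output. The script below is an added example for this page, not code from BitBlaze, TEMU or any poster. It assumes the monitor prints lines in the shape shown in the first post; the sample transcript is constructed from that post, and the 738-byte minimum is Duc's empirical measurement for Windows guests, not a documented tracecap limit.

```python
"""Diagnose an empty TEMU/tracecap trace from a saved monitor transcript.

Added example (not BitBlaze/TEMU code). It parses the text the (qemu)
monitor printed and applies the checks a practitioner would make by eye:
  * trace_only_after_first_taint enabled plus zero tainted instructions
    written means the tainted bytes never reached the traced process, so
    the trace stays empty by design, not because of a write error;
  * a hook_plugin.ini still pointing at the /fill/in/path template;
  * a tainted file smaller than Duc reported working on Windows guests
    (738 bytes or more; his measurement, not a documented limit).
"""
import re

# Constructed sample, abridged from the transcript in the first post.
SAMPLE_TRANSCRIPT = """\
(qemu) load_plugin tracecap/tracecap.so
Could not find INI file: /etc/bitblaze/tracecap/main.ini
tracecap/tracecap.so is loaded successfully!
(qemu) load_config tracecap/main.ini
general/trace_only_after_first_taint is enabled.
tracing/tracing_tainted_only is disabled.
tracing/tracing_kernel is disabled.
Loading plugins from: /fill/in/path/to/temu/shared/hooks/hook_plugins
(qemu) enable_emulation
Emulation is now enabled
(qemu) taint_file "0914.txt" 1 6543
Tainting disk 1 file 0914.txt
Tainted file 0914.txt
(qemu) tracebyname "notepad.exe" /tmp/note_1.trace
Waiting for process notepad.exe to start
(qemu) PID: 936 CR3: 0x06837000
Tracing notepad.exe
(qemu) trace_stop
Stop tracing process 936
Number of instructions decoded: 27027596
Number of instructions written to trace: 0
Number of tainted instructions written to trace: 0
"""

WINDOWS_MIN_FILE_SIZE = 738  # smallest size Duc reported working (assumption)

_OPT = re.compile(r"^(\S+/\S+) is (enabled|disabled)\.$")
_STAT = re.compile(r"^Number of (.+?): (\d+)$")
_PID = re.compile(r"^(?:\(qemu\) )?PID: (\d+) CR3: (0x[0-9a-fA-F]+)$")
_TAINTED = re.compile(r"^Tainted file (.+)$")
_PLUGINS = re.compile(r"^Loading plugins from: (.+)$")


def parse_transcript(text):
    """Extract config flags, trace_stop counters, tainted files, PID, plugin dir."""
    run = {"options": {}, "stats": {}, "tainted_files": [],
           "pid": None, "plugin_dir": None}
    for raw in text.splitlines():
        line = raw.strip()
        if m := _OPT.match(line):
            run["options"][m.group(1)] = (m.group(2) == "enabled")
        elif m := _STAT.match(line):
            run["stats"][m.group(1)] = int(m.group(2))
        elif m := _PID.match(line):
            run["pid"] = int(m.group(1))
        elif m := _TAINTED.match(line):
            run["tainted_files"].append(m.group(1))
        elif m := _PLUGINS.match(line):
            run["plugin_dir"] = m.group(1)
    return run


def diagnose(run, tainted_file_size=None, windows_guest=True):
    """Return (code, message) findings; an empty list means nothing obvious."""
    findings = []
    stats = run["stats"]
    written = stats.get("instructions written to trace")
    tainted = stats.get("tainted instructions written to trace")
    gate = run["options"].get("general/trace_only_after_first_taint", False)
    if gate and written == 0 and tainted == 0:
        findings.append(("no-taint-seen",
                         "trace_only_after_first_taint is on and no tainted "
                         "instruction was observed: the tainted file was never "
                         "read by the traced process, so the trace is empty"))
    if run["tainted_files"] and run["pid"] is None:
        findings.append(("no-process",
                         "tracebyname never reported a PID; the process was "
                         "not started while tracing was armed"))
    if run["plugin_dir"] and "/fill/in/path" in run["plugin_dir"]:
        findings.append(("template-path",
                         "hook_plugin.ini still uses the /fill/in/path "
                         "placeholder, so no hook plugins are loaded"))
    if (windows_guest and tainted_file_size is not None
            and tainted_file_size < WINDOWS_MIN_FILE_SIZE):
        findings.append(("small-file",
                         f"tainted file is {tainted_file_size} bytes; on Windows "
                         f"guests files under {WINDOWS_MIN_FILE_SIZE} bytes "
                         "were reported not to produce tainted instructions"))
    return findings


if __name__ == "__main__":
    for code, msg in diagnose(parse_transcript(SAMPLE_TRANSCRIPT), 500):
        print(f"[{code}] {msg}")
```

Run it against a transcript saved from the monitor and pass the size of the tainted file as measured inside the guest (the script deliberately does not interpret the third argument of taint_file, since the thread does not state what it is). A clean run with counters above zero returns no findings.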

Sanjay Rawat

Jun 6, 2012, 5:52:49 AM6/6/12
to bitblaz...@googlegroups.com
Hi Duc,
Thanks for sharing the info regarding your paper. I read it and found it useful. From the experimental results mentioned in the paper, it appears that with BitBlaze we really need to be patient and should have powerful systems on which BitBlaze runs. However, I still fail to understand the goal of the experiments. You did not mention how many paths you could execute w.r.t. coverage. I mean, when we want to generate test cases, we want to have a goal in terms of % coverage, or reaching a particular point in the program, etc.

regards
--
Regards
-Sanjay
** Security Feature != Secure Feature **
                                                     --MH

Bui Hoang Duc 부이황득

Jun 6, 2012, 7:25:22 AM6/6/12
to bitblaz...@googlegroups.com
Hi,
The first goal of the experiments in this paper is actually to evaluate whether I can generate test cases for real-world binary programs using dynamic symbolic execution (DSE), so-called concolic testing. With this goal, we successfully applied the DSE technique to generate test cases. You can see that I describe how to generate new test cases by negating the path conditions of a run of the target program.

Basically, the paper provides preliminary results, I did not calculate coverage metrics such as instruction coverage and path coverage. Also, I did not rerun the program with the generated inputs to see if the program crashes or not.
I hope that people will find the paper useful and make advances on this existing work.

Best regards,
Duc