decaf-project / DECAF

DECAF (short for Dynamic Executable Code Analysis Framework) is a binary analysis platform based on QEMU. This is also the home of the DroidScope dynamic Android malware analysis platform. DroidScope is now an extension to DECAF.

Tracecap is not logging taint instructions, trace reader not working

T0m-Ph opened this issue

Hi!

I'm currently trying to log tainted instructions using the tracecap plugin. I followed this document to proceed: https://github.com/decaf-project/DECAF/blob/master/decaf/plugins/tracecap/USAGE

Here is the command I use to launch the VM:
./DECAF/decaf/i386-softmmu/qemu-system-i386 -monitor stdio -m 4096 -netdev user,id=mynet,hostfwd=tcp::10080-:80 -device rtl8139,netdev=mynet /opt/images/windows.img

Whether I use the "taint_nic" command (with a program that reads data from the network, here an Apache server) or the "taint_sendkey" command (with a program that reads data typed by the user on the command line), there are 0 tainted instructions written to the trace file.

Also, before performing any taint operation, I make sure to enable tainting using the command "enable_tainting"

Finally, I noticed that one command specified in the USAGE doc, enable_emulation, is not present in the list of commands associated with this plugin: https://github.com/decaf-project/DECAF/blob/master/decaf/plugins/tracecap/plugin_cmds.h.

How can I proceed to get the tainted instructions reported in the trace file?

Also, when trying to compile the trace_reader, I encounter two problems while following the instructions provided here: https://github.com/decaf-project/DECAF/blob/master/decaf/plugins/tracecap/trace_reader/INSTALL

  • First, there is no configure file.
  • Second, when compiling with the provided Makefile, I encounter the following errors:
libdasm.o: In function 'get_operand':
/opt/DECAF/decaf/plugins/tracecap/trace_reader/libdasm.c:320: undefined reference to 'MODE_CHECK_ADDR'
/opt/DECAF/decaf/plugins/tracecap/trace_reader/libdasm.c:464: undefined reference to 'FETCH8'
/opt/DECAF/decaf/plugins/tracecap/trace_reader/libdasm.c:470: undefined reference to 'FETCH16'
/opt/DECAF/decaf/plugins/tracecap/trace_reader/libdasm.c:473: undefined reference to 'FETCH32'
/opt/DECAF/decaf/plugins/tracecap/trace_reader/libdasm.c:504: undefined reference to 'MODE_CHECK_OPERAND'
/opt/DECAF/decaf/plugins/tracecap/trace_reader/libdasm.c:509: undefined reference to 'FETCH8'
/opt/DECAF/decaf/plugins/tracecap/trace_reader/libdasm.c:518: undefined reference to 'FETCH32'
/opt/DECAF/decaf/plugins/tracecap/trace_reader/libdasm.c:519: undefined reference to 'FETCH16'
/opt/DECAF/decaf/plugins/tracecap/trace_reader/libdasm.c:523: undefined reference to 'FETCH16'
/opt/DECAF/decaf/plugins/tracecap/trace_reader/libdasm.c:533: undefined reference to 'MODE_CHECK_OPERAND'
/opt/DECAF/decaf/plugins/tracecap/trace_reader/libdasm.c:537: undefined reference to 'FETCH32'
/opt/DECAF/decaf/plugins/tracecap/trace_reader/libdasm.c:537: undefined reference to 'FETCH16'
/opt/DECAF/decaf/plugins/tracecap/trace_reader/libdasm.c:538: undefined reference to 'FETCH16'
/opt/DECAF/decaf/plugins/tracecap/trace_reader/libdasm.c:550: undefined reference to 'FETCH8'
/opt/DECAF/decaf/plugins/tracecap/trace_reader/libdasm.c:555: undefined reference to 'FETCH32'
/opt/DECAF/decaf/plugins/tracecap/trace_reader/libdasm.c:555: undefined reference to 'FETCH16'
libdasm.o: In function 'get_operand_string':
/opt/DECAF/decaf/plugins/tracecap/trace_reader/libdasm.c:602: undefined reference to 'MODE_CHECK_OPERAND'
/opt/DECAF/decaf/plugins/tracecap/trace_reader/libdasm.c:676: undefined reference to 'MODE_CHECK_ADDR'
libdasm.o: In function 'get_mnemonic_string':
/opt/DECAF/decaf/plugins/tracecap/trace_reader/libdasm.c:1068: undefined reference to 'MODE_CHECK_OPERAND'
/opt/DECAF/decaf/plugins/tracecap/trace_reader/libdasm.c:1088: undefined reference to 'MODE_CHECK_OPERAND'
collect2: error: ld returned 1 exit status
Makefile:16: recipe for target 'trace_reader_cpp' failed
make: *** [trace_reader_cpp] Error 1

Hi,

Regarding your first question: I tested the tracecap plugin and it works on my machine. Here are the steps and results:

  • launch VM: ./i386-softmmu/qemu-system-i386 -m 1024 ~/images/lubuntu14.qcow -monitor stdio.
  • load_plugin ./plugin/tracecap/tracecap.so
  • enable_tainting
  • tracebyname PROCNAME "tmp.trace", replace the PROCNAME with the one to be tested.
  • start the test binary
  • taint_sendkey 1

Here are some statistics after the test:

  • Number of instructions decoded: 104703
  • Number of operands decoded: 239432
  • Number of instructions written to trace: 104680
  • Number of tainted instructions written to trace: 80

Please try the instructions above, if it's still not working, please provide the instructions you use during the process.

Zhenxiao

Hi Zhenxiao,

I tried the same commands as you did and wasn't successful. Here is what I did:

  • launch VM ./DECAF/decaf/i386-softmmu/qemu-system-i386 -monitor stdio -m 1024 /opt/images/windows.img
  • load_plugin DECAF/decaf/plugins/tracecap/tracecap.so
  • enable_tainting
  • tracebyname a.exe "tmp.trace"
  • start a.exe on the VM
  • taint_sendkey 1

After the test, I have the following:

Number of instructions decoded: 485444
Number of operands decoded: 1127172
Number of instructions written to trace: 485349
Number of tainted instructions written to trace: 0
Processing time: 7.41773 U: 6.85705 S: 0.560679

As you can see, no tainted instruction is written to the trace.

Hi,

Just to make sure, does your a.exe take user input and further propagate it? I use taint_sendkey 1 because my test binary takes a number from input and does some calculation on it.

I will test it on windows image.

Zhenxiao

Hi,

Yes the program does some operations on the user input. It is designed to be a buffer overflow. Here is the source code used:

#include <stdio.h>
#include <string.h>

/* Deliberately vulnerable: strcpy() copies the whole input into a
 * 4-byte stack buffer with no length check (this is the intended overflow). */
void func1(char *input) {
    char buffer[4];
    strcpy(buffer, input);
}

int main(void) {
    char buffer[16];
    /* Unbounded %s read from stdin: the tainted user input enters here. */
    scanf("%s", buffer);
    func1(buffer);
    return 0;
}

Thank you!

Good afternoon @enlighten5 . Do you have any update on this issue?
Thanks!

Hi,

I think it's because the pointer tainting is not enabled. I set it to be on by default so I did not reproduce your result.
To enable pointer tainting, run taint_pointers on on in the qemu console.
I tried your test program and here are some numbers before and after pointer tainting is enabled.

  • taint_pointer enabled:
    Stop tracing process 228
    Number of instructions decoded: 288525
    Number of operands decoded: 682218
    Number of instructions written to trace: 288440
    Number of tainted instructions written to trace: 68
  • taint_pointer disabled:
    Number of instructions decoded: 288525
    Number of operands decoded: 682218
    Number of instructions written to trace: 288440
    Number of tainted instructions written to trace: 0

Please try taint_pointers on on to enable pointer tainting and let me know if there is any further problem.
Zhenxiao
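Zhenxiao's numbers above (0 tainted instructions with pointer tainting off, 68 with it on, same trace otherwise) show the effect that matters for this thread: a keystroke tainted by taint_sendkey only reaches the traced process if taint is allowed to flow through address-dependent loads. The usual place such a flow happens is the guest keyboard driver's scancode-to-character translation, which is a table lookup indexed by the tainted scancode; the thread itself does not pin down where the taint is lost, so treat that location as an assumption. The following C program is an added example written for this page, not DECAF code and not the project's taint implementation: it is a toy byte-level taint model (one taint bit per byte, a constructed translation table, constructed keystrokes) that replays the path tainted scancode -> table lookup -> scanf buffer -> strcpy, once with and once without pointer tainting, and counts how many tainted bytes reach the program's buffer.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy taint model for illustration only (not DECAF's shadow memory):
 * a value is a concrete byte plus a single taint bit. */
typedef struct {
    uint8_t val;
    bool    taint;
} tbyte;

/* Constructed scancode-to-ASCII table standing in for the guest keyboard
 * driver's translation table. Contents are hypothetical; only a few keys
 * are filled in, everything else maps to 0. */
static const uint8_t kbd_table[128] = {
    [0x02] = '1', [0x03] = '2', [0x04] = '3', [0x05] = '4',
    [0x1e] = 'a', [0x30] = 'b', [0x2e] = 'c', [0x20] = 'd',
};

/* A load whose address depends on idx. With data tainting alone, the result
 * carries only the taint of the bytes read, and the table is constant data,
 * so the result is clean. With pointer tainting, the result also inherits
 * the taint of the index used to compute the address. */
static tbyte table_lookup(tbyte idx, bool pointer_tainting)
{
    tbyte out;
    out.val   = kbd_table[idx.val & 0x7f];
    out.taint = pointer_tainting && idx.taint;  /* table bytes are untainted */
    return out;
}

/* Byte-for-byte copy, the kind of data move scanf("%s") and strcpy()
 * perform: data taint simply follows each byte. */
static void copy_bytes(tbyte *dst, const tbyte *src, size_t n)
{
    for (size_t i = 0; i < n; i++)
        dst[i] = src[i];
}

/* Replay the path from taint_sendkey to the traced program:
 *   tainted scancode -> driver table lookup -> scanf buffer -> strcpy copy.
 * Returns the number of tainted bytes that end up in the copied buffer. */
static size_t tainted_bytes_after_path(const uint8_t *scancodes, size_t n,
                                       bool pointer_tainting)
{
    tbyte ascii[16], copy[16];
    if (n > 16)
        n = 16;

    for (size_t i = 0; i < n; i++) {
        tbyte sc = { scancodes[i], true };  /* taint_sendkey: the keystroke is the source */
        ascii[i] = table_lookup(sc, pointer_tainting);
    }
    copy_bytes(copy, ascii, n);             /* scanf("%s") then strcpy(): pure data moves */

    size_t tainted = 0;
    for (size_t i = 0; i < n; i++)
        tainted += copy[i].taint;
    return tainted;
}

int main(void)
{
    /* Constructed keystrokes: "1234abcd" as set-1 make codes. */
    const uint8_t keys[] = { 0x02, 0x03, 0x04, 0x05, 0x1e, 0x30, 0x2e, 0x20 };
    size_t n = sizeof keys;

    printf("pointer tainting off: %zu tainted bytes reach the program\n",
           tainted_bytes_after_path(keys, n, false));
    printf("pointer tainting on : %zu tainted bytes reach the program\n",
           tainted_bytes_after_path(keys, n, true));
    return 0;
}
```

With pointer tainting off every byte arrives clean, which is the 0 in the "taint_pointer disabled" run above; with it on, every typed character stays tainted and each instruction that touches it would be logged as tainted. In a real DECAF session the switch is Zhenxiao's taint_pointers on on, issued in the QEMU monitor before the keystrokes are sent.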

Hi @enlighten5 ,

I did enable pointer tainting, but I still couldn't get any tainted instruction written to the trace, even though there is a buffer overflow and the program crashes. However, thanks to the tainted_bytes command, I noticed that I do have some bytes that are tainted.

Regards,

Hi!

First of all, sorry for this (very) late reply.
Thanks for your help @hengyin! However, for the sake of simplicity, as well as compatibility with other tasks I pursue, I will switch to an Ubuntu VM.

Thanks again!