Tracecap configuration file notes
~/bitblaze/temu-1.0/tracecap/ini/main.ini
==================================================
; Main configuration file for tracecap
[general]
; Set to 'yes' if you want to start logging instructions to the trace file
; only after some tainted data has been received by the process
; If set to yes, data is written to the trace file only once tainted data starts being received
trace_only_after_first_taint = yes
; Set to 'yes' if you want to generate a file that contains all functions
; being called by the traced process, instead of a trace file
; Because no trace file is written, this is usually fast
; If set to yes, the external functions called by the traced process are recorded in the trace file?
log_external_calls = no
; When set to 'yes' the operands that are both read and written are split
; into two separate operands in the instruction.
; Also, the value of the operands that are written is taken after the
; instruction has executed, rather than before
; If set to yes, operations that both read and write are split into two separate operand entries?
write_ops_at_insn_end = no
; Set to 'yes' if you want a memory snapshot of the process to be taken
; when the trace is stopped
save_state_at_trace_stop = no
[tracing]
; Set to 'no' if you want to disable taint propagation on memory lookups
; with a tainted index
tracing_table_lookup = yes
; Set to 'yes' if you want to write only tainted instructions into the
; trace file
; If set to yes, only instructions related to tainted data are written to the trace file
tracing_tainted_only = no
; Set to 'yes' if you want to include kernel instructions into the
; trace file. By default only user-level instructions are included
; If set to yes, kernel instructions are also written to the trace file
tracing_kernel = no
; Set to 'yes' if you want to include kernel instructions that access
; user memory into the trace
; If set to yes, kernel instructions that operate on the traced process are also written to the trace file
tracing_kernel_partial = no
; Set to 'yes' if you want to include tainted kernel instructions
; into the trace
; If set to yes, kernel instructions related to tainted data are also written to the trace file
tracing_kernel_tainted = no
[network]
; Set to 'yes' if you want received dns packets not to be tainted
ignore_dns = no
; Filter options are used to taint only a subset of the data received
; over the network, rather than all data
; Transport protocol. Has to be 'tcp' or 'udp'
filter_transport =
; Source port. Needs filter_transport to be set
filter_sport =
; Destination port. Needs filter_transport to be set
filter_dport =
; Source address
filter_saddr =
; Destination address
filter_daddr =
[function hooks]
; file to use for hook configuration
plugin_ini = /etc/bitblaze/tracecap/hook_plugin.ini
; directory containing hook files
plugin_directory = /fill/in/path/to/temu/shared/hooks/hook_plugins
=========================================================================
TEMU operating procedure
(1) sudo su to obtain root privileges, then enter the temu directory (cd ~/bitblaze/temu-1.0)
(2) Configure the tracecap file ~/bitblaze/temu-1.0/tracecap/ini/main.ini:
trace_only_after_first_taint = yes
tracing_table_lookup = no
tracing_tainted_only = yes
(3) Start temu and load the guest OS
./tracecap/temu -monitor stdio /home/zqc/WM_OS/windows.img
(4) Load the tracecap plugin
load_plugin /home/zqc/bitblaze/temu-1.0/tracecap/tracecap.so
(5) Enable emulation
enable_emulation
(6) (Optional) taint_nic 1
(7) Set the process to trace and the path of the file that receives the trace results:
a. Trace the process by PID
- In the temu guest OS (XP), load the target program to be analysed (double-click the exe file)
· List the process information (such as PIDs) in the current XP system: guest_ps
- Trace the process (foo.exe) by PID, followed by the path and file name for the trace results:
trace PID "/home/zqc/foo.trace"
b. Trace the process by name
· (qemu) tracebyname foo.exe "/home/zqc/bitblaze/transfiles/foo2.trace"
The command responds with: waiting for process foo to start
· In the temu guest OS (XP), load the target program to be analysed (double-click the exe file); once the process starts, the terminal shows:
--------------------------------------------------------------------------
(qemu) PID: 948 CR3: 0x069c3000
Tracing foo.exe
Time of first tainted data: 1400895138.412101
--------------------------------------------------------------------------
which indicates that the trace is being recorded
(8) (Optional)
Set the address at which tracing starts:
tc_address 0x401000
or set the start and stop addresses of the trace
tc_address_start 0x00401000 (start address of main) 1
tc_address_stop 0x00401097 (end address of main) 1
(9) Send data to the process in the guest OS
taint_sendkey 5 1001 // send the input value 5 to the process in the guest OS
taint_sendkey ret 1001 // send the Enter key to the process in the guest OS
Or send the data over the network, as follows:
a. On Ubuntu, open port 12345 to redirect the input file to a buffer:
nc -l 12345 < INPUT
b. In the guest OS, run the following batch file, which reads the data from port 12345 on the Ubuntu system, redirects it into dic.txt, and then redirects the contents of dic.txt into foo.exe as input:
@echo off
nc 10.0.2.2 12345 >string.txt
call C:\test.exe <string.txt
(10) Stop tracing
trace_stop
The command output is as follows:
-------------------------------------------------
(qemu) trace_stop
Stop tracing process 948
Number of instructions decoded: 454171
Number of operands decoded: 1089976
Number of instructions written to trace: 75
Number of tainted instructions written to trace: 75
Processing time: 123.412 U: 121.936 S: 1.476
Generating file: /home/zqc/bitblaze/transfiles/foo1.trace.functions
-----------------------------------------------------------
(11) Unload the trace plugin
unload_plugin
When the trace has finished, the specified directory "/home/zqc/" contains three files: foo.trace, foo.trace.functions and foo.trace.netlog
=========================================================================