Tracecap configuration file notes
~/bitblaze/temu-1.0/tracecap/ini/main.ini
==================================================
; Main configuration file for tracecap
[general]
; Set to 'yes' if you want to start logging instructions to the trace file
; only after some tainted data has been received by the process
; (i.e. nothing is written until the first tainted byte reaches the process)
trace_only_after_first_taint = yes
; Set to 'yes' if you want to generate a file that contains all functions
; being called by the traced process, instead of a trace file
; Because no trace file is written, this is usually fast
; (note: 'yes' replaces the instruction trace with the function list; it does
; not add the called functions to the trace file)
log_external_calls = no
; When set to 'yes' the operands that are both read and written are split
; into two separate operands in the instruction.
; Also, the value of the operands that are written is taken after the
; instruction has executed, rather than before
; (e.g. the destination of 'add eax, ebx' is then recorded once as a read
; operand with its value before the instruction and once as a written operand
; with its value after it; with 'no' it is one operand, value taken before)
write_ops_at_insn_end = no
; Set to 'yes' if you want a memory snapshot of the process to be taken
; when the trace is stopped
save_state_at_trace_stop = no
[tracing]
; Set to 'no' if you want to disable taint propagation on memory lookups
; with a tainted index
; (with 'yes', a value loaded through a tainted index, e.g. a table lookup
; such as mov al, [ebx+ecx] with ecx tainted, becomes tainted itself)
tracing_table_lookup = yes
; Set to 'yes' if you want to write only tainted instructions into the
; trace file (instructions that do not touch tainted data are dropped)
tracing_tainted_only = no
; Set to 'yes' if you want to include kernel instructions into the
; trace file. By default only user-level instructions are included
tracing_kernel = no
; Set to 'yes' if you want to include kernel instructions that access
; user memory into the trace
tracing_kernel_partial = no
; Set to 'yes' if you want to include tainted kernel instructions
; into the trace
tracing_kernel_tainted = no
[network]
; Set to 'yes' if you want received dns packets not to be tainted
ignore_dns = no
; Filter options are used to taint only a subset of the data received
; over the network, rather than all data
; Transport protocol. Has to be 'tcp' or 'udp'
filter_transport =
; Source port. Needs filter_transport to be set
filter_sport =
; Destination port. Needs filter_transport to be set
filter_dport =
; Source address
filter_saddr =
; Destination address
filter_daddr =
[function hooks]
; file to use for hook configuration
plugin_ini = /etc/bitblaze/tracecap/hook_plugin.ini
; directory containing hook files
plugin_directory = /fill/in/path/to/temu/shared/hooks/hook_plugins
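The comments in main.ini state a few constraints (switches are yes/no, filter_transport must be tcp or udp, port filters need filter_transport) that tracecap itself does not check for you before a long emulation run. The following validator is an added example written for these notes, not BitBlaze/TEMU code; the sample INI text is constructed from the keys above with the values used in the procedure below, and the port/transport rules are only what the comments say, so whether tracecap honours a given option is still up to the plugin.

```python
import configparser
import io

# Constructed sample main.ini: the keys from the file above, with the
# settings these notes use later (trace only after first taint, tainted-only)
# and a tcp destination-port filter on the nc port used below.
SAMPLE_INI = """\
; Main configuration file for tracecap
[general]
trace_only_after_first_taint = yes
log_external_calls = no
write_ops_at_insn_end = no
save_state_at_trace_stop = no
[tracing]
tracing_table_lookup = no
tracing_tainted_only = yes
tracing_kernel = no
tracing_kernel_partial = no
tracing_kernel_tainted = no
[network]
ignore_dns = no
filter_transport = tcp
filter_sport =
filter_dport = 12345
filter_saddr =
filter_daddr =
[function hooks]
plugin_ini = /etc/bitblaze/tracecap/hook_plugin.ini
plugin_directory = /fill/in/path/to/temu/shared/hooks/hook_plugins
"""

# Every yes/no switch documented in main.ini, per section.
YES_NO = {
    "general": ("trace_only_after_first_taint", "log_external_calls",
                "write_ops_at_insn_end", "save_state_at_trace_stop"),
    "tracing": ("tracing_table_lookup", "tracing_tainted_only", "tracing_kernel",
                "tracing_kernel_partial", "tracing_kernel_tainted"),
    "network": ("ignore_dns",),
}


def load_ini(text):
    """Parse main.ini text; ';' lines are comments and values may be empty."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_file(io.StringIO(text))
    return cp


def validate(cp):
    """Return (errors, warnings). Errors break a rule stated in main.ini's own
    comments; warnings are practical caveats for the tracing run."""
    errors, warnings = [], []
    for section, keys in YES_NO.items():
        for key in keys:
            val = cp.get(section, key, fallback="").strip().lower()
            if val not in ("yes", "no"):
                errors.append(f"{section}.{key}: expected yes/no, got {val!r}")
    transport = cp.get("network", "filter_transport", fallback="").strip().lower()
    if transport and transport not in ("tcp", "udp"):
        errors.append(f"network.filter_transport: must be tcp or udp, got {transport!r}")
    for key in ("filter_sport", "filter_dport"):
        port = cp.get("network", key, fallback="").strip()
        if not port:
            continue
        if not transport:
            errors.append(f"network.{key} is set but filter_transport is empty")
        if not port.isdigit() or not 0 < int(port) < 65536:
            errors.append(f"network.{key}: {port!r} is not a valid port")
    # Caveat for the settings used in the procedure: the trace stays empty
    # until tainted input actually reaches the process.
    if (cp.get("general", "trace_only_after_first_taint", fallback="") == "yes"
            and cp.get("tracing", "tracing_tainted_only", fallback="") == "yes"):
        warnings.append("trace stays empty until tainted input (taint_nic/taint_sendkey) "
                        "reaches the process; an empty .trace means no taint arrived")
    if cp.get("general", "log_external_calls", fallback="") == "yes":
        warnings.append("log_external_calls=yes writes a function list instead of a trace file")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = validate(load_ini(SAMPLE_INI))
    for line in errs:
        print("ERROR:", line)
    for line in warns:
        print("WARNING:", line)
```

Run it against the real file by replacing SAMPLE_INI with the contents of ~/bitblaze/temu-1.0/tracecap/ini/main.ini; a non-empty error list is worth fixing before step (3), because TEMU only reports the consequences (an empty or oversized trace) after the run.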
=========================================================================
TEMU procedure
(1) sudo su to obtain root privileges, then change to the temu directory (cd ~/bitblaze/temu-1.0)
(2) Edit the tracecap configuration ~/bitblaze/temu-1.0/tracecap/ini/main.ini:
trace_only_after_first_taint = yes
tracing_table_lookup = no
tracing_tainted_only = yes
With these settings the trace holds only instructions that touch tainted data, and nothing is written until tainted input (steps 6 and 9) reaches the process.
(3) Start temu and load the guest OS image:
./tracecap/temu -monitor stdio /home/zqc/WM_OS/windows.img
(4) Load the tracecap plugin:
load_plugin /home/zqc/bitblaze/temu-1.0/tracecap/tracecap.so
(5) Enable emulation:
enable_emulation
(6) (optional) Mark data received on the guest network interface as tainted (needed if the input is sent over the network in step 9):
taint_nic 1
(7) Select the process to trace and the file the trace is written to:
a. By PID
- Start the target program inside the guest OS (Windows XP; double-click the exe)
- List the processes running in the guest, with their PIDs: guest_ps
- Trace the process (foo.exe) by PID, followed by the path of the trace file:
trace <PID> "/home/zqc/foo.trace"
b. By process name
- (qemu) tracebyname foo.exe "/home/zqc/bitblaze/transfiles/foo2.trace"
  The monitor answers: waiting for process foo to start
- Now start the target program inside the guest OS (double-click the exe); once the process starts, the monitor prints:
--------------------------------------------------------------------------
(qemu) PID: 948 CR3: 0x069c3000
Tracing foo.exe
Time of first tainted data: 1400895138.412101
--------------------------------------------------------------------------
which means the trace is being recorded.
(8) (optional)
Set the address at which tracing starts:
tc_address 0x401000
or set both a start and a stop address:
tc_address_start 0x00401000 1    (start address of main)
tc_address_stop 0x00401097 1     (end address of main)
(9) Send input to the process in the guest OS
taint_sendkey 5 1001    // send the tainted key '5' to the process in the guest
taint_sendkey ret 1001  // send the Enter key to the process in the guest
or send the data over the network, as follows:
a. On the Ubuntu host, listen on port 12345 and serve the input file:
nc -l 12345 < INPUT
b. In the guest OS run the following batch file: it reads the data from port 12345 of the host (10.0.2.2 is the host as seen from the guest) into string.txt, then feeds string.txt to the target program on standard input:
@echo off
nc 10.0.2.2 12345 > string.txt
call C:\test.exe < string.txt
(10) Stop the trace
trace_stop
The monitor prints:
-------------------------------------------------
(qemu) trace_stop
Stop tracing process 948
Number of instructions decoded: 454171
Number of operands decoded: 1089976
Number of instructions written to trace: 75
Number of tainted instructions written to trace: 75
Processing time: 123.412 U: 121.936 S: 1.476
Generating file: /home/zqc/bitblaze/transfiles/foo1.trace.functions
-----------------------------------------------------------
Only 75 of the 454171 decoded instructions were written because tracing_tainted_only = yes (step 2). If "Number of tainted instructions written to trace" is 0, the tainted input never reached the process: check taint_nic (step 6) and the [network] filter settings.
(11) Unload the tracecap plugin
unload_plugin
When the trace is finished, the directory given in step 7 (here /home/zqc/) contains three files: foo.trace, foo.trace.functions and foo.trace.netlog
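When this procedure is repeated for many inputs, the monitor transcript is the only record of whether taint actually reached the process and how much of the trace is usable. The parser below is an added example for these notes, not BitBlaze/TEMU code; it matches the message shapes shown in steps 7b and 10, and the transcript it runs on is constructed from those lines (the "(qemu) " prompt prefixes are assumed to appear as in the notes).

```python
import re

# Constructed monitor transcript, assembled from the lines shown in the
# procedure above (step 7b and step 10).
SAMPLE_MONITOR_LOG = """\
(qemu) tracebyname foo.exe "/home/zqc/bitblaze/transfiles/foo2.trace"
waiting for process foo to start
(qemu) PID: 948 CR3: 0x069c3000
Tracing foo.exe
Time of first tainted data: 1400895138.412101
(qemu) trace_stop
Stop tracing process 948
Number of instructions decoded: 454171
Number of operands decoded: 1089976
Number of instructions written to trace: 75
Number of tainted instructions written to trace: 75
Processing time: 123.412 U: 121.936 S: 1.476
Generating file: /home/zqc/bitblaze/transfiles/foo2.trace.functions
"""

RE_PID = re.compile(r"PID:\s*(\d+)\s+CR3:\s*(0x[0-9a-fA-F]+)")
RE_FIRST_TAINT = re.compile(r"Time of first tainted data:\s*([\d.]+)")
RE_COUNTER = re.compile(r"Number of (.+?):\s*(\d+)")
RE_TIME = re.compile(r"Processing time:\s*([\d.]+)\s+U:\s*([\d.]+)\s+S:\s*([\d.]+)")
RE_FILE = re.compile(r"Generating file:\s*(\S+)")


def parse_monitor_log(text):
    """Turn the monitor transcript into a dict; counters are keyed by the
    label tracecap prints, e.g. 'tainted instructions written to trace'."""
    info = {"counters": {}}
    for line in text.splitlines():
        if m := RE_PID.search(line):
            info["pid"], info["cr3"] = int(m.group(1)), int(m.group(2), 16)
        elif m := RE_FIRST_TAINT.search(line):
            info["first_taint"] = float(m.group(1))
        elif m := RE_COUNTER.search(line):
            info["counters"][m.group(1)] = int(m.group(2))
        elif m := RE_TIME.search(line):
            info["wall_s"], info["user_s"], info["sys_s"] = map(float, m.groups())
        elif m := RE_FILE.search(line):
            info["functions_file"] = m.group(1)
    return info


def tainted_fraction(info):
    """Share of written instructions that were tainted (1.0 for a
    tracing_tainted_only = yes run, 0.0 if nothing was written)."""
    c = info["counters"]
    written = c.get("instructions written to trace", 0)
    return c.get("tainted instructions written to trace", 0) / written if written else 0.0


def check_run(info):
    """Problems that make the resulting .trace useless for taint analysis."""
    problems = []
    if "pid" not in info:
        problems.append("process never started: no 'PID: ... CR3: ...' line")
    if "first_taint" not in info:
        problems.append("no tainted data reached the process: with "
                        "trace_only_after_first_taint=yes the trace is empty "
                        "(check taint_nic / taint_sendkey and the [network] filter)")
    if info["counters"].get("instructions written to trace", 0) == 0:
        problems.append("zero instructions written to the trace")
    return problems


if __name__ == "__main__":
    run = parse_monitor_log(SAMPLE_MONITOR_LOG)
    print(f"pid={run['pid']} cr3={run['cr3']:#x} tainted_fraction={tainted_fraction(run):.2f}")
    for p in check_run(run):
        print("PROBLEM:", p)
```

Feed it the saved stdout of the TEMU monitor (the -monitor stdio output from step 3); a run that produces the three files but reports a problem here should be discarded rather than analysed.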
=========================================================================