dynTaintTracer
a tain tracer based on DynamoRIO, currently ARM only (but might already work with AARCH64 too). I wrote this in Summer 2018 for a few automotive pentest/reversing projects, but what the heck, lets release this to the world as others might find it useful too.
Note the AGPL3 license.
Building dynTaintTracer
- set the environment variable
DYNAMORIO_HOME
to the build directory of DynamoRIO. - type
make
andsudo make install
You must compile on ARM (not Intel!) (and might work on AARCH64)
Running
Use the helper script dynTaintTracer.sh
.
The following options are supported:
--taint-accept taint accept() and recvfrom()
--taint-connect taint connect() sendto()
--taint-sslread taint SSL_read()
--taint-stdin taint stdin
--taint-file taint reads from this file
--workaround work around a bug in dynamorio concerning strex
--report-debug debug output
--report-unknown report unknown instructions
--report-problem report problems
--report-untaint report untainting instructions
--trace-inst report all instructions when there is taint
--trace-bb report all basic blocks when there is taint
--trace-indirect report all indirect call/jmp when there is taint
--outfile where to write the trace output to
e.g.
# dynTaintTracer.sh --taint-file /tmp/foo.txt --outfile /tmp/trace.log --report-untaint -- /target/program -f /tmp/foo.txt
And then?
You can load the results into IDA with the included IDC script dynTaintTracer.idc
.
Just run the script which opens a file select window, select the trace and it
is then applied to the loaded binary.
Caveats
Works fine, but neon instructions are not supported currently.
Future
It is easy to expand to AMD64, i686, etc. - "just" the instructions
have to be added to ops_intel.c
and for AARCH64 to ops_aarch.c
.