Gregory's Server@q3k I wonder if it would detect Intel PT tracing. Could make a lighthouse trace from that and throw it in your favorite RE tool. Wonder if stock QEMU user-mode (I know there are lots of older forks with trace functionality) with its new plugin feature can do execution traces. Maybe Qiling could do it but I dunno if its loader emulation would handle ifuncs.
|
4 comments
@q3k Ahha! Here it is. Looks like it supports qemu-user too. :3 https://github.com/qemu/qemu/blob/master/contrib/plugins/execlog.c @q3k Eh I got execlog qemu plugin working but to get qemu-user to work with sshd forking I’d need to use binfmt and do everything in an arm64 vm. And the logging is just to stderr not a nice binary trace file and I don’t feel like improving it. It does log instruction, memory access, and register changes tho. And I’m not sure if binfmt qemu-user needs static qemu which doesn’t support plugins so that would be more h4x. @jevinskie @q3k Fairly sure it's not. I actually did a fair bit of my analysis with PT and it does still redirect RSA_public_decrypt etc with it present. I think the detection of debugging tools is fairly simplistic. It didn't even seem to detect gdb reliably. |
@q3k Or Pin with SideChannelMarvels Tracer - instruction and memory access logging.
https://github.com/SideChannelMarvels/Tracer/tree/master/TracerPIN