; Main configuration file for tracecap
; Format: one 'key = value' per line, ';' full-line comments only.
; All switches below take 'yes' or 'no' unless noted otherwise.
; NOTE(review): the keys above [function hooks] have no enclosing section
;  (global keys); strict INI parsers reject these, so this file presumably
;  relies on tracecap's own reader -- confirm before feeding it to other tools.


; Set to 'yes' if you want to start logging instructions to the trace file

;  only after some tainted data has been received by the process


trace_only_after_first_taint= yes

; Set to 'yes' if you want to generate a file that contains all functions

;  being called by the traced process, instead of a trace file

;  Because no trace file is written, this is usually fast


log_external_calls =no

; When set to 'yes' the operands that are both read and written are split

;  into two separate operands in the instruction.

;  Also, the value of the operands that are written is taken after the

;  instruction has executed, rather than before

;   (Note, translated: if set to yes, are read-and-write operands split into two separate operand entries?)

write_ops_at_insn_end= no

; Set to 'yes' if you want a memory snapshot of the process to be taken

;  when the trace is stopped

save_state_at_trace_stop= no


; Set to 'no' if you want to disable taint propagation on memory lookups

;  with a tainted index


tracing_table_lookup= yes

; Set to 'yes' if you want to write only tainted instructions into the

;  trace file

; (Translated: if set to yes, only instructions that touch tainted data are recorded in the trace file)

tracing_tainted_only= no

; Set to 'yes' if you want to include kernel instructions into the

;  trace file. By default only user-level instructions are included


tracing_kernel = no

; Set to 'yes' if you want to include kernel instructions that access

;  user memory into the trace


tracing_kernel_partial= no

; Set to 'yes' if you want to include tainted kernel instructions

;  into the trace


tracing_kernel_tainted= no


; Set to 'yes' if you want received dns packets not to be tainted

ignore_dns = no

; Filter options are used to taint only a subset of the data received

;  over the network, rather than all data

;  An empty value means the filter is not applied.

; Transport protocol. Has to be 'tcp' or 'udp'

filter_transport =

; Source port. Needs filter_transport to be set

filter_sport =

; Destination port. Needs filter_transport to be set

filter_dport =

; Source address

filter_saddr =

; Destination address

filter_daddr =

[function hooks]

; file to use for hook configuration

plugin_ini =/etc/bitblaze/tracecap/hook_plugin.ini

; directory containing hook files
; Placeholder path -- replace with the real hook_plugins directory before use.
; NOTE(review): hook plugins from this directory are presumably loaded as code
;  into the emulator; keep this directory and plugin_ini writable only by
;  trusted users -- confirm against the plugin loader.

plugin_directory =/fill/in/path/to/temu/shared/hooks/hook_plugins



(1) sudo su 获取root权限,进入temu目录(cd ~/bitblaze/temu-1.0)


(1)启动temu,装载guest os

      ./tracecap/temu -monitor stdio /home/zqc/WM_OS/windows.img


       load_plugin /home/zqc/bitblaze/temu-1.0/tracecap/tracecap.so



(6)(可选)taint_nic 1  



  • 在temu的Guest OS(xp)中加载需要分析的目标程序(双击exe文件)

·        列出当前xp系统下的进程信息(如PID): guest_ps

  • 以PID的形式trace进程(foo.exe),后面跟trace结果存放路径和文件:

                       trace PID "/home/zqc/foo.trace"


·        (qemu)tracebyname foo.exe "/home/zqc/bitblaze/transfiles/foo2.trace" 

执行结果提示:waiting for process foo to start

·        在temu的Guest OS(xp)中加载需要分析的目标程序(双击exe文件),启动进程后终端显示:


              (qemu)PID: 948 CR3: 0x069c3000


              Time of first tainted data: 1400895138.412101






           tc_address 0x401000


   tc_address_start 0x00401000(main的起始地址) 1

   tc_address_stop 0x00401097(main的结束地址) 1

(9)给Guest OS中的进程传送数据

    taint_sendkey 5 1001      //给guest os中的进程发送出入变量5

   taint_sendkey ret 1001    //给guest os中的进程发送回车键



               nc -l 12345 < INPUT

       b.在guest os 中执行如下批处理,用于读取ubuntu系统下12345端口下的数据并重定向到dic.txt文件中,然后把dic.txt文件中的数据重定向输入到foo.exe中:


               nc 12345 >string.txt

               call  C:\test.exe <string.txt





(qemu) trace_stop

Stop tracing process 948

Number of instructions decoded: 454171

Number of operands decoded: 1089976

Number of instructions written to trace: 75

Number of tainted instructions written to trace: 75

Processing time: 123.412 U: 121.936 S: 1.476

Generating file: /home/zqc/bitblaze/transfiles/foo1.trace.functions




trace结束,在指定目录"/home/zqc/"下会有foo.trace、foo.trace.functions和foo.trace.netlog三个文件


