
Various issues running malware samples #14

Open
srcr opened this issue Aug 29, 2019 · 3 comments

Comments

@srcr

srcr commented Aug 29, 2019

I have installed binee on my FreeBSD box and, as far as I can tell, it's running fine: I get all the same results from the test files as the demo, but as soon as I start running malware samples, most of the time the process halts somewhere down the road.

binee  33/ba/33ba8cd251512f90b7249930aee22d3f47255420a8d41e1326169e0f948cc7d0 
[1] 0x289d78c0: F SetErrorMode(uMode = 0x8001) = 0x0
[1] 0x289da410: F GetVersion() = 0x40000
[1] 0x289d91c0: F GetModuleHandleA(lpModuleName = 'KERNEL32') = 0x0
[1] 0x289d96e0: F GetSystemDirectoryA(lpBuffer = 0xb7fefd34, uSize = 0x104) = 0x13
[1] 0x26c40df0: P wsprintfA(lpstr = 0xb7fefd47, lpcstr = '%s%s.dll') = 0xb7fefd47
[1] 0x26c40e10: P wvsprintfA(lpstr = 0xb7fefd47, lpcstr = '%s%s.dll', arglist = 0xb7fefd2c) = 0xb7fefd2c
[1] 0x289d97a0: F LoadLibraryExA(lpFileName = 'c:\windows\system32\KERNEL32.dll', hFile = 0x0, dwFlags = 0x8) = 0x289b1000
[1] 0x289d6060: F GetProcAddress(hModule = 0x289b1000, lpProcName = 'SetDefaultDllDirectories') = 0x28a343ff
[1] 0x28a343ff:  **SetDefaultDllDirectories**() = 0x28a343ff
interupt 5
interupt 5
interupt 5
interupt 5

This one just keeps throwing interrupt 5.

binee  da/23/da232fa1e63e6f2efb1d9550dad8984798a7d22cbf12150778c45c35f2fa0105
[1] 0x213b7330: P _CorExeMain() = 0xb0010000
[1] 0x21590020: F GetEnvironmentVariableW(lpName = 'COMPlus_Version', lpBuffer = 0x0, nSize = 0x0) = 0x0
[1] 0x21590020: F GetEnvironmentVariableW(lpName = 'COMPlus_InstallRoot', lpBuffer = 0x0, nSize = 0x0) = 0x0
[1] 0x2158ce40: P GetLastError() = 0xb7fefd8c
[1] 0x201039b0: P GetLastError() = 0xb7fefd8c
[1] 0x2158ce40: P GetLastError() = 0xcb
[1] 0x201039b0: P GetLastError() = 0xcb
[1] 0x2158ce40: P GetLastError() = 0xb7fefd8c
[1] 0x201039b0: P GetLastError() = 0xb7fefd8c
[1] 0x2158ce40: P GetLastError() = 0xcb
[1] 0x201039b0: P GetLastError() = 0xcb
[1] 0x215e56e0: F AcquireSRWLockExclusive(SRWLock = 0x213eca34) = 0x213ef004
[1] 0x21590590: F VirtualQuery(lpAddress = 0x213ef000, lpBuffer = 0xb7fefc60, dwLength = 0x1c) = 0x1
[1] 0x2158f160: F VirtualProtect(lpAddress = 0x213ef000, dwSize = 0x74, flNewProtect = 0x4, lpflOldProtect = 0x213edba8) = 0x1
[1] 0x215ecadb: F ReleaseSRWLockExclusive(SRWLock = 0x213eca34) = 0x1
[1] 0x215927a0: F LoadLibraryExA(lpFileName = 'ADVAPI32.dll', hFile = 0x0, dwFlags = 0x0) = 0x21835000
[1] 0x2158f060: F GetProcAddress(hModule = 0x21835000, lpProcName = 'RegOpenKeyExW') = 0x21852ea0
[1] 0x215e56e0: F AcquireSRWLockExclusive(SRWLock = 0x213eca34) = 0x213ef004
[1] 0x2158f160: F VirtualProtect(lpAddress = 0x213ef000, dwSize = 0x74, flNewProtect = 0x0, lpflOldProtect = 0xb7fefca4) = 0x1
[1] 0x215ecadb: F ReleaseSRWLockExclusive(SRWLock = 0x213eca34) = 0x1
[1] 0x21852ea0: F RegOpenKeyExW(hKey = 'HKEY_LOCAL_MACHINE', lpSubKey = 'Software\Microsoft\.NETFramework\Policy\', ulOptions = 0x0, samDesired = 0x20019, phkResult = 0xb7fefd68) = 0x1
[1] 0x21590020: F GetEnvironmentVariableW(lpName = 'COMPlus_DefaultVersion', lpBuffer = 0x0, nSize = 0x0) = 0x0
[1] 0x21590e30: F GetModuleFileNameW(hModule = 0x0, lpFilename = 0xb7fef93c, nSize = 0x104) = 0x52
[1] 0x21596810: F GetFileAttributesW(lpFileName = 'C:\Users\tbrady\da232fa1e63e6f2efb1d9550dad8984798a7d22cbf12150778c45c35f2fa0105.local') = 0x80
[1] 0x21590e30: F GetModuleFileNameW(hModule = 0x0, lpFilename = 0xb7fef288, nSize = 0x104) = 0x52
[1] 0x215968a0: F GetFullPathNameW(lpFileName = 'C:\Users\tbrady\da232fa1e63e6f2efb1d9550dad8984798a7d22cbf12150778c45c35f2fa0105', nBufferLength = 0x104, lpBuffer = 0xb7fef490, lpFilePart = 0xb7fef284) = 0x80
[1] 0x2158ce40: P GetLastError() = 0xb7fef24c
[1] 0x201039b0: P GetLastError() = 0xb7fef24c
[1] 0x2158d050: F GetProcessHeap() = 0x123456
[1] 0x215ea7fa: F HeapAlloc(hHeap = 0x123456, dwFlags = 0x0, dwBytes = 0x48010b72) = 0xa0000730
[1] 0x2158ce40: P GetLastError() = 0xa0000730
[1] 0x201039b0: P GetLastError() = 0xa0000730
[1] 0x21590020: F GetEnvironmentVariableW(lpName = 'COMPlus_CLRLoadLogDir', lpBuffer = 0x0, nSize = 0x0) = 0x0
[1] 0x21852ea0: F RegOpenKeyExW(hKey = 'HKEY_LOCAL_MACHINE', lpSubKey = 'Software\Microsoft\.NETFramework', ulOptions = 0x0, samDesired = 0x20019, phkResult = 0xb7feec38) = 0x1
[1] 0x2158ce40: P GetLastError() = 0xb7fef000
[1] 0x201039b0: P GetLastError() = 0xb7fef000
[1] 0x215ea7fa: F HeapAlloc(hHeap = 0x123456, dwFlags = 0x0, dwBytes = 0x2) = 0xe80112b2
[1] 0x2158ce40: P GetLastError() = 0xe80112b2
[1] 0x201039b0: P GetLastError() = 0xe80112b2
Invalid Write: address = 0xe80112b2, size = 0x2, value = 0x0

This one stops after an Invalid Write.

My mock folder is as follows:

ls -b os/win10_32/windows/system32
advapi32.dll            cryptsp.dll             mscoree.dll             powrprof.dll            shlwapi.dll             version.dll
apisetschema.dll        gdi32.dll               msvbvm60.dll            profapi.dll             ucrtbase_clr0400.dll    win32u.dll
bcryptprimitives.dll    gdi32full.dll           msvcp_win.dll           psapi.dll               ucrtbase.dll            windows.storage.dll
cfgmgr32.dll            iphlpapi.dll            msvcrt.dll              rpcrt4.dll              umpdc.dll               wininet.dll
combase.dll             kernel.appcore.dll      mswsock.dll             sechost.dll             user32.dll              winmm.dll
comctl32.dll            kernel32.dll            ntdll.dll               secur32.dll             userenv.dll             winmmbase.dll
comdlg32.dll            kernelbase.dll          ole32.dll               shcore.dll              uxtheme.dll             ws2_32.dll
crypt32.dll             mpr.dll                 oleaut32.dll            shell32.dll             vcruntime140.dll

@kgwinnup
Contributor

Generally malware will not execute until termination; our goal is to emulate as much as we can until we can no longer mock out the OS properly. The end goal is to mock out the OS as closely and as much as possible, which allows malware to emulate for as long as possible, giving us a decent understanding of what's going on, or at least more than we would get via static analysis, but in more "constant" time.

Our pipeline will stop the malware when any one of 3 events occurs: 1) timeout (6 seconds), 2) the process calls TerminateProcess, Exit, etc., or 3) we reach the limits of the mock OS and emulation. The above samples are examples of 3 in this case.

However, at least the first sample 33ba8cd251512f90b7249930aee22d3f47255420a8d41e1326169e0f948cc7d0 was hitting a function we have not implemented yet ([1] 0x28a343ff: **SetDefaultDllDirectories**() = 0x28a343ff). The ** indicates the function has neither a partial hook nor a full hook within binee. I have pushed an implementation for this function which is basically a NOP with a successful return, because we don't need this function to run exactly as it does on Windows. The output I now get is below:

go build && ./binee ~/malware/33ba8cd251512f90b7249930aee22d3f47255420a8d41e1326169e0f948cc7d0
[1] 0x22200d30: F SetErrorMode(uMode = 0x8001) = 0x0
[1] 0x22203600: F GetVersion() = 0x40000
[1] 0x22201720: F GetModuleHandleA(lpModuleName = 'KERNEL32') = 0x0
[1] 0x222001a0: F GetSystemDirectoryA(lpBuffer = 0xb7fefd34, uSize = 0x104) = 0x13
[1] 0x26397ca0: P wsprintfA(lpstr = 0xb7fefd47, lpcstr = '%s%s.dll') = 0xb7fefd47
[1] 0x26397cc0: P wvsprintfA(lpstr = 0xb7fefd47, lpcstr = '%s%s.dll', arglist = 0xb7fefd2c) = 0xb7fefd2c
[1] 0x222027b0: F LoadLibraryExA(lpFileName = 'c:\windows\system32\KERNEL32.dll', hFile = 0x0, dwFlags = 0x8) = 0x221da000
[1] 0x221fe670: F GetProcAddress(hModule = 0x221da000, lpProcName = 'SetDefaultDllDirectories') = 0x2225dc5f
[1] 0x2225dc5f: F SetDefaultDllDirectories(DirectoryFlags = 0xc00) = 0x1
[1] 0x222001a0: F GetSystemDirectoryA(lpBuffer = 0xb7fefd44, uSize = 0x104) = 0x13
[1] 0x26397ca0: P wsprintfA(lpstr = 0xb7fefd57, lpcstr = '%s%s.dll') = 0xb7fefd57
[1] 0x26397cc0: P wvsprintfA(lpstr = 0xb7fefd57, lpcstr = '%s%s.dll', arglist = 0xb7fefd3c) = 0xb7fefd3c
[1] 0x222027b0: F LoadLibraryExA(lpFileName = 'c:\windows\system32\UXTHEME.dll', hFile = 0x0, dwFlags = 0x8) = 0x0
[1] 0x221fee00: P lstrlenA(lpString = 'UXTHEME') = 0x0
[1] 0x22582b40: P lstrlenA(lpString = 'UXTHEME') = 0x0
[1] 0x222001a0: F GetSystemDirectoryA(lpBuffer = 0xb7fefd44, uSize = 0x104) = 0x13
[1] 0x26397ca0: P wsprintfA(lpstr = 0xb7fefd57, lpcstr = '%s%s.dll') = 0xb7fefd57
[1] 0x26397cc0: P wvsprintfA(lpstr = 0xb7fefd57, lpcstr = '%s%s.dll', arglist = 0xb7fefd3c) = 0xb7fefd3c
[1] 0x222027b0: F LoadLibraryExA(lpFileName = 'c:\windows\system32\USERENV.dll', hFile = 0x0, dwFlags = 0x8) = 0x2b91a000
[1] 0x221fee00: P lstrlenA(lpString = 'USERENV') = 0x2b91a000
[1] 0x22582b40: P lstrlenA(lpString = 'USERENV') = 0x2b91a000
[1] 0x222001a0: F GetSystemDirectoryA(lpBuffer = 0xb7fefd44, uSize = 0x104) = 0x13
[1] 0x26397ca0: P wsprintfA(lpstr = 0xb7fefd57, lpcstr = '%s%s.dll') = 0xb7fefd57
[1] 0x26397cc0: P wvsprintfA(lpstr = 0xb7fefd57, lpcstr = '%s%s.dll', arglist = 0xb7fefd3c) = 0xb7fefd3c
[1] 0x222027b0: F LoadLibraryExA(lpFileName = 'c:\windows\system32\SETUPAPI.dll', hFile = 0x0, dwFlags = 0x8) = 0x2b9cb000
[1] 0x221fee00: P lstrlenA(lpString = 'SETUPAPI') = 0x2b9cb000
[1] 0x22582b40: P lstrlenA(lpString = 'SETUPAPI') = 0x2b9cb000
[1] 0x222001a0: F GetSystemDirectoryA(lpBuffer = 0xb7fefd44, uSize = 0x104) = 0x13
[1] 0x26397ca0: P wsprintfA(lpstr = 0xb7fefd57, lpcstr = '%s%s.dll') = 0xb7fefd57
[1] 0x26397cc0: P wvsprintfA(lpstr = 0xb7fefd57, lpcstr = '%s%s.dll', arglist = 0xb7fefd3c) = 0xb7fefd3c
[1] 0x222027b0: F LoadLibraryExA(lpFileName = 'c:\windows\system32\APPHELP.dll', hFile = 0x0, dwFlags = 0x8) = 0x0
[1] 0x221fee00: P lstrlenA(lpString = 'APPHELP') = 0x0
[1] 0x22582b40: P lstrlenA(lpString = 'APPHELP') = 0x0
[1] 0x222001a0: F GetSystemDirectoryA(lpBuffer = 0xb7fefd44, uSize = 0x104) = 0x13
[1] 0x26397ca0: P wsprintfA(lpstr = 0xb7fefd57, lpcstr = '%s%s.dll') = 0xb7fefd57
[1] 0x26397cc0: P wvsprintfA(lpstr = 0xb7fefd57, lpcstr = '%s%s.dll', arglist = 0xb7fefd3c) = 0xb7fefd3c
[1] 0x222027b0: F LoadLibraryExA(lpFileName = 'c:\windows\system32\PROPSYS.dll', hFile = 0x0, dwFlags = 0x8) = 0x0
[1] 0x221fee00: P lstrlenA(lpString = 'PROPSYS') = 0x0
[1] 0x22582b40: P lstrlenA(lpString = 'PROPSYS') = 0x0
[1] 0x222001a0: F GetSystemDirectoryA(lpBuffer = 0xb7fefd44, uSize = 0x104) = 0x13
[1] 0x26397ca0: P wsprintfA(lpstr = 0xb7fefd57, lpcstr = '%s%s.dll') = 0xb7fefd57
[1] 0x26397cc0: P wvsprintfA(lpstr = 0xb7fefd57, lpcstr = '%s%s.dll', arglist = 0xb7fefd3c) = 0xb7fefd3c
[1] 0x222027b0: F LoadLibraryExA(lpFileName = 'c:\windows\system32\DWMAPI.dll', hFile = 0x0, dwFlags = 0x8) = 0x0
[1] 0x221fee00: P lstrlenA(lpString = 'DWMAPI') = 0x0
[1] 0x22582b40: P lstrlenA(lpString = 'DWMAPI') = 0x0
[1] 0x222001a0: F GetSystemDirectoryA(lpBuffer = 0xb7fefd44, uSize = 0x104) = 0x13
[1] 0x26397ca0: P wsprintfA(lpstr = 0xb7fefd57, lpcstr = '%s%s.dll') = 0xb7fefd57
[1] 0x26397cc0: P wvsprintfA(lpstr = 0xb7fefd57, lpcstr = '%s%s.dll', arglist = 0xb7fefd3c) = 0xb7fefd3c
[1] 0x222027b0: F LoadLibraryExA(lpFileName = 'c:\windows\system32\CRYPTBASE.dll', hFile = 0x0, dwFlags = 0x8) = 0x2c5f2000
[1] 0x221fee00: P lstrlenA(lpString = 'CRYPTBASE') = 0x2c5f2000
[1] 0x22582b40: P lstrlenA(lpString = 'CRYPTBASE') = 0x2c5f2000
[1] 0x222001a0: F GetSystemDirectoryA(lpBuffer = 0xb7fefd44, uSize = 0x104) = 0x13
[1] 0x26397ca0: P wsprintfA(lpstr = 0xb7fefd57, lpcstr = '%s%s.dll') = 0xb7fefd57
[1] 0x26397cc0: P wvsprintfA(lpstr = 0xb7fefd57, lpcstr = '%s%s.dll', arglist = 0xb7fefd3c) = 0xb7fefd3c
[1] 0x222027b0: F LoadLibraryExA(lpFileName = 'c:\windows\system32\OLEACC.dll', hFile = 0x0, dwFlags = 0x8) = 0x2c61c000
[1] 0x221fee00: P lstrlenA(lpString = 'OLEACC') = 0x2c61c000
[1] 0x22582b40: P lstrlenA(lpString = 'OLEACC') = 0x2c61c000
[1] 0x222001a0: F GetSystemDirectoryA(lpBuffer = 0xb7fefd44, uSize = 0x104) = 0x13
[1] 0x26397ca0: P wsprintfA(lpstr = 0xb7fefd57, lpcstr = '%s%s.dll') = 0xb7fefd57
[1] 0x26397cc0: P wvsprintfA(lpstr = 0xb7fefd57, lpcstr = '%s%s.dll', arglist = 0xb7fefd3c) = 0xb7fefd3c
[1] 0x222027b0: F LoadLibraryExA(lpFileName = 'c:\windows\system32\CLBCATQ.dll', hFile = 0x0, dwFlags = 0x8) = 0x0
[1] 0x221fee00: P lstrlenA(lpString = 'CLBCATQ') = 0x0
[1] 0x22582b40: P lstrlenA(lpString = 'CLBCATQ') = 0x0
[1] 0x22201720: F GetModuleHandleA(lpModuleName = 'VERSION') = 0x0
[1] 0x222001a0: F GetSystemDirectoryA(lpBuffer = 0xb7fefd34, uSize = 0x104) = 0x13
[1] 0x26397ca0: P wsprintfA(lpstr = 0xb7fefd47, lpcstr = '%s%s.dll') = 0xb7fefd47
[1] 0x26397cc0: P wvsprintfA(lpstr = 0xb7fefd47, lpcstr = '%s%s.dll', arglist = 0xb7fefd2c) = 0xb7fefd2c
[1] 0x222027b0: F LoadLibraryExA(lpFileName = 'c:\windows\system32\VERSION.dll', hFile = 0x0, dwFlags = 0x8) = 0x2c7d6000
[1] 0x221fe670: F GetProcAddress(hModule = 0x2c7d6000, lpProcName = 'GetFileVersionInfoA') = 0x2c7d74c0
[1] 0x22201720: F GetModuleHandleA(lpModuleName = 'SHFOLDER') = 0x0
[1] 0x222001a0: F GetSystemDirectoryA(lpBuffer = 0xb7fefd34, uSize = 0x104) = 0x13
[1] 0x26397ca0: P wsprintfA(lpstr = 0xb7fefd47, lpcstr = '%s%s.dll') = 0xb7fefd47
[1] 0x26397cc0: P wvsprintfA(lpstr = 0xb7fefd47, lpcstr = '%s%s.dll', arglist = 0xb7fefd2c) = 0xb7fefd2c
[1] 0x222027b0: F LoadLibraryExA(lpFileName = 'c:\windows\system32\SHFOLDER.dll', hFile = 0x0, dwFlags = 0x8) = 0x2c7f2000
[1] 0x221fe670: F GetProcAddress(hModule = 0x2c7f2000, lpProcName = 'SHGetFolderPathA') = 0x2c7f3350
[1] 0x22201720: F GetModuleHandleA(lpModuleName = 'SHLWAPI') = 0x0
[1] 0x222001a0: F GetSystemDirectoryA(lpBuffer = 0xb7fefd34, uSize = 0x104) = 0x13
[1] 0x26397ca0: P wsprintfA(lpstr = 0xb7fefd47, lpcstr = '%s%s.dll') = 0xb7fefd47
[1] 0x26397cc0: P wvsprintfA(lpstr = 0xb7fefd47, lpcstr = '%s%s.dll', arglist = 0xb7fefd2c) = 0xb7fefd2c
[1] 0x222027b0: F LoadLibraryExA(lpFileName = 'c:\windows\system32\SHLWAPI.dll', hFile = 0x0, dwFlags = 0x8) = 0x2c803000
[1] 0x221fe670: F GetProcAddress(hModule = 0x2c803000, lpProcName = '') = 0x0
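
The traces in this thread mark every call with how binee handled it: F for a full hook, P for a partial hook, and **name** (or no marker at all, as in the DoEnvironmentSubstW line reported later in this thread) for a function with no hook. What follows is an added Go example, not binee's own code, that parses such trace lines and summarises what a triage pass needs: which unhooked functions the sample reached, how many "interupt" lines fired, any Invalid Write/Read lines, and HeapAlloc requests above an assumed threshold (largeAllocBytes is an assumption for this example, not a binee setting). The sample lines are copied from the output posted in this issue.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Summary is what a triage pass over a binee trace produces. Each call line
// carries a marker for how binee handled it: F = full hook (call mocked entirely),
// P = partial hook (hooked, then execution continues into the real DLL),
// and **name** or no marker at all = no hook exists.
type Summary struct {
	FullCalls, PartialCalls int
	Unhooked      []string // functions with neither hook, in first-seen order
	Interrupts    int      // "interupt N" lines, spelled as binee prints them
	InvalidAccess []string // "Invalid Write/Read" lines
	LargeAllocs   []string // HeapAlloc requests above largeAllocBytes (a sign of corrupted emulated state)
	LastCall      string   // the last call seen before the trace ended
}

// largeAllocBytes (256 MiB) is an assumed triage threshold, not a binee setting.
const largeAllocBytes = 0x10000000

var (
	// "[thread] 0xaddr: <F|P> Name(args) = ret", with ** around unhooked names.
	callRe  = regexp.MustCompile(`^\[\d+\] 0x([0-9a-fA-F]+):\s+(?:(F|P)\s+)?(?:\*\*)?(\w+)(?:\*\*)?\((.*)\)\s*=\s*(\S+)$`)
	bytesRe = regexp.MustCompile(`dwBytes = 0x([0-9a-fA-F]+)`)
)
// Call is one parsed trace line. Kind is "F", "P" or "" (no hook).
type Call struct {
	Addr       uint64
	Kind, Name string
	Args, Ret  string
}

// ParseCall parses one call line; ok is false for interrupt, error and other lines.
func ParseCall(line string) (Call, bool) {
	m := callRe.FindStringSubmatch(strings.TrimSpace(line))
	if m == nil {
		return Call{}, false
	}
	addr, _ := strconv.ParseUint(m[1], 16, 64)
	return Call{Addr: addr, Kind: m[2], Name: m[3], Args: m[4], Ret: m[5]}, true
}

// Summarize walks a trace and collects the facts a triage pass needs.
func Summarize(lines []string) Summary {
	var s Summary
	seen := map[string]bool{}
	for _, line := range lines {
		line = strings.TrimSpace(line)
		if strings.HasPrefix(line, "interupt ") {
			s.Interrupts++
			continue
		}
		if strings.HasPrefix(line, "Invalid ") {
			s.InvalidAccess = append(s.InvalidAccess, line)
			continue
		}
		c, ok := ParseCall(line)
		if !ok {
			continue
		}
		s.LastCall = c.Name
		switch c.Kind {
		case "F":
			s.FullCalls++
		case "P":
			s.PartialCalls++
		default:
			if !seen[c.Name] {
				seen[c.Name] = true
				s.Unhooked = append(s.Unhooked, c.Name)
			}
		}
		if m := bytesRe.FindStringSubmatch(c.Args); c.Name == "HeapAlloc" && m != nil {
			if n, _ := strconv.ParseUint(m[1], 16, 64); n > largeAllocBytes {
				s.LargeAllocs = append(s.LargeAllocs, fmt.Sprintf("HeapAlloc dwBytes=0x%s at 0x%x", m[1], c.Addr))
			}
		}
	}
	return s
}

// sampleTrace is copied from the lines posted in this issue (two samples joined).
var sampleTrace = []string{
	`[1] 0x289d78c0: F SetErrorMode(uMode = 0x8001) = 0x0`,
	`[1] 0x26c40df0: P wsprintfA(lpstr = 0xb7fefd47, lpcstr = '%s%s.dll') = 0xb7fefd47`,
	`[1] 0x28a343ff:  **SetDefaultDllDirectories**() = 0x28a343ff`,
	`interupt 5`,
	`[1] 0x215ea7fa: F HeapAlloc(hHeap = 0x123456, dwFlags = 0x0, dwBytes = 0x48010b72) = 0xa0000730`,
	`Invalid Write: address = 0xe80112b2, size = 0x2, value = 0x0`,
	`[1] 0x27e5ae70: DoEnvironmentSubstW() = 0x481378`,
}

func main() {
	s := Summarize(sampleTrace)
	fmt.Printf("%+v\n", s)
}
```

Run it over a saved binee trace (one line per slice element) to see which unhooked function the sample stopped at; that name is the one to give a hook, as was done for SetDefaultDllDirectories above. The HeapAlloc check is a heuristic added here: the 0x48010b72-byte request in the second trace is the kind of value that precedes the Invalid Write.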

@nirosen

nirosen commented Sep 7, 2019

Hi @kgwinnup,
I've also bumped into an unimplemented hook:
[1] 0x27e5ae70: DoEnvironmentSubstW() = 0x481378
(using sample 5aa7b931f566f63fd55c5f26402632a108a9539b42b4dba95256d1a0f97f6a10)

Is it possible to define all (*) unimplemented functions to return the same success code?
As in:
emu.AddHook("", "SetDefaultDllDirectories", &Hook{
    Parameters: []string{"DirectoryFlags"},
    Fn:         SkipFunctionStdCall(true, 0x1),
})

Thanks,
Nir

@kgwinnup
Contributor

They can be defined individually with a NOP-like instruction (just returning "success"). I don't want to do that globally, however, because we have partial hooks which do jump into the DLL and continue emulation of the real DLL.

3 participants