DissectMalware / XLMMacroDeobfuscator

Extract and Deobfuscate XLM macros (a.k.a Excel 4.0 Macros)
Apache License 2.0

Break infinite loops by limiting the # of iterations of a while loop. #54

Open kirk-sayre-work opened 4 years ago

kirk-sayre-work commented 4 years ago

Current SLoad Excel XLM samples contain several while loops which never terminate during XLMMacroDeobfuscator emulation (ex. https://www.virustotal.com/gui/file/f7c577d377eae268913717937f792cca3f5bf7a802559f146ef5fba45f3f4605/detection). This pull request contains one potential method for handling infinite while loops. It limits the number of iterations that a while loop can take. If the iteration limit is exceeded the loop is exited.

DissectMalware commented 4 years ago

Thank you Kirk, I will check and merge your pr soon.

Regarding breaking the infinite loop, that's an awesome feature. However, I think the reason the emulator is caught in an infinite loop is that some of the features for implementing aliases are not complete.

I will try to implement those and then add your prevention logic.

kirk-sayre-work commented 4 years ago

Commit fe6eeb4 has the infinite loop fix. Yesterday I made some additional changes to scan intermediate evaluation results and pull out URL IOCs as they are generated (commit 3d7168f). I added the intermediate IOC functionality because I found ~500 Trickbot XLM files for which xlmdeobfuscator does not get a full analysis (they have weird IF() function usage where there are missing END.IF() functions), but I was seeing the download URL being generated as part of the intermediate emulation of the XLM. The intermediate IOC functionality let me dump these download URLs even though the XLM was not fully analyzed. I added this sort of intermediate IOC functionality to ViperMonkey a while back, and it has been helpful in picking out IOCs from maldocs with gating or that don't get completely processed.

I also added a handler function for DEFINE.NAME and changed things so that the target cell of a goto is evaluated.

Finally I also added a bunch of janky conditional debug print statements. Those could be safely eliminated.
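
The two mechanisms discussed in this thread, a per-WHILE iteration cap and harvesting URL IOCs from intermediate values, are shown below in a toy emulator. This is an added example, not XLMMacroDeobfuscator code and not the code from the commits mentioned above: the `(opcode, *args)` instruction set is an invented stand-in for Excel 4.0 macro formulas, the default cap of 1000 iterations, the `URL_RE` pattern and both sample programs are assumptions made for illustration. The first sample loops on a variable its body never changes (the emulator would otherwise spin forever); the second assembles a download URL and then hits an unsupported formula before HALT, so only the intermediate scan recovers the URL.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed URL pattern for IOC harvesting; deliberately simple.
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?:/[^\s\"')]*)?")


@dataclass
class Result:
    completed: bool          # did emulation reach HALT?
    env: dict                # final variable state
    iocs: set                # URLs seen in any intermediate value
    broken_loops: list       # pcs of WHILEs cut off by the iteration cap
    error: Optional[str] = None


def _operand(env, x):
    # '$name' is a variable reference; anything else is a literal.
    return env[x[1:]] if isinstance(x, str) and x.startswith("$") else x


def _cond(env, cond):
    a, op, b = cond
    a, b = _operand(env, a), _operand(env, b)
    return {"==": a == b, "!=": a != b, "<": a < b}[op]


def _matching_next(program, pc):
    # Index of the NEXT that closes the WHILE at pc, honouring nesting.
    depth = 0
    for i in range(pc, len(program)):
        depth += {"WHILE": 1, "NEXT": -1}.get(program[i][0], 0)
        if depth == 0:
            return i
    raise ValueError(f"WHILE at pc {pc} has no matching NEXT")


def emulate(program, max_while_iterations=1000):
    """Run (opcode, *args) tuples; cap every WHILE and harvest IOCs step by step."""
    env, iocs, broken = {}, set(), []
    loop_stack = []          # entries are [pc of WHILE, iterations so far]
    pc = 0
    while pc < len(program):
        op, *args = program[pc]
        produced = None      # value this step produced; scanned for IOCs below
        if op == "SET":
            env[args[0]] = produced = _operand(env, args[1])
        elif op == "CONCAT":
            env[args[0]] = produced = str(_operand(env, args[1])) + str(_operand(env, args[2]))
        elif op == "ADD":
            env[args[0]] = produced = env.get(args[0], 0) + _operand(env, args[1])
        elif op == "WHILE":
            if loop_stack and loop_stack[-1][0] == pc:
                loop_stack[-1][1] += 1               # re-entered via NEXT
            else:
                loop_stack.append([pc, 0])           # fresh loop
            capped = loop_stack[-1][1] >= max_while_iterations
            if capped:
                broken.append(pc)                    # cap hit: leave the loop, keep emulating
            if capped or not _cond(env, args[0]):
                loop_stack.pop()
                pc = _matching_next(program, pc) + 1
                continue
        elif op == "NEXT":
            pc = loop_stack[-1][0]
            continue
        elif op == "HALT":
            return Result(True, env, iocs, broken)
        else:
            # Unsupported formula: stop, but report everything harvested so far.
            return Result(False, env, iocs, broken, f"unsupported op {op!r} at pc {pc}")
        if isinstance(produced, str):
            iocs.update(URL_RE.findall(produced))
        pc += 1
    return Result(False, env, iocs, broken, "ran off the end of the program")


# Constructed sample: URL built in pieces, then a WHILE that waits on a variable
# its body never changes, so an uncapped emulator would never reach HALT.
SAMPLE_INFINITE_LOOP = [
    ("SET", "u", "http://"),
    ("CONCAT", "u", "$u", "example.invalid/"),
    ("CONCAT", "u", "$u", "payload.dll"),
    ("SET", "flag", 0),
    ("WHILE", ("$flag", "==", 0)),
    ("ADD", "n", 1),
    ("NEXT",),
    ("SET", "done", 1),
    ("HALT",),
]

# Constructed sample: the download URL exists only as an intermediate value, and
# emulation aborts on an unsupported IF before HALT is reached.
SAMPLE_ABORTS_EARLY = [
    ("SET", "host", "https://bad.example.invalid"),
    ("CONCAT", "u", "$host", "/x.exe"),
    ("IF", ("$u", "!=", "")),
    ("HALT",),
]
```

`emulate(SAMPLE_INFINITE_LOOP, max_while_iterations=50)` exits the loop after 50 iterations, records pc 4 in `broken_loops` and still reaches HALT, while `emulate(SAMPLE_ABORTS_EARLY)` returns `completed=False` with the full URL already in `iocs`. Because the cap counts re-entries per WHILE cell rather than total steps, an outer loop can legitimately run its inner loop many times without the outer one being cut off early.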

DissectMalware commented 3 years ago

(apologies for the long-overdue reply)

The real issue in v0.1.5 is the way the code is fetching the next macro. I tried to change it in the version-2.0 branch; this should solve the problem, but it needs more testing.

The code has loop-detection logic that was purposefully disabled for while. I will try to add your logic to the current one (if it is different). I think it would be better to merge it into version-2.0 instead of master.

Do you still see many samples that fall in infinite loops?

doomedraven commented 2 years ago

Small note: this is wrong; the proper link is https://github.com/kevoreilly/CAPEv2/

[CAPE Sandbox](https://github.com/ctxis/CAPE)