Open kirk-sayre-work opened 4 years ago
Thank you Kirk, I will check and merge your pr soon.
Regarding breaking the infinite loop, that's an awesome feature. However, I think the reason the emulator gets caught in an infinite loop is that some of the features for implementing aliases are not complete.
I will try to implement those and then add your prevention logic.
Commit fe6eeb4 has the infinite loop fix. Yesterday I made some additional changes to scan intermediate evaluation results and pull out URL IOCs as they are generated (commit 3d7168f). I added the intermediate IOC functionality because I found ~500 Trickbot XLM files for which xlmdeobfuscator does not get a full analysis (they have weird IF() function usage where there are missing END.IF() functions), but I was seeing the download URL being generated as part of the intermediate emulation of the XLM. The intermediate IOC functionality let me dump these download URLs even though the XLM was not fully analyzed. I added this sort of intermediate IOC functionality to ViperMonkey a while back and it has been helpful in picking out IOCs from maldocs with gating or that don't get completely processed.
I also added a handler function for DEFINE.NAME and changed things so that the target cell of a goto is evaluated.
Finally I also added a bunch of janky conditional debug print statements. Those could be safely eliminated.
(apologies for the long-overdue reply)
The real issue in v0.1.5 is the way the code fetches the next macro. I tried to change it in the version-2.0 branch; this should solve the problem, but it needs more testing.
The code has loop detection logic that was purposefully disabled for a while. I will try to add your logic to the current one (if it is different). I think it would be better to merge it into version-2.0 instead of master.
Do you still see many samples that fall in infinite loops?
Small note: this is wrong, the proper link is https://github.com/kevoreilly/CAPEv2/
[CAPE Sandbox](https://github.com/ctxis/CAPE)
Current SLoad Excel XLM samples contain several while loops that never terminate during XLMMacroDeobfuscator emulation (e.g. https://www.virustotal.com/gui/file/f7c577d377eae268913717937f792cca3f5bf7a802559f146ef5fba45f3f4605/detection). This pull request contains one potential method for handling infinite while loops: it limits the number of iterations a while loop can take, and if the iteration limit is exceeded the loop is exited.
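The two mechanisms discussed in this thread, an iteration cap that exits a WHILE loop that never terminates (the pull request above) and scanning intermediate evaluation results for URL IOCs so a download URL is recovered even when the macro is never fully emulated (Kirk's comment above), fit naturally into one small emulator. The block below is an added example written for this page; it is not code from the pull request, from XLMMacroDeobfuscator or from ViperMonkey. The statement encoding (`SET`/`WHILE`/`NEXT`/`HALT` tuples), the expression AST, the `MAX_WHILE_ITERATIONS` default, the URL regex and the constructed sample macro are all assumptions made for illustration and do not reflect the project's real data structures or constants.

```python
import re
from dataclasses import dataclass, field

# Assumed cap on loop iterations; the real PR's limit may differ.
MAX_WHILE_ITERATIONS = 1000

# Assumed URL pattern: scheme, host, optional path. Deliberately simple.
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?:/[^\s\"']*)?", re.IGNORECASE)


@dataclass
class EmulationResult:
    variables: dict
    iocs: list = field(default_factory=list)   # URLs seen in any intermediate value
    truncated_loops: int = 0                   # WHILE loops exited by the cap
    executed_statements: int = 0


def harvest_urls(value, iocs):
    """Record every URL found in a string, preserving first-seen order."""
    for url in URL_RE.findall(value):
        if url not in iocs:
            iocs.append(url)


def eval_expr(expr, variables, iocs):
    """Evaluate a tiny expression AST. Every string produced along the way
    (not only the final assigned value) is scanned for URLs, which is what
    lets a URL surface from a macro that never finishes."""
    kind = expr[0]
    if kind == "lit":
        val = expr[1]
    elif kind == "var":
        val = variables.get(expr[1], "")
    elif kind == "char":                     # CHAR(n): the usual XLM obfuscation
        val = chr(expr[1])
    elif kind == "cat":                      # CONCATENATE(a, b)
        val = str(eval_expr(expr[1], variables, iocs)) + str(eval_expr(expr[2], variables, iocs))
    elif kind == "add":
        val = eval_expr(expr[1], variables, iocs) + eval_expr(expr[2], variables, iocs)
    elif kind == "lt":
        val = eval_expr(expr[1], variables, iocs) < eval_expr(expr[2], variables, iocs)
    else:
        raise ValueError("unknown expression kind: %r" % (kind,))
    if isinstance(val, str):
        harvest_urls(val, iocs)
    return val


def find_matching_next(program, while_pc):
    """Index of the NEXT that closes the WHILE at while_pc (nesting-aware)."""
    depth = 0
    for pc in range(while_pc, len(program)):
        op = program[pc][0]
        if op == "WHILE":
            depth += 1
        elif op == "NEXT":
            depth -= 1
            if depth == 0:
                return pc
    raise ValueError("WHILE at %d has no matching NEXT" % while_pc)


def emulate(program, max_iters=MAX_WHILE_ITERATIONS):
    """Run a program of (op, ...) tuples. A WHILE whose iteration count
    exceeds max_iters is exited as if its condition had become false."""
    result = EmulationResult(variables={})
    loop_stack = []          # entries: [pc_of_while, iterations_so_far]
    pc = 0
    while pc < len(program):
        stmt = program[pc]
        op = stmt[0]
        result.executed_statements += 1
        if op == "SET":
            result.variables[stmt[1]] = eval_expr(stmt[2], result.variables, result.iocs)
        elif op == "WHILE":
            if loop_stack and loop_stack[-1][0] == pc:
                loop_stack[-1][1] += 1       # re-entered from NEXT
            else:
                loop_stack.append([pc, 1])   # fresh entry into this loop
            exit_loop = False
            if loop_stack[-1][1] > max_iters:
                result.truncated_loops += 1  # the PR's behaviour: give up and continue
                exit_loop = True
            elif not eval_expr(stmt[1], result.variables, result.iocs):
                exit_loop = True
            if exit_loop:
                loop_stack.pop()
                pc = find_matching_next(program, pc) + 1
                continue
        elif op == "NEXT":
            if not loop_stack:
                raise ValueError("NEXT at %d outside any WHILE" % pc)
            pc = loop_stack[-1][0]           # jump back to the WHILE test
            continue
        elif op == "HALT":
            break
        else:
            raise ValueError("unknown statement: %r" % (op,))
        pc += 1
    return result


# Constructed sample: the loop counter is never incremented, so the WHILE
# never terminates, yet the download URL is assembled inside the loop body.
INFINITE_SAMPLE = [
    ("SET", "i", ("lit", 0)),
    ("SET", "u", ("lit", "")),
    ("WHILE", ("lt", ("var", "i"), ("lit", 3))),
    ("SET", "u", ("cat", ("lit", "htt"), ("cat", ("char", 112), ("lit", "://")))),
    ("SET", "u", ("cat", ("var", "u"), ("lit", "example.com/payload.bin"))),
    ("NEXT",),
    ("SET", "done", ("lit", 1)),             # only reached thanks to the cap
    ("HALT",),
]

# Constructed control: a well-behaved loop must not be truncated.
TERMINATING_SAMPLE = [
    ("SET", "i", ("lit", 0)),
    ("WHILE", ("lt", ("var", "i"), ("lit", 3))),
    ("SET", "i", ("add", ("var", "i"), ("lit", 1))),
    ("NEXT",),
]

if __name__ == "__main__":
    r = emulate(INFINITE_SAMPLE, max_iters=50)
    print("IOCs:", r.iocs, "truncated loops:", r.truncated_loops, "done:", r.variables.get("done"))
```

Two points worth noting about the design. The cap is enforced on the WHILE statement itself rather than on a global step counter, so an outer loop that legitimately runs many times does not starve an inner one, and the emulator keeps going after the truncated loop, which is what lets later cells (here the `done` assignment) still be reached. URL scanning happens inside `eval_expr` on every intermediate string, not just on the final assigned value, so partially built strings are also checked; the host part of the regex requires at least one character, which keeps the bare `http://` prefix from being reported as an IOC on its own.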