SentineLabs / Memloader

Memory Loader Open Source Project by Sentinel-Labs.

MemZipLoader won't load #1

Open 59e5aaf4 opened 3 years ago

59e5aaf4 commented 3 years ago

Hi, and THANK YOU VERY MUCH for that plugin. I also get annoyed by McAfee whenever reversing binaries, and popping a full VM just to unpack generic malware is annoying.

I downloaded the archive and ran the following script:

Expand-Archive .\BinaryPackage.zip
cp .\BinaryPackage\MemoryLoader.dll 'C:\Program Files\IDA Pro 7.5\'
cp .\BinaryPackage\MemoryLoader64.dll 'C:\Program Files\IDA Pro 7.5\'
cp .\BinaryPackage\MemZipLoader.dll 'C:\Program Files\IDA Pro 7.5\loaders\'
cp .\BinaryPackage\MemZipLoader64.dll 'C:\Program Files\IDA Pro 7.5\loaders\'
cp .\BinaryPackage\UrlLoader.dll 'C:\Program Files\IDA Pro 7.5\loaders\'
cp .\BinaryPackage\UrlLoader64.dll 'C:\Program Files\IDA Pro 7.5\loaders\'

Integrity check:

PS C:\tmp> gci -r 'C:\Program Files\IDA Pro 7.5\' | ? Name -IMatch "(Memory|URL|MemZip)Loader(64|).dll" | % {Get-FileHash $_.fullname} | select hash, path

Hash                                                             Path
----                                                             ----
4DEC6D0FA09EABBC2358BEDC8B4E239198D78FAF96F4505846061F6CFA0B2DB3 C:\Program Files\IDA Pro 7.5\MemoryLoader.dll
330A217D92D3C1C39E4431C7ABC48D01C69F379960F6902FE36C9BE3C4F528C6 C:\Program Files\IDA Pro 7.5\MemoryLoader64.dll
786BF93D2500B47D3C3C3590EF9ED2AA40AEC2F2B39CC2939DE09B4E70C806A0 C:\Program Files\IDA Pro 7.5\loaders\MemZipLoader.dll
5E3A410ED5D6273C509D091D4D1FE386947E88B58C0A2722A1FF46B9FBD2BA27 C:\Program Files\IDA Pro 7.5\loaders\MemZipLoader64.dll
C45ED73B96C3FE96AB8907D1EBA80512948A697A831A646BC985A2C024E0C2D5 C:\Program Files\IDA Pro 7.5\loaders\UrlLoader.dll
5724D32F520F390DA68D6B61F3C3F49511F54BF2B1C21C9DCE2EA5EA7F508D3B C:\Program Files\IDA Pro 7.5\loaders\UrlLoader64.dll

When loading IDA Pro, I only see the UrlLoader being loaded; the MemZipLoader isn't loaded:

Possible file format: UrlLoader (C:\Program Files\IDA Pro 7.5\loaders\UrlLoader64.dll)
Possible file format: ZIP (C:\Program Files\IDA Pro 7.5\loaders\archldr_zip64.dll)

  bytes   pages size description
--------- ----- ---- --------------------------------------------
  2048000   250 8192 allocating memory for b-tree...
  2048000   250 8192 allocating memory for virtual array...
   262144    32 8192 allocating memory for name pointers...
-----------------------------------------------------------------
  4358144            total memory allocated

I am using IDA Pro 7.5.201028.


I'm willing to provide assistance to diagnose this on request, thanks again.

59e5aaf4 commented 3 years ago

Same with IDA Pro 7.6.210427:

PS C:\tmp> Expand-Archive .\BinaryPackage.zip
PS C:\tmp> cp .\BinaryPackage\MemoryLoader.dll 'C:\Program Files\IDA Pro 7.6\'
PS C:\tmp> cp .\BinaryPackage\MemoryLoader64.dll 'C:\Program Files\IDA Pro 7.6\'
PS C:\tmp> cp .\BinaryPackage\MemZipLoader.dll 'C:\Program Files\IDA Pro 7.6\loaders\'
PS C:\tmp> cp .\BinaryPackage\MemZipLoader64.dll 'C:\Program Files\IDA Pro 7.6\loaders\'
PS C:\tmp> cp .\BinaryPackage\UrlLoader.dll 'C:\Program Files\IDA Pro 7.6\loaders\'
PS C:\tmp> cp .\BinaryPackage\UrlLoader64.dll 'C:\Program Files\IDA Pro 7.6\loaders\'

...

Possible file format: UrlLoader (C:\Program Files\IDA Pro 7.6\loaders\UrlLoader64.dll)
Possible file format: ZIP (C:\Program Files\IDA Pro 7.6\loaders\archldr_zip64.dll)

romanrusetsky commented 3 years ago

Hi, can you please run IDA with the "-z" option and upload the log? I will review it and upload a fix.

59e5aaf4 commented 3 years ago

Relevant part (guessing), where Possible file format isn't reported for MemZipLoader:

Scanning directory 'C:\Users\username\AppData\Roaming\Hex-Rays\IDA Pro\loaders' for loaders
Scanning directory 'C:\Program Files\IDA Pro 7.5\loaders' for loaders
Loading C:\Program Files\IDA Pro 7.5\loaders\MemZipLoader.dll...
Calling accept_file()
Loading C:\Program Files\IDA Pro 7.5\loaders\UrlLoader.dll...
Calling accept_file()
Possible file format: UrlLoader (C:\Program Files\IDA Pro 7.5\loaders\UrlLoader.dll)
Loading C:\Program Files\IDA Pro 7.5\loaders\aif.dll...
Calling accept_file()
Loading C:\Program Files\IDA Pro 7.5\loaders\amiga.dll...
Calling accept_file()
Loading C:\Program Files\IDA Pro 7.5\loaders\aof.dll...
Calling accept_file()
Loading C:\Program Files\IDA Pro 7.5\loaders\aout.dll...
Calling accept_file()
Loading C:\Program Files\IDA Pro 7.5\loaders\archldr_zip.dll...
Calling accept_file()
Possible file format: ZIP (C:\Program Files\IDA Pro 7.5\loaders\archldr_zip.dll)
Loading C:\Program Files\IDA Pro 7.5\loaders\bochsrc.dll...
Calling accept_file()
Loading C:\Program Files\IDA Pro 7.5\loaders\coff.dll...
Calling accept_file()

romanrusetsky commented 3 years ago

Ok, I think I figured it out. Maybe the zip format you selected is not supported; on my PC this ZIP, for example, works great.

59e5aaf4 commented 3 years ago

Hm, indeed these are not the same version, but it still won't load:

$ unzip -v ~/tmp/many_files\ \(1\).zip 
Archive:  /home/user/tmp/many_files (1).zip
 Length   Method    Size  Cmpr    Date    Time   CRC-32   Name
--------  ------  ------- ---- ---------- ----- --------  ----
   65536  Defl:N    28249  57% 2018-09-15 09:28 655cd14b  amsi.dll
   43224  Defl:N    22840  47% 2020-11-04 15:28 3f548079  PROCEXP152.SYS
--------          -------  ---                            -------
  108760            51089  53%                            2 files
$ unzip -Z ~/tmp/many_files\ \(1\).zip 
Archive:  /home/user/tmp/many_files (1).zip
Zip file size: 51403 bytes, number of entries: 2
-rw-a--     6.3 fat    65536 Bx defN 18-Sep-15 09:28 amsi.dll
-rw-a--     6.3 fat    43224 Bx defN 20-Nov-04 15:28 PROCEXP152.SYS
2 files, 108760 bytes uncompressed, 51089 bytes compressed:  53.0%
$ unzip -Z malware.zip 
Archive:  malware.zip
Zip file size: 512371 bytes, number of entries: 1
-rw----     2.0 fat   894976 Bl defN 80-000-00 00:00 084659a92ed6499bf391534e649f3cf620b9405f7c03ef8c7a1fa35f8b9caa64
1 file, 894976 bytes uncompressed, 512117 bytes compressed:  42.8%
$ unzip -v malware.zip 
Archive:  malware.zip
 Length   Method    Size  Cmpr    Date    Time   CRC-32   Name
--------  ------  ------- ---- ---------- ----- --------  ----
  894976  Defl:N   512117  43% 1980-00-00 00:00 a14d6fe5  084659a92ed6499bf391534e649f3cf620b9405f7c03ef8c7a1fa35f8b9caa64
--------          -------  ---                            -------
  894976           512117  43%                            1 file

IDA logs:

Possible file format: UrlLoader (C:\Program Files\IDA Pro 7.6\loaders\UrlLoader64.dll)
Possible file format: ZIP (C:\Program Files\IDA Pro 7.6\loaders\archldr_zip64.dll)

  bytes   pages size description
--------- ----- ---- --------------------------------------------
   524288    64 8192 allocating memory for b-tree...
   204800    25 8192 allocating memory for virtual array...
   262144    32 8192 allocating memory for name pointers...
-----------------------------------------------------------------
   991232            total memory allocated

Loading processor module C:\Program Files\IDA Pro 7.6\procs\pc64.dll for metapc...Initializing processor module metapc...OK
Autoanalysis subsystem has been initialized.
Unloading IDP module C:\Program Files\IDA Pro 7.6\procs\pc64.dll...
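As an added example (not code from the Memloader project or from the reporter): a small Python parser that walks a ZIP's central directory and reports, per entry, the fields that differ between the two zipinfo listings above (version made by, version needed, general-purpose flags, compression method, extra-field length), which is what a loader's accept_file() typically tests before claiming a file. The two-entry archive it builds is constructed in memory so the script runs offline.

```python
# Added diagnostic, not part of the Memloader project: dump the central
# directory fields of a ZIP that a loader's accept_file() is likely to test
# (version made by, flags, method, extra-field length), so two archives that
# look alike can be compared field by field. Sample archive is constructed.
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end of central directory record
CDH_SIG = b"PK\x01\x02"    # central directory file header
METHODS = {0: "stored", 8: "deflate", 12: "bzip2", 14: "lzma"}

def zip_entry_headers(data: bytes) -> list:
    """Parse every central directory header; return one dict per entry."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    # EOCD: sig, disk, cd disk, entries here, total entries, cd size, cd offset, comment len
    _, _, _, _, total, _, cd_off, _ = struct.unpack("<4sHHHHIIH", data[eocd:eocd + 22])
    entries, pos = [], cd_off
    for _ in range(total):
        if data[pos:pos + 4] != CDH_SIG:
            raise ValueError("bad central directory header at offset %d" % pos)
        (made_by, needed, flags, method, _, _, crc, csize, usize, nlen, elen, clen,
         _, _, _, _) = struct.unpack("<HHHHHHIIIHHHHHII", data[pos + 4:pos + 46])
        entries.append({
            "name": data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace"),
            # low byte: spec version (63 -> "6.3"); high byte: host OS (0 = FAT/MS-DOS)
            "made_by": "%d.%d" % ((made_by & 0xFF) // 10, (made_by & 0xFF) % 10),
            "host": made_by >> 8,
            "needed": "%d.%d" % (needed // 10, needed % 10),
            "flags": flags,
            "encrypted": bool(flags & 0x0001),       # bit 0: entry is encrypted
            "data_descriptor": bool(flags & 0x0008), # bit 3: sizes/CRC follow the data
            "method": METHODS.get(method, "unknown(%d)" % method),
            "crc32": crc, "csize": csize, "usize": usize,
            "extra_len": elen,
        })
        pos += 46 + nlen + elen + clen
    return entries

def build_sample() -> bytes:
    """Constructed two-entry archive: one deflated, one stored."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("sample_a.bin", b"A" * 4096, compress_type=zipfile.ZIP_DEFLATED)
        zf.writestr("sample_b.bin", b"B" * 512, compress_type=zipfile.ZIP_STORED)
    return buf.getvalue()
```

To compare a real archive, call `zip_entry_headers(open(path, "rb").read())` on each of the two ZIPs and diff the returned dicts.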

4rchib4ld commented 3 years ago

Same situation here, even with the provided zip file :(

romanrusetsky commented 3 years ago

Sorry about that I will update you when it's fixed.

Rusetsky Roman

59e5aaf4 commented 3 years ago

Don't worry, it really should have been a native feature of IDA Pro from the beginning. Given the number of times I have had my samples deleted by the local AV, I don't understand why it's still not the case, though; surely we're not the only IDA Pro customers who have had trouble when touching the disk.

While in theory we should always have a detonation VM handy with no AV to run IDA Pro, erm, reality is a complex thing.