Open 59e5aaf4 opened 3 years ago
Same with IDA Pro 7.6.210427:
PS C:\tmp> Expand-Archive .\BinaryPackage.zip
PS C:\tmp> cp .\BinaryPackage\MemoryLoader.dll 'C:\Program Files\IDA Pro 7.6\'
PS C:\tmp> cp .\BinaryPackage\MemoryLoader64.dll 'C:\Program Files\IDA Pro 7.6\'
PS C:\tmp> cp .\BinaryPackage\MemZipLoader.dll 'C:\Program Files\IDA Pro 7.6\loaders\'
PS C:\tmp> cp .\BinaryPackage\MemZipLoader64.dll 'C:\Program Files\IDA Pro 7.6\loaders\'
PS C:\tmp> cp .\BinaryPackage\UrlLoader.dll 'C:\Program Files\IDA Pro 7.6\loaders\'
PS C:\tmp> cp .\BinaryPackage\UrlLoader64.dll 'C:\Program Files\IDA Pro 7.6\loaders\'
...
Possible file format: UrlLoader (C:\Program Files\IDA Pro 7.6\loaders\UrlLoader64.dll)
Possible file format: ZIP (C:\Program Files\IDA Pro 7.6\loaders\archldr_zip64.dll)
Hi, can you please run IDA with "-z" option and upload the log, I will review it and upload a fix.
Relevant part (guessing), where Possible file format isn't reported for MemZipLoader:
Scanning directory 'C:\Users\username\AppData\Roaming\Hex-Rays\IDA Pro\loaders' for loaders
Scanning directory 'C:\Program Files\IDA Pro 7.5\loaders' for loaders
Loading C:\Program Files\IDA Pro 7.5\loaders\MemZipLoader.dll...
Calling accept_file()
Loading C:\Program Files\IDA Pro 7.5\loaders\UrlLoader.dll...
Calling accept_file()
Possible file format: UrlLoader (C:\Program Files\IDA Pro 7.5\loaders\UrlLoader.dll)
Loading C:\Program Files\IDA Pro 7.5\loaders\aif.dll...
Calling accept_file()
Loading C:\Program Files\IDA Pro 7.5\loaders\amiga.dll...
Calling accept_file()
Loading C:\Program Files\IDA Pro 7.5\loaders\aof.dll...
Calling accept_file()
Loading C:\Program Files\IDA Pro 7.5\loaders\aout.dll...
Calling accept_file()
Loading C:\Program Files\IDA Pro 7.5\loaders\archldr_zip.dll...
Calling accept_file()
Possible file format: ZIP (C:\Program Files\IDA Pro 7.5\loaders\archldr_zip.dll)
Loading C:\Program Files\IDA Pro 7.5\loaders\bochsrc.dll...
Calling accept_file()
Loading C:\Program Files\IDA Pro 7.5\loaders\coff.dll...
Calling accept_file()
Ok, I think I figured it out. Maybe the zip format you selected is not supported. On my PC this ZIP, for example, works great.
Hm indeed these are not the same version, but it still won't load:
$ unzip -v ~/tmp/many_files\ \(1\).zip
Archive: /home/user/tmp/many_files (1).zip
Length Method Size Cmpr Date Time CRC-32 Name
-------- ------ ------- ---- ---------- ----- -------- ----
65536 Defl:N 28249 57% 2018-09-15 09:28 655cd14b amsi.dll
43224 Defl:N 22840 47% 2020-11-04 15:28 3f548079 PROCEXP152.SYS
-------- ------- --- -------
108760 51089 53% 2 files
$ unzip -Z ~/tmp/many_files\ \(1\).zip
Archive: /home/user/tmp/many_files (1).zip
Zip file size: 51403 bytes, number of entries: 2
-rw-a-- 6.3 fat 65536 Bx defN 18-Sep-15 09:28 amsi.dll
-rw-a-- 6.3 fat 43224 Bx defN 20-Nov-04 15:28 PROCEXP152.SYS
2 files, 108760 bytes uncompressed, 51089 bytes compressed: 53.0%
$ unzip -Z malware.zip
Archive: malware.zip
Zip file size: 512371 bytes, number of entries: 1
-rw---- 2.0 fat 894976 Bl defN 80-000-00 00:00 084659a92ed6499bf391534e649f3cf620b9405f7c03ef8c7a1fa35f8b9caa64
1 file, 894976 bytes uncompressed, 512117 bytes compressed: 42.8%
$ unzip -v malware.zip
Archive: malware.zip
Length Method Size Cmpr Date Time CRC-32 Name
-------- ------ ------- ---- ---------- ----- -------- ----
894976 Defl:N 512117 43% 1980-00-00 00:00 a14d6fe5 084659a92ed6499bf391534e649f3cf620b9405f7c03ef8c7a1fa35f8b9caa64
-------- ------- --- -------
894976 512117 43% 1 file
IDA logs:
Possible file format: UrlLoader (C:\Program Files\IDA Pro 7.6\loaders\UrlLoader64.dll)
Possible file format: ZIP (C:\Program Files\IDA Pro 7.6\loaders\archldr_zip64.dll)
bytes pages size description
--------- ----- ---- --------------------------------------------
524288 64 8192 allocating memory for b-tree...
204800 25 8192 allocating memory for virtual array...
262144 32 8192 allocating memory for name pointers...
-----------------------------------------------------------------
991232 total memory allocated
Loading processor module C:\Program Files\IDA Pro 7.6\procs\pc64.dll for metapc...Initializing processor module metapc...OK
Autoanalysis subsystem has been initialized.
Unloading IDP module C:\Program Files\IDA Pro 7.6\procs\pc64.dll...
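The two `unzip -Z` listings above differ exactly in the attributes zipinfo abbreviates: version made by (6.3 vs 2.0), `Bx` vs `Bl` (extra field vs extended local header, i.e. a data descriptor with CRC and sizes stored after the data), and a zeroed DOS date. The following script is an added example, not code from the Memloader project or from anyone in this thread; it pulls those same fields out of the central directory and local headers so two archives can be compared field by field when a loader's accept_file() stays silent. Both sample archives are constructed inline, and the streamed one is assumed to stand in for a data-descriptor archive like the malware.zip listed above.

```python
import io
import struct
import zipfile

PAYLOAD = b"MZ" + b"\x00" * 4094  # constructed stand-in for a binary, not a real file

def make_normal_zip() -> bytes:
    """Constructed sample: seekable output, one 'UT' extra field (zipinfo shows 'x')."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zi = zipfile.ZipInfo("amsi.dll", date_time=(2018, 9, 15, 9, 28, 0))
        zi.extra = struct.pack("<HHBI", 0x5455, 5, 1, 0)  # extended timestamp, mtime only
        zf.writestr(zi, PAYLOAD, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()

class _Pipe:
    """Write-only sink without seek()/tell(); zipfile then streams and emits a data descriptor."""
    def __init__(self): self.data = bytearray()
    def write(self, b): self.data += b; return len(b)
    def flush(self): pass

def make_streamed_zip() -> bytes:
    """Constructed sample: flag bit 3 set, local header CRC/compressed size left at zero (zipinfo 'l')."""
    pipe = _Pipe()
    with zipfile.ZipFile(pipe, "w") as zf:
        zf.writestr("sample.bin", PAYLOAD, compress_type=zipfile.ZIP_DEFLATED)
    return bytes(pipe.data)

def zip_entries(data: bytes) -> list:
    """Read the central directory plus each entry's local header; return what unzip -Z abbreviates."""
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, count, _, cd_off, _ = struct.unpack_from("<HHHHIIH", data, eocd + 4)
    entries, pos = [], cd_off
    for _ in range(count):
        (made_by, _, flags, _, _, date, _, _, _, nlen, xlen, clen,
         _, _, _, lh_off) = struct.unpack_from("<HHHHHHIIIHHHHHII", data, pos + 4)
        _, _, _, _, _, lcrc, lcsize, _, _, lxlen = struct.unpack_from("<HHHHHIIIHH", data, lh_off + 4)
        entries.append({
            "name": data[pos + 46:pos + 46 + nlen].decode("cp437"),
            "host": made_by >> 8,                     # 0 = FAT/MS-DOS ("fat"), 3 = Unix
            "version": (made_by & 0xFF) / 10,         # 63 -> 6.3, 20 -> 2.0
            "data_descriptor": bool(flags & 0x0008),  # 'l': CRC and sizes follow the data
            "local_extra": lxlen > 0,                 # 'x': extra field in the local header
            "local_crc_deferred": lcrc == 0 and lcsize == 0,
            "dos_date": (1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F),  # (1980, 0, 0) if zeroed
        })
        pos += 46 + nlen + xlen + clen
    return entries
```

A loader that trusts the CRC and sizes in the local header will see zeros for a `data_descriptor` entry and must take them from the central directory instead, which is the first thing to check when one archive is accepted and a near-identical one is not.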
Same situation here, even with the provided zip file :(
Sorry about that I will update you when it's fixed.
Rusetsky Roman
Don't worry, it really should have been a native feature of IDA Pro in the beginning. Given the amount of time I had my samples deleted by the local AV I don't understand why it's still not the case though, surely we're not the only IDA Pro customers who had troubles when touching the disk.
While in theory we should always have a detonation VM handy with no AV to run IDA Pro, erm, reality is a complex thing.
Hi, and THANK YOU VERY MUCH for that plugin, I also get annoyed by McAfee whenever reversing binaries, and popping a full VM just to unpack generic malware is annoying.
I downloaded the archive and ran the following script:
Integrity check:
When loading IDA Pro, I only see the UrlLoader being loaded, the MemZipLoader isn't loaded:
I am using IDA Pro 7.5.201028.
I'm willing to provide assistance to diagnose this on request, thanks again.