binref / refinery

High Octane Triage Analysis

NSIS Extraction EOF Error #49

Closed Squiblydoo closed 4 weeks ago

Squiblydoo commented 1 month ago

Description

The xtnsis fails to properly parse some NSIS files such as this one: https://mega.nz/file/QrsG0STY#4uAml4wfCe8-aAUHIXGuHDMK9Po7JmZgrTyQpYwCbLw
When attempting to parse, the user is returned an error stating "failure in xtnsis: exception of type EOF; Unexpected end of buffer."

To Reproduce

Attempting to use the xtnsis to list or extract from this NSIS installer will produce the error.

emit malware.exe | xtnsis -l
(07:05:29) failure in xtnsis: exception of type EOF; Unexpected end of buffer.

or

emit malware.exe | xtnsis [| dump archive/{path} ]
(07:09:29) failure in xtnsis: exception of type EOFError

Environment

Additional Context

I use an adapted copy of xtnsis in my debloat tool. When debugging debloat, the error occurs in the "read_exactly" method and returns the following, which I THINK suggests the error is occurring while parsing the NSIS Script, so perhaps there is another missing instruction or something?:

Exception has occurred: EOF
End of File
  File "/home/Documents/GitHub/debloat/src/debloat/utilities/readers.py", line 329, in read_exactly
    raise EOF(data)
  File "/home/Documents/GitHub/debloat/src/debloat/utilities/readers.py", line 376, in read_integer
    result = int.from_bytes(self.read_exactly(bytecount, peek), self.byteorder_name)
  File "/home/Documents/GitHub/debloat/src/debloat/utilities/readers.py", line 468, in u32
    return self.read_integer(32, peek)
  File "/home/Documents/GitHub/debloat/src/debloat/utilities/nsisParser.py", line 413, in <listcomp>
    self.arguments = [reader.u32() for _ in range(6)]
  File "/home/Documents/GitHub/debloat/src/debloat/utilities/nsisParser.py", line 413, in __init__
    self.arguments = [reader.u32() for _ in range(6)]
  File "/home/Documents/GitHub/debloat/src/debloat/utilities/readers.py", line 575, in wrapped__init__
    original__init__(self, reader, *args, **kwargs)
  File "/home/Documents/GitHub/debloat/src/debloat/utilities/nsisParser.py", line 988, in <listcomp>
    self.instructions: List[NSScriptInstruction] = [NSScriptInstruction(reader) for _ in range(self.block_header_entries.size)]
  File "/home/Documents/GitHub/debloat/src/debloat/utilities/nsisParser.py", line 988, in __init__
    self.instructions: List[NSScriptInstruction] = [NSScriptInstruction(reader) for _ in range(self.block_header_entries.size)]
  File "/home/Documents/GitHub/debloat/src/debloat/utilities/readers.py", line 575, in wrapped__init__
    original__init__(self, reader, *args, **kwargs)
  File "/home/Documents/GitHub/debloat/src/debloat/utilities/nsisParser.py", line 1148, in __init__
    self.header = NSHeader(header_data, size=header_size)
  File "/home/Documents/GitHub/debloat/src/debloat/utilities/readers.py", line 575, in wrapped__init__
    original__init__(self, reader, *args, **kwargs)
  File "/home/Documents/GitHub/debloat/src/debloat/utilities/nsisParser.py", line 1309, in unpack
    raise _error
  File "/home/Documents/GitHub/debloat/src/debloat/utilities/nsisParser.py", line 1309, in unpack
    raise _error
  File "/home/Documents/GitHub/debloat/src/debloat/processor.py", line 114, in check_and_extract_NSIS
    extracted_files = extractor.unpack(memoryview(pe.__data__))

huettenhain commented 4 weeks ago

This archive contains its files without any compression; I didn't have a good test case for this method until now, so the code was just buggy. A few offsets were off by 4 where a size prefix was incorrectly read as part of the data. Commit 5ccd3e34217e59862868302d951a27a8aec57ff1 should fix all of this.
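
The following is an added illustration of the failure shape described in this thread; it is not refinery's code and not the fix in the commit above. It uses a constructed toy layout (a u32 length prefix followed by raw, uncompressed bytes per entry, which is an assumption for the example and not the real NSIS layout) and a minimal `StructReader` stand-in whose `read_exactly` raises `EOF` like the traceback in the report. The buggy parser peeks the length but starts reading at the prefix, so the 4 prefix bytes land in the payload, every later offset is off by 4, and the next "length" is read from payload bytes and overshoots the buffer. The corrected parser consumes the prefix first and checks the declared length against the remaining bytes so a truncated or corrupt input fails with a descriptive error instead of a bare EOF deep inside a loop.

```python
import struct
from typing import List


class EOF(EOFError):
    """Raised when a read runs past the end of the buffer (mirrors the name in the traceback)."""


class StructReader:
    """Minimal little-endian reader; a constructed stand-in, not refinery's StructReader."""

    def __init__(self, data: bytes):
        self.data = memoryview(data)
        self.pos = 0

    def remaining(self) -> int:
        return len(self.data) - self.pos

    def read_exactly(self, count: int, peek: bool = False) -> bytes:
        """Return exactly `count` bytes or raise EOF; with peek=True the cursor stays put."""
        if count < 0 or count > self.remaining():
            raise EOF(f'needed {count} bytes at offset {self.pos}, only {self.remaining()} left')
        chunk = self.data[self.pos:self.pos + count].tobytes()
        if not peek:
            self.pos += count
        return chunk

    def u32(self, peek: bool = False) -> int:
        return struct.unpack('<I', self.read_exactly(4, peek))[0]


def build_store(blobs: List[bytes]) -> bytes:
    """Constructed toy layout: each entry is a u32 length prefix followed by its raw data."""
    out = bytearray()
    for blob in blobs:
        out += struct.pack('<I', len(blob)) + blob
    return bytes(out)


def parse_store_buggy(data: bytes, count: int) -> List[bytes]:
    """Off-by-4 bug: the length is peeked, but the read begins at the prefix instead of
    after it, so the prefix is consumed as payload and the cursor ends 4 bytes short.
    The next 'length' is then decoded from payload bytes and read_exactly raises EOF."""
    reader = StructReader(data)
    blobs = []
    for _ in range(count):
        size = reader.u32(peek=True)             # cursor still points at the prefix
        blobs.append(reader.read_exactly(size))  # wrong: prefix becomes part of the data
    return blobs


def parse_store(data: bytes, count: int) -> List[bytes]:
    """Corrected reader: consume the prefix, then validate the length before reading."""
    reader = StructReader(data)
    blobs = []
    for index in range(count):
        size = reader.u32()                      # cursor now points at the payload
        if size > reader.remaining():
            raise ValueError(
                f'entry {index}: declared size {size} exceeds {reader.remaining()} remaining bytes')
        blobs.append(reader.read_exactly(size))
    return blobs


def demo():
    """Run both parsers over the same constructed store; return (fixed result, buggy error)."""
    store = build_store([b'A' * 8, b'B' * 12, b'C' * 6])
    good = parse_store(store, 3)
    try:
        parse_store_buggy(store, 3)
        bad = None
    except EOF as error:
        bad = str(error)
    return good, bad


if __name__ == '__main__':
    fixed, buggy_error = demo()
    print('fixed parser:', fixed)
    print('buggy parser:', buggy_error)
```

With the constructed store the buggy path reads `b'\x08\x00\x00\x00AAAA'` as the first entry, then decodes the bytes `AAAA` as the next length and runs off the end; the corrected path returns the three blobs intact. The same pre-read length check is what turns a confusing EOF inside a list comprehension into an error that names the offending entry and offset.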

huettenhain commented 4 weeks ago

This is fixed in release 0.6.40. I will close this out. Cheers!

Squiblydoo commented 4 weeks ago

Awesome work as always. Thank you. :)