bontchev / pcodedmp

A VBA p-code disassembler
GNU General Public License v3.0

Error: unpack_from requires a buffer of at least 4 bytes #14

Closed decalage2 closed 4 years ago

decalage2 commented 4 years ago

The attached sample triggers an error "unpack_from requires a buffer of at least 4 bytes" when parsing it with pcodedmp 1.2.6.

ab161b4bb9af46dd5f283288c0a5ca796fbb4cacf963db2bf1e3619aab2a3b12.zip password: infected

Full output:

pcodedmp ab161b4bb9af46dd5f283288c0a5ca796fbb4cacf963db2bf1e3619aab2a3b12
Processing file: ab161b4bb9af46dd5f283288c0a5ca796fbb4cacf963db2bf1e3619aab2a3b12
===============================================================================
dir stream: _VBA_PROJECT_CUR/VBA/dir
-------------------------------------------------------------------------------
dir stream after decompression:
1080 bytes
dir stream parsed:
00000000:  PROJ_SYSKIND:
00000000   03 00 00 00                                        ....

0000000A:  PROJ_LCID:
00000000   09 04 00 00                                        ....

00000014:  PROJ_LCIDINVOKE:
00000000   09 04 00 00                                        ....

0000001E:  PROJ_CODEPAGE:
00000000   E4 04                                              ..

00000026:  PROJ_NAME:
00000000   56 42 41 50 72 6F 6A 65 63 74                      VBAProject

00000036:  PROJ_DOCSTRING
0000003C:  PROJ_UNICODE_DOCSTRING
00000042:  PROJ_HELPFILE
00000048:  PROJ_UNICODE_HELPFILE
0000004E:  PROJ_HELPCONTEXT:
00000000   00 00 00 00                                        ....

00000058:  PROJ_LIBFLAGS:
00000000   00 00 00 00                                        ....

00000062:  PROJ_VERSION:
00000000   98 EC 15 60 01 00                                  ...`..

0000006E:  PROJ_CONSTANTS
00000074:  PROJ_UNICODE_CONSTANTS
0000007A:  PROJ_REFNAME_PROJ:
00000000   73 74 64 6F 6C 65                                  stdole

00000086:  PROJ_UNICODE_REFNAME_PROJ:
00000000   73 00 74 00 64 00 6F 00 6C 00 65 00                s.t.d.o.l.e.

00000098:  PROJ_LIBID_REGISTERED:
00000000   5E 00 00 00 2A 5C 47 7B 30 30 30 32 30 34 33 30    ^...*\G{00020430
00000010   2D 30 30 30 30 2D 30 30 30 30 2D 43 30 30 30 2D    -0000-0000-C000-
00000020   30 30 30 30 30 30 30 30 30 30 34 36 7D 23 32 2E    000000000046}#2.
00000030   30 23 30 23 43 3A 5C 57 69 6E 64 6F 77 73 5C 53    0#0#C:\Windows\S
00000040   79 73 74 65 6D 33 32 5C 73 74 64 6F 6C 65 32 2E    ystem32\stdole2.
00000050   74 6C 62 23 4F 4C 45 20 41 75 74 6F 6D 61 74 69    tlb#OLE Automati
00000060   6F 6E 00 00 00 00 00 00                            on......

00000106:  PROJ_REFNAME_PROJ:
00000000   4F 66 66 69 63 65                                  Office

00000112:  PROJ_UNICODE_REFNAME_PROJ:
00000000   4F 00 66 00 66 00 69 00 63 00 65 00                O.f.f.i.c.e.

00000124:  PROJ_LIBID_REGISTERED:
00000000   94 00 00 00 2A 5C 47 7B 32 44 46 38 44 30 34 43    ....*\G{2DF8D04C
00000010   2D 35 42 46 41 2D 31 30 31 42 2D 42 44 45 35 2D    -5BFA-101B-BDE5-
00000020   30 30 41 41 30 30 34 34 44 45 35 32 7D 23 32 2E    00AA0044DE52}#2.
00000030   30 23 30 23 43 3A 5C 50 72 6F 67 72 61 6D 20 46    0#0#C:\Program F
00000040   69 6C 65 73 5C 43 6F 6D 6D 6F 6E 20 46 69 6C 65    iles\Common File
00000050   73 5C 4D 69 63 72 6F 73 6F 66 74 20 53 68 61 72    s\Microsoft Shar
00000060   65 64 5C 4F 46 46 49 43 45 31 36 5C 4D 53 4F 2E    ed\OFFICE16\MSO.
00000070   44 4C 4C 23 4D 69 63 72 6F 73 6F 66 74 20 4F 66    DLL#Microsoft Of
00000080   66 69 63 65 20 31 36 2E 30 20 4F 62 6A 65 63 74    fice 16.0 Object
00000090   20 4C 69 62 72 61 72 79 00 00 00 00 00 00           Library......

000001C8:  PROJ_MODULECOUNT:
00000000   05 00                                              ..

000001D0:  PROJ_COOKIE:
00000000   40 61                                              @a

000001D8:  MOD_NAME:
00000000   4D 6F 64 75 6C 65 31                               Module1

000001E5:  MOD_UNICODE_NAME:
00000000   4D 00 6F 00 64 00 75 00 6C 00 65 00 31 00          M.o.d.u.l.e.1.

000001F9:  MOD_STREAM:
00000000   4D 6F 64 75 6C 65 31                               Module1

00000206:  MOD_UNICODESTREAM:
00000000   4D 00 6F 00 64 00 75 00 6C 00 65 00 31 00          M.o.d.u.l.e.1.

0000021A:  MOD_DOCSTRING
00000220:  MOD_UNICODE_DOCSTRING
00000226:  MOD_TEXTOFFSET:
00000000   17 03 00 00                                        ....

00000230:  MOD_HELPCONTEXT:
00000000   00 00 00 00                                        ....

0000023A:  MOD_COOKIETYPE:
00000000   C4 62                                              .b

00000242:  MOD_FBASMOD_StdMods
00000248:  MOD_END
0000024E:  MOD_NAME:
00000000   54 68 69 73 57 6F 72 6B 62 6F 6F 6B                ThisWorkbook

00000260:  MOD_UNICODE_NAME:
00000000   54 00 68 00 69 00 73 00 57 00 6F 00 72 00 6B 00    T.h.i.s.W.o.r.k.
00000010   62 00 6F 00 6F 00 6B 00                            b.o.o.k.

0000027E:  MOD_STREAM:
00000000   54 68 69 73 57 6F 72 6B 62 6F 6F 6B                ThisWorkbook

00000290:  MOD_UNICODESTREAM:
00000000   54 00 68 00 69 00 73 00 57 00 6F 00 72 00 6B 00    T.h.i.s.W.o.r.k.
00000010   62 00 6F 00 6F 00 6B 00                            b.o.o.k.

000002AE:  MOD_DOCSTRING
000002B4:  MOD_UNICODE_DOCSTRING
000002BA:  MOD_TEXTOFFSET:
00000000   78 10 00 00                                        x...

000002C4:  MOD_HELPCONTEXT:
00000000   00 00 00 00                                        ....

000002CE:  MOD_COOKIETYPE:
00000000   33 80                                              3.

000002D6:  MOD_FBASMOD_Classes
000002DC:  MOD_END
000002E2:  MOD_NAME:
00000000   53 68 65 65 74 31                                  Sheet1

000002EE:  MOD_UNICODE_NAME:
00000000   53 00 68 00 65 00 65 00 74 00 31 00                S.h.e.e.t.1.

00000300:  MOD_STREAM:
00000000   53 68 65 65 74 31                                  Sheet1

0000030C:  MOD_UNICODESTREAM:
00000000   53 00 68 00 65 00 65 00 74 00 31 00                S.h.e.e.t.1.

0000031E:  MOD_DOCSTRING
00000324:  MOD_UNICODE_DOCSTRING
0000032A:  MOD_TEXTOFFSET:
00000000   33 03 00 00                                        3...

00000334:  MOD_HELPCONTEXT:
00000000   00 00 00 00                                        ....

0000033E:  MOD_COOKIETYPE:
00000000   A9 ED                                              ..

00000346:  MOD_FBASMOD_Classes
0000034C:  MOD_END
00000352:  MOD_NAME:
00000000   53 68 65 65 74 32                                  Sheet2

0000035E:  MOD_UNICODE_NAME:
00000000   53 00 68 00 65 00 65 00 74 00 32 00                S.h.e.e.t.2.

00000370:  MOD_STREAM:
00000000   53 68 65 65 74 32                                  Sheet2

0000037C:  MOD_UNICODESTREAM:
00000000   53 00 68 00 65 00 65 00 74 00 32 00                S.h.e.e.t.2.

0000038E:  MOD_DOCSTRING
00000394:  MOD_UNICODE_DOCSTRING
0000039A:  MOD_TEXTOFFSET:
00000000   33 03 00 00                                        3...

000003A4:  MOD_HELPCONTEXT:
00000000   00 00 00 00                                        ....

000003AE:  MOD_COOKIETYPE:
00000000   C4 CE                                              ..

000003B6:  MOD_FBASMOD_Classes
000003BC:  MOD_END
000003C2:  MOD_NAME:
00000000   53 68 65 65 74 33                                  Sheet3

000003CE:  MOD_UNICODE_NAME:
00000000   53 00 68 00 65 00 65 00 74 00 33 00                S.h.e.e.t.3.

000003E0:  MOD_STREAM:
00000000   53 68 65 65 74 33                                  Sheet3

000003EC:  MOD_UNICODESTREAM:
00000000   53 00 68 00 65 00 65 00 74 00 33 00                S.h.e.e.t.3.

000003FE:  MOD_DOCSTRING
00000404:  MOD_UNICODE_DOCSTRING
0000040A:  MOD_TEXTOFFSET:
00000000   33 03 00 00                                        3...

00000414:  MOD_HELPCONTEXT:
00000000   00 00 00 00                                        ....

0000041E:  MOD_COOKIETYPE:
00000000   43 05                                              C.

00000426:  MOD_FBASMOD_Classes
0000042C:  MOD_END
00000432:  PROJ_EOF
-------------------------------------------------------------------------------
_VBA_PROJECT stream:
5156 bytes
Identifiers:

0000: Excel
0001: VBA
0002: Win16
0003: Win32
0004: Win64
0005: Mac
0006: VBA6
0007: VBA7
0008: VBAProject
0009: stdole
000A: Office
000B: Module1
000C: _Evaluate
000D: book
000E: ThisWorkbook
000F: Sheet1
0010: Sheet2
0011: Sheet3
0012: Workbook
0013: Workbook_Open
0014: LSOHXYJXZHMWDWPDOOCSCUWJWCYIHSDPLJPXFQKOBXMNENQUPFJKJLWBETZZHJKGTBWPGHRGIPNFLXXLQWKUKVFRFKHQITLQTRXGNRSWIGUVMPYDXNLLKNFJMUIIPKMIUJYXOISOJQVMMGGTXESCRE
0015: Chr
0016: NSNMJRQCTYCZGOOZZFQHVEUXHLGVTTSUNKNDQJRSUQDRGYWQBVRYEUUOHVGMTKTMOBVTQZYKUHKIOPWIINSPEMVGPMHWCCBDVSVLRRYBDYLSOHXYJXZHMWDWPDOOCSCUWJWCYIHSDPLJPXFQKOBXMNENQUPFJKJLWBETZ
0017: ZHJKGTBWPGHRGIPNFLXXLQWKUKVFRFKHQITLQTRXGNRSWIGUVMPYDXNLLKNFJMUIIPKMIUJYXOISOJQVMMGGTXESCRENSNMJRQCTYCZGOOZZFQHVEUXHLGVTTSUNKNDQJRSUQDRGYWQBVRYEUUOHVGMTKTMOBVT
0018: CreateObject
0019: SpecialFolders
001A: ITLQTRXGNRSWIGUVMPYDXNLLKNFJMUIIPKMIUJYXOISOJQVMMGGTXESCRENSNMJRQCTYCZGOOZZFQHVEUXHLGVTTSUNKNDQJRSUQDRGYWQBVRYEUUOHVGMTKTMOBVTQZYKUHKIOPWIINSPEMVGPMHWCCBDVSVLRRYBDYLSOHXYJXZHMWDW
001B: JXZHMWDWPDOOCSCUWJWCYIHSDPLJPXFQKOBXMNENQUPFJKJLWBETZZHJKGTBWPGHRGIPNFLXXLQWKUKVFRFKHQITLQTRXGNRSWIGUVMPYDXNLLKNFJMUIIPKMIUJYXOISOJQVMMGGTXESCRENSNMJRQCTYCZGOOZZFQHVEUXHLGVTTSUNKNDQJR
001C: XHLGVTTSUNKNDQJRSUQDRGYWQBVRYEUUOHVGMTKTMOBVTQZYKUHKIOPWIINSPEMVGPMHWCCBDVSVLRRYBDYLSOHXYJXZHMWDWPDOOCSCUWJWCYIHSDPLJPXFQKOBXMNENQUPFJKJLWBETZZHJKGTBWPGHRGIPNFLXXLQWKUKVFRFK
001D: DOOCSCUWJWCYIHSDPLJPXFQKOBXMNENQUPFJKJLWBETZZHJKGTBWPGHRGIPNFLXXLQWKUKVFRFKHQITLQTRXGNRSWIGUVMPYDXNLLKNFJMUIIPKMIUJYXOISOJQVMMGGTXESCRENSNMJRQCTYCZGOOZZFQHVEUXHLGVTTSUNKNDQJR
001E: CSCUWJWCYIHSDPLJPXFQKOBXMNENQUPFJKJLWBETZZHJKGTBWPGHRGIPNFLXXLQWKUKVFRFKHQITLQTRXGNRSWIGUVMPYDXNLLKNFJMUIIPKMIUJYXOISOJQVMMGGTXESCRENSNMJRQCTYCZGOOZZFQHVEUXHLGVTTSUNKNDQJRSUQDRGYWQBVRYEUUOHVG
001F: HQITLQTRXGNRSWIGUVMPYDXNLLKNFJMUIIPKMIUJYXOISOJQVMMGGTXESCRENSNMJRQCTYCZGOOZZFQHVEUXHLGVTTSUNKNDQJRSUQDRGYWQBVRYEUUOHVGMTKTMOBVTQZYKUHKIOPWIINSPEMVGPMHWCCBDVSVLRRYBDY
0020: GOOZZFQHVEUXHLGVTTSUNKNDQJRSUQDRGYWQBVRYEUUOHVGMTKTMOBVTQZYKUHKIOPWIINSPEMVGPMHWCCBDVSVLRRYBDYLSOHXYJXZHMWDWPDOOCSCUWJWCYIHSDPLJPXFQKOBXMNENQUPFJKJLWBETZZHJKGTBWPGHR
0021: PDOOCSCUWJWCYIHSDPLJPXFQKOBXMNENQUPFJKJLWBETZZHJKGTBWPGHRGIPNFLXXLQWKUKVFRFKHQITLQTRXGNRSWIGUVMPYDXNLLKNFJMUIIPKMIUJYXOISOJQVMMGGTXESCRENSNMJRQCTYCZGOOZZFQHVEU
0022: CleanEncryptSTR
0023: send
0024: responseBody
0025: Status
0026: SaveToFile
0027: MsgBox
0028: MyString
0029: BDFHBSDFGDRFGVASDVASDRGEARGERGERG
002A: BGDFBDFDFGBVADRFGVDFGVDFBHEATRFHNGSRFHBTFBHEARBHEARBVEDRGEARHEARHEARGERFBERGERG
002B: i
002C: ASCToAdd
002D: ThisChar
002E: ThisASC
002F: NewASC
0030: BNGFSNFJNTRHEATRHETRGHTRGHERGHERHEATRHEATHERHETRHETSRHETRHH
0031: AllowedChars
0032: Asc

_VBA_PROJECT parsing done.
-------------------------------------------------------------------------------
Module streams:
_VBA_PROJECT_CUR/VBA/Module1 - 855 bytes
Line #0:
        FuncDefn (Sub book())
Line #1:
        QuoteRem 0x0000 0x0000 ""
Line #2:
        EndSub
_VBA_PROJECT_CUR/VBA/ThisWorkbook - 4396 bytes
Error: unpack_from requires a buffer of at least 4 bytes.
_VBA_PROJECT_CUR/VBA/Sheet1 - 991 bytes
_VBA_PROJECT_CUR/VBA/Sheet2 - 991 bytes
_VBA_PROJECT_CUR/VBA/Sheet3 - 991 bytes

bontchev commented 4 years ago

LOL. This isn't exactly my problem - the ThisWorkbook stream has been fucked up by Kaspersky's anti-virus program, zapping with zeroes all the structures that pcodedmp normally parses:


I should probably add some kind of sanity check and abort the processing of the stream if this kind of idiocy is encountered, but it's not too urgent; the current error is probably good enough.

decalage2 commented 4 years ago

Good catch, I hadn't looked at it in a hex viewer... :-) So if we get an error in pcodedmp and if the stream starts with zeroes and contains "Kaspersky", then we know what it is. ;-) However, it's strange the pcode is wiped but not the compressed VBA (I mean, not fully).

bontchev commented 4 years ago

I am more and more inclined not to do anything about this... I mean, if I add a specific check that a pointer I'm trying to read from points outside the stream everywhere where this can happen, the program will become twice the size and much less readable. Now it just has a catch-all error.

Honestly, I had a better opinion of Kaspersky's ability to handle VBA. They seemed to be doing better than this in the past.

The source is not malicious. This makes me think that this is not the original source. Most likely, there was something malicious in the module - that's why KAV zapped the p-code area (and lots of stuff before it) and overwrote the source code area with some innocent source.

Seems stupid, though. In such cases (when you can't remove the module, because ThisWorkbook has to be present), we overwrite it with a complete, valid, empty module that our scanner carries within itself.

bontchev commented 4 years ago

I've pushed a change to the develop branch that makes the program display a more meaningful error message when trying to read past the end of a stream. Merging with master and releasing a new version on PyPI will have to wait until there are more substantial changes.
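As an added example (not pcodedmp's own code) of the two ideas raised in this thread, the bounds check before every read that bontchev describes and decalage2's "starts with zeroes and contains Kaspersky" heuristic, here is a small Python reader run over constructed sample bytes. The marker text, the zero-prefix length and the three-field header layout (modelled loosely on the MOD_TEXTOFFSET / MOD_HELPCONTEXT / MOD_COOKIETYPE values in the output above) are assumptions, not the real module stream format.

```python
import struct

# Constructed sample streams (not taken from the sample attached to the issue).
# A well-formed stream: two little-endian uint32 fields followed by a uint16.
GOOD_STREAM = struct.pack("<IIH", 0x00000317, 0x00000000, 0x62C4)
# A neutralized stream: mostly zeroes with an AV marker, as the thread describes
# for the ThisWorkbook stream; the exact marker text is an assumption.
ZAPPED_STREAM = b"\x00" * 64 + b"Kaspersky" + b"\x00" * 32


class StreamTruncatedError(ValueError):
    """Raised instead of a bare struct.error when a read would run past the end."""


class BoundedReader:
    """Cursor over a byte stream that bounds-checks every read before unpacking."""

    def __init__(self, data: bytes, name: str = "<stream>"):
        self.data, self.name, self.pos = data, name, 0

    def read(self, fmt: str):
        """Unpack `fmt` at the cursor, or raise a descriptive error if it won't fit."""
        size = struct.calcsize(fmt)
        if self.pos + size > len(self.data):
            raise StreamTruncatedError(
                f"{self.name}: need {size} bytes at offset 0x{self.pos:08X}, "
                f"but stream is only {len(self.data)} bytes long")
        values = struct.unpack_from(fmt, self.data, self.pos)
        self.pos += size
        return values[0] if len(values) == 1 else values


def looks_av_neutralized(data: bytes, marker: bytes = b"Kaspersky",
                         zero_prefix: int = 16) -> bool:
    """Heuristic from the thread: stream starts with zeroes and carries the AV marker."""
    return data[:zero_prefix] == b"\x00" * zero_prefix and marker in data


def parse_header(data: bytes, name: str = "<stream>") -> dict:
    """Read the three constructed header fields; return them, or an 'error' entry."""
    if looks_av_neutralized(data):
        return {"error": f"{name}: stream appears to have been zeroed by an AV scanner"}
    r = BoundedReader(data, name)
    try:
        text_offset = r.read("<I")   # analogous to MOD_TEXTOFFSET
        help_context = r.read("<I")  # analogous to MOD_HELPCONTEXT
        cookie = r.read("<H")        # analogous to MOD_COOKIETYPE
    except StreamTruncatedError as e:
        return {"error": str(e)}
    return {"text_offset": text_offset, "help_context": help_context, "cookie": cookie}
```

Running `parse_header` on a stream cut short reports the offset, the bytes needed and the stream length instead of the generic "unpack_from requires a buffer of at least 4 bytes".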