Closed simonk9 closed 9 years ago

Hi Brad, the quarantine unpacker for Kaspersky fails on many files. I'm not the most skilled coder, but the issue occurs here:
As a quick hack, I observed that if I manually XOR the file with the key, I get a "good" file.
I still need to get rid of the header and the footer.
I observed that the header is always 64 bytes, and after that comes the original file's magic header.
I still didn't have time to go over the footer pattern.
If you need samples that fail the check above, I can provide a handful.

Some samples would help, thanks
-Brad

Thanks -- it seems there's extra data left at the end of the file not referenced by anything in the metadata. Were these files retrieved normally on a system running KAV or carved out through some forensics? I can change a few lines to make it handle these files as well, but would like to understand why they appear this way first.
-Brad

With some offset, that "footer" can also be deobfuscated using the same key; it includes the Unicode pathname and some additional unknown metadata.

Those files were retrieved from the QB folder along with files that do decode correctly. From what I've experienced, this mostly happens to files inside zip archives or macros inside Office files. So it seems it has more metadata for files that contain a few streams or some sort.

Several of the ones you provided were actually KAV quarantines of Symantec quarantine files. You'll need to submit those repeatedly to the interface. Actually, it seems that for the last item being parsed in the metadata, the correct thing to do is to ignore the length and keep decoding with the XOR key until the end of the file. That will match it up properly for decoding. We don't need to do that for Cuckoo's purposes, so I've left it out.
-Brad

Thank you, it looks like it is working 100% of the time now; I will report again if I encounter more issues.
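The decoding strategy the thread converges on (strip the fixed 64-byte header, XOR the rest with the repeating key, and for the last item ignore the declared length and keep decoding to end of file so the trailing footer with the Unicode pathname comes out clean) can be shown on a constructed blob. The following is an added example, not Cuckoo's unpacker and not Kaspersky's real quarantine format: the header layout (little-endian length field, zero padded to 64 bytes), the footer layout (UTF-16LE path, double-NUL terminator, 16 opaque bytes) and the key `TOY_KEY` are all assumptions invented for the demonstration. It also checks the decoded payload against a few well-known magic values, which is the quickest way to confirm the key and header offset are right when triaging a quarantine file.

```python
"""Toy model of the XOR quarantine decoding discussed in the thread (constructed example)."""
import struct

HEADER_LEN = 64  # per the thread: a 64-byte header, then the original file's magic

# Hypothetical repeating XOR key, used only for this constructed example.
TOY_KEY = bytes.fromhex("e24548ec690e5cac")

# Well-known magic values, used to sanity-check that the key and offset are correct.
KNOWN_MAGIC = {
    b"MZ": "PE executable",
    b"PK\x03\x04": "ZIP/OOXML archive",
    b"%PDF": "PDF document",
    b"\xd0\xcf\x11\xe0": "OLE2 compound file (legacy Office)",
}


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key starting at key position 0."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_toy_quarantine(payload: bytes, path: str, key: bytes) -> bytes:
    """Build a constructed quarantine blob: header | XOR(payload + footer)."""
    header = struct.pack("<I", len(payload)).ljust(HEADER_LEN, b"\x00")
    # Footer (assumed layout): UTF-16LE path, double-NUL terminator, 16 opaque bytes.
    footer = path.encode("utf-16-le") + b"\x00\x00" + bytes(range(16))
    return header + xor_with_key(payload + footer, key)


def identify_magic(data: bytes):
    """Return the file-type name whose magic the data starts with, or None."""
    for magic, name in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def extract_utf16_path(footer: bytes):
    """Pull the UTF-16LE path out of a decoded footer (terminator on a code-unit boundary)."""
    end = footer.find(b"\x00\x00")
    while end != -1 and end % 2:
        end = footer.find(b"\x00\x00", end + 1)
    if end == -1:
        return None
    return footer[:end].decode("utf-16-le", errors="replace")


def unpack(blob: bytes, key: bytes, decode_to_eof: bool = True) -> dict:
    """Strip the header and XOR-decode the body.

    decode_to_eof=True is the behaviour Brad describes: ignore the declared length
    for the last item and keep applying the key to the end of the file, so the
    footer decodes too.  decode_to_eof=False models the original behaviour, which
    stops at the declared length and leaves the trailing bytes obfuscated.
    """
    if len(blob) < HEADER_LEN:
        raise ValueError("blob shorter than the 64-byte header")
    declared = struct.unpack_from("<I", blob, 0)[0]
    obfuscated = blob[HEADER_LEN:]
    if decode_to_eof:
        plain = xor_with_key(obfuscated, key)
    else:
        plain = xor_with_key(obfuscated[:declared], key) + obfuscated[declared:]
    payload, footer = plain[:declared], plain[declared:]
    return {
        "payload": payload,
        "magic": identify_magic(payload),  # None means wrong key or wrong header offset
        "footer": footer,
        "path": extract_utf16_path(footer),
    }


if __name__ == "__main__":
    sample = build_toy_quarantine(b"PK\x03\x04" + b"A" * 50,
                                  "C:\\Users\\alice\\Downloads\\report.docm", TOY_KEY)
    result = unpack(sample, TOY_KEY)
    print(result["magic"], result["path"], len(result["footer"]))
```

Running the module decodes the constructed blob and prints the detected type, the recovered path and the footer length; calling `unpack(..., decode_to_eof=False)` on the same blob returns the same payload but a still-obfuscated footer, which is the symptom the thread started from.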