cea-sec / miasm

Reverse engineering framework in Python
https://miasm.re/
GNU General Public License v2.0

error struct.error: 'I' format requires 0 <= number <= 4294967295 when using -y #647

Open Meow-ops opened 6 years ago

Meow-ops commented 6 years ago

I have the following stack trace when using the "-y" option with the Sandbox_Win_x86_32 parser:

python sandboxed_powershell.py -j gcc -l -s -y powershell.exe
[INFO]: Loading module 'ntdll.dll'
[INFO]: Loading module 'kernel32.dll'
[INFO]: Loading module 'user32.dll'
[INFO]: Loading module 'ole32.dll'
[INFO]: Loading module 'urlmon.dll'
[INFO]: Loading module 'ws2_32.dll'
[INFO]: Loading module 'advapi32.dll'
[INFO]: Loading module 'psapi.dll'
[WARNING]: Create dummy entry for 'iertutil.dll'
[WARNING]: Create dummy entry for 'msvcrt.dll'
[WARNING]: Create dummy entry for 'oleaut32.dll'
[WARNING]: Create dummy entry for 'rpcrt4.dll'
[WARNING]: Create dummy entry for 'shlwapi.dll'
[WARNING]: Create dummy entry for 'atl.dll'
[WARNING]: Create dummy entry for 'mscoree.dll'
[WARNING]: Create dummy entry for 'gdi32.dll'
[WARNING]: Create dummy entry for 'ws2help.dll'
Traceback (most recent call last):
  File "sandboxed_powershell.py", line 31, in <module>
    sb = Sandbox_Win_x86_32(options.filename, options, globals())
  File "/usr/local/lib/python2.7/dist-packages/miasm2/analysis/sandbox.py", line 447, in __init__
    Sandbox.__init__(self, *args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/miasm2/analysis/sandbox.py", line 55, in __init__
    cls.__init__(self, custom_methods, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/miasm2/analysis/sandbox.py", line 246, in __init__
    win_api_x86_32_seh.init_seh(self.jitter)
  File "/usr/local/lib/python2.7/dist-packages/miasm2/os_dep/win_api_x86_32_seh.py", line 414, in init_seh
    build_peb(jitter, peb_address)
  File "/usr/local/lib/python2.7/dist-packages/miasm2/os_dep/win_api_x86_32_seh.py", line 132, in build_peb
    Peb.ImageBaseAddress = main_pe.NThdr.ImageBase
  File "/usr/local/lib/python2.7/dist-packages/miasm2/core/types.py", line 1472, in <lambda>
    lambda self, val, name=name: self.set_field(name, val)
  File "/usr/local/lib/python2.7/dist-packages/miasm2/core/types.py", line 1408, in set_field
    return self._type.set_field(self._vm, self.get_addr(), name, val)
  File "/usr/local/lib/python2.7/dist-packages/miasm2/core/types.py", line 643, in set_field
    field.set(vm, addr + offset, val)
  File "/usr/local/lib/python2.7/dist-packages/miasm2/core/types.py", line 283, in set
    raw = self._pack(val)
  File "/usr/local/lib/python2.7/dist-packages/miasm2/core/types.py", line 381, in _pack
    return super(Num, self)._pack([number])
  File "/usr/local/lib/python2.7/dist-packages/miasm2/core/types.py", line 354, in _pack
    return struct.pack(self._fmt, *fields)
struct.error: 'I' format requires 0 <= number <= 4294967295

powershell.exe is the executable from Windows (852d67a27e454bd389fa7f02a8cbe23f). The code I am using is very basic:

import os
from pdb import pm  # post-mortem debugger helper for interactive use
from miasm2.analysis.sandbox import Sandbox_Win_x86_32
from miasm2.jitter.csts import PAGE_READ, PAGE_WRITE

# Address at which file.bin is mapped and where execution starts
ADDR = 0x1000

# Python auto completion
filename = os.environ.get('PYTHONSTARTUP')
if filename and os.path.isfile(filename):
    execfile(filename)

parser = Sandbox_Win_x86_32.parser(description="PE sandboxer")
parser.add_argument("filename", help="PE Filename")
options = parser.parse_args()
# Loads the PE and its imports; with -y the Windows structures (SEH/PEB) are
# built as well, which is where the traceback above is raised
sb = Sandbox_Win_x86_32(options.filename, options, globals())

# Log every jitted instruction
sb.jitter.jit.log_mn = True

# Map the payload into the emulated address space as a read/write page
with open('file.bin', 'rb') as f:
    sb.jitter.vm.add_memory_page(ADDR, PAGE_READ | PAGE_WRITE, f.read(), "whatever")

sb.run(ADDR)
assert sb.jitter.run is False

Any idea on how to fix that?

itsacoderepo commented 6 years ago

Hi sarcarx,

It looks like you are running a 64-bit binary (according to VirusTotal) in a 32-bit sandbox.

Meow-ops commented 6 years ago

Hi itsacoderepo, OK, I have tried using Sandbox_Win_x86_64 instead of Sandbox_Win_x86_32; the output seems to be the same.

Traceback (most recent call last):
  File "sandboxed_powershell.py", line 31, in <module>
    sb = Sandbox_Win_x86_64(options.filename, options, globals())
  File "/usr/local/lib/python2.7/dist-packages/miasm2/analysis/sandbox.py", line 479, in __init__
    Sandbox.__init__(self, *args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/miasm2/analysis/sandbox.py", line 55, in __init__
    cls.__init__(self, custom_methods, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/miasm2/analysis/sandbox.py", line 246, in __init__
    win_api_x86_32_seh.init_seh(self.jitter)
  File "/usr/local/lib/python2.7/dist-packages/miasm2/os_dep/win_api_x86_32_seh.py", line 414, in init_seh
    build_peb(jitter, peb_address)
  File "/usr/local/lib/python2.7/dist-packages/miasm2/os_dep/win_api_x86_32_seh.py", line 132, in build_peb
    Peb.ImageBaseAddress = main_pe.NThdr.ImageBase
  File "/usr/local/lib/python2.7/dist-packages/miasm2/core/types.py", line 1472, in <lambda>
    lambda self, val, name=name: self.set_field(name, val)
  File "/usr/local/lib/python2.7/dist-packages/miasm2/core/types.py", line 1408, in set_field
    return self._type.set_field(self._vm, self.get_addr(), name, val)
  File "/usr/local/lib/python2.7/dist-packages/miasm2/core/types.py", line 643, in set_field
    field.set(vm, addr + offset, val)
  File "/usr/local/lib/python2.7/dist-packages/miasm2/core/types.py", line 283, in set
    raw = self._pack(val)
  File "/usr/local/lib/python2.7/dist-packages/miasm2/core/types.py", line 381, in _pack
    return super(Num, self)._pack([number])
  File "/usr/local/lib/python2.7/dist-packages/miasm2/core/types.py", line 354, in _pack
    return struct.pack(self._fmt, *fields)
struct.error: 'I' format requires 0 <= number <= 4294967295

Meow-ops commented 6 years ago

Also, I tried using the same code with a 32-bit executable with Sandbox_Win_x86_32 and it does seem to work. Maybe the problem indeed comes from my using a 64-bit executable.

themaks commented 5 years ago

It seems that process environment structures (PEB, TEB, etc.) are only implemented for 32 bits, so it cannot work with 64-bit binaries for now.

serpilliere commented 5 years ago

Hi guys! @itsacoderepo: Nice catch for the 32/64-bit :) @themaks: You are right! For the moment only Windows 32-bit structures are in the public repo. @sarcarx: We have a test branch internally for the 64-bit; we will release it in the near future!
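The diagnosis reached in this thread (a 64-bit PE handed to the 32-bit sandbox, whose PEB ImageBaseAddress field is packed with the 32-bit 'I' format) can be checked before the sandbox is constructed, instead of waiting for the struct.error. The following is an added example, not code from miasm or from anyone in this thread: it reads Machine, the optional-header Magic and ImageBase from the PE headers with plain struct, reproduces the 'I'-format failure with struct.pack, and maps the bitness to the sandbox class name used in the thread. The helper names (pe_bitness, fits_peb_image_base, recommended_sandbox, build_min_pe_headers) are this example's own; the constants are the standard PE format values, and the sample headers are constructed inline for the demonstration. It also covers a case the thread does not show: a 64-bit image based below 4 GiB would pass the ImageBase write and fail later, so bitness, not just the ImageBase value, is what to check.

```python
import struct

# Standard PE format constants (values from the PE/COFF specification)
IMAGE_DOS_SIGNATURE = 0x5A4D            # 'MZ'
IMAGE_NT_SIGNATURE = 0x00004550         # 'PE\0\0'
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B   # PE32
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B   # PE32+
COFF_HEADER_SIZE = 20


def _u(fmt, data, off):
    """unpack_from that reports truncated headers as ValueError."""
    try:
        return struct.unpack_from(fmt, data, off)[0]
    except struct.error:
        raise ValueError("truncated PE header at offset 0x%x" % off)


def pe_bitness(data):
    """Return (bits, image_base) for a PE image.

    Only the DOS header, NT signature, COFF header and the start of the
    optional header are read; that is enough to tell PE32 from PE32+.
    """
    if len(data) < 0x40 or _u("<H", data, 0) != IMAGE_DOS_SIGNATURE:
        raise ValueError("not a PE file: bad DOS header")
    e_lfanew = _u("<I", data, 0x3C)
    if _u("<I", data, e_lfanew) != IMAGE_NT_SIGNATURE:
        raise ValueError("not a PE file: bad NT signature")
    machine = _u("<H", data, e_lfanew + 4)          # first COFF field
    opt = e_lfanew + 4 + COFF_HEADER_SIZE           # optional header start
    magic = _u("<H", data, opt)
    if magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC and machine == IMAGE_FILE_MACHINE_I386:
        return 32, _u("<I", data, opt + 28)         # PE32: DWORD ImageBase at +28
    if magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC and machine == IMAGE_FILE_MACHINE_AMD64:
        return 64, _u("<Q", data, opt + 24)         # PE32+: QWORD ImageBase at +24
    raise ValueError("unsupported or inconsistent Machine/Magic 0x%x/0x%x" % (machine, magic))


def fits_peb_image_base(image_base):
    """Mirror the write that fails in the traceback: the 32-bit PEB's
    ImageBaseAddress is packed with format 'I' (0 <= value <= 2**32-1)."""
    try:
        struct.pack("<I", image_base)
        return True
    except struct.error:
        return False


def recommended_sandbox(data):
    """Pick the sandbox class name (names as used in this thread) from the
    PE bitness, which is the reliable signal; the ImageBase range is not."""
    bits, _ = pe_bitness(data)
    return "Sandbox_Win_x86_32" if bits == 32 else "Sandbox_Win_x86_64"


def build_min_pe_headers(bits, image_base):
    """Constructed sample input for this example: the minimal DOS, NT,
    COFF and optional-header bytes that pe_bitness inspects."""
    e_lfanew = 0x40
    dos = struct.pack("<H", IMAGE_DOS_SIGNATURE) + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    if bits == 32:
        machine, magic = IMAGE_FILE_MACHINE_I386, IMAGE_NT_OPTIONAL_HDR32_MAGIC
        opt = struct.pack("<H", magic) + b"\0" * 26 + struct.pack("<I", image_base)
    else:
        machine, magic = IMAGE_FILE_MACHINE_AMD64, IMAGE_NT_OPTIONAL_HDR64_MAGIC
        opt = struct.pack("<H", magic) + b"\0" * 22 + struct.pack("<Q", image_base)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), 0)
    return dos + struct.pack("<I", IMAGE_NT_SIGNATURE) + coff + opt


if __name__ == "__main__":
    # 0x400000 is the usual 32-bit default base, 0x140000000 the usual x64 one
    for bits, base in ((32, 0x400000), (64, 0x140000000), (64, 0x400000)):
        hdr = build_min_pe_headers(bits, base)
        got_bits, got_base = pe_bitness(hdr)
        print("PE%d ImageBase=0x%x -> %s, fits 32-bit PEB field: %s"
              % (got_bits, got_base, recommended_sandbox(hdr), fits_peb_image_base(got_base)))
```

Run against a real file with `pe_bitness(open(path, 'rb').read())` before building the sandbox; the third constructed case shows why the bitness check matters, since a 64-bit image based at 0x400000 passes the 'I' pack and would only fail further on.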