chainguard-dev / malcontent

detect malicious program behaviors
Apache License 2.0
407 stars 26 forks

analyze subcommand misses files (recursion bug? parallelism bug?) #449

Closed tstromberg closed 2 weeks ago

tstromberg commented 2 weeks ago

For example:

```text
go run . analyze ../jail/npm/esdjiw-11.37.2/
../jail/npm/esdjiw-11.37.2/generateFiles.js [✅ LOW]
----------------------------------------------------
RISK  KEY            DESCRIPTION     EVIDENCE
----------------------------------------------------
LOW   fs/file/write  writes to file  writeFileSync
----------------------------------------------------
```

I expected a result to show up... there was in fact a malicious file here:

```text
go run . analyze ../jail/npm/esdjiw-11.37.2/uioeur/calderad.js
../jail/npm/esdjiw-11.37.2/uioeur/calderad.js [🚨 CRITICAL]
-------------------------------------------------------------------------------------------------------
RISK  KEY                         DESCRIPTION                                 EVIDENCE
-------------------------------------------------------------------------------------------------------
HIGH  evasion/hex                 excessive references to hexadecimal values  0x100f
                                                                              0x1015
                                                                              0x1021
                                                                              0x10222b
                                                                              0x10249d
                                                                              0x1039e2
                                                                              0x103d5e
                                                                              0x104
                                                                              …
CRIT  evasion/script/obfuscation  javascript function obfuscation (hex)       const _0x103d5e=
                                                                              const _0x11ef56=_0x8ecc
                                                                              const _0x123577=_0x8ecc
                                                                              const _0x164e79=_0x2fc…
                                                                              const _0x19bf47=_0x8ecc
                                                                              const _0x210ada=_0x8ecc
                                                                              const _0x2703da=_0x47ea
                                                                              const _0x2df6b9=
                                                                              …
-------------------------------------------------------------------------------------------------------
```
tstromberg commented 2 weeks ago

It gets weirder: it missed a result in the same directory:

```text
go run . analyze ../jail/npm/ethersscan-api-0.0.2/lib/

.. no output ...
```

```text
go run . analyze ../jail/npm/ethersscan-api-0.0.2/lib/hash-blob.js

../jail/npm/ethersscan-api-0.0.2/lib/hash-blob.js [🚨 CRITICAL]
-----------------------------------------------------------------------------------------------------------------------------------------------------
RISK  KEY                         DESCRIPTION                                            EVIDENCE
-----------------------------------------------------------------------------------------------------------------------------------------------------
LOW   fs/file/write               writes to file                                         writeFileS
LOW   ref/path/home/config        path reference within ~/.config                        /.config/s
MED   combo/stealer/browser       Uses HTTP, archives, and references multiple browsers  .config
                                                                                         Brave
                                                                                         Chrome
                                                                                         http
                                                                                         tar
                                                                                         zip
MED   evasion/dynamic_import      imports a library dynamically                          require(_0x5d6b18(0x2d3,'0x323',0x2f4,'0x35e')),_0x18e755…
MED   net/upload                  uploads files                                          uploads
HIGH  evasion/hex                 excessive references to hexadecimal values             0x1009c3
                                                                                         0x101dba
                                                                                         0x102
                                                                                         0x103
                                                                                         0x104df7c
                                                                                         0x105
                                                                                         0x106
                                                                                         0x107
                                                                                         …
CRIT  evasion/script/obfuscation  javascript function obfuscation (excessive const)      const _0x10c657=_0x5d9a0b
                                                                                         const _0x1169b3=
                                                                                         const _0x126ac7=_0x41483f
                                                                                         const _0x127271=async
                                                                                         const _0x135542=
                                                                                         const _0x165870=
                                                                                         const _0x16f58b=
                                                                                         const _0x171e6b=_0x4c1e70
                                                                                         …
-----------------------------------------------------------------------------------------------------------------------------------------------------
```
tstromberg commented 2 weeks ago

I'm worried that this may be related to the new parallelism improvements...

tstromberg commented 2 weeks ago

Here's a good example from main:

```text
go run . analyze ../bincapz-samples/
```

It generated no output.

egibs commented 2 weeks ago

I noticed this behavior a while back but wasn't sure what the cause was.

I also get no output with `go run . analyze ../bincapz-samples/` but doing `go run . --min-risk any --min-file-risk any analyze ../bincapz-samples/` instead results in what I would expect. This precedes the CLI refactoring so I think there was something amiss going back several weeks at least.

egibs commented 2 weeks ago

I think it's related to this: https://github.com/chainguard-dev/bincapz/blob/ab542c394ed394cd5de31193ef4dbdf74d2eb3b7/pkg/action/scan.go#L330-L332

If I comment that out, I see results. I'll look into why that's invalid (we should probably use `continue` here?).

Update: `continue` rather than `return nil, nil` 😁
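As an added illustration of the control flow egibs traces the bug to (example code written for this page, not malcontent's own `scan.go`; the actual lines at `scan.go#L330-L332` are not reproduced here and their surrounding loop is an assumption): a directory scan in which a file below the risk threshold hits `return nil, nil` instead of `continue`, so every file after it in walk order is never read. The sample tree, the toy `classify` heuristics and the assumption that the default threshold hides files with no findings are all constructed for the example. malcontent renders each file as it is scanned, which is why the LOW line for `generateFiles.js` still appeared in the first report; this toy collects results and returns them, so the buggy variant reports nothing at all, as in the `lib/` run. Running it with the threshold set to "any" (nothing filtered) makes the buggy scan look correct, matching the `--min-risk any --min-file-risk any` observation above.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// Risk levels are ordered so that "<" works as a threshold comparison.
type Risk int
const (
	RiskNone Risk = iota // no findings at all
	RiskLow
	RiskCrit
)

// Toy stand-ins (constructed, not malcontent's rules) for fs/file/write and evasion/script/obfuscation.
var fileWrite = regexp.MustCompile(`writeFileSync`)
var obfConst = regexp.MustCompile(`const _0x[0-9a-fA-F]+=`)

func classify(content []byte) Risk {
	if len(obfConst.FindAll(content, -1)) >= 8 {
		return RiskCrit
	}
	if fileWrite.Match(content) {
		return RiskLow
	}
	return RiskNone
}

// listFiles returns every regular file under root in Walk's lexical order.
func listFiles(root string) (paths []string, err error) {
	err = filepath.Walk(root, func(p string, info os.FileInfo, err error) error {
		if err == nil && !info.IsDir() {
			paths = append(paths, p)
		}
		return err
	})
	return paths, err
}

// scan reports every file at or above minRisk, keyed by base name. fixed=false keeps the
// bug's control flow (first filtered file returns from the whole scan); fixed=true continues.
func scan(root string, minRisk Risk, fixed bool) (map[string]Risk, error) {
	paths, err := listFiles(root)
	if err != nil {
		return nil, err
	}
	results := map[string]Risk{}
	for _, p := range paths {
		content, err := os.ReadFile(p)
		if err != nil {
			return nil, err
		}
		r := classify(content)
		if r < minRisk {
			if !fixed {
				return nil, nil // BUG: ends the scan instead of skipping this file
			}
			continue // the fix: skip only this file
		}
		results[filepath.Base(p)] = r
	}
	return results, nil
}

// buildSampleTree writes a constructed layout modelled on the first report; Walk visits
// it in the order generateFiles.js (LOW), index.js (no findings), uioeur/calderad.js (CRIT).
func buildSampleTree() (string, error) {
	root, err := os.MkdirTemp("", "malcontent-example-")
	if err != nil {
		return "", err
	}
	if err := os.Mkdir(filepath.Join(root, "uioeur"), 0o755); err != nil {
		return "", err
	}
	files := map[string]string{
		"generateFiles.js":   "const fs = require('fs');\nfs.writeFileSync('out.txt', 'x');\n",
		"index.js":           "module.exports = require('./generateFiles');\n",
		"uioeur/calderad.js": strings.Repeat("const _0x103d5e=_0x8ecc(0x1015);\n", 10),
	}
	for name, body := range files {
		if err := os.WriteFile(filepath.Join(root, name), []byte(body), 0o644); err != nil {
			return "", err
		}
	}
	return root, nil
}

func main() {
	root, err := buildSampleTree()
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	for _, fixed := range []bool{false, true} {
		res, _ := scan(root, RiskLow, fixed)
		fmt.Printf("fixed=%v: %d file(s) reported: %v\n", fixed, len(res), res)
	}
}
```

The shape to look for when reviewing a walker like this is any `return` inside the per-file loop that is not an error path: a filter decision belongs to one file, so its only legitimate outcomes are `continue` or recording the result.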