decaf-project / DECAF

DECAF (short for Dynamic Executable Code Analysis Framework) is a binary analysis platform based on QEMU. This is also the home of the DroidScope dynamic Android malware analysis platform. DroidScope is now an extension to DECAF.
GNU General Public License v3.0

ARM support #67

Open canance opened 5 years ago

canance commented 5 years ago

Hi,

I'm running into an issue trying to get DECAF working with an ARM guest and hoping that someone can point me in the right direction. I have created and inserted the procinfo kernel driver to get the correct values for procinfo.ini, and DECAF is able to detect the correct kernel during boot. After the VM is fully booted and I run guest_ps it only shows the kernel though:

(qemu) guest_ps
0   cr3=0x00000000  <kernel>

The lsmod command also doesn't show any results. Is there anything special that I need to do in order to get DECAF to work with an ARM guest?

EDIT -- Here is the output from the qemu monitor when the VM is first booted:

inside bdrv open, drv addr= 0x0x55cdc4d2cd40, size= 26843545600
QEMU 1.0 monitor - type 'help' for more information
(qemu) fs_open = Fragment 
inside bdrv open, drv addr= 0x0x55cdc4d2e7c0, size= 0
fs_open error! drv addr=0x0x55cdc4d2e7c0
inside vmi init 

Procinfo path: /decafroot/DECAF/decaf/arm-softmmu/../shared/kernelinfo/procinfo_generic/procinfo.ini
Total Sections: 1
Match 3.2.0-4-versatile
swapper task @ [c0393310] 

Thanks, Cory

hengyin commented 5 years ago

Hi Sina,

Could you point Cory to the right document about VMI configuration?

Heng

On Wed, Jun 5, 2019 at 11:26 AM Cory Nance notifications@github.com wrote:

Hi,

I'm running into an issue trying to get DECAF working with an ARM guest and hoping that someone can point me in the right direction. I have created and inserted the procinfo kernel driver to get the correct values for procinfo.ini, and DECAF is able to detect the correct kernel during boot. After the VM is fully booted and I run guest_ps it only shows the kernel though:

(qemu) guest_ps
0   cr3=0x00000000  <kernel>

The lsmod command also doesn't show any results. Is there anything special that I need to do in order to get DECAF to work with an ARM guest?

Thanks, Cory


adava commented 5 years ago

Dear Cory,

From what I see, it seems that the address in your procinfo.ini is different from what DECAF sees during emulation. One possible reason for this would be different memory sizes between when you generated the procinfo and when you're emulating (the "-m x" option). Other than that, you can refer to further documentation available here. Hope this helps.
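A small diagnostic, added here as an example and not part of DECAF or of anyone's reply in this thread, that automates the check adava suggests: it parses a constructed procinfo.ini and the monitor lines shown above, confirms that the matched section's init_task_addr equals the address in the "swapper task @ [...]" line, and flags offset fields that are missing or zero. Only init_task_addr and the section/match format come from the thread; the other key names (ts_tasks, ts_comm, ts_mm, mm_pgd) are assumed from DECAF's procinfo.ini layout.

```python
import configparser
import re

# Constructed sample procinfo.ini. The section name is the kernel version
# string DECAF matches against ("Match 3.2.0-4-versatile" in the monitor log).
# Only init_task_addr comes from the thread; the other keys are assumed names.
PROCINFO_INI = """\
[3.2.0-4-versatile]
init_task_addr = 0xc0393310
ts_tasks = 0x1a4
ts_comm = 0x2e8
ts_mm = 0x1d8
mm_pgd = 0x24
"""

# Constructed monitor output in the shape the issue shows at boot.
MONITOR_LOG = """\
inside vmi init
Match 3.2.0-4-versatile
swapper task @ [c0393310]
"""

ASSUMED_OFFSET_KEYS = ("ts_tasks", "ts_comm", "ts_mm", "mm_pgd")

def check_vmi_config(ini_text, log_text):
    """Compare procinfo.ini with what DECAF printed; return findings as a dict."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    match = re.search(r"^Match (\S+)", log_text, re.M)
    swapper = re.search(r"swapper task @ \[([0-9a-fA-F]+)\]", log_text)
    problems = []
    if not match or not cfg.has_section(match.group(1)):
        problems.append("no procinfo.ini section matches the kernel DECAF detected")
        return {"section": None, "ini_addr": None, "seen_addr": None, "problems": problems}
    sec = cfg[match.group(1)]
    ini_addr = int(sec.get("init_task_addr", "0"), 16)
    seen_addr = int(swapper.group(1), 16) if swapper else None
    if seen_addr is None:
        problems.append("monitor log has no 'swapper task @' line")
    elif seen_addr != ini_addr:
        # Usually means procinfo.ini was generated on a differently configured
        # guest (another -m memory size or a different kernel build).
        problems.append("init_task_addr 0x%x != swapper task 0x%x; check -m and kernel build"
                        % (ini_addr, seen_addr))
    for key in ASSUMED_OFFSET_KEYS:
        if int(sec.get(key, "0"), 16) == 0:
            problems.append("%s is missing or zero, so the task-list walk cannot work" % key)
    return {"section": match.group(1), "ini_addr": ini_addr,
            "seen_addr": seen_addr, "problems": problems}
```

Run it against your real procinfo.ini and a saved copy of the monitor output; an empty problems list means the static configuration agrees with what DECAF observed and the cause lies elsewhere.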

canance commented 5 years ago

Hi @hengyin and @adava,

Thank you both for the quick response! I verified that the address from the swapper task @ [c0393310] is the same as the value given for init_task_addr while the VM is running and being monitored. I've also tried using the default -m value of 128 MB and the max of 256 MB (for this qemu machine -- versatilepb) with no luck.

Do you happen to have a reference example of using DECAF on arm, similar to the winxp example?

I will read through the wiki to try and get a better understanding of how qemu and DECAF work to see if I can debug this. If you can think of any other reason why what I'm doing wouldn't work, please let me know.

Thanks, Cory