decaf-project / DECAF

DECAF (short for Dynamic Executable Code Analysis Framework) is a binary analysis platform based on QEMU. This is also the home of the DroidScope dynamic Android malware analysis platform. DroidScope is now an extension to DECAF.
GNU General Public License v3.0

VMI won't work #73

Closed ssdemajia closed 5 years ago

ssdemajia commented 5 years ago

I use DECAF on Ubuntu 18.04 64-bit, and the guest OS is Ubuntu 14.04 32-bit. I used procinfo_generic on Ubuntu 18.04 64-bit to get the kernel info. Isn't that right? Because I got a large init_task addr, which is:

[info]
total = 1

[1]
strName = 4.15.0-55-generic
init_task_addr  = 18446744071811703936
init_task_size  = 9088
ts_tasks        = 1960
ts_pid          = 2216
ts_tgid         = 2220
ts_group_leader = 2280
ts_thread_group = 2392
ts_real_parent  = 2232
ts_mm           = 2040
ts_stack        = 24
module_name   = 24
module_size   = 392
module_init   = 384
module_list   = 8
ts_real_cred    = 2624
ts_cred         = 2632
ts_comm         = 2640
cred_uid        = 4
cred_gid        = 8
cred_euid       = 20
cred_egid       = 24
mm_mmap         = 0
mm_pgd          = 80
mm_arg_start    = 296
mm_start_brk    = 272
mm_brk          = 280
mm_start_stack  = 288
vma_vm_start    = 0
vma_vm_end      = 8
vma_vm_next     = 16
vma_vm_file     = 160
vma_vm_flags    = 80
vma_vm_pgoff    = 152
file_dentry     = 32
file_inode      = 48
dentry_d_name   = 32
dentry_d_iname  = 56
dentry_d_parent = 24
ti_task         = 8
inode_ino   = 64

I found that DECAF found the task struct at a small address. tulInitTaskAddr: 3249244800 https://github.com/decaf-project/DECAF/blob/8c12a8d97ad476a226815398e66457586dbf1b34/decaf/shared/linux_procinfo.cpp#L1788

➜  i386-softmmu git:(master) ✗ ./qemu-system-i386 -monitor stdio -m 2048 ./ubuntu1404_32.img -cdrom ~/ubuntu-14.04.6-desktop-i386.iso

(process:20336): GLib-WARNING **: 21:40:36.398: ../../../../glib/gmem.c:489: custom memory allocation vtable not supported
register_savevm slirp
register_savevm cpu
QEMU 1.0 monitor - type 'help' for more information
(qemu) inside bdrv open, drv addr= 0x0x560fb28b6e60, size= 32212254720
fs_open = Fragment 
inside bdrv open, drv addr= 0x0x560fb28c7950, size= 1170964480
fs_open error! drv addr=0x0x560fb28c7950
register_savevm DECAF
register_savevm funmap
register_savevm hookapi
inside vmi init 
tulInitTaskAddr: 3249244800

Procinfo path: /home/shaoshuai/DECAF/decaf/i386-softmmu/../shared/kernelinfo/procinfo_generic/procinfo.ini
terminate called after throwing an instance of 'boost::exception_detail::clone_impl<boost::exception_detail::error_info_injector<boost::property_tree::ptree_bad_data> >'
  what():  conversion of data to type "j" failed
[1]    20336 abort (core dumped)  ./qemu-system-i386 -monitor stdio -m 2048 ./ubuntu1404_32.img -cdrom 

How can I start VMI?

When I set init_task_addr = 3249244800, DECAF works. But how can I verify that this VMI works right?
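The abort above comes from the profile, not from the guest: `conversion of data to type "j"` is boost failing to convert `init_task_addr` into an `unsigned int` (the mangled name of that type is `j`), because 18446744071811703936 (0xFFFFFFFF8EE12480) is a 64-bit kernel address read from the host's 4.15 kernel, while the i386 target stores it in 32 bits. The checker below is an added example, not DECAF's code or part of the original issue; it parses the posted procinfo.ini (reduced to the fields the checks use, values as on the page), flags a `init_task_addr` that cannot fit the target word size, and checks that the address lies in the kernel half of the address space and that every `ts_*` offset lies inside `init_task_size`. The default 3G/1G split (`PAGE_OFFSET = 0xC0000000`) for the 32-bit guest is an assumption; the struct offsets themselves can only be validated against the guest's own kernel build.

```python
import configparser

# Constructed sample: the relevant fields of the procinfo.ini posted in the
# issue (generated on the 64-bit host kernel 4.15.0-55), reduced to the values
# the checks below use. Offsets are kernel-build specific, so only the address
# can be sanity-checked without the guest's own kernel.
PAGE_PROFILE = """\
[info]
total = 1

[1]
strName = 4.15.0-55-generic
init_task_addr  = 18446744071811703936
init_task_size  = 9088
ts_tasks        = 1960
ts_pid          = 2216
ts_comm         = 2640
"""

# Address DECAF itself located on the 32-bit guest (tulInitTaskAddr in the log).
GUEST_INIT_TASK = 3249244800  # 0xC1AC8A80

# Lowest kernel virtual address under the default 3G/1G split of a 32-bit x86
# Linux kernel. Assumption: the guest kernel uses the default PAGE_OFFSET.
I386_PAGE_OFFSET = 0xC0000000


def load_profile(text):
    """Parse procinfo.ini text and return one dict per numbered kernel section."""
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep key case so "strName" survives as written
    cp.read_string(text)
    entries = []
    for section in cp.sections():
        if section == "info":
            continue
        entry = {"strName": cp.get(section, "strName")}
        for key, value in cp.items(section):
            if key != "strName":
                entry[key] = int(value)
        entries.append(entry)
    return entries


def check_profile(entry, target_bits=32, page_offset=I386_PAGE_OFFSET):
    """Return the problems that make this profile unusable for a guest with the
    given word size. An empty list means the profile passed every check."""
    problems = []
    addr = entry["init_task_addr"]
    size = entry["init_task_size"]
    max_addr = (1 << target_bits) - 1

    # The condition behind the ptree_bad_data abort in the issue: the field is
    # read into a target-sized unsigned integer, and a wider kernel address
    # cannot be converted into it. Such a profile came from a different kernel.
    if addr > max_addr:
        problems.append(
            f"init_task_addr {addr:#x} does not fit in {target_bits} bits; "
            f"the profile was generated on a wider (different) kernel"
        )
    elif addr < page_offset:
        problems.append(
            f"init_task_addr {addr:#x} is below the kernel page offset {page_offset:#x}"
        )

    # Every task_struct offset must lie inside the structure; an offset past
    # init_task_size means offsets and address come from different builds.
    for key, off in entry.items():
        if key.startswith("ts_") and not (0 <= off < size):
            problems.append(f"{key}={off} is outside init_task_size={size}")
    return problems


if __name__ == "__main__":
    entry = load_profile(PAGE_PROFILE)[0]
    for problem in check_profile(entry):
        print("host-generated profile:", problem)
    fixed = dict(entry, init_task_addr=GUEST_INIT_TASK)
    print("with guest address:", check_profile(fixed) or "ok")
```

Run against the posted profile the check reports the 64-bit address; substituting the value DECAF found on the guest makes it pass, which matches what the reporter observed. Passing this check only means the profile is parseable and plausible for the target; the offsets still have to come from a procinfo run on the guest kernel.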

sycurelab commented 5 years ago

It seems like a bug in linux_procinfo.cpp. A simple way to verify is by checking ps inside as well as from DECAF.
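The cross-view check suggested in the reply, as an added example that is not part of the issue or of DECAF: compare the process list obtained inside the guest (`ps -eo pid,comm`) with the (pid, comm) pairs a VMI task-list walk returns. The `ps` output and the VMI list are constructed samples; the format of DECAF's own listing is not assumed, only that it can be reduced to (pid, comm) pairs. A process present only in the VMI view is what an in-guest hook hiding it from `ps` looks like; processes missing from the VMI view, or entries with out-of-range PIDs or unprintable names, are what a list walk with wrong `init_task_addr` or `ts_*` offsets produces. The `pid_max` value is an assumption.

```python
import re

# Constructed sample of `ps -eo pid,comm` output captured inside the guest.
GUEST_PS = """\
  PID COMMAND
    1 init
    2 kthreadd
  843 sshd
 1201 bash
"""

# Constructed sample of what a VMI task-list walk returns, reduced to
# (pid, comm) pairs. One entry is deliberately present only in this view.
VMI_TASKS = [(1, "init"), (2, "kthreadd"), (843, "sshd"), (1201, "bash"), (1337, "hidden")]

# Assumption: the default /proc/sys/kernel/pid_max of the guest kernel.
PID_MAX = 32768


def parse_ps(text):
    """Turn `ps -eo pid,comm` output into a set of (pid, comm) pairs."""
    tasks = set()
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+)", line)
        if m:  # the "PID COMMAND" header does not match and is skipped
            tasks.add((int(m.group(1)), m.group(2)))
    return tasks


def looks_garbage(pid, comm):
    """Entries produced by walking the list with wrong offsets typically have
    out-of-range PIDs or empty / non-printable comm fields. PID 0 is allowed
    because a walk that starts at init_task reports the swapper task."""
    return not (0 <= pid < PID_MAX) or not comm or not comm.isprintable()


def cross_view(inside, vmi):
    """Diff the in-guest view against the VMI view.

    hidden_from_guest: plausible tasks VMI sees but the guest's ps does not
    missing_in_vmi:    tasks ps sees but the VMI walk did not reach
    garbage:           VMI entries that cannot be real tasks (bad offsets)
    """
    vmi = set(vmi)
    garbage = {t for t in vmi if looks_garbage(*t)}
    return {
        "hidden_from_guest": vmi - inside - garbage,
        "missing_in_vmi": inside - vmi,
        "garbage": garbage,
    }


if __name__ == "__main__":
    result = cross_view(parse_ps(GUEST_PS), VMI_TASKS)
    for kind, tasks in result.items():
        print(f"{kind}: {sorted(tasks) if tasks else 'none'}")
```

An empty `missing_in_vmi` and `garbage` on a clean guest is the signal that the profile matches the running kernel; only then does a non-empty `hidden_from_guest` mean something about the guest rather than about the offsets.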

ssdemajia commented 5 years ago

I got the right Ubuntu 14.04 proc info and it works! Thank you.