decalage2 / ViperMonkey

A VBA parser and emulation engine to analyze malicious macros.

Too many open files #48

Closed Idriel closed 5 years ago

Idriel commented 6 years ago

Hi, I ran an analysis and it started to show the real meaning of the macro, and then at the end:

.
.
.
INFO     calling Function: QEh('C:\\ProgramData\\golangSource.htm', 'l')
INFO     calling Function: ERb('C:\\ProgramData\\golangSource.html', '[version]\r\nSignature =$chicago$\r\n\r\n...)
INFO     calling Function: CreateObject('Scripting.FileSystemObject')
INFO     ACTION: CreateObject - params ['Scripting.FileSystemObject'] - Interesting Function Call
INFO     calling Function: CreateTextFile('C:\\ProgramData\\golangSource.html', True, True)
INFO     ACTION: CreateTextFile - params ['C:\\ProgramData\\golangSource.html', True, True] - Interesting Function Call
INFO     calling Function: Write('[version]\r\nSignature =$chicago$\r\n\r\n[golangSource]\r\nUnRegisterOCXs = Eve...)
ERROR    Cannot process Write(). Too many open files.

Segmentation fault (core dumped)

Idriel commented 6 years ago

DEBUG    try eval variable/function 'VUB'
DEBUG    Looking for var 'vub'...
DEBUG    Found 'vub' in globals
DEBUG    get variable 'VUB' = Function VUB (): 2 statement(s)
DEBUG    evaluating function Function VUB (): 2 statement(s)
DEBUG    Have xlrd loaded Excel file = False
DEBUG    evaluating Function VUB(None)
DEBUG    Function VUB eval statement: Do While Len('VUB') < 32\n[If Len('V... Then , Let VUB = (VUB & Hex("CInt('(Rnd * 15)')"))]\nLoop
DEBUG    WHILE loop: start: Do While Len('VUB') < 32\n[If Len('V... Then , Let VUB = (VUB & Hex("CInt('(Rnd * 15)')"))]\nLoop
DEBUG    try eval arg: Len('VUB') < 32
DEBUG    eval_arg: eval as VBA_Object Len('VUB') < 32
DEBUG    try eval arg: Len('VUB') < 32
DEBUG    eval_arg: eval as VBA_Object Len('VUB') < 32
DEBUG    try eval arg: Len('VUB')
DEBUG    eval_arg: eval as VBA_Object Len('VUB')
DEBUG    try eval arg: VUB
DEBUG    eval_arg: eval as VBA_Object VUB
DEBUG    try eval variable/function 'VUB'
DEBUG    Looking for var 'vub'...
DEBUG    Found 'vub' in globals
DEBUG    get variable 'VUB' = Function VUB (): 2 statement(s)
DEBUG    evaluating function Function VUB (): 2 statement(s)
DEBUG    Have xlrd loaded Excel file = False
DEBUG    evaluating Function VUB(None)
DEBUG    Function VUB eval statement: Do While Len('VUB') < 32\n[If Len('V... Then , Let VUB = (VUB & Hex("CInt('(Rnd * 15)')"))]\nLoop
DEBUG    WHILE loop: start: Do While Len('VUB') < 32\n[If Len('V... Then , Let VUB = (VUB & Hex("CInt('(Rnd * 15)')"))]\nLoop
DEBUG    try eval arg: Len('VUB') < 32
DEBUG    eval_arg: eval as VBA_Object Len('VUB') < 32
DEBUG    try eval arg: Len('VUB') < 32
DEBUG    eval_arg: eval as VBA_Object Len('VUB') < 32
DEBUG    try eval arg: Len('VUB')
DEBUG    eval_arg: eval as VBA_Object Len('VUB')
DEBUG    try eval arg: VUB
DEBUG    eval_arg: eval as VBA_Object VUB
DEBUG    try eval variable/function 'VUB'
DEBUG    Looking for var 'vub'...
DEBUG    Found 'vub' in globals
DEBUG    get variable 'VUB' = Function VUB (): 2 statement(s)
DEBUG    evaluating function Function VUB (): 2 statement(s)
DEBUG    Have xlrd loaded Excel file = False
DEBUG    evaluating Function VUB(None)
Segmentation fault (core dumped)

decalage2 commented 6 years ago

Which version of Python are you using, on which OS, and is it PyPy or CPython?

kirk-sayre-work commented 6 years ago

Can you share the hash of the doc that triggers the failure?

Idriel commented 5 years ago

Hi, I am using it in Docker based on Ubuntu with PyPy.

Hash:

    SHA256: 15639b8ea8a81229e88619d1081199528a4a07c8053e8f54d76487dc62ecc486

    SHA1: c4078127495e2b0ff35c498ea6f9b57c016ab0e1

    MD5: e355afc307d9bd8c5b1e1a6dd64d01f7

kirk-sayre-work commented 5 years ago

I think I have this fixed. Can you try out the dev ViperMonkey fork @ https://github.com/kirk-sayre-work/ViperMonkey and verify that it works?

Idriel commented 5 years ago

It's working in the dev version. :) Thank you.