dod-cyber-crime-center / rugosa

The next generation of kordesii. This is a library (not a framework) for managing emulation and provides utilities for interfacing with decompiled malware samples using dragodis.

ELF GoLang Emulation Failure #10

Open ddash-ct opened 2 months ago

ddash-ct commented 2 months ago

GobRAT samples (https://blogs.jpcert.or.jp/en/2023/05/gobrat.html) are x64 ELF binaries programmed in GoLang (example SHA256 hash ca6591e246e581af1411735df514a347c43d6d32663d2584420cbbee8c2388b9).

Rugosa does not currently support acquiring a context within the binary; e.g. context = emulator.context_at(0x619A16) results in a NoneType result.

The emulator appears to (correctly) select the x86_64ProcessorContext as the _context_class, and the following debug messages are obtained:

[*] Emulating call level 0 for function at 0x00619A16: follow_loops = False, exhaustive = True
[*] Iterating contexts for call level: 0

Requesting support for the x86/x64 instruction set for these binaries.

dc3-tsd commented 2 months ago

Thanks for letting us know about this. We verified the issue and are currently working on a fix for it that will be in our next release.