icchy / tracecorn

Windows API tracer for malware (oldname: unitracer)
MIT License

Malware emulation error #17

Open FernandoDoming opened 6 years ago

FernandoDoming commented 6 years ago

So after playing around with the included files I tried something more real (this oldish Cerber sample 17fcd7a7162298225b06d85d1d5a90ea), but it looks like Unicorn fails to emulate it (maybe I just need to tweak the emulation params).

$ python test.py
VERSION.dll is loaded @ 0x70000000
GDI32.dll is loaded @ 0x7000c000
ADVAPI32.dll is loaded @ 0x70073000
KERNEL32.dll is loaded @ 0x70114000
SHELL32.dll is loaded @ 0x70224000
ole32.dll is loaded @ 0x70fac000
USER32.dll is loaded @ 0x711af000
COMCTL32.dll is loaded @ 0x712a9000
stack: 0x5ff00000-0x60000000
ERROR: Invalid memory read (UC_ERR_READ_UNMAPPED)
eax: 0x00000000
ebx: 0x00000000
ecx: 0x00000000
edx: 0x00000000
edi: 0x00000000
esi: 0x00000000
esp: 0x5ffffe68
ebp: 0x60000000
eip: 0x80000011

DLLs have been harvested from a Win7 VM (SysWow64 directory).

Test script:

$ cat test.py
import unitracer
from unicorn.x86_const import *

uni = unitracer.Windows()

# add search path for dll
uni.dll_path.insert(0, "dlls")

# change stack
uni.STACK_BASE = 0x60000000
uni.STACK_SIZE = 0x10000000

# load binary
uni.load_pe('./samples/17fcd7a7162298225b06d85d1d5a90ea')

# add api hooks
def IsDebuggerPresent(ip, sp, ut):
    emu = ut.emu
    retaddr = ut.popstack()          # pop the return address pushed by the caller
    print("IsDebuggerPresent")
    emu.reg_write(UC_X86_REG_EAX, 0)  # IsDebuggerPresent() -> FALSE
    ut.pushstack(retaddr)            # put the return address back for the tracer

uni.api_hooks['IsDebuggerPresent'] = IsDebuggerPresent

# suppress verbose output (disassemble)
uni.verbose = False
uni.start(0)

For more details and whatnot, you can hit me up on email.
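An added triage helper (not part of this thread or of tracecorn) that parses the module-load lines and the register dump above and reports which mapped region each register points into; since the log prints bases only, it assumes each module extends to the next module's base. Run on the report's own values it shows esp inside the stack, ebp at the first address past the mapped stack, and eip beyond every logged base, which is the address the UC_ERR_READ_UNMAPPED fault is reported at.

```python
import re
# Constructed input: module-load lines and the faulting register dump copied from the report.
TRACE_LOG = """\
VERSION.dll is loaded @ 0x70000000
GDI32.dll is loaded @ 0x7000c000
ADVAPI32.dll is loaded @ 0x70073000
KERNEL32.dll is loaded @ 0x70114000
SHELL32.dll is loaded @ 0x70224000
ole32.dll is loaded @ 0x70fac000
USER32.dll is loaded @ 0x711af000
COMCTL32.dll is loaded @ 0x712a9000
stack: 0x5ff00000-0x60000000
esp: 0x5ffffe68
ebp: 0x60000000
eip: 0x80000011
"""
MODULE_RE = re.compile(r"^(\S+) is loaded @ 0x([0-9a-f]+)$", re.I)
STACK_RE = re.compile(r"^stack: 0x([0-9a-f]+)-0x([0-9a-f]+)$", re.I)
REG_RE = re.compile(r"^(e[a-z]{2}): 0x([0-9a-f]+)$", re.I)

def parse_log(text):
    """Return (regions, regs); a region is (name, start, end) with end exclusive. Only
    bases are logged, so a module is ASSUMED to run to the next base (last one: None)."""
    bases, regions, regs = [], [], {}
    for line in text.splitlines():
        if m := MODULE_RE.match(line):
            bases.append((m[1], int(m[2], 16)))
        elif m := STACK_RE.match(line):
            regions.append(("stack", int(m[1], 16), int(m[2], 16)))
        elif m := REG_RE.match(line):
            regs[m[1].lower()] = int(m[2], 16)
    bases.sort(key=lambda b: b[1])
    for i, (name, start) in enumerate(bases):
        regions.append((name, start, bases[i + 1][1] if i + 1 < len(bases) else None))
    return regions, regs

def locate(addr, regions):
    """Name the region containing addr, or say where it falls outside the known map."""
    for name, start, end in regions:
        if end is not None and start <= addr < end:
            return name
    nearest = max((r for r in regions if r[1] <= addr), key=lambda r: r[1], default=None)
    if nearest is None:
        return "outside map (below the lowest known region)"
    name, start, end = nearest
    note = "end unknown" if end is None else f"end 0x{end:08x}"
    return f"outside map (0x{addr - start:x} past {name} @ 0x{start:08x}, {note})"

def triage(text):
    regions, regs = parse_log(text)  # one classification per dumped register
    return {reg: locate(val, regions) for reg, val in regs.items()}
```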

icchy commented 6 years ago

I think that is a stack configuration problem. Please try changing uni.STACK_BASE or uni.STACK_SIZE, and give me the sample if possible (because I couldn't get it).

FernandoDoming commented 6 years ago

Yes, that was my first thought. I tried multiple values without much luck. My observations:

Do you have any kind of email / IM I can send you the sample(s) / discuss stuff?

icchy commented 6 years ago

Thank you for your observation, that is an interesting result. I'll try to investigate the cause of the error. Please contact me at my public email: icchyr@gmail.com