mandiant / capa

The FLARE team's open-source tool to identify capabilities in executable files.
https://mandiant.github.io/capa/
Apache License 2.0

vivisect/viv-utils - Exception: Invalid File: shellcode #55

Closed mr-tz closed 4 years ago

mr-tz commented 4 years ago

$ capa -f sc32 tests/data/499c2a85f6e8142c3f48d4251c9c7cd6.raw32
INFO:capa:--------------------------------------------------------------------------------
INFO:capa: Using default embedded rules.
INFO:capa: To provide your own rules, use the form `capa.exe  ./path/to/rules/  /path/to/mal.exe`.
INFO:capa: You can see the current default rule set here:
INFO:capa:     https://github.com/fireeye/capa-rules
INFO:capa:--------------------------------------------------------------------------------
WARNING:capa:skipping non-.yml file: .git
WARNING:capa:skipping non-.yml file: README.md
INFO:capa:successfully loaded 277 rules
INFO:capa:generating vivisect workspace for: tests/data/499c2a85f6e8142c3f48d4251c9c7cd6.raw32
Traceback (most recent call last):
  File "c:\python27\lib\site-packages\vivisect\impemu\monitor.py", line 147, in prehook
    cb(self, emu, op, starteip)
  File "c:\python27\lib\site-packages\vivisect\analysis\generic\switchcase.py", line 19, in analyzeJmp
    ctx = getSwitchBase(vw, op, starteip, emu)
  File "c:\python27\lib\site-packages\vivisect\analysis\generic\switchcase.py", line 69, in getSwitchBase
    imgbase = vw.getFileMeta(filename, 'imagebase')
  File "c:\python27\lib\site-packages\vivisect\__init__.py", line 2484, in getFileMeta
    raise Exception("Invalid File: %s" % filename)
Exception: Invalid File: shellcode
[...]
INFO:capa:format: blob, platform: windows, architecture: i386, number of functions: 42
INFO:capa:analyzed file and extracted 112 features
+------------------------+----------------------------------------------------------------+
| ATT&CK Tactic          | ATT&CK Technique                                               |
|------------------------+----------------------------------------------------------------|
| DEFENSE EVASION        | Obfuscated Files or Information [T1027]                        |
| EXECUTION              | Shared Modules [T1129]                                         |
+------------------------+----------------------------------------------------------------+

+---------------------------------------------+----------------------------------------------+
| CAPABILITY                                  | NAMESPACE                                    |
|---------------------------------------------+----------------------------------------------|
| contain obfuscated stackstrings (2 matches) | anti-analysis/obfuscation/string/stackstring |
| encode data using XOR                       | data-manipulation/encoding/xor               |
| parse PE header                             | load-code/pe                                 |
+---------------------------------------------+----------------------------------------------+

INFO:capa:done.
williballenthin commented 4 years ago

looks like we need to set filemeta imagebase in the viv-utils shellcode loader?

mr-tz commented 4 years ago

I think the issue is the missing filename:

def getFileMeta(self, filename, key, default=None):
    """
    Retrieve a piece of file specific metadata
    """
    d = self.filemeta.get(filename)
    if d == None:
        raise Exception("Invalid File: %s" % filename)
    return d.get(key, default)

Maybe we need to use vw.addFile()? Must have been changed not too long ago?

williballenthin commented 4 years ago

[screenshots attached]

williballenthin commented 4 years ago

using addFile fixes this

williballenthin commented 4 years ago

fixed in https://github.com/williballenthin/viv-utils/commit/1adcfe25f2dd0ae5b9780298d40b30dade55687d

mr-tz commented 4 years ago

👏 thanks!!!