mandiant / speakeasy

Windows kernel and user mode emulation.
MIT License

Unsupported API: MSVCP140.??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ (ret: 0x1400026b9) #240

Open berrios1 opened 6 months ago

berrios1 commented 6 months ago

I get the following error:

PS C:\speakeasy-master> python -m speakeasy -o C:\option1_encrypt_nocout.json -t C:\option1_encrypt_nocout.exe
* exec: module_entry
0x140003e5e: 'KERNEL32.GetSystemTimeAsFileTime(0x12fff88)' -> None
0x140003e6c: 'KERNEL32.GetCurrentThreadId()' -> 0x434
0x140003e78: 'KERNEL32.GetCurrentProcessId()' -> 0x420
0x140003e88: 'KERNEL32.QueryPerformanceCounter(0x12fff90)' -> 0x1
0x1400038f4: 'api-ms-win-crt-runtime-l1-1-0._initterm_e(0x1400053d0, 0x1400053e8)' -> 0x0
0x140003915: 'api-ms-win-crt-runtime-l1-1-0._initterm(0x1400053b0, 0x1400053c8)' -> 0x0
0x140003983: 'api-ms-win-crt-runtime-l1-1-0._get_initial_narrow_environment()' -> 0x48f0
0x14000398b: 'api-ms-win-crt-runtime-l1-1-0.__p___argv()' -> 0x4a10
0x140003993: 'api-ms-win-crt-runtime-l1-1-0.__p___argc()' -> 0x4a60
0x14000375f: 'api-ms-win-crt-heap-l1-1-0.malloc(0x20)' -> 0x4a70
0x140001344: 'VCRUNTIME140.memset(0x12ffd28, 0x0, 0x110)' -> 0x12ffd28
0x14000375f: 'api-ms-win-crt-heap-l1-1-0.malloc(0x20)' -> 0x4aa0
0x14000375f: 'api-ms-win-crt-heap-l1-1-0.malloc(0x20)' -> 0x4ad0
0x14000300c: 'VCRUNTIME140.memcpy(0x4ad0, 0x12ffc78, 0xf)' -> 0x4ad0
0x140001451: 'api-ms-win-crt-heap-l1-1-0.free(0x4aa0)' -> None 
0xfeedf02c: module_entry: Caught error: unsupported_api
Invalid memory read (UC_ERR_READ_UNMAPPED)
Unsupported API: MSVCP140.??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ (ret: 0x1400026b9)

I tried adding the dll with -l C:\Windows\System32\msvcp140.dll:

PS C:\speakeasy-master> python -m speakeasy -o C:\option1_encrypt_nocout.json -t C:\option1_encrypt_nocout.exe -l C:\Windows\System32\msvcp140.dll

  File "C:\speakeasy-master\speakeasy\windows\winemu.py", line 1615, in get_fp
    files = [os.path.join(path, fn) for fn in os.listdir(path)]
                                              ^^^^^^^^^^^^^^^^
NotADirectoryError: [WinError 267] The directory name is invalid: 'C:\\Windows\\System32\\msvcp140.dll'

-l C:\Windows\System32\

PS C:\speakeasy-master> python -m speakeasy -o C:\option1_encrypt_nocout.json -t C:\option1_encrypt_nocout.exe -l C:\Windows\System32\
* exec: module_entry
0x140003e5e: 'KERNEL32.GetSystemTimeAsFileTime(0x12fff88)' -> None
0x140003e6c: 'KERNEL32.GetCurrentThreadId()' -> 0x434
0x140003e78: 'KERNEL32.GetCurrentProcessId()' -> 0x420
0x140003e88: 'KERNEL32.QueryPerformanceCounter(0x12fff90)' -> 0x1
0x1400038f4: 'api-ms-win-crt-runtime-l1-1-0._initterm_e(0x1400053d0, 0x1400053e8)' -> 0x0
0x140003915: 'api-ms-win-crt-runtime-l1-1-0._initterm(0x1400053b0, 0x1400053c8)' -> 0x0
0x140003983: 'api-ms-win-crt-runtime-l1-1-0._get_initial_narrow_environment()' -> 0x48f0
0x14000398b: 'api-ms-win-crt-runtime-l1-1-0.__p___argv()' -> 0x4a10
0x140003993: 'api-ms-win-crt-runtime-l1-1-0.__p___argc()' -> 0x4a60
0x14000375f: 'api-ms-win-crt-heap-l1-1-0.malloc(0x20)' -> 0x4a70
0x140001344: 'VCRUNTIME140.memset(0x12ffd28, 0x0, 0x110)' -> 0x12ffd28
0x14000375f: 'api-ms-win-crt-heap-l1-1-0.malloc(0x20)' -> 0x4aa0
0x14000375f: 'api-ms-win-crt-heap-l1-1-0.malloc(0x20)' -> 0x4ad0
0x14000300c: 'VCRUNTIME140.memcpy(0x4ad0, 0x12ffc78, 0xf)' -> 0x4ad0
0x140001451: 'api-ms-win-crt-heap-l1-1-0.free(0x4aa0)' -> None
0xfeedf02c: module_entry: Caught error: unsupported_api
Invalid memory read (UC_ERR_READ_UNMAPPED)
Unsupported API: MSVCP140.??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ (ret: 0x1400026b9)
* Finished emulating
* Saving emulation report to C:\option1_encrypt_nocout.json

-l C:\Windows\SysWOW64\

PS C:\speakeasy-master> python -m speakeasy -o C:\option1_encrypt_nocout.json -t C:\option1_encrypt_nocout.exe -l C:\Windows\SysWOW64\
* exec: module_entry
0x140003e5e: 'KERNEL32.GetSystemTimeAsFileTime(0x12fff88)' -> None
0x140003e6c: 'KERNEL32.GetCurrentThreadId()' -> 0x434
0x140003e78: 'KERNEL32.GetCurrentProcessId()' -> 0x420
0x140003e88: 'KERNEL32.QueryPerformanceCounter(0x12fff90)' -> 0x1
0x1400038f4: 'api-ms-win-crt-runtime-l1-1-0._initterm_e(0x1400053d0, 0x1400053e8)' -> 0x0
0x140003915: 'api-ms-win-crt-runtime-l1-1-0._initterm(0x1400053b0, 0x1400053c8)' -> 0x0
0x140003983: 'api-ms-win-crt-runtime-l1-1-0._get_initial_narrow_environment()' -> 0x48f0
0x14000398b: 'api-ms-win-crt-runtime-l1-1-0.__p___argv()' -> 0x4a10
0x140003993: 'api-ms-win-crt-runtime-l1-1-0.__p___argc()' -> 0x4a60
0x14000375f: 'api-ms-win-crt-heap-l1-1-0.malloc(0x20)' -> 0x4a70
0x140001344: 'VCRUNTIME140.memset(0x12ffd28, 0x0, 0x110)' -> 0x12ffd28
0x14000375f: 'api-ms-win-crt-heap-l1-1-0.malloc(0x20)' -> 0x4aa0
0x14000375f: 'api-ms-win-crt-heap-l1-1-0.malloc(0x20)' -> 0x4ad0
0x14000300c: 'VCRUNTIME140.memcpy(0x4ad0, 0x12ffc78, 0xf)' -> 0x4ad0
0x140001451: 'api-ms-win-crt-heap-l1-1-0.free(0x4aa0)' -> None
0xfeedf02c: module_entry: Caught error: unsupported_api
Invalid memory read (UC_ERR_READ_UNMAPPED)
Unsupported API: MSVCP140.??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ (ret: 0x1400026b9)
* Finished emulating
* Saving emulation report to C:\option1_encrypt_nocout.json

I tried adding an API handler by creating C:\speakeasy-master\speakeasy\winenv\api\usermode\msvcp140.py, using this documentation: https://en.cppreference.com/w/cpp/io/basic_ios/basic_ios

from .. import api

class basic_ios(api.ApiHandler):
    """
    Implements exported functions from msvcp140.dll
    """
    name = 'msvcp140'
    apihook = api.ApiHandler.apihook
    impdata = api.ApiHandler.impdata

    def __init__(self, emu):
        super(basic_ios, self).__init__(emu)
        super(basic_ios, self).__get_hook_attrs__(self)

and get the same error:

PS C:\speakeasy-master> python -m speakeasy -o C:\option1_encrypt_nocout.json -t C:\option1_encrypt_nocout.exe
* exec: module_entry
0x140003e5e: 'KERNEL32.GetSystemTimeAsFileTime(0x12fff88)' -> None
0x140003e6c: 'KERNEL32.GetCurrentThreadId()' -> 0x434
0x140003e78: 'KERNEL32.GetCurrentProcessId()' -> 0x420
0x140003e88: 'KERNEL32.QueryPerformanceCounter(0x12fff90)' -> 0x1
0x1400038f4: 'api-ms-win-crt-runtime-l1-1-0._initterm_e(0x1400053d0, 0x1400053e8)' -> 0x0
0x140003915: 'api-ms-win-crt-runtime-l1-1-0._initterm(0x1400053b0, 0x1400053c8)' -> 0x0
0x140003983: 'api-ms-win-crt-runtime-l1-1-0._get_initial_narrow_environment()' -> 0x48f0
0x14000398b: 'api-ms-win-crt-runtime-l1-1-0.__p___argv()' -> 0x4a10
0x140003993: 'api-ms-win-crt-runtime-l1-1-0.__p___argc()' -> 0x4a60
0x14000375f: 'api-ms-win-crt-heap-l1-1-0.malloc(0x20)' -> 0x4a70
0x140001344: 'VCRUNTIME140.memset(0x12ffd28, 0x0, 0x110)' -> 0x12ffd28
0x14000375f: 'api-ms-win-crt-heap-l1-1-0.malloc(0x20)' -> 0x4aa0
0x14000375f: 'api-ms-win-crt-heap-l1-1-0.malloc(0x20)' -> 0x4ad0
0x14000300c: 'VCRUNTIME140.memcpy(0x4ad0, 0x12ffc78, 0xf)' -> 0x4ad0
0x140001451: 'api-ms-win-crt-heap-l1-1-0.free(0x4aa0)' -> None
0xfeedf02c: module_entry: Caught error: unsupported_api
Invalid memory read (UC_ERR_READ_UNMAPPED)
Unsupported API: MSVCP140.??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ (ret: 0x1400026b9)
* Finished emulating
* Saving emulation report to C:\option1_encrypt_nocout.json

Did I implement the API handler correctly?

Update: I noticed that basic_ios is not in MSVCP140. It is in MSVC170 https://learn.microsoft.com/en-us/cpp/standard-library/basic-ios-class?view=msvc-170
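As an added example (not code from the issue or from speakeasy itself), here is what a handler module for this export would look like, together with a stand-alone check that compares a handler class against the exact "Unsupported API:" line from the log above. It assumes speakeasy's @apihook tags a method with a __apihook__ tuple of (name, func, argc, conv, ordinal) and that the target is the 64-bit binary from the log; the Msvcp140, EmptyMsvcp140, hooked_exports and handler_covers names are mine.

```python
import re

try:  # use speakeasy's real base class and decorator when the package is installed
    from speakeasy.winenv.api.api import ApiHandler
    apihook = ApiHandler.apihook
except ImportError:  # stand-alone fallback (assumption: mirrors how the decorator tags a method)
    class ApiHandler:
        name = ''

    def apihook(impname=None, argc=0, conv=None, ordinal=None):
        def wrap(f):
            f.__apihook__ = (impname or f.__name__, f, argc, conv, ordinal)
            return f
        return wrap


class Msvcp140(ApiHandler):
    """Handler for exports of MSVCP140.dll (hypothetical example module)."""
    name = 'msvcp140'

    # The hook name must be the export exactly as the log prints it after "MSVCP140.",
    # i.e. the full MSVC-mangled name, not the C++ identifier "basic_ios".
    # On x64 'this' is the only argument, and MSVC constructors return it.
    @apihook('??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ', argc=1)
    def basic_ios_ctor(self, emu, argv, ctx={}):
        this, = argv
        return this


class EmptyMsvcp140(ApiHandler):
    """The skeleton from the post: correct module name, but no hooks registered."""
    name = 'msvcp140'


# Constructed from the log line speakeasy printed above.
LOG_LINE = 'Unsupported API: MSVCP140.??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ (ret: 0x1400026b9)'
UNSUPPORTED_RE = re.compile(r'Unsupported API: (?P<mod>[^.\s]+)\.(?P<export>\S+) \(ret: 0x[0-9a-fA-F]+\)')


def hooked_exports(handler_cls):
    """Export name -> argc for every @apihook-tagged method defined on the class."""
    hooks = {}
    for attr in vars(handler_cls).values():
        meta = getattr(attr, '__apihook__', None)
        if meta:
            hooks[meta[0]] = meta[2]
    return hooks


def handler_covers(handler_cls, log_line):
    """True when the handler's module name and one exact hook match the unsupported-API line."""
    m = UNSUPPORTED_RE.search(log_line)
    if not m or m['mod'].lower() != handler_cls.name.lower():
        return False
    return m['export'] in hooked_exports(handler_cls)
```

Run handler_covers against the skeleton class from the post and it returns False, which is why the run produced the identical error: the module name matched, but no export was hooked.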