Open re-fox opened 4 years ago
Hey, thanks a lot that is super helpful! I'll be sure to keep this open.
Quite a few changes were updated last night, I re-ran the analysis and posted up the new results. I'll keep editing this issue on a semi-regular basis to keep the list current.
Could I get a hint for where I have to add undocumented functions for emulation support? I really need this to be working for the API ntoskrnl.ZwCreateKey.
@Flerov this blog has the hints you are looking for: https://www.mandiant.com/resources/blog/using-speakeasy-emulation-framework-programmatically-to-unpack-malware.
@JohnLaTwC Thanks for the link. Do you have some further recommendations to get into the functionality of API hooks implemented in '/speakeasy/winenv/api/kernelmode/', specifically for '[...]/ntoskrnl.py', since the function is not supported and a simple return 0x0 won't help for further emulation of the driver I'm facing? I would like to get into how to add support for the API 'ZwCreateKey' for a successful emulation.
From my report it seems that "ZwCreateKey" gets called and after that there is only one more API being called, 'RtlInitUnicodeString'. According to the listed errors my error type is: 'NoneType' object has no attribute 'to_bytes', raised by the emulation's attempt to call "ZwOpenKey". My terminal output gives me the following hint: """Invalid memory read (UC_ERR_READ_UNMAPPED) Unsupported API: ntoskrnl.ZwCreateKey"""
I appreciate any further links to documentation and help regarding my problem. Many thanks in advance.
@Flerov I recommend reading the documentation on the API: https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-zwcreatekey
It is up to you to decide how much of the API you want to support in emulation to meet your needs.
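As an added illustration of the create-or-open behaviour the thread is circling around (not Speakeasy's own code, and not its handler API), the following stand-alone model contrasts an open-only ZwOpenKey with a ZwCreateKey that creates the key when it is absent and reports the disposition, while failing cleanly instead of calling `.to_bytes` on a missing handle. `ToyRegistry`, the bytearray memory and the 64-bit pointer size are assumptions made for the example.

```python
import struct

# NTSTATUS values and dispositions from the documented ZwCreateKey contract.
STATUS_SUCCESS = 0x00000000
STATUS_OBJECT_NAME_NOT_FOUND = 0xC0000034
REG_CREATED_NEW_KEY = 0x1
REG_OPENED_EXISTING_KEY = 0x2
PTR_SIZE = 8  # assumed 64-bit driver; handles are written pointer-sized


class ToyRegistry:
    """Constructed stand-in for an emulator's registry and handle table."""

    def __init__(self, existing_keys):
        self.keys = {k.lower() for k in existing_keys}
        self.handles = {}
        self.next_handle = 0x100

    def open_key(self, path, create=False):
        """Return (handle, created); (None, False) when the key is absent
        and create is False, which is the open-only ZwOpenKey behaviour."""
        p = path.lower()
        created = False
        if p not in self.keys:
            if not create:
                return None, False
            self.keys.add(p)
            created = True
        h = self.next_handle
        self.next_handle += 4
        self.handles[h] = p
        return h, created


def write_handle(mem, addr, handle):
    """Write a pointer-sized handle into the emulated memory bytearray."""
    mem[addr:addr + PTR_SIZE] = handle.to_bytes(PTR_SIZE, "little")


def zw_open_key(reg, mem, key_handle_ptr, path):
    h, _ = reg.open_key(path, create=False)
    if h is None:  # fail with a status instead of None.to_bytes
        return STATUS_OBJECT_NAME_NOT_FOUND
    write_handle(mem, key_handle_ptr, h)
    return STATUS_SUCCESS


def zw_create_key(reg, mem, key_handle_ptr, path, disposition_ptr=None):
    h, created = reg.open_key(path, create=True)
    write_handle(mem, key_handle_ptr, h)
    if disposition_ptr is not None:  # optional out-param, as in the real API
        disp = REG_CREATED_NEW_KEY if created else REG_OPENED_EXISTING_KEY
        mem[disposition_ptr:disposition_ptr + 4] = struct.pack("<I", disp)
    return STATUS_SUCCESS
```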
@jtbennett-fe I added support for ZwCreateKey as far as I was able to. Seems like it works better to change the create flag in the code for ZwOpenKey.
TLDR: Finally it works now, I appreciate it a lot, thanks.
@Flerov awesome, glad to hear it!
First off, thanks for releasing this tool.
I ran speakeasy against the Malpedia corpus (https://malpedia.caad.fkie.fraunhofer.de/) to get a rough estimate of how many samples successfully emulate with/without tossing errors. While running this test I gathered up a list of the count of unsupported API functions that were causing emulation to halt.
I understand a GitHub issue may not be the best place to store this information. It may be useful for someone looking to contribute by going after the highly used APIs first.
The result of ~4k samples (truncating results at 15 - the data has a long tail of one-offs) (Updated: 2022-02-17 running against c94bb629e8ecc1ab00b326b3e2919365c4bbc66d)
In addition to the above data, Malpedia publicly posts an API frequency graph: https://malpedia.caad.fkie.fraunhofer.de/stats/api_dll_frequencies