radareorg / radare2

UNIX-like reverse engineering framework and command-line toolset
https://www.radare.org/
GNU Lesser General Public License v3.0

Simulating Windows API calls while emulating in Linux with ESIL #13853

Open laminenoureddine opened 5 years ago

laminenoureddine commented 5 years ago

Hello,

Following #13720, I'm trying to extract the first 50 emulated instructions starting from the entry point, using ESIL of radare2.

However, I tested it on a binary packed with MEW SE 11. Unfortunately, after the first jump, I go directly to invalid instructions (ff invalid instructions).

What is the cause of that? Is the MEW packer dynamically loading a section containing its code, which ESIL is not able to emulate?

The commands I use for emulating the 50 first instructions are:

    e dbg.trace=true
    aeim
    dr PC=entry0
    50aes
    dtd

I've attached the binary here.

So, could you explain to me what the cause of that is and how it could be resolved?

Thanks in advance for your help

MEW_aitstatic.exe.zip

radare commented 5 years ago

that's because r2 is setting the maps incorrectly, seems like a bug in the PE parser

laminenoureddine commented 5 years ago

@radare Thanks a lot for your reply.

Ok, so what is the solution? Is it possible to load another PE parser into radare2?

Also, by the way, how can I map system calls? Because I have the same problem (it jumps towards invalid instructions ff) when a Windows system call is called.

Thanks in advance.

radare commented 5 years ago

my solution is fixing the pe parser. and yes you can use the lief-pe plugin for r2. it's not much maintained, but fixing that shouldn't be hard.

what do you mean by map syscalls? syscalls are not mapped, they live in another ring. the function library calls is what i guess you are referring to. and this is something the runtime linker does. r2 doesn't handle that by default, but has the tools to let you reimplement any API call or load any library in there, but i don't think you want to run real native code in your malware

laminenoureddine commented 5 years ago

@radare : Thanks a lot for your replies. And I hope I'm disturbing a lot :-)

Yes, indeed I don't want to emulate the native code of the API system call. As said before, I just want to emulate the first 50 mnemonics of the PE packed binary, starting from the entry point, then get back the traces using the "dtd" command. I want something like [push, mov, mov, call, call, ...., till the 50th mnemonic].

The problem is, sometimes there is an API system call in the first mnemonics (LoadLibrary, or GetVersion, or VirtualAlloc) and then when I try to emulate using the command "50aes", it emulates just till the first API system call it meets, and then just after it goes to invalid instructions (ff invalid instructions).

So, what is the solution to that? Would just skipping the API system call be a solution? But I don't want to skip all the calls, I would like to skip only Windows API calls and not a simple call like "call, offset".

and please, for the parser plugin, how should I add it? Is there a command similar to changing the debugger, dL=?

Just for information: all what I'm doing is under Fedora.

Thanks a lot for your help

radare commented 5 years ago

aht ret @@ imp*

Will make all imports return without falling in ffff places

But there are many other ways to do that

laminenoureddine commented 5 years ago

@radare : Thanks for the reply.

I've just tested it, unfortunately it didn't work. It still stops at the first system call and goes to ff instructions. I've attached here the packed binary (a PE binary packed with Armadillo) I'm testing with.

It stops at call dword [sym.imp.KERNEL32.dll_GetVersion], the 14th instruction from the entry point.

The commands I'm using are:

    e dbg.trace=true
    aei
    aeim
    aht ret @@ imp*
    50aes
    dtd

Thanks

Armadillo_aitagent.exe.zip

laminenoureddine commented 5 years ago

@radare : Please, the command "aht ret @@ imp*" didn't work, it still stops at call dword [sym.imp.KERNEL32.dll_GetVersion] as shown above.

Is there another way to simulate the API calls without going to ff instructions?

I've attached the packed binary in the previous message.

Thanks a lot for your help
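The selective handling asked for above (fake the return of calls that go through a Windows import, step into everything else) as an added example; this is not code from the thread or from radare2 itself. It assumes r2pipe and a 32-bit x86 PE, uses only stock r2 commands (aei/aeim/aeip, aer, aes, pdj), and the `pdj` record in the docstring is constructed for illustration.

```python
"""Added example, not radare2's own code: emulate N instructions with ESIL via
r2pipe and skip calls into Windows imports (sym.imp.*) by faking their return,
so the trace does not run into unmapped 0xff bytes. A plain `call offset` into
the binary's own code is still stepped into."""
try:
    import r2pipe  # pip install r2pipe; needs radare2 installed
except ImportError:  # the pure-Python helpers below still work without it
    r2pipe = None


def is_import_call(insn):
    """insn: one record from r2's `pdj 1`. True only for calls through an
    import flag, e.g. "call dword [sym.imp.KERNEL32.dll_GetVersion]"."""
    if insn.get("type") not in ("call", "ucall"):
        return False
    return "sym.imp." in insn.get("disasm", "")


def skip_import_cmd(insn, ret_value=0):
    """r2 command that fakes the import's return: PC moves past the call and
    EAX carries a chosen return value. Caveat: a stdcall callee would also
    pop its arguments; the argument count is unknown here, so ESP is left
    as-is (fine for a mnemonic trace, not for a stack-accurate one)."""
    next_pc = insn["offset"] + insn["size"]
    return "aer PC=0x%x; aer eax=0x%x" % (next_pc, ret_value)


def trace_mnemonics(path, count=50, ret_value=0):
    """Mnemonics of the first `count` emulated instructions from entry0."""
    if r2pipe is None:
        raise RuntimeError("r2pipe is required for live emulation")
    r2 = r2pipe.open(path)
    r2.cmd("s entry0; aei; aeim; aeip")  # init ESIL VM, stack, PC = entry0
    mnemonics = []
    while len(mnemonics) < count:
        pc = int(r2.cmd("aer PC").strip(), 16)
        insn = r2.cmdj("pdj 1 @ 0x%x" % pc)[0]
        if insn.get("type") == "invalid":
            break  # left mapped code: stop rather than trace garbage
        mnemonics.append(insn["disasm"].split()[0])
        if is_import_call(insn):
            r2.cmd(skip_import_cmd(insn, ret_value))  # fake the API's return
        else:
            r2.cmd("aes")  # ordinary ESIL single-step
    return mnemonics
```

Call `trace_mnemonics("sample.exe")` to get the list of mnemonics; a non-zero `ret_value` is useful for imports like GetVersion whose result the unpacking stub inspects.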

khellendros commented 5 years ago

Having the same issue with system calls on ubuntu.

wesinator commented 4 years ago

@lamin3 note this file isn't actually packed with Armadillo. https://www.zscaler.com/blogs/research/your-windows-8-packed

PEiD sig detections for Armadillo v1.71 and v1.xx - v2.xx are false positives.

laminenoureddine commented 4 years ago

@wesinator Thanks for the notification. But have you checked the unzipped file? The file to check is not the zipped one, I had to zip it just for uploading it here. You should first unzip it and then check it with PEiD or ideally with DiE. And it is a file that I packed myself with Armadillo v2.52.

wesinator commented 4 years ago

Oh, yes of course I checked the exe, I assumed it wasn't modified. Ok, makes sense.

XVilka commented 4 years ago

@GustavoLCR you might be interested in this.

XVilka commented 4 years ago

Related: https://github.com/radareorg/radare2/issues/16226

gogo2464 commented 9 months ago

very good idea!

win peb is not even emulated on windows.

the issue is there are many, many versions of windows; see at least for win10: https://www.vergiliusproject.com/kernels/x86/Windows%2010

I have 2 implementation design ideas:

1- brute force all the versions from vergilius project (long but working on linux)
2- calculating teb address from register dynamically from any windows process (fast to implement but could work only on windows).