spender-sandbox / cuckoomon-modified

Modified edition of cuckoomon
GNU General Public License v3.0

Crash in InternetSetOptionA #1

Closed KillerInstinct closed 8 years ago

KillerInstinct commented 8 years ago

Sample SHA1: e54c43312f800c2d9d6d54223af97d6af5387622

284    InternetOpenW    
ProxyBypass: 
AccessType: 0x00000001 
Agent: 
Flags: 0x00000000 
ProxyName: 

->

284     __anomaly__ 
ThreadIdentifier: 284 
Subcategory: cuckoocrash 
Message: Exception reported at offset 0xd840 in cuckoomon itself 
KillerInstinct commented 8 years ago

With exceptions turned on, here are my debug logs (copy them out since I'm using code blocks):

2015-12-30 06:11:05,321 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 2088 EIP: WININET.DLL+2ec1a SEH: WININET.DLL+ae687 774bec1a, Fault Address: 000003e8, Esp: 0012fc20, Exception Code: c0000005,  cuckoomon.dll+601d cuckoomon.dll+601d SAMCLI.DLL+6e49 WININET.DLL+ae687 cuckoomon.dll+e04e WININET.DLL+177d3 ntdll.dll+12844 WININET.DLL+17a0f SHELL32.dll+b7bf8c WININET.DLL+117ba ntdll.dll+52d88 kernel32.dll+4ccfc KERNELBASE.dll+76a4 KERNELBASE.dll+76ba kernel32.dll+4ccfc KERNELBASE.dll+19f85 KERNELBASE.dll+76ba cuckoomon.dll+211a0 cuckoomon.dll+cf56 cuckoomon.dll+4469c cuckoomon.dll+4492c cuckoomon.dll+44925 cuckoomon.dll+448fc cuckoomon.dll+44654 cuckoomon.dll+4466c cuckoomon.dll+44660 ibd3.jpg.exe+f020 cuckoomon.dll+43370 ibd3.jpg.exe+37ac ibd3.jpg.exe+19e2 ibd3.jpg.exe+f020 ibd3.jpg.exe+f020 ibd3.jpg.exe+f020 ibd3.jpg.exe+f020 ibd3.jpg.exe+1153 kernel32.dll+4ee6c ntdll.dll+63ab3 SHELL32.dll+b7bd9c ntdll.dll+1e15d ntdll.dll+63a86 ibd3.jpg.exe+1000 ibd3.jpg.exe+1000, Bytes at EIP: 8b 33 89 75 9c c7 45 fc fe ff ff ff 85 c9 0f 85
2015-12-30 06:11:05,321 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 2088 EIP: cuckoomon.dll+e080 SEH: ntdll.dll+1e15d 7372e080, Fault Address: 000003e8, Esp: 0012fd28, Exception Code: c0000005,  WININET.DLL+177d3 ntdll.dll+12844 WININET.DLL+17a0f SHELL32.dll+b7bf8c WININET.DLL+117ba ntdll.dll+52d88 kernel32.dll+4ccfc KERNELBASE.dll+76a4 KERNELBASE.dll+76ba kernel32.dll+4ccfc KERNELBASE.dll+19f85 KERNELBASE.dll+76ba cuckoomon.dll+211a0 cuckoomon.dll+cf56 cuckoomon.dll+4469c cuckoomon.dll+4492c cuckoomon.dll+44925 cuckoomon.dll+448fc cuckoomon.dll+44654 cuckoomon.dll+4466c cuckoomon.dll+44660 ibd3.jpg.exe+f020 cuckoomon.dll+43370 ibd3.jpg.exe+37ac ibd3.jpg.exe+19e2 ibd3.jpg.exe+f020 ibd3.jpg.exe+f020 ibd3.jpg.exe+f020 ibd3.jpg.exe+f020 ibd3.jpg.exe+1153 kernel32.dll+4ee6c ntdll.dll+63ab3 SHELL32.dll+b7bd9c ntdll.dll+1e15d ntdll.dll+63a86 ibd3.jpg.exe+1000 ibd3.jpg.exe+1000, Bytes at EIP: ff 37 8b 45 08 68 d8 33 76 73 53 68 04 47 76 73
2015-12-30 06:11:05,322 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 2088 EIP: cuckoomon.dll+e080 SEH: kernel32.dll+aa122 7372e080, Fault Address: 000003e8, Esp: 0012fd28, Exception Code: c0000005,  WININET.DLL+177d3 ntdll.dll+12844 WININET.DLL+17a0f SHELL32.dll+b7bf8c WININET.DLL+117ba ntdll.dll+52d88 kernel32.dll+4ccfc KERNELBASE.dll+76a4 KERNELBASE.dll+76ba kernel32.dll+4ccfc KERNELBASE.dll+19f85 KERNELBASE.dll+76ba cuckoomon.dll+211a0 cuckoomon.dll+cf56 cuckoomon.dll+4469c cuckoomon.dll+4492c cuckoomon.dll+44925 cuckoomon.dll+448fc cuckoomon.dll+44654 cuckoomon.dll+4466c cuckoomon.dll+44660 ibd3.jpg.exe+f020 cuckoomon.dll+43370 ibd3.jpg.exe+37ac ibd3.jpg.exe+19e2 ibd3.jpg.exe+f020 ibd3.jpg.exe+f020 ibd3.jpg.exe+f020 ibd3.jpg.exe+f020 ibd3.jpg.exe+1153 kernel32.dll+4ee6c ntdll.dll+63ab3 SHELL32.dll+b7bd9c kernel32.dll+60781 kernel32.dll+60781 ntdll.dll+1e15d ntdll.dll+63a86 ibd3.jpg.exe+1000 ibd3.jpg.exe+1000, Bytes at EIP: ff 37 8b 45 08 68 d8 33 76 73 53 68 04 47 76 73

In this case, it says my exception offset is 0xe080 (for some reason my binary is also now about 30k larger when I compile it myself with exceptions turned on, 28k larger when just regularly compiling), which puts us in our InternetSetOptionA hook.

Here's the disassembly for that region:

.text:0000E030 ; =============== S U B R O U T I N E =======================================
.text:0000E030
.text:0000E030 ; Attributes: bp-based frame
.text:0000E030
.text:0000E030 ; int __stdcall New_InternetSetOptionA(void *hInternet, unsigned int dwOption, void *lpBuffer, unsigned int dwBufferLength)
.text:0000E030 _New_InternetSetOptionA@16 proc near    ; DATA XREF: .data:0004D124o
.text:0000E030
.text:0000E030 hInternet       = dword ptr  8
.text:0000E030 dwOption        = dword ptr  0Ch
.text:0000E030 lpBuffer        = dword ptr  10h
.text:0000E030 dwBufferLength  = dword ptr  14h
.text:0000E030
.text:0000E030                 push    ebp
.text:0000E031                 mov     ebp, esp
.text:0000E033                 and     esp, 0FFFFFFF8h
.text:0000E036                 push    ecx
.text:0000E037                 push    ebx
.text:0000E038                 mov     ebx, [ebp+dwOption]
.text:0000E03B                 push    esi
.text:0000E03C                 push    edi
.text:0000E03D                 push    [ebp+dwBufferLength]
.text:0000E040                 mov     edi, [ebp+lpBuffer]
.text:0000E043                 push    edi
.text:0000E044                 push    ebx
.text:0000E045                 push    [ebp+hInternet]
.text:0000E048                 call    _Old_InternetSetOptionA
.text:0000E04E                 mov     esi, eax
.text:0000E050                 test    edi, edi
.text:0000E052                 jz      loc_E131
.text:0000E058                 mov     eax, [ebp+dwBufferLength]
.text:0000E05B                 cmp     eax, 4
.text:0000E05E                 jnz     short loc_E0C7
.text:0000E060                 cmp     dword_52B00, 0
.text:0000E067                 jnz     short loc_E080
.text:0000E069                 push    offset _g_log_index ; lpAddend
.text:0000E06E                 call    ds:__imp__InterlockedIncrement@4 ; InterlockedIncrement(x)
.text:0000E074                 push    eax             ; Value
.text:0000E075                 push    offset dword_52B00 ; Target
.text:0000E07A                 call    ds:__imp__InterlockedExchange@8 ; InterlockedExchange(x,x)
.text:0000E080
.text:0000E080 loc_E080:                               ; CODE XREF: New_InternetSetOptionA(x,x,x,x)+37j
.text:0000E080                 push    dword ptr [edi]
.text:0000E082                 mov     eax, [ebp+hInternet]
.text:0000E085                 push    offset aBuffer  ; "Buffer"
.text:0000E08A                 push    ebx
.text:0000E08B                 push    offset aOption  ; "Option"
.text:0000E090                 push    eax
.text:0000E091                 push    offset aInternethandle ; "InternetHandle"
.text:0000E096                 xor     eax, eax
.text:0000E098                 test    esi, esi
.text:0000E09A                 push    offset aPhh     ; "phh"
.text:0000E09F                 push    esi             ; return_value
.text:0000E0A0                 setnz   al
.text:0000E0A3                 push    eax             ; is_success
.text:0000E0A4                 mov     eax, dword_52B00
.text:0000E0A9                 push    offset aInternetsetopt ; "InternetSetOptionA"
.text:0000E0AE                 push    offset aNetwork ; "network"
.text:0000E0B3                 push    eax             ; index
.text:0000E0B4                 call    _loq
.text:0000E0B9                 add     esp, 30h
.text:0000E0BC                 mov     eax, esi
.text:0000E0BE                 pop     edi
.text:0000E0BF                 pop     esi
.text:0000E0C0                 pop     ebx
.text:0000E0C1                 mov     esp, ebp
.text:0000E0C3                 pop     ebp
.text:0000E0C4                 retn    10h
spender-sandbox commented 8 years ago

Should be fixed now, thanks!

-Brad