x64dbg / x64dbgpylib

Port of windbglib to x64dbgpy, in an effort to support mona.py in x64dbg.
BSD 3-Clause "New" or "Revised" License

Might be reading wrong value from ImageBase in NT Header #7

Status: Closed (wangray closed this issue 6 years ago)

wangray commented 6 years ago

To determine whether a module has been rebased, mona checks whether ntHeader.OptionalHeader.ImageBase is equal to the actual base address in memory. However, for all the Microsoft DLLs, it seems the ImageBase field is changed to its base address in memory?

Somehow, Immunity gets the ImageBase field of the DLLs before they're changed, correctly marking all the Microsoft DLLs as rebased.

x64dbg:

 Module info :
-----------------------------------------------------------------------------------------------------------------------------------------
 Base       | Top        | Size       | Rebase | SafeSEH | ASLR  | NXCompat | OS Dll | Version, Modulename & Path
-----------------------------------------------------------------------------------------------------------------------------------------
 0x00020000 | 0x0002e000 | 0x0000e000 | True   | False   | False |  False   | False  | -1.0- [DLL2.dll] (dll2.dll)
 0x6b130000 | 0x6b139000 | 0x00009000 | False  | False   | True  |  True    | False  | -1.0- [SCHEDCLI.DLL] (schedcli.dll)
 0x00400000 | 0x00409000 | 0x00009000 | False  | False   | False |  False   | False  | -1.0- [Lab09-03.exe] (lab09-03.exe)
 0x6b7c0000 | 0x6b7ca000 | 0x0000a000 | False  | False   | True  |  True    | False  | -1.0- [netutils.dll] (netutils.dll)
 0x74d10000 | 0x74de7000 | 0x000d7000 | False  | False   | True  |  True    | False  | -1.0- [KERNELBASE.dll] (kernelbase.dll)
 0x74ca0000 | 0x74cf4000 | 0x00054000 | False  | False   | True  |  True    | False  | -1.0- [bcryptPrimitives.dll] (bcryptprimitives.dll)
 0x6b440000 | 0x6b45d000 | 0x0001d000 | False  | False   | True  |  True    | False  | -1.0- [srvcli.dll] (srvcli.dll)
 0x755d0000 | 0x75710000 | 0x00140000 | False  | False   | True  |  True    | False  | -1.0- [KERNEL32.DLL] (kernel32.dll)
 0x75ab0000 | 0x75b73000 | 0x000c3000 | False  | False   | True  |  True    | False  | -1.0- [msvcrt.dll] (msvcrt.dll)
 0x74d00000 | 0x74d0a000 | 0x0000a000 | False  | True    | True  |  True    | False  | -1.0- [CRYPTBASE.dll] (cryptbase.dll)
 0x75b80000 | 0x75b9e000 | 0x0001e000 | False  | False   | True  |  True    | False  | -1.0- [SspiCli.dll] (sspicli.dll)
 0x77520000 | 0x7768f000 | 0x0016f000 | False  | False   | True  |  True    | True   | -1.0- [ntdll.dll] (ntdll.dll)
 0x750b0000 | 0x7516a000 | 0x000ba000 | False  | False   | True  |  True    | False  | -1.0- [RPCRT4.dll] (rpcrt4.dll)
 0x6b140000 | 0x6b153000 | 0x00013000 | False  | False   | True  |  True    | False  | -1.0- [NETAPI32.dll] (netapi32.dll)
 0x75330000 | 0x75371000 | 0x00041000 | False  | False   | True  |  True    | False  | -1.0- [sechost.dll] (sechost.dll)
 0x6b5f0000 | 0x6b601000 | 0x00011000 | False  | False   | True  |  True    | False  | -1.0- [wkscli.dll] (wkscli.dll)
 0x10000000 | 0x1000e000 | 0x0000e000 | False  | False   | False |  False   | False  | -1.0- [DLL1.dll] (dll1.dll)
-----------------------------------------------------------------------------------------------------------------------------------------

Immunity:

0BADF0   Module info :
0BADF0  -----------------------------------------------------------------------------------------------------------------------------------------
0BADF0   Base       | Top        | Size       | Rebase | SafeSEH | ASLR  | NXCompat | OS Dll | Version, Modulename & Path
0BADF0  -----------------------------------------------------------------------------------------------------------------------------------------
0BADF0   0x00020000 | 0x0002e000 | 0x0000e000 | True   | False   | False |  False   | False  | -1.0- [DLL2.dll] (C:\Users\raywang\Documents\Practical Malware Analysis Labs\BinaryCollection\Chapter_9L\DLL2.dll)
0BADF0   0x71620000 | 0x71634000 | 0x00014000 | True   | False   | True  |  True    | True   | 6.3.9600.17415 [cryptdll.dll] (C:\Windows\SYSTEM32\cryptdll.dll)
0BADF0   0x00400000 | 0x00409000 | 0x00009000 | False  | False   | False |  False   | False  | -1.0- [Lab09-03.exe] (C:\Users\raywang\Documents\Practical Malware Analysis Labs\BinaryCollection\Chapter_9L\Lab09-03.exe)
0BADF0   0x6b7c0000 | 0x6b7ca000 | 0x0000a000 | True   | False   | True  |  True    | True   | 6.3.9600.17415 [netutils.dll] (C:\Windows\SYSTEM32\netutils.dll)
0BADF0   0x74d10000 | 0x74de7000 | 0x000d7000 | True   | False   | True  |  True    | True   | 6.3.9600.18217 [KERNELBASE.dll] (C:\Windows\SYSTEM32\KERNELBASE.dll)
0BADF0   0x74ca0000 | 0x74cf4000 | 0x00054000 | True   | False   | True  |  True    | True   | 6.3.9600.18344 [bcryptPrimitives.dll] (C:\Windows\SYSTEM32\bcryptPrimitives.dll)
0BADF0   0x6b440000 | 0x6b45d000 | 0x0001d000 | True   | False   | True  |  True    | True   | 6.3.9600.17415 [srvcli.dll] (C:\Windows\SYSTEM32\srvcli.dll)
0BADF0   0x00030000 | 0x0003e000 | 0x0000e000 | True   | False   | False |  False   | False  | -1.0- [DLL3.dll] (C:\Users\raywang\Documents\Practical Malware Analysis Labs\BinaryCollection\Chapter_9L\DLL3.dll)
0BADF0   0x755d0000 | 0x75710000 | 0x00140000 | True   | False   | True  |  True    | True   | 6.3.9600.18217 [KERNEL32.DLL] (C:\Windows\SYSTEM32\KERNEL32.DLL)
0BADF0   0x71640000 | 0x71692000 | 0x00052000 | True   | False   | True  |  True    | True   | 6.3.9600.16384 [msv1_0.DLL] (C:\Windows\SYSTEM32\msv1_0.DLL)
0BADF0   0x6b130000 | 0x6b139000 | 0x00009000 | True   | False   | True  |  True    | True   | 6.3.9600.17415 [SCHEDCLI.DLL] (C:\Windows\SYSTEM32\SCHEDCLI.DLL)
0BADF0   0x75ab0000 | 0x75b73000 | 0x000c3000 | True   | False   | True  |  True    | True   | 7.0.9600.17415 [msvcrt.dll] (C:\Windows\SYSTEM32\msvcrt.dll)
0BADF0   0x75b80000 | 0x75b9e000 | 0x0001e000 | True   | False   | True  |  True    | True   | 6.3.9600.18454 [SspiCli.dll] (C:\Windows\SYSTEM32\SspiCli.dll)
0BADF0   0x750b0000 | 0x7516a000 | 0x000ba000 | True   | False   | True  |  True    | True   | 6.3.9600.16384 [RPCRT4.dll] (C:\Windows\SYSTEM32\RPCRT4.dll)
0BADF0   0x77520000 | 0x7768f000 | 0x0016f000 | True   | False   | True  |  True    | True   | 6.3.9600.18217 [ntdll.dll] (C:\Windows\SYSTEM32\ntdll.dll)
0BADF0   0x74d00000 | 0x74d0a000 | 0x0000a000 | True   | True    | True  |  True    | True   | 6.3.9600.17415 [CRYPTBASE.dll] (C:\Windows\SYSTEM32\CRYPTBASE.dll)
0BADF0   0x6b140000 | 0x6b153000 | 0x00013000 | True   | False   | True  |  True    | True   | 6.3.9600.17415 [NETAPI32.dll] (C:\Windows\SYSTEM32\NETAPI32.dll)
0BADF0   0x75330000 | 0x75371000 | 0x00041000 | True   | False   | True  |  True    | True   | 6.3.9600.16384 [sechost.dll] (C:\Windows\SYSTEM32\sechost.dll)
0BADF0   0x6b5f0000 | 0x6b601000 | 0x00011000 | True   | False   | True  |  True    | True   | 6.3.9600.17415 [wkscli.dll] (C:\Windows\SYSTEM32\wkscli.dll)
0BADF0   0x10000000 | 0x1000e000 | 0x0000e000 | False  | False   | False |  False   | False  | -1.0- [DLL1.dll] (C:\Users\raywang\Documents\Practical Malware Analysis Labs\BinaryCollection\Chapter_9L\DLL1.dll)
0BADF0  -----------------------------------------------------------------------------------------------------------------------------------------
0BADF0
0BADF0
0BADF0  [+] This mona.py action took 0:00:00.282000

How do we get the same behavior as Immunity?

mrexodia commented 6 years ago

I believe that CreateFileMapping with SEC_IMAGE will always set the rebased address in OptionalHeader.ImageBase so it's rather magical that Immunity would give back a different value there (perhaps a cache?). I think the only real way to find if a module is rebased is to read the original file and compare the in-memory value with that...

wangray commented 6 years ago

Ugh, they never seem to be reading the file from disk. There's a ModuleCache but it doesn't seem to be for this purpose. https://github.com/corelan/mona/blob/69ab1abf2640e0d287f58531fc1bd2becf7e21c9/mona.py#L5717

wangray commented 6 years ago

Seems like mona for WinDBG has the same issue. I'm going to just read the header off of disk with the pefile module.

wangray commented 6 years ago

See https://github.com/x64dbg/x64dbgpylib/pull/6/commits/f23d9622ec14e9a1a9a327221f0d50ef0bf0cc31 for my proposed solution.

mrexodia commented 6 years ago

Looks good to me! I think if this is the only thing we will use pefile for, we should write our own implementation though; it should be rather simple...
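The check the thread converges on, as an added example (Python, written for this page; it is not code from the issue, from mona or from x64dbgpylib): a hand-rolled PE header reader of the kind the "write our own implementation" comment asks for. It pulls OptionalHeader.ImageBase and DllCharacteristics out of the file on disk rather than the mapped image, compares ImageBase with the address the module is actually loaded at, and derives mona's Rebase/ASLR/NXCompat columns from that. Field offsets and flag values are the standard ones from the PE/COFF specification; the helper names, the sample headers built by build_sample_pe() and the preferred base 0x6B800000 are constructed for the demonstration and are not taken from any real binary.

```python
import struct

# Field values from the PE/COFF specification (standard constants, not from the thread).
IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\x00\x00"
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # /DYNAMICBASE -> mona's "ASLR" column
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # /NXCOMPAT    -> mona's "NXCompat" column
_FILE_HEADER_SIZE = 20      # sizeof(IMAGE_FILE_HEADER)
_MIN_OPTIONAL_BYTES = 72    # optional header bytes through DllCharacteristics (offset 70, 2 bytes)


def parse_optional_header(data):
    """Return (ImageBase, DllCharacteristics) from the raw bytes of a PE file.

    Only the fields needed for the rebase/ASLR/NX columns are read.  A malformed
    or truncated header raises ValueError instead of returning a guess.
    """
    if len(data) < 0x40 or data[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    opt = e_lfanew + 4 + _FILE_HEADER_SIZE              # start of IMAGE_OPTIONAL_HEADER
    if opt + _MIN_OPTIONAL_BYTES > len(data):
        raise ValueError("e_lfanew points past the end of the data")
    if data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature at e_lfanew")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        (image_base,) = struct.unpack_from("<I", data, opt + 28)   # PE32: 4-byte ImageBase
    elif magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC:
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)   # PE32+: 8-byte ImageBase
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+.
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return image_base, dll_chars


def module_flags(file_bytes, loaded_base):
    """Rebase/ASLR/NXCompat as mona reports them, computed from on-disk header bytes."""
    image_base, dll_chars = parse_optional_header(file_bytes)
    return {
        "preferred_base": image_base,
        "rebase": image_base != loaded_base,
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "nxcompat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def module_flags_from_disk(path, loaded_base):
    """Read just enough of the file on disk to evaluate module_flags().

    Assumes e_lfanew >= 0x40 (true for linker-produced images); anything
    smaller is rejected by parse_optional_header().
    """
    with open(path, "rb") as f:
        dos = f.read(0x40)
        if len(dos) < 0x40 or dos[:2] != IMAGE_DOS_SIGNATURE:
            raise ValueError("%s: missing MZ header" % path)
        (e_lfanew,) = struct.unpack_from("<I", dos, 0x3C)
        need = e_lfanew + 4 + _FILE_HEADER_SIZE + _MIN_OPTIONAL_BYTES
        rest = f.read(max(0, need - 0x40))
    return module_flags(dos + rest, loaded_base)


def build_sample_pe(image_base, dll_chars, pe32plus=False):
    """Constructed minimal PE header (not a real binary) used as sample input."""
    dos = bytearray(0x40)
    dos[:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew: NT headers follow the DOS header
    size_opt = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C              # IMAGE_FILE_MACHINE_AMD64 / _I386
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics (IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_DLL)
    file_hdr = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, size_opt, 0x2002)
    opt = bytearray(size_opt)
    if pe32plus:
        struct.pack_into("<H", opt, 0, IMAGE_NT_OPTIONAL_HDR64_MAGIC)
        struct.pack_into("<Q", opt, 24, image_base)
    else:
        struct.pack_into("<H", opt, 0, IMAGE_NT_OPTIONAL_HDR32_MAGIC)
        struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + IMAGE_NT_SIGNATURE + file_hdr + bytes(opt)


if __name__ == "__main__":
    # Sample 1 (constructed): a DLL linked at 0x6B800000 (assumed value) that the
    # loader placed at the 0x755d0000 shown in the thread -> Rebase True.
    on_disk = build_sample_pe(0x6B800000, 0x0140)
    print("on-disk header:", module_flags(on_disk, 0x755D0000))
    # Sample 2: the same header as seen in the mapped image, where ImageBase already
    # holds the load address -> Rebase False, which is what x64dbg printed.
    mapped = build_sample_pe(0x755D0000, 0x0140)
    print("mapped header :", module_flags(mapped, 0x755D0000))
    # Sample 3: DLL1.dll from the thread, loaded at its preferred 0x10000000.
    print("DLL1.dll      :", module_flags(build_sample_pe(0x10000000, 0), 0x10000000))
```

Sample 2 is the failure mode the issue reports: when the bytes handed to the check come from the mapped image, ImageBase equals the load address for every relocated module, so Rebase is always False. Only the copy on disk preserves the linker's preferred base, which is why module_flags_from_disk() opens the file instead of reading debugger memory. It reads only up to DllCharacteristics, so it costs a few hundred bytes per module rather than the whole DLL.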

wangray commented 6 years ago

Sure, I can do that.