This repository has been archived by the owner on Feb 21, 2024. It is now read-only.

Very slow functioning (way slower than normal QEMU emulation) #79

Open
dcdelia opened this issue May 14, 2019 · 1 comment

dcdelia commented May 14, 2019

Hi! I tried running the current codebase on two machines with Ubuntu 18.04.2 and Debian 9.6. To get a taste of what I mean by extremely slow: it takes over 5 minutes to boot a freshly installed Windows 7 on an i7-3632QM machine, compared to 1 minute in Ubuntu's QEMU 2.11.1 in emulation mode (no -enable-kvm, and the same switches used for ./pyrebox-i386 and vanilla qemu-system-i386). When I start a demo program within mw_monitor, say Al-Khaser or the standalone PuTTY client, I can see the agent transferring the file to the expected path and the entry point of the executable shown on screen; then I have to wait a few dozen minutes to see any activity (for PuTTY it took about 20 minutes to reach the "Executed first instruction" + "Successfully removed trigger" stage, and then 5-10 minutes to show the GUI).

When I unload the monitor, the function call log is generated apparently correctly (I only tried it in light mode). On the very first run, the file symbols.Win7SP1x86 was generated with about three errors about missing files. I once let mw_monitor run Al-Khaser for about two days and it was still executing some of its checks when I killed it.

Any idea where the issue may lie? Could it be a wrong Volatility/QEMU setup/build?

Some details on the configuration. The guest is Windows 7 SP1 build 7601 running with 2 GB of RAM. For pyrebox.conf:

[MODULES]
plugins.guest_agent: False
mw_monitor.mw_monitor: False

[VOL]
profile: Win7SP1x86

[AGENT]
name: win_agent_32.exe
conf: win_agent_32.exe.conf

[SYMBOL_CACHE]
path: symbols.Win7SP1x86

Command line to boot up QEMU (I get the same behavior w/ and w/o snapshot):

./pyrebox-i386 -m 2048 -monitor stdio -usb -drive file=images/win7sp1_x86.qcow2,index=0,media=disk,format=qcow2,cache=unsafe -device usb-tablet -loadvm cmd2 -vnc 127.0.0.1:0

Once the system is up I import the guest agent module, run its executable from a command prompt, and then proceed with mw_monitor:

import_module plugins.guest_agent
(run the agent from cmd.exe)
import_module mw_monitor.mw_monitor

I am using the default mw_monitor.conf updated to point to the SQLite DB shipped with the PyREBox repository, and customized mw_monitor_run.json as follows:

{
    "api_tracer": {
        "bin_log": false,
        "exclude_apis": [],
        "exclude_modules": ["ntdll.dll"],
        "exclude_origin_modules": [],
        "include_apis": [],
        "light_mode": true,
        "procs": null,
        "text_log": true
    },
    "coverage": {
        "procs": null
    },
    "dumper": {
        "dump_at": "kernel32.dll!CopyFileA",
        "dump_on_exit": false
    },
    "general": {
        "files_path": "C:\\Users\\Dabura\\Desktop\\",
        "main_executable": "putty.exe",
        "files_bundle": "/mnt/data/malware/testing/putty.zip"
    },
    "interproc": {
        "basic_stats": true,
        "bin_log": true,
        "text_log": true
    },
    "modules": {
        "api_tracer": true,
        "coverage": false,
        "dumper": false,
        "interproc": false
    }
}
@xabiugarte xabiugarte self-assigned this May 15, 2019
xabiugarte (Contributor) commented

Hi,

It seems there must be something going on, as the times you report are just too much. 5 minutes to boot up Windows 7 could be OK-ish, but the times you report for sample execution are not normal.

First of all, can you confirm that KVM is not enabled (when running the image under qemu-system-i386) by running the "info kvm" monitor command?

Second, I cannot see anything wrong in the configuration, but I should debug this myself to understand what's going on. I will reach out to you so that we can chat about it.
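The "info kvm" check asked for above can be scripted so that both binaries in the reporter's comparison (./pyrebox-i386 and the distribution's qemu-system-i386) are probed with the exact same command-line switches. The POSIX shell helper below is an added example; it is not code from the PyREBox project or from either participant in this thread. It assumes (not stated on the page) that both binaries accept the standard QEMU switches -S, -display none and -monitor stdio, and that the HMP reply to "info kvm" contains a line of the form "kvm support: enabled|disabled". The sample transcript embedded in the script is constructed, not captured from the reporter's machines.

```shell
#!/bin/sh
# Added example: not code from the PyREBox project or from the issue thread.
# Automates the "info kvm" check for one or more QEMU-based binaries
# (e.g. ./pyrebox-i386 and qemu-system-i386) so that a boot-time comparison
# between them is known to be apples-to-apples (KVM off in both, or on in both).
# Assumptions (mine, not stated on the page): the binaries accept the standard
# QEMU switches -S, -display none and -monitor stdio, and the HMP reply to
# "info kvm" contains a line "kvm support: enabled|disabled".

# Extract the KVM state from a captured HMP transcript.
# Prints "enabled", "disabled", "unknown" (no such line found), or whatever
# other text QEMU placed after "kvm support:" (e.g. "not compiled").
kvm_state_from_monitor_output() {
    kvm_state=$(printf '%s\n' "$1" \
        | sed -n 's/^.*kvm support:[[:space:]]*//p' \
        | head -n 1 | tr -d '\r')
    case "$kvm_state" in
        enabled*)  echo enabled ;;
        disabled*) echo disabled ;;
        '')        echo unknown ;;
        *)         echo "$kvm_state" ;;
    esac
}

# Exit 0 when this user could actually use KVM on the host. If this fails,
# "kvm support: enabled" from any binary would be surprising.
host_kvm_usable() {
    [ -c /dev/kvm ] && [ -r /dev/kvm ] && [ -w /dev/kvm ]
}

# Ask a binary about KVM without booting a guest: -S holds the vCPU at
# start-up, -display none avoids opening a window, and "quit" tears the VM
# down once the reply is printed. Extra arguments (e.g. -enable-kvm or
# -accel tcg) are forwarded so the exact command line under test is probed.
query_kvm() {
    qemu_bin=$1; shift
    printf 'info kvm\nquit\n' \
        | "$qemu_bin" -S -display none -monitor stdio "$@" 2>/dev/null
}

# Report the host's KVM availability and the state seen by each binary.
compare_kvm() {
    if host_kvm_usable; then
        echo "host: /dev/kvm is usable by $(id -un)"
    else
        echo "host: /dev/kvm not usable (KVM cannot be on in any guest)"
    fi
    for qemu_bin in "$@"; do
        if [ -x "$qemu_bin" ] || command -v "$qemu_bin" >/dev/null 2>&1; then
            transcript=$(query_kvm "$qemu_bin")
            printf '%s: kvm %s\n' "$qemu_bin" \
                "$(kvm_state_from_monitor_output "$transcript")"
        else
            printf '%s: binary not found\n' "$qemu_bin"
        fi
    done
}

# Constructed sample transcript (not real output from the reporter's setup),
# so the parser can be exercised on a machine without any QEMU binary.
SAMPLE_TRANSCRIPT='QEMU 2.11.1 monitor - type '\''help'\'' for more information
(qemu) kvm support: disabled
(qemu) '

# Usage: sh kvm_check.sh ./pyrebox-i386 qemu-system-i386
if [ $# -gt 0 ]; then
    compare_kvm "$@"
else
    echo "sample transcript parses as: $(kvm_state_from_monitor_output "$SAMPLE_TRANSCRIPT")"
fi
```

Run it with both binaries and the same extra switches used for the real boots. If the vanilla qemu-system-i386 run reports "enabled" while pyrebox-i386 reports "disabled", the two runs were never comparable: KVM runs guest code natively while TCG translates every basic block, so a large gap between the two is expected rather than a PyREBox defect. Only when both report "disabled" does the remaining slowdown belong to the instrumented binary.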
