Any Malware Compiled with PIE would Evade Dynamic Analysis #23

Open
ZhangZhuoSJTU opened this issue Jul 1, 2019 · 3 comments

ZhangZhuoSJTU commented Jul 1, 2019

Currently, HaboMalHunter uses the file command output to check whether the target is executable here. However, the file command would regard any executable compiled with PIE as a shared object.

That means HaboMalHunter would not run dynamic analysis for any malware compiled with PIE.

Example

The following are two executables from the same source code, compiled w/ and w/o the "-no-pie" flag.

$ cat test.c
#include<stdio.h>
int main() {
    puts("test pie");
}

$ gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/7/lto-wrapper
OFFLOAD_TARGET_NAMES=nvptx-none
OFFLOAD_TARGET_DEFAULT=1
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Ubuntu 7.3.0-27ubuntu1~18.04' --with-bugurl=file:///usr/share/doc/gcc-7/README.Bugs --enable-languages=c,ada,c++,go,brig,d,fortran,objc,obj-c++ --prefix=/usr --with-gcc-major-version-only --program-suffix=-7 --program-prefix=x86_64-linux-gnu- --enable-shared --enable-linker-build-id --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --libdir=/usr/lib --enable-nls --with-sysroot=/ --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --with-default-libstdcxx-abi=new --enable-gnu-unique-object --disable-vtable-verify --enable-libmpx --enable-plugin --enable-default-pie --with-system-zlib --with-target-system-zlib --enable-objc-gc=auto --enable-multiarch --disable-werror --with-arch-32=i686 --with-abi=m64 --with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic --enable-offload-targets=nvptx-none --without-cuda-driver --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu
Thread model: posix
gcc version 7.3.0 (Ubuntu 7.3.0-27ubuntu1~18.04)

Compiled with PIE

pie.zip

$ gcc test.c -o pie
$ file pie
pie: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 3.2.0, BuildID[sha1]=1d677eb3a12c5b5fe6d135fe815efde29474e5ad, not stripped

Analysis result of Habo is available here

Compiled without PIE

nopie.zip

$ gcc test.c -no-pie -o nopie
$ file nopie
nopie: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 3.2.0, BuildID[sha1]=701f6befacfc89af3debea2ce2bfa4c3a74bb371, not stripped

Analysis result of Habo is available here
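A version-independent check for the condition described above, as an added example that is not HaboMalHunter's own code: instead of matching the wording of file(1), which the comments show changes between file versions ("shared object" vs "pie executable"), it reads e_type, PT_INTERP and DT_FLAGS_1 straight from the ELF headers. The DF_1_PIE flag (with PT_INTERP as a fallback) is the assumed PIE criterion, and the images produced by build_sample_elf are constructed test data, not real binaries.

```python
import struct

ET_EXEC, ET_DYN = 2, 3                 # e_type values
PT_DYNAMIC, PT_INTERP = 2, 3           # program header types
DT_NULL, DT_FLAGS_1, DF_1_PIE = 0, 0x6FFFFFFB, 0x08000000  # dynamic tag / PIE flag bit

def classify_elf64(data: bytes) -> str:
    """ET_EXEC -> 'executable'; ET_DYN -> 'pie executable' when DT_FLAGS_1 has DF_1_PIE
    (or, for older linkers that never set it, when PT_INTERP is present); else 'shared object'."""
    if len(data) < 64 or data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        return "not an ELF64 LSB file"
    # Fields: e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags, e_ehsize, e_phentsize, e_phnum
    e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum = struct.unpack_from("<HHIQQQIHHH", data, 16)
    if e_type == ET_EXEC:
        return "executable"
    if e_type != ET_DYN:
        return "not an executable ELF (e_type=%d)" % e_type
    has_interp, flags_1 = False, 0
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 40 > len(data):
            break  # truncated program header table
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from("<IIQQQQ", data, off)
        if p_type == PT_INTERP:
            has_interp = True
        elif p_type == PT_DYNAMIC:  # walk the dynamic section up to DT_NULL
            for j in range(0, p_filesz, 16):
                if p_offset + j + 16 > len(data):
                    break
                tag, val = struct.unpack_from("<QQ", data, p_offset + j)
                if tag == DT_NULL:
                    break
                if tag == DT_FLAGS_1:
                    flags_1 = val
    # Err toward "executable": for a sandbox, running a runnable library is cheaper than skipping a PIE sample.
    return "pie executable" if (flags_1 & DF_1_PIE or has_interp) else "shared object"

def should_run_dynamic_analysis(data: bytes) -> bool:
    """Gate on the parsed class, not on the literal word 'executable' in file(1) output."""
    return classify_elf64(data) in ("executable", "pie executable")

def build_sample_elf(e_type: int, flags_1=None, interp: bool = False) -> bytes:
    """Constructed test data: a minimal, non-runnable ELF64 image with the real header layout."""
    dyn = b"" if flags_1 is None else struct.pack("<QQQQ", DT_FLAGS_1, flags_1, DT_NULL, 0)
    nph = int(interp) + int(bool(dyn))
    phdrs = b""
    if interp:
        phdrs += struct.pack("<IIQQQQQQ", PT_INTERP, 4, 0, 0, 0, 0, 0, 1)
    if dyn:
        phdrs += struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 64 + nph * 56, 0, 0, len(dyn), len(dyn), 8)
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, LSB, version 1, SYSV ABI, padding
    ehdr += struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, nph, 64, 0, 0)
    return ehdr + phdrs + dyn
```

On a real file, `should_run_dynamic_analysis(open(path, "rb").read())` returns True for both the pie and nopie binaries from the issue, which is the behaviour the file-output string match loses.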

@ZhangZhuoSJTU ZhangZhuoSJTU changed the title Any Malware Compiled with PIE would Evasion from Dynamic Analysis Any Malware Compiled with PIE would Evade Dynamic Analysis Jul 1, 2019
jingleyang (Collaborator) commented

Thank you very much.
And may I ask for your help to address this issue?
Could you please contribute a pull request to handle this bug?


f0wl commented Oct 19, 2019

For Reference: With file 5.36 I'm getting this output

$ file -v
file-5.36
magic file from /etc/magic:/usr/share/misc/magic
$ file pie
pie: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=1d677eb3a12c5b5fe6d135fe815efde29474e5ad, not stripped

NicoleG25 commented

Is there any plan to address this?
Please note that CVE-2019-13125 was assigned to this issue.
Thanks in advance @f0wl @jingleyang
