Generic import recovery (cheap ImpRec style) #1448
Merged
This PR adds:

- `ImpRecStrategy`: an object using an FSM to recover the import table in memory using a naive strategy (null-byte terminated continuation of same-module export addresses)
- `unpack_generic.py`: using this strategy before dumping with `vm2pe`

This example is running the sandbox until it can't anymore (exception, unknown API, etc.). It is very likely the OEP is not the address where it stopped, but it could be either a wave or close to the OEP. That way, dumping the binary at this state could be a good way to obtain a binary which can be analyzed.

If the user is using a trace, such as `-b`, and found a candidate OEP, they can stop the execution using the `--oep` argument. For instance:

`box_upx.exe.dump` can be RE, with working imports.

This basic strategy has only been tested on UPX and Aspack.

In the future, this example could be used to generically implement in Miasm a few common strategies, such as:

- `POPA` is reached

The goal is not to replace the analyst's work, but rather to gain some time on common and dummy samples.

Obviously, in the future the strategy used by Scylla would also be interesting to implement (using the jitter possibilities, faking imports, etc.)
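The null-terminated, same-module scan the PR description sketches, as an added illustration that is not Miasm's `ImpRecStrategy` and not code from this PR. The export map stands in for the symbol table of the modules the sandbox has loaded, and both it and the dumped memory image are constructed for the example with made-up addresses. The scan walks the dump one pointer-sized slot at a time: a run of slots that all resolve to exports of one module and that ends in a null slot is accepted as one recovered IAT block; a run that ends in anything else is discarded.

```python
"""Naive in-memory import table recovery (illustrative only; not Miasm code)."""
import struct
from typing import Dict, List, Tuple

PTR_SIZE = 4  # 32-bit image for the example

# Constructed export map: address -> (module, symbol), as a loader would know it
# after mapping the DLLs into the sandbox. Every address here is made up.
EXPORTS: Dict[int, Tuple[str, str]] = {
    0x7C801D7B: ("kernel32.dll", "LoadLibraryA"),
    0x7C80AE40: ("kernel32.dll", "GetProcAddress"),
    0x7C81CAFA: ("kernel32.dll", "ExitProcess"),
    0x7C80BE01: ("kernel32.dll", "VirtualProtect"),
    0x77D507EA: ("user32.dll", "MessageBoxA"),
    0x77D5054C: ("user32.dll", "wsprintfA"),
    0x77C11D58: ("msvcrt.dll", "printf"),
}


class ImportBlock:
    """One recovered IAT block: a run of same-module exports ending in a null slot."""

    def __init__(self, module: str, start: int, entries: List[Tuple[int, str]]):
        self.module = module      # module all entries resolve into
        self.start = start        # virtual address of the first slot
        self.entries = entries    # (slot address, symbol name) pairs


def recover_imports(image_base: int, image: bytes,
                    exports: Dict[int, Tuple[str, str]],
                    min_entries: int = 1) -> List[ImportBlock]:
    """Two-state scan (SEARCH / IN_BLOCK) over pointer-sized slots of a dump."""
    fmt = "<I" if PTR_SIZE == 4 else "<Q"
    blocks: List[ImportBlock] = []
    state = "SEARCH"
    cur_mod, cur_start, cur_entries = "", 0, []
    off = 0
    while off + PTR_SIZE <= len(image):
        slot_addr = image_base + off
        value = struct.unpack_from(fmt, image, off)[0]
        hit = exports.get(value)
        if state == "SEARCH":
            if hit:  # first export pointer opens a candidate block
                cur_mod, cur_start, cur_entries = hit[0], slot_addr, [(slot_addr, hit[1])]
                state = "IN_BLOCK"
        else:
            if hit and hit[0] == cur_mod:          # continuation of the same module
                cur_entries.append((slot_addr, hit[1]))
            elif value == 0:                       # null terminator closes the block
                if len(cur_entries) >= min_entries:
                    blocks.append(ImportBlock(cur_mod, cur_start, cur_entries))
                state = "SEARCH"
            else:
                # Different module or non-export value with no null terminator:
                # not an IAT block under this strategy. Drop the candidate and
                # re-examine this very slot in SEARCH state (it may open a new block).
                state = "SEARCH"
                continue
        off += PTR_SIZE
    return blocks


def build_sample_image(image_base: int) -> bytes:
    """Constructed dump: filler code, a kernel32 block, a user32 block, then a lone
    msvcrt pointer followed by junk instead of a null (must be rejected)."""
    parts = [b"\x55\x8b\xec\x90" * 4]  # 16 bytes of filler "code"
    for addr in (0x7C801D7B, 0x7C80AE40, 0x7C81CAFA, 0x7C80BE01, 0):
        parts.append(struct.pack("<I", addr))
    for addr in (0x77D507EA, 0x77D5054C, 0):
        parts.append(struct.pack("<I", addr))
    parts.append(struct.pack("<I", 0x77C11D58))
    parts.append(b"\x41" * 8)  # trailing junk, no terminator
    return b"".join(parts)


if __name__ == "__main__":
    base = 0x00400000  # assumed image base of the dump
    for blk in recover_imports(base, build_sample_image(base), EXPORTS):
        names = ", ".join(name for _, name in blk.entries)
        print(f"{blk.module} @ {blk.start:#010x}: {names}")
```

Raising `min_entries` is the cheap knob against false positives: a single stray pointer that happens to equal an export address, followed by a zero, would otherwise be reported as a one-entry import block.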