
Generic import recovery (cheap ImpRec style) #1448

Merged: 2 commits, Apr 23, 2023

Conversation

@commial (Contributor) commented Apr 23, 2023

This PR adds:

  • an ImpRecStrategy object using an FSM to recover the import table in memory using a naive strategy (null-byte-terminated continuation of same-module export addresses)
  • an example, unpack_generic.py, using this strategy before dumping with vm2pe

This example runs the sandbox until it can't anymore (exception, unknown API, etc.). It is very likely that the OEP is not the address where it stopped, but it could be either a wave or close to the OEP. That way, dumping the binary in this state could be a good way to obtain a binary which can be analyzed.

If the user is using a trace, such as -b, and has found a candidate OEP, they can stop the execution using the --oep argument.

For instance:

# First run
$ python unpack_generic.py ../samples/box_upx.exe -b -o
...
POPAD      
LEA        EAX, DWORD PTR [ESP + 0xFFFFFF80]
PUSH       0x0
CMP        ESP, EAX
JNZ        loc_4076f2
->	c_next:loc_4076f8 	c_to:loc_4076f2 
loc_4076f2
PUSH       0x0
CMP        ESP, EAX
JNZ        loc_4076f2
->	c_next:loc_4076f8 	c_to:loc_4076f2 
loc_4076f8
SUB        ESP, 0xFFFFFF80
JMP        loc_401130
->	c_to:loc_401130 
loc_401130
PUSH       EBP                            <----------- THIS IS LIKELY THE OEP
MOV        EBP, ESP
SUB        ESP, 0x14

# Second run
$ python unpack_generic.py ../samples/box_upx.exe -b -o --oep 0x401130
...
Dump to ../samples/box_upx.exe.dump

box_upx.exe.dump can be reverse-engineered, with working imports.

This basic strategy has only been tested on UPX and Aspack.

In the future, this example could be used to generically implement a few common strategies in Miasm, such as:

  • stop when a previously written byte is executed
  • stop when the code jumps from one section to another
  • stop when a POPA is reached
  • stop if the entropy of a memory section is lower
  • etc.

The goal is not to replace the analyst's work, but rather to gain some time on common and simple samples.
Obviously, in the future, the strategy used by Scylla would also be interesting to implement (using the jitter possibilities, faking imports, etc.).
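As an added example, not Miasm's ImpRecStrategy and not code from this PR, the following pure-Python scanner implements the naive strategy described in the comment above: walk a memory image word by word with a two-state FSM (SEARCH / IN_RUN), and accept a run of pointers that all resolve to exports of the same module only when it is terminated by a null word. The module names, export addresses and memory layout are constructed for the example; a real run would feed it the jitter's memory and the export map of the loaded DLLs.

```python
"""Naive ImpRec-style import table recovery over a raw memory image.

Added example, not Miasm's ImpRecStrategy: a two-state FSM (SEARCH / IN_RUN)
walks pointer-aligned words and keeps null-terminated runs of pointers that
all resolve to exports of one module. Export addresses and the memory layout
below are constructed, not taken from a real process.
"""
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ExportMap = Dict[int, Tuple[str, str]]   # export address -> (module, symbol)


@dataclass
class IatRun:
    """One recovered block of thunks: consecutive same-module pointers."""
    start_va: int
    module: str
    entries: List[Tuple[int, str]] = field(default_factory=list)


def recover_iat(mem: bytes, base_va: int, exports: ExportMap,
                *, ptr_size: int = 4, min_len: int = 2) -> List[IatRun]:
    """Scan `mem` (mapped at `base_va`) for IAT-like runs.

    FSM: SEARCH (cur is None) -> IN_RUN on the first export hit;
    IN_RUN stays on a same-module hit, accepts the run on a null word,
    and aborts the run on anything else (junk or another module's export).
    """
    fmt = "<I" if ptr_size == 4 else "<Q"
    runs: List[IatRun] = []
    cur: Optional[IatRun] = None
    for off in range(0, len(mem) - ptr_size + 1, ptr_size):
        val = struct.unpack_from(fmt, mem, off)[0]
        hit = exports.get(val)
        if cur is not None:                          # state IN_RUN
            if hit is not None and hit[0] == cur.module:
                cur.entries.append((val, hit[1]))    # continuation, same module
                continue
            if val == 0 and len(cur.entries) >= min_len:
                runs.append(cur)                     # null terminator: accept
            cur = None                               # otherwise drop the run
        if hit is not None:                          # state SEARCH: start a run
            cur = IatRun(base_va + off, hit[0], [(val, hit[1])])
    return runs


def import_directory(runs: List[IatRun]) -> Dict[str, List[str]]:
    """Group recovered symbols by module, in IAT order (what a dumper needs)."""
    out: Dict[str, List[str]] = {}
    for run in runs:
        out.setdefault(run.module, []).extend(name for _, name in run.entries)
    return out


def build_sample_image() -> Tuple[bytes, int, ExportMap]:
    """Constructed 32-bit memory image; all addresses are made up."""
    exports: ExportMap = {
        0x7C80AE40: ("kernel32.dll", "GetProcAddress"),
        0x7C801D7B: ("kernel32.dll", "LoadLibraryA"),
        0x7C81CAFA: ("kernel32.dll", "ExitProcess"),
        0x77D8050B: ("user32.dll", "MessageBoxA"),
        0x77D6EA11: ("user32.dll", "wsprintfA"),
    }
    words = [
        0xDEADBEEF,                          # junk before the IAT
        0x7C80AE40, 0x7C801D7B, 0x7C81CAFA,  # kernel32 thunks
        0x00000000,                          # terminator
        0x77D8050B, 0x77D6EA11,              # user32 thunks
        0x00000000,                          # terminator
        0x7C801D7B, 0x8B55FF8B,              # stray pointer followed by code: rejected
        0x7C81CAFA, 0x00000000,              # single entry < min_len: rejected
    ]
    return struct.pack("<%dI" % len(words), *words), 0x404000, exports


if __name__ == "__main__":
    mem, base, exports = build_sample_image()
    for run in recover_iat(mem, base, exports):
        print("%#x %s: %s" % (run.start_va, run.module,
                               ", ".join(n for _, n in run.entries)))
    print(import_directory(recover_iat(mem, base, exports)))
```

Two things the naive strategy cannot do, by construction: a thunk the packer has rewritten to point at its own redirection stub instead of the real export will not resolve and breaks the run at that slot, and a run that is not followed by a null word is discarded even if every entry resolved. Both are the cases where a Scylla-style approach (emulating the stub back to the real export, faking imports) is needed.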

@serpilliere serpilliere merged commit 49ec4bc into master Apr 23, 2023
4 checks passed
@serpilliere serpilliere deleted the generic-unpack branch April 23, 2023 19:24
2 participants