performance issues with some samples #1989
Comments
On first brief glance, 39a91796fafe9d2efc2cea0de239179a3a2d406ea482af310710e6f5fed00083 hangs early:
And it's similar for 359f1f07a9d037c5d4ab95e56285d46c0c106a970235bbbcacdf06851626fabd.
39a91796fafe9d2efc2cea0de239179a3a2d406ea482af310710e6f5fed00083 (avfilter-7.dll)
Like @mr-tz mentioned, loading the workspace is taking a long time:
Note that this is not a dedicated FLIRT matching phase; FLIRT matching happens while the workspace is loaded, and the stack trace below shows it's not an issue with python-flirt. CPU is pegged and RAM is growing. Stack trace at time of kill:
It looks to me like viv is taking a really long time to analyze this sample. If there are MBs of code, then this is a reasonable outcome. Binary Ninja takes 208 seconds to find 12,344 functions over 0x4C0E00 bytes of code (about 4.9 MB, a lot). Takeaways:
a0ca23f56230fc857f1246a5f8e9cb4742e90ce78122f7393de00a017028cbbd (https://www.virustotal.com/gui/file/a0ca23f56230fc857f1246a5f8e9cb4742e90ce78122f7393de00a017028cbbd)
Loads pretty quickly in Binary Ninja, but there are only two local functions. Size of code is 0x583000, which is very large. The two huge sections have entropy 8, so this seems mostly encrypted. So in summary, there's almost nothing usable here, but viv probably thinks it needs to disassemble 10 MB or more. Takeaways:
a4f906f671f02b2cec47a8706e8b042f3cea0739dad15f24b92449a932203972 (https://www.virustotal.com/gui/file/a4f906f671f02b2cec47a8706e8b042f3cea0739dad15f24b92449a932203972)
Binary Ninja loads in about 5 seconds. viv is taking a long time to load the workspace: initially it spends a lot of time (many seconds) running cxxfilt to demangle names, but during this time CPU/mem usage is low:
When viv is allocating all that memory (which spikes up and down, up to around 100 GB at least), the program doesn't respond to ctrl-c, so I don't have a stack trace yet. Can use:
So it seems symboliks is taking a lot of memory? After following the stack trace a bit, it seems that there are either very complex or very many symbolic expressions being tracked, and this eats time and CPU. If this is a prevalent bug, then we can look into disabling symboliks. Or, we can rely on the user/system to kill capa when it takes too many resources. I don't immediately see any tricks to guessing this will happen. Looks like it's:
Looks like this is enabled for ELF, but not PE:
Which we could disable with:
When this is disabled, analysis completes in a reasonable amount of time. Takeaways:
a1c3dcb87b243005ed3bb2b88998adfb54b2cba01d92b401afd99f2027b7ef1e (https://www.virustotal.com/gui/file/a1c3dcb87b243005ed3bb2b88998adfb54b2cba01d92b401afd99f2027b7ef1e)
Binary Ninja takes only a few seconds to load. No imports or exports. That's about 900 MB. And note that the subsequent sections overlap, so it's definitely corrupt. And, if a naive PE loader tries to map this, it will create that 900 MB section. Sure enough, capa tries to allocate a large amount of memory: Takeaways:
359f1f07a9d037c5d4ab95e56285d46c0c106a970235bbbcacdf06851626fabd (https://www.virustotal.com/gui/file/359f1f07a9d037c5d4ab95e56285d46c0c106a970235bbbcacdf06851626fabd)
There's a weird initial section that (1) overlaps and is therefore invalid, and (2) is huge (1.4 GB). Takeaways:
Investigate CPU and memory usage for the following samples. If it's something we're doing wrong, let's optimize that behavior. If it's an issue with viv or another dependency, perhaps we can introduce heuristics to detect difficult samples and bail early (opt-in).
Tasks
Consolidated takeaways:
vivisect.analysis.generic.symswitchcase function analysis module
In #1499 and #1500 we discuss adding a section scope and associated features. These could be used to match the first three points above. Or, we could hardcode the logic into the viv workspace loader and have it raise an exception.