
32-bit malware sample causes x64dbg crash when opening #2065

Open
rotateLeft opened this Issue Nov 2, 2018 · 7 comments

5 participants
@rotateLeft
Contributor

rotateLeft commented Nov 2, 2018

Open 32-bit sample

98ece1ba0e548ffb536fffa3e8ea75a2b9d6d8a27e55408d863c5e3d5414890c

With snapshot_2018-10-31_12-52.zip:

[screenshot of the x64dbg crash, taken 2018-11-02]

@rotateLeft


Contributor

rotateLeft commented Nov 2, 2018

Malware sample attached. Usual password.
98ec-x86-gui.zip

@mrexodia


Member

mrexodia commented Nov 2, 2018

@rotateLeft


Contributor

rotateLeft commented Nov 2, 2018

"infected"

@balintf


Contributor

balintf commented Nov 7, 2018

I've checked this crash and it happens due to a bogus Debug Directory size in the PE headers. The sample contains a Debug Directory with the size 0xfffff000 which causes the while loop in ReadDebugDirectory to overrun the mapped file and crash.

It can be reproduced on a non-malware 32-bit sample (e.g. calc.exe) by using CFF Explorer to modify its Debug Directory entry's size to 0xfffff000 and the entry's base address so it points to a valid address that's not a supported entry (e.g. to a random position after the original entries).

I have a fix for this and will send a PR shortly. PE reading doesn't seem very robust at the moment, there could be similar crashes with other malicious PE files. @mrexodia, do you have any suggestions on how to review and exercise this part of the code?
I was thinking of trying to set up AFL and/or libFuzzer for fuzzing this part of the code, and trying to find a collection of malformed PE files that could serve as further test cases.
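
The overrun balintf describes, as an added example that is not x64dbg's ReadDebugDirectory and not the fix in #2069: a walk over IMAGE_DEBUG_DIRECTORY entries that clamps the declared directory size to what the mapped file can actually back, next to the iteration count a loop that trusts the declared size would attempt. The 256-byte sample mapping, the 32-entry cap and the scenario helpers are constructed for illustration and are not from the project.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* IMAGE_DEBUG_DIRECTORY as laid out in winnt.h: 28 bytes, no padding. */
typedef struct {
    uint32_t Characteristics;
    uint32_t TimeDateStamp;
    uint16_t MajorVersion;
    uint16_t MinorVersion;
    uint32_t Type;
    uint32_t SizeOfData;
    uint32_t AddressOfRawData;
    uint32_t PointerToRawData;
} debug_dir_entry_t;

#define DEBUG_ENTRY_SIZE 28u
#define IMAGE_DEBUG_TYPE_CODEVIEW 2u
#define MAX_DEBUG_ENTRIES 32u   /* assumed sanity cap; the PE format has none */

/* Iterations a loop that trusts the declared directory size would attempt.
 * For 0xfffff000 that is about 153 million entries, far past any mapping. */
uint32_t naive_entry_count(uint32_t dir_size)
{
    return dir_size / DEBUG_ENTRY_SIZE;
}

/* Bounded walk over the debug directory at file offset dir_off with declared
 * size dir_size, inside a mapping of map_size bytes. Returns -1 if the start
 * is outside the mapping, else the number of entries visited. Stops at the
 * first of: declared size, end of mapping, all-zero entry, MAX_DEBUG_ENTRIES.
 * *codeview counts CODEVIEW entries whose raw data also fits in the mapping. */
int read_debug_directory(const uint8_t *map, size_t map_size,
                         uint32_t dir_off, uint32_t dir_size,
                         unsigned *codeview)
{
    static const debug_dir_entry_t zero = {0};
    debug_dir_entry_t e;
    int count = 0;

    *codeview = 0;
    if (dir_off >= map_size)
        return -1;
    /* Clamp the attacker-controlled size to the bytes the mapping can back. */
    size_t avail = map_size - dir_off;
    size_t end = dir_off + (dir_size < avail ? dir_size : avail);
    size_t pos = dir_off;

    while (pos + DEBUG_ENTRY_SIZE <= end && count < (int)MAX_DEBUG_ENTRIES) {
        memcpy(&e, map + pos, DEBUG_ENTRY_SIZE);      /* no unaligned deref */
        if (memcmp(&e, &zero, DEBUG_ENTRY_SIZE) == 0)
            break;                                    /* terminator entry */
        if (e.Type == IMAGE_DEBUG_TYPE_CODEVIEW &&
            e.PointerToRawData < map_size &&
            e.SizeOfData <= map_size - e.PointerToRawData)
            (*codeview)++;
        count++;
        pos += DEBUG_ENTRY_SIZE;
    }
    return count;
}

/* Constructed stand-in for a mapped file (not a real PE): zero-filled, with a
 * CODEVIEW entry and one POGO entry at dir_off, raw data (zeroed) after them. */
static void build_sample_map(uint8_t *buf, size_t buflen, uint32_t dir_off)
{
    debug_dir_entry_t cv = {0}, other = {0};
    memset(buf, 0, buflen);
    if ((size_t)dir_off + 2 * DEBUG_ENTRY_SIZE > buflen)
        return;                         /* entries would not fit; leave empty */
    cv.Type = IMAGE_DEBUG_TYPE_CODEVIEW;
    cv.SizeOfData = 16;
    cv.PointerToRawData = dir_off + 2 * DEBUG_ENTRY_SIZE;
    other.Type = 13;                    /* IMAGE_DEBUG_TYPE_POGO */
    other.SizeOfData = 4;
    other.PointerToRawData = cv.PointerToRawData + cv.SizeOfData;
    memcpy(buf + dir_off, &cv, DEBUG_ENTRY_SIZE);
    memcpy(buf + dir_off + DEBUG_ENTRY_SIZE, &other, DEBUG_ENTRY_SIZE);
}

/* Scenario helpers: parse the 256-byte sample map with a chosen offset/size. */
int scenario_entries(uint32_t dir_off, uint32_t dir_size)
{
    uint8_t buf[256]; unsigned cv;
    build_sample_map(buf, sizeof buf, dir_off);
    return read_debug_directory(buf, sizeof buf, dir_off, dir_size, &cv);
}

unsigned scenario_codeview(uint32_t dir_off, uint32_t dir_size)
{
    uint8_t buf[256]; unsigned cv;
    build_sample_map(buf, sizeof buf, dir_off);
    read_debug_directory(buf, sizeof buf, dir_off, dir_size, &cv);
    return cv;
}

int main(void)
{
    printf("naive loop: %u iterations for size 0xfffff000\n", naive_entry_count(0xfffff000u));
    printf("bounded walk: %d entries, %u CodeView\n",
           scenario_entries(64, 0xfffff000u), scenario_codeview(64, 0xfffff000u));
    return 0;
}
```

With the declared size 0xfffff000 the bounded walk visits the same two entries it would with the honest size of 56 bytes, because the clamp to the mapping and the zero terminator stop it; the same bounds check is applied to each entry's PointerToRawData/SizeOfData before the raw data is touched, which is the second place a malformed directory can point outside the mapping.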

@blaquee


Contributor

blaquee commented Nov 7, 2018

You could try and run a few of the corkami samples through it and see if any of the 'legal malformed' PE's crash the parser somehow. https://github.com/corkami/pocs

@balintf balintf referenced a pull request that will close this issue Nov 7, 2018

Open

DBG: Fix mapped area overrun in ReadDebugDirectory #2069

@balintf


Contributor

balintf commented Nov 7, 2018

Thanks! Those samples look promising, I tried running a few manually and no crashes so far, but I'll really have to automate it to properly check all of them.

@IssuehuntBot


IssuehuntBot commented Nov 7, 2018

@0maxxam0 funded this issue with $50. See it on IssueHunt
