pyrebox
Malware_monitor RAM draining
Hi, I'm trying to get the malware monitor plugin working, but I'm running into some problems. The moment I enable the plugin in the "pyrebox.conf" file, everything starts as expected, but from that moment on the PC struggles to work. After a few minutes, the qemu process is killed, showing the following message:
The malware I'm testing the plugin on is a completely harmless 32-bit program for educational purposes. However, the same result is also encountered when using malware monitor on a native Windows program like calc.exe in SysWOW64.
Furthermore, to give additional details, I compiled the commit with tag 75aca6ee6d9cb3bec32bfaf96ff8205dbba0de3b of the master branch on GitHub, and the command line I use to start pyrebox is as follows: sudo ./pyrebox-x86_64 -m 4096 -monitor stdio -usb -drive file=/mnt/data/malware/VMI/pyrebox/images/win7-64.qcow2,index=0,media=disk,format=qcow2,cache=unsafe -device usb-tablet -vnc 127.0.0.1:0 -loadvm agent
Analyzing the error further by running the "sudo dmesg" command, it shows that the system is trying to use more than 36 gigs of RAM, as shown in the following screen:
Subsequently, I wanted to try the second version of malware monitor (mw_monitor2), which, however, lacked some files fundamental to the functioning of the plugin. Among these files are: mw_monitor.py, mw_monitor_logging, mw_monitor_classes and dumper.py.
The operating system I am emulating is Windows 7 Professional English 64-bit (Win7SP1x64, build 7601). The host operating system is Ubuntu 18.04.5 LTS with kernel version 5.4.0-77-generic. The machine's technical specifications are: Dell XPS 13 7390, Intel Core i7-10510U CPU @ 1.80GHz, 16 gigs of 2133 MHz DDR3 RAM. Below I leave the screens of my malware monitor configuration files:
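When a guest process's instrumentation makes the qemu process grow until the kernel's OOM killer terminates it, it helps to record how fast the resident memory climbs while each plugin module is enabled, rather than only reading the final dmesg message. The sampler below is an added example, not part of pyrebox or of this issue; it assumes a Linux host (it reads /proc/PID/status) and that the user supplies the PID of the qemu process, for example via pgrep, as a command-line argument. The parsing and slope calculation are separated from the polling loop so they can be checked on constructed input.

```python
"""Poll the resident memory (VmRSS) of one process and report its growth rate.

Added example for diagnosing a plugin that drives qemu into the OOM killer;
this is not pyrebox code. Linux-only: it reads /proc/<pid>/status.
"""
import re
import sys
import time

VMRSS_RE = re.compile(r"^VmRSS:\s+(\d+)\s+kB", re.MULTILINE)


def parse_vmrss_kb(status_text):
    """Return the VmRSS value in kB from the text of /proc/<pid>/status."""
    match = VMRSS_RE.search(status_text)
    if match is None:
        raise ValueError("no VmRSS line found (process may be a kernel thread or gone)")
    return int(match.group(1))


def read_vmrss_kb(pid):
    """Read the current resident set size of `pid` in kB."""
    with open(f"/proc/{pid}/status", encoding="ascii") as status_file:
        return parse_vmrss_kb(status_file.read())


def growth_rate_mb_per_min(samples):
    """Least-squares slope of (seconds, rss_kb) samples, expressed in MB per minute.

    Returns 0.0 when fewer than two distinct time points are available.
    """
    if len(samples) < 2:
        return 0.0
    t_mean = sum(t for t, _ in samples) / len(samples)
    r_mean = sum(r for _, r in samples) / len(samples)
    denom = sum((t - t_mean) ** 2 for t, _ in samples)
    if denom == 0:
        return 0.0
    slope_kb_per_s = sum((t - t_mean) * (r - r_mean) for t, r in samples) / denom
    return slope_kb_per_s * 60 / 1024


def exceeds_limit(rss_kb, limit_mb):
    """True when the sampled RSS is above a user-chosen budget in MB."""
    return rss_kb > limit_mb * 1024


def monitor(pid, interval_s=5.0, limit_mb=None, max_samples=None):
    """Print RSS and growth rate until the process exits or the limit is hit.

    Returns the list of (seconds, rss_kb) samples collected.
    """
    samples = []
    start = time.monotonic()
    while max_samples is None or len(samples) < max_samples:
        try:
            rss_kb = read_vmrss_kb(pid)
        except (FileNotFoundError, ProcessLookupError, ValueError):
            print("process gone; last samples:", samples[-3:])
            break
        samples.append((time.monotonic() - start, rss_kb))
        rate = growth_rate_mb_per_min(samples)
        print(f"t={samples[-1][0]:7.1f}s rss={rss_kb / 1024:9.1f} MB growth={rate:8.2f} MB/min")
        if limit_mb is not None and exceeds_limit(rss_kb, limit_mb):
            print(f"RSS above {limit_mb} MB budget; stop the VM before the OOM killer does")
            break
        time.sleep(interval_s)
    return samples


if __name__ == "__main__":
    # Usage: python rss_monitor.py <qemu_pid> [interval_seconds] [limit_mb]
    target_pid = int(sys.argv[1])
    poll = float(sys.argv[2]) if len(sys.argv) > 2 else 5.0
    budget = float(sys.argv[3]) if len(sys.argv) > 3 else None
    monitor(target_pid, poll, budget)
```

Running it once per enabled module (api_tracer, coverage, dumper, interproc) gives a growth figure in MB/min per module, which is easier to compare than "the PC struggles" and shows whether the memory is allocated steadily from the start or only after the sample starts executing. The limit argument lets you stop the VM well before the host is exhausted; the guest's -m 4096 alone cannot account for a multi-gigabyte RSS climb in the qemu process.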
Hi LomarFelwinter24,
Malware monitor 2 is still not complete. In order to better debug this issue, could you reproduce your steps enabling the modules one by one and tell me the results? (api_tracer, coverage, dumper, interproc).
Thanks,
Hello, thank you for your reply. I ran the tests as you told me, and a few things have changed. I enabled the modules one by one, starting from api_tracer to interproc. With only api_tracer enabled, the situation didn't change much (PC struggling to run and 37 gigs of RAM consumed). Below is the screen with the results:
Afterwards I disabled api_tracer again and enabled only the coverage module. In this case too, the same results:
However, when I enable only the dumper module and the interproc module, the plugin would seem to "work", not consuming all that RAM. Dumper results:
Interproc results:
At this point, I wanted to test the plugin on my harmless malware by enabling both dumper and interproc. In the next two screens, you can see that the plugin actually dumped something, saving those files to the pre-determined destination folder.
So apparently, the real problem lies in the api_tracer and coverage modules.
Ok, let's go module by module. Could you tell me whether a log is generated while running the coverage module alone? What is the size of that log? Could you share that file?
Hello, I apologize for the delay in replying. According to my "mw_monitor.conf" file, the coverage module should generate two types of files: coverage.bin and coverage.log. However, perhaps due to the fact that the process is terminated earlier, no coverage.log is generated. The only files that are generated are the following:
but checking them, they are all empty. Currently, I do not have any other kind of log file. With what follows, perhaps I anticipate the next discussion. By enabling only the apitracer module instead, the only log file generated is "api_tracer_warnings.log". The "function_calls.log" and "function_calls.bin" files, which should be generated according to mw_monitor.conf, are missing. I attach the warnings file with its contents below.