binee
Various issues running malware samples
I have installed binee on my FreeBSD box and, as far as I can tell, it's running fine: I get all the same results from the test files as the demo, but as soon as I start running malware samples, most of the time the process halts somewhere down the road.
binee 33/ba/33ba8cd251512f90b7249930aee22d3f47255420a8d41e1326169e0f948cc7d0
[1] 0x289d78c0: F SetErrorMode(uMode = 0x8001) = 0x0
[1] 0x289da410: F GetVersion() = 0x40000
[1] 0x289d91c0: F GetModuleHandleA(lpModuleName = 'KERNEL32') = 0x0
[1] 0x289d96e0: F GetSystemDirectoryA(lpBuffer = 0xb7fefd34, uSize = 0x104) = 0x13
[1] 0x26c40df0: P wsprintfA(lpstr = 0xb7fefd47, lpcstr = '%s%s.dll') = 0xb7fefd47
[1] 0x26c40e10: P wvsprintfA(lpstr = 0xb7fefd47, lpcstr = '%s%s.dll', arglist = 0xb7fefd2c) = 0xb7fefd2c
[1] 0x289d97a0: F LoadLibraryExA(lpFileName = 'c:\windows\system32\KERNEL32.dll', hFile = 0x0, dwFlags = 0x8) = 0x289b1000
[1] 0x289d6060: F GetProcAddress(hModule = 0x289b1000, lpProcName = 'SetDefaultDllDirectories') = 0x28a343ff
[1] 0x28a343ff: **SetDefaultDllDirectories**() = 0x28a343ff
interupt 5
interupt 5
interupt 5
interupt 5
This one just keeps throwing interrupt 5.
binee da/23/da232fa1e63e6f2efb1d9550dad8984798a7d22cbf12150778c45c35f2fa0105
[1] 0x213b7330: P _CorExeMain() = 0xb0010000
[1] 0x21590020: F GetEnvironmentVariableW(lpName = 'COMPlus_Version', lpBuffer = 0x0, nSize = 0x0) = 0x0
[1] 0x21590020: F GetEnvironmentVariableW(lpName = 'COMPlus_InstallRoot', lpBuffer = 0x0, nSize = 0x0) = 0x0
[1] 0x2158ce40: P GetLastError() = 0xb7fefd8c
[1] 0x201039b0: P GetLastError() = 0xb7fefd8c
[1] 0x2158ce40: P GetLastError() = 0xcb
[1] 0x201039b0: P GetLastError() = 0xcb
[1] 0x2158ce40: P GetLastError() = 0xb7fefd8c
[1] 0x201039b0: P GetLastError() = 0xb7fefd8c
[1] 0x2158ce40: P GetLastError() = 0xcb
[1] 0x201039b0: P GetLastError() = 0xcb
[1] 0x215e56e0: F AcquireSRWLockExclusive(SRWLock = 0x213eca34) = 0x213ef004
[1] 0x21590590: F VirtualQuery(lpAddress = 0x213ef000, lpBuffer = 0xb7fefc60, dwLength = 0x1c) = 0x1
[1] 0x2158f160: F VirtualProtect(lpAddress = 0x213ef000, dwSize = 0x74, flNewProtect = 0x4, lpflOldProtect = 0x213edba8) = 0x1
[1] 0x215ecadb: F ReleaseSRWLockExclusive(SRWLock = 0x213eca34) = 0x1
[1] 0x215927a0: F LoadLibraryExA(lpFileName = 'ADVAPI32.dll', hFile = 0x0, dwFlags = 0x0) = 0x21835000
[1] 0x2158f060: F GetProcAddress(hModule = 0x21835000, lpProcName = 'RegOpenKeyExW') = 0x21852ea0
[1] 0x215e56e0: F AcquireSRWLockExclusive(SRWLock = 0x213eca34) = 0x213ef004
[1] 0x2158f160: F VirtualProtect(lpAddress = 0x213ef000, dwSize = 0x74, flNewProtect = 0x0, lpflOldProtect = 0xb7fefca4) = 0x1
[1] 0x215ecadb: F ReleaseSRWLockExclusive(SRWLock = 0x213eca34) = 0x1
[1] 0x21852ea0: F RegOpenKeyExW(hKey = 'HKEY_LOCAL_MACHINE', lpSubKey = 'Software\Microsoft\.NETFramework\Policy\', ulOptions = 0x0, samDesired = 0x20019, phkResult = 0xb7fefd68) = 0x1
[1] 0x21590020: F GetEnvironmentVariableW(lpName = 'COMPlus_DefaultVersion', lpBuffer = 0x0, nSize = 0x0) = 0x0
[1] 0x21590e30: F GetModuleFileNameW(hModule = 0x0, lpFilename = 0xb7fef93c, nSize = 0x104) = 0x52
[1] 0x21596810: F GetFileAttributesW(lpFileName = 'C:\Users\tbrady\da232fa1e63e6f2efb1d9550dad8984798a7d22cbf12150778c45c35f2fa0105.local') = 0x80
[1] 0x21590e30: F GetModuleFileNameW(hModule = 0x0, lpFilename = 0xb7fef288, nSize = 0x104) = 0x52
[1] 0x215968a0: F GetFullPathNameW(lpFileName = 'C:\Users\tbrady\da232fa1e63e6f2efb1d9550dad8984798a7d22cbf12150778c45c35f2fa0105', nBufferLength = 0x104, lpBuffer = 0xb7fef490, lpFilePart = 0xb7fef284) = 0x80
[1] 0x2158ce40: P GetLastError() = 0xb7fef24c
[1] 0x201039b0: P GetLastError() = 0xb7fef24c
[1] 0x2158d050: F GetProcessHeap() = 0x123456
[1] 0x215ea7fa: F HeapAlloc(hHeap = 0x123456, dwFlags = 0x0, dwBytes = 0x48010b72) = 0xa0000730
[1] 0x2158ce40: P GetLastError() = 0xa0000730
[1] 0x201039b0: P GetLastError() = 0xa0000730
[1] 0x21590020: F GetEnvironmentVariableW(lpName = 'COMPlus_CLRLoadLogDir', lpBuffer = 0x0, nSize = 0x0) = 0x0
[1] 0x21852ea0: F RegOpenKeyExW(hKey = 'HKEY_LOCAL_MACHINE', lpSubKey = 'Software\Microsoft\.NETFramework', ulOptions = 0x0, samDesired = 0x20019, phkResult = 0xb7feec38) = 0x1
[1] 0x2158ce40: P GetLastError() = 0xb7fef000
[1] 0x201039b0: P GetLastError() = 0xb7fef000
[1] 0x215ea7fa: F HeapAlloc(hHeap = 0x123456, dwFlags = 0x0, dwBytes = 0x2) = 0xe80112b2
[1] 0x2158ce40: P GetLastError() = 0xe80112b2
[1] 0x201039b0: P GetLastError() = 0xe80112b2
Invalid Write: address = 0xe80112b2, size = 0x2, value = 0x0
This one stops after an Invalid Write.
My mock folder is as follows:
ls -b os/win10_32/windows/system32
advapi32.dll cryptsp.dll mscoree.dll powrprof.dll shlwapi.dll version.dll
apisetschema.dll gdi32.dll msvbvm60.dll profapi.dll ucrtbase_clr0400.dll win32u.dll
bcryptprimitives.dll gdi32full.dll msvcp_win.dll psapi.dll ucrtbase.dll windows.storage.dll
cfgmgr32.dll iphlpapi.dll msvcrt.dll rpcrt4.dll umpdc.dll wininet.dll
combase.dll kernel.appcore.dll mswsock.dll sechost.dll user32.dll winmm.dll
comctl32.dll kernel32.dll ntdll.dll secur32.dll userenv.dll winmmbase.dll
comdlg32.dll kernelbase.dll ole32.dll shcore.dll uxtheme.dll ws2_32.dll
crypt32.dll mpr.dll oleaut32.dll shell32.dll vcruntime140.dll
Generally malware will not execute until termination; our goal is to emulate as much as we can until we can no longer mock out the OS properly. The end goal is to mock out the OS as closely and as much as possible, which allows malware to emulate for as long as possible, giving us a decent understanding of what's going on, or at least more than we would get via static analysis, but in more "constant" time.
Our pipeline will stop the malware when any one of 3 events occurs: 1) timeout (6 seconds), 2) the process calls TerminateProcess, Exit, etc., or 3) we reach the limits of the mock OS and emulation. The above samples are examples of 3 in this case.
However, at least the first sample (33ba8cd251512f90b7249930aee22d3f47255420a8d41e1326169e0f948cc7d0) was hitting a function we have not implemented yet ([1] 0x28a343ff: **SetDefaultDllDirectories**() = 0x28a343ff). The ** indicate the function has neither a partial nor a full hook within binee. I have pushed an implementation for this function which is basically a NOP with a successful return, because we don't need this function to run exactly as it does on Windows. The output I now get is below:
go build && ./binee ~/malware/33ba8cd251512f90b7249930aee22d3f47255420a8d41e1326169e0f948cc7d0
[1] 0x22200d30: F SetErrorMode(uMode = 0x8001) = 0x0
[1] 0x22203600: F GetVersion() = 0x40000
[1] 0x22201720: F GetModuleHandleA(lpModuleName = 'KERNEL32') = 0x0
[1] 0x222001a0: F GetSystemDirectoryA(lpBuffer = 0xb7fefd34, uSize = 0x104) = 0x13
[1] 0x26397ca0: P wsprintfA(lpstr = 0xb7fefd47, lpcstr = '%s%s.dll') = 0xb7fefd47
[1] 0x26397cc0: P wvsprintfA(lpstr = 0xb7fefd47, lpcstr = '%s%s.dll', arglist = 0xb7fefd2c) = 0xb7fefd2c
[1] 0x222027b0: F LoadLibraryExA(lpFileName = 'c:\windows\system32\KERNEL32.dll', hFile = 0x0, dwFlags = 0x8) = 0x221da000
[1] 0x221fe670: F GetProcAddress(hModule = 0x221da000, lpProcName = 'SetDefaultDllDirectories') = 0x2225dc5f
[1] 0x2225dc5f: F SetDefaultDllDirectories(DirectoryFlags = 0xc00) = 0x1
[1] 0x222001a0: F GetSystemDirectoryA(lpBuffer = 0xb7fefd44, uSize = 0x104) = 0x13
[1] 0x26397ca0: P wsprintfA(lpstr = 0xb7fefd57, lpcstr = '%s%s.dll') = 0xb7fefd57
[1] 0x26397cc0: P wvsprintfA(lpstr = 0xb7fefd57, lpcstr = '%s%s.dll', arglist = 0xb7fefd3c) = 0xb7fefd3c
[1] 0x222027b0: F LoadLibraryExA(lpFileName = 'c:\windows\system32\UXTHEME.dll', hFile = 0x0, dwFlags = 0x8) = 0x0
[1] 0x221fee00: P lstrlenA(lpString = 'UXTHEME') = 0x0
[1] 0x22582b40: P lstrlenA(lpString = 'UXTHEME') = 0x0
[1] 0x222001a0: F GetSystemDirectoryA(lpBuffer = 0xb7fefd44, uSize = 0x104) = 0x13
[1] 0x26397ca0: P wsprintfA(lpstr = 0xb7fefd57, lpcstr = '%s%s.dll') = 0xb7fefd57
[1] 0x26397cc0: P wvsprintfA(lpstr = 0xb7fefd57, lpcstr = '%s%s.dll', arglist = 0xb7fefd3c) = 0xb7fefd3c
[1] 0x222027b0: F LoadLibraryExA(lpFileName = 'c:\windows\system32\USERENV.dll', hFile = 0x0, dwFlags = 0x8) = 0x2b91a000
[1] 0x221fee00: P lstrlenA(lpString = 'USERENV') = 0x2b91a000
[1] 0x22582b40: P lstrlenA(lpString = 'USERENV') = 0x2b91a000
[1] 0x222001a0: F GetSystemDirectoryA(lpBuffer = 0xb7fefd44, uSize = 0x104) = 0x13
[1] 0x26397ca0: P wsprintfA(lpstr = 0xb7fefd57, lpcstr = '%s%s.dll') = 0xb7fefd57
[1] 0x26397cc0: P wvsprintfA(lpstr = 0xb7fefd57, lpcstr = '%s%s.dll', arglist = 0xb7fefd3c) = 0xb7fefd3c
[1] 0x222027b0: F LoadLibraryExA(lpFileName = 'c:\windows\system32\SETUPAPI.dll', hFile = 0x0, dwFlags = 0x8) = 0x2b9cb000
[1] 0x221fee00: P lstrlenA(lpString = 'SETUPAPI') = 0x2b9cb000
[1] 0x22582b40: P lstrlenA(lpString = 'SETUPAPI') = 0x2b9cb000
[1] 0x222001a0: F GetSystemDirectoryA(lpBuffer = 0xb7fefd44, uSize = 0x104) = 0x13
[1] 0x26397ca0: P wsprintfA(lpstr = 0xb7fefd57, lpcstr = '%s%s.dll') = 0xb7fefd57
[1] 0x26397cc0: P wvsprintfA(lpstr = 0xb7fefd57, lpcstr = '%s%s.dll', arglist = 0xb7fefd3c) = 0xb7fefd3c
[1] 0x222027b0: F LoadLibraryExA(lpFileName = 'c:\windows\system32\APPHELP.dll', hFile = 0x0, dwFlags = 0x8) = 0x0
[1] 0x221fee00: P lstrlenA(lpString = 'APPHELP') = 0x0
[1] 0x22582b40: P lstrlenA(lpString = 'APPHELP') = 0x0
[1] 0x222001a0: F GetSystemDirectoryA(lpBuffer = 0xb7fefd44, uSize = 0x104) = 0x13
[1] 0x26397ca0: P wsprintfA(lpstr = 0xb7fefd57, lpcstr = '%s%s.dll') = 0xb7fefd57
[1] 0x26397cc0: P wvsprintfA(lpstr = 0xb7fefd57, lpcstr = '%s%s.dll', arglist = 0xb7fefd3c) = 0xb7fefd3c
[1] 0x222027b0: F LoadLibraryExA(lpFileName = 'c:\windows\system32\PROPSYS.dll', hFile = 0x0, dwFlags = 0x8) = 0x0
[1] 0x221fee00: P lstrlenA(lpString = 'PROPSYS') = 0x0
[1] 0x22582b40: P lstrlenA(lpString = 'PROPSYS') = 0x0
[1] 0x222001a0: F GetSystemDirectoryA(lpBuffer = 0xb7fefd44, uSize = 0x104) = 0x13
[1] 0x26397ca0: P wsprintfA(lpstr = 0xb7fefd57, lpcstr = '%s%s.dll') = 0xb7fefd57
[1] 0x26397cc0: P wvsprintfA(lpstr = 0xb7fefd57, lpcstr = '%s%s.dll', arglist = 0xb7fefd3c) = 0xb7fefd3c
[1] 0x222027b0: F LoadLibraryExA(lpFileName = 'c:\windows\system32\DWMAPI.dll', hFile = 0x0, dwFlags = 0x8) = 0x0
[1] 0x221fee00: P lstrlenA(lpString = 'DWMAPI') = 0x0
[1] 0x22582b40: P lstrlenA(lpString = 'DWMAPI') = 0x0
[1] 0x222001a0: F GetSystemDirectoryA(lpBuffer = 0xb7fefd44, uSize = 0x104) = 0x13
[1] 0x26397ca0: P wsprintfA(lpstr = 0xb7fefd57, lpcstr = '%s%s.dll') = 0xb7fefd57
[1] 0x26397cc0: P wvsprintfA(lpstr = 0xb7fefd57, lpcstr = '%s%s.dll', arglist = 0xb7fefd3c) = 0xb7fefd3c
[1] 0x222027b0: F LoadLibraryExA(lpFileName = 'c:\windows\system32\CRYPTBASE.dll', hFile = 0x0, dwFlags = 0x8) = 0x2c5f2000
[1] 0x221fee00: P lstrlenA(lpString = 'CRYPTBASE') = 0x2c5f2000
[1] 0x22582b40: P lstrlenA(lpString = 'CRYPTBASE') = 0x2c5f2000
[1] 0x222001a0: F GetSystemDirectoryA(lpBuffer = 0xb7fefd44, uSize = 0x104) = 0x13
[1] 0x26397ca0: P wsprintfA(lpstr = 0xb7fefd57, lpcstr = '%s%s.dll') = 0xb7fefd57
[1] 0x26397cc0: P wvsprintfA(lpstr = 0xb7fefd57, lpcstr = '%s%s.dll', arglist = 0xb7fefd3c) = 0xb7fefd3c
[1] 0x222027b0: F LoadLibraryExA(lpFileName = 'c:\windows\system32\OLEACC.dll', hFile = 0x0, dwFlags = 0x8) = 0x2c61c000
[1] 0x221fee00: P lstrlenA(lpString = 'OLEACC') = 0x2c61c000
[1] 0x22582b40: P lstrlenA(lpString = 'OLEACC') = 0x2c61c000
[1] 0x222001a0: F GetSystemDirectoryA(lpBuffer = 0xb7fefd44, uSize = 0x104) = 0x13
[1] 0x26397ca0: P wsprintfA(lpstr = 0xb7fefd57, lpcstr = '%s%s.dll') = 0xb7fefd57
[1] 0x26397cc0: P wvsprintfA(lpstr = 0xb7fefd57, lpcstr = '%s%s.dll', arglist = 0xb7fefd3c) = 0xb7fefd3c
[1] 0x222027b0: F LoadLibraryExA(lpFileName = 'c:\windows\system32\CLBCATQ.dll', hFile = 0x0, dwFlags = 0x8) = 0x0
[1] 0x221fee00: P lstrlenA(lpString = 'CLBCATQ') = 0x0
[1] 0x22582b40: P lstrlenA(lpString = 'CLBCATQ') = 0x0
[1] 0x22201720: F GetModuleHandleA(lpModuleName = 'VERSION') = 0x0
[1] 0x222001a0: F GetSystemDirectoryA(lpBuffer = 0xb7fefd34, uSize = 0x104) = 0x13
[1] 0x26397ca0: P wsprintfA(lpstr = 0xb7fefd47, lpcstr = '%s%s.dll') = 0xb7fefd47
[1] 0x26397cc0: P wvsprintfA(lpstr = 0xb7fefd47, lpcstr = '%s%s.dll', arglist = 0xb7fefd2c) = 0xb7fefd2c
[1] 0x222027b0: F LoadLibraryExA(lpFileName = 'c:\windows\system32\VERSION.dll', hFile = 0x0, dwFlags = 0x8) = 0x2c7d6000
[1] 0x221fe670: F GetProcAddress(hModule = 0x2c7d6000, lpProcName = 'GetFileVersionInfoA') = 0x2c7d74c0
[1] 0x22201720: F GetModuleHandleA(lpModuleName = 'SHFOLDER') = 0x0
[1] 0x222001a0: F GetSystemDirectoryA(lpBuffer = 0xb7fefd34, uSize = 0x104) = 0x13
[1] 0x26397ca0: P wsprintfA(lpstr = 0xb7fefd47, lpcstr = '%s%s.dll') = 0xb7fefd47
[1] 0x26397cc0: P wvsprintfA(lpstr = 0xb7fefd47, lpcstr = '%s%s.dll', arglist = 0xb7fefd2c) = 0xb7fefd2c
[1] 0x222027b0: F LoadLibraryExA(lpFileName = 'c:\windows\system32\SHFOLDER.dll', hFile = 0x0, dwFlags = 0x8) = 0x2c7f2000
[1] 0x221fe670: F GetProcAddress(hModule = 0x2c7f2000, lpProcName = 'SHGetFolderPathA') = 0x2c7f3350
[1] 0x22201720: F GetModuleHandleA(lpModuleName = 'SHLWAPI') = 0x0
[1] 0x222001a0: F GetSystemDirectoryA(lpBuffer = 0xb7fefd34, uSize = 0x104) = 0x13
[1] 0x26397ca0: P wsprintfA(lpstr = 0xb7fefd47, lpcstr = '%s%s.dll') = 0xb7fefd47
[1] 0x26397cc0: P wvsprintfA(lpstr = 0xb7fefd47, lpcstr = '%s%s.dll', arglist = 0xb7fefd2c) = 0xb7fefd2c
[1] 0x222027b0: F LoadLibraryExA(lpFileName = 'c:\windows\system32\SHLWAPI.dll', hFile = 0x0, dwFlags = 0x8) = 0x2c803000
[1] 0x221fe670: F GetProcAddress(hModule = 0x2c803000, lpProcName = '') = 0x0
Hi @kgwinnup, I've also bumped into an unimplemented hook: [1] 0x27e5ae70: DoEnvironmentSubstW() = 0x481378 (using sample 5aa7b931f566f63fd55c5f26402632a108a9539b42b4dba95256d1a0f97f6a10).
Is it possible to define all (*) unimplemented functions to return the same success code? As in: emu.AddHook("", "SetDefaultDllDirectories", &Hook{ Parameters: []string{"DirectoryFlags"}, Fn: SkipFunctionStdCall(true, 0x1), })
Thanks, Nir
They can be defined individually with a NOP-like instruction (just returning "success"). I don't want to do that globally, however, because we have partial hooks which do jump into the DLL and continue emulation of the real DLL.
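Added example, not code from binee or its maintainers: a small Go helper that triages a pasted binee trace using the line format shown in this thread, covering both the ** marker kgwinnup explains above (no partial or full hook) and the bare DoEnvironmentSubstW line Nir reports. The regular expression for the line format and the sample trace are constructed from the lines pasted here, so it counts F/P hooked calls, lists functions that have no hook, and records the line that stopped the run.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// One binee call line, "[tid] 0xaddr: F Name(args) = 0xret": marker F is a full
// hook, P a partial hook (jumps into the mocked DLL); no marker, usually with the
// name wrapped in **, means binee has no hook for the function at all.
var callRe = regexp.MustCompile(
	`^\[\d+\] 0x[0-9a-f]+: (?:([FP]) )?(?:\*\*)?(\w+)(?:\*\*)?\(.*\) = 0x[0-9a-f]+$`)

type Report struct {
	Hooked     map[string]int // calls per marker: "F" and "P"
	Unhooked   []string       // functions with no hook, first-seen order
	StopReason string         // first non-call line, e.g. "Invalid Write ..."
}

// Triage walks a binee trace and classifies each call by its hook marker.
func Triage(trace string) Report {
	r := Report{Hooked: map[string]int{}}
	seen := map[string]bool{}
	for _, line := range strings.Split(trace, "\n") {
		line = strings.TrimSpace(line)
		m := callRe.FindStringSubmatch(line)
		switch {
		case line == "":
		case m == nil && r.StopReason == "":
			r.StopReason = line // not a call line: binee's own stop message
		case m != nil && m[1] != "":
			r.Hooked[m[1]]++
		case m != nil && !seen[m[2]]:
			seen[m[2]] = true
			r.Unhooked = append(r.Unhooked, m[2])
		}
	}
	return r
}

// Constructed trace shaped like the ones pasted in this issue.
const sampleTrace = `[1] 0x289d78c0: F SetErrorMode(uMode = 0x8001) = 0x0
[1] 0x26c40df0: P wsprintfA(lpstr = 0xb7fefd47, lpcstr = '%s%s.dll') = 0xb7fefd47
[1] 0x28a343ff: **SetDefaultDllDirectories**() = 0x28a343ff
[1] 0x27e5ae70: DoEnvironmentSubstW() = 0x481378
Invalid Write: address = 0xe80112b2, size = 0x2, value = 0x0`

func main() {
	fmt.Println(Triage(sampleTrace))
}
```

Feeding a real run's output through Triage gives the list of functions that need a hook before the sample can emulate further, which is the information the maintainer used to add SetDefaultDllDirectories.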