miasm
error struct.error: 'I' format requires 0 <= number <= 4294967295 when using -y
I have the following stack trace when using the "-y" option with the Sandbox_Win_x86_32 parser:
```
python sandboxed_powershell.py -j gcc -l -s -y powershell.exe
[INFO]: Loading module 'ntdll.dll'
[INFO]: Loading module 'kernel32.dll'
[INFO]: Loading module 'user32.dll'
[INFO]: Loading module 'ole32.dll'
[INFO]: Loading module 'urlmon.dll'
[INFO]: Loading module 'ws2_32.dll'
[INFO]: Loading module 'advapi32.dll'
[INFO]: Loading module 'psapi.dll'
[WARNING]: Create dummy entry for 'iertutil.dll'
[WARNING]: Create dummy entry for 'msvcrt.dll'
[WARNING]: Create dummy entry for 'oleaut32.dll'
[WARNING]: Create dummy entry for 'rpcrt4.dll'
[WARNING]: Create dummy entry for 'shlwapi.dll'
[WARNING]: Create dummy entry for 'atl.dll'
[WARNING]: Create dummy entry for 'mscoree.dll'
[WARNING]: Create dummy entry for 'gdi32.dll'
[WARNING]: Create dummy entry for 'ws2help.dll'
Traceback (most recent call last):
  File "sandboxed_powershell.py", line 31, in <module>
    sb = Sandbox_Win_x86_32(options.filename, options, globals())
  File "/usr/local/lib/python2.7/dist-packages/miasm2/analysis/sandbox.py", line 447, in __init__
    Sandbox.__init__(self, *args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/miasm2/analysis/sandbox.py", line 55, in __init__
    cls.__init__(self, custom_methods, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/miasm2/analysis/sandbox.py", line 246, in __init__
    win_api_x86_32_seh.init_seh(self.jitter)
  File "/usr/local/lib/python2.7/dist-packages/miasm2/os_dep/win_api_x86_32_seh.py", line 414, in init_seh
    build_peb(jitter, peb_address)
  File "/usr/local/lib/python2.7/dist-packages/miasm2/os_dep/win_api_x86_32_seh.py", line 132, in build_peb
    Peb.ImageBaseAddress = main_pe.NThdr.ImageBase
  File "/usr/local/lib/python2.7/dist-packages/miasm2/core/types.py", line 1472, in <lambda>
    lambda self, val, name=name: self.set_field(name, val)
  File "/usr/local/lib/python2.7/dist-packages/miasm2/core/types.py", line 1408, in set_field
    return self._type.set_field(self._vm, self.get_addr(), name, val)
  File "/usr/local/lib/python2.7/dist-packages/miasm2/core/types.py", line 643, in set_field
    field.set(vm, addr + offset, val)
  File "/usr/local/lib/python2.7/dist-packages/miasm2/core/types.py", line 283, in set
    raw = self._pack(val)
  File "/usr/local/lib/python2.7/dist-packages/miasm2/core/types.py", line 381, in _pack
    return super(Num, self)._pack([number])
  File "/usr/local/lib/python2.7/dist-packages/miasm2/core/types.py", line 354, in _pack
    return struct.pack(self._fmt, *fields)
struct.error: 'I' format requires 0 <= number <= 4294967295
```
powershell.exe is the executable from Windows (852d67a27e454bd389fa7f02a8cbe23f). The code I am using is very basic:
```python
import os
from pdb import pm
from miasm2.analysis.sandbox import Sandbox_Win_x86_32
from miasm2.jitter.csts import PAGE_READ, PAGE_WRITE

ADDR = 0x1000

# Python auto completion
filename = os.environ.get('PYTHONSTARTUP')
if filename and os.path.isfile(filename):
    execfile(filename)

# Sandbox command-line options plus the PE to load
parser = Sandbox_Win_x86_32.parser(description="PE sandboxer")
parser.add_argument("filename", help="PE Filename")
options = parser.parse_args()

# Build the sandbox; this is the call that raises struct.error
sb = Sandbox_Win_x86_32(options.filename, options, globals())
sb.jitter.jit.log_mn = True

# Map the contents of file.bin at ADDR and run from there
f = open('file.bin', 'rb')
sb.jitter.vm.add_memory_page(ADDR, PAGE_READ|PAGE_WRITE, f.read(), "whatever")
f.close()

sb.run(ADDR)
assert(sb.jitter.run is False)
```
Any idea on how to fix that?
Hi sarcarx,
it looks like you are running a 64-bit binary (according to VirusTotal) in a 32-bit sandbox.
Hi itsacoderepo,
Ok I have tried using a Sandbox_Win_x86_64 instead of Sandbox_Win_x86_32, the output seems to be the same.
```
Traceback (most recent call last):
  File "sandboxed_powershell.py", line 31, in <module>
    sb = Sandbox_Win_x86_64(options.filename, options, globals())
  File "/usr/local/lib/python2.7/dist-packages/miasm2/analysis/sandbox.py", line 479, in __init__
    Sandbox.__init__(self, *args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/miasm2/analysis/sandbox.py", line 55, in __init__
    cls.__init__(self, custom_methods, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/miasm2/analysis/sandbox.py", line 246, in __init__
    win_api_x86_32_seh.init_seh(self.jitter)
  File "/usr/local/lib/python2.7/dist-packages/miasm2/os_dep/win_api_x86_32_seh.py", line 414, in init_seh
    build_peb(jitter, peb_address)
  File "/usr/local/lib/python2.7/dist-packages/miasm2/os_dep/win_api_x86_32_seh.py", line 132, in build_peb
    Peb.ImageBaseAddress = main_pe.NThdr.ImageBase
  File "/usr/local/lib/python2.7/dist-packages/miasm2/core/types.py", line 1472, in <lambda>
    lambda self, val, name=name: self.set_field(name, val)
  File "/usr/local/lib/python2.7/dist-packages/miasm2/core/types.py", line 1408, in set_field
    return self._type.set_field(self._vm, self.get_addr(), name, val)
  File "/usr/local/lib/python2.7/dist-packages/miasm2/core/types.py", line 643, in set_field
    field.set(vm, addr + offset, val)
  File "/usr/local/lib/python2.7/dist-packages/miasm2/core/types.py", line 283, in set
    raw = self._pack(val)
  File "/usr/local/lib/python2.7/dist-packages/miasm2/core/types.py", line 381, in _pack
    return super(Num, self)._pack([number])
  File "/usr/local/lib/python2.7/dist-packages/miasm2/core/types.py", line 354, in _pack
    return struct.pack(self._fmt, *fields)
struct.error: 'I' format requires 0 <= number <= 4294967295
```
Also I tried using the same code with a 32-bit executable with the Sandbox_Win_x86_32 and it does seem to work. Maybe the problem does indeed come from me using a 64-bit executable.
It seems that process environment structures (PEB, TEB, etc.) are only implemented for 32 bits, so it cannot work with 64-bit binaries for now.
Hi guys!
@itsacoderepo: Nice catch for the 32/64 bit :)
@themaks: You are right! For the moment only Windows 32-bit structures are in the public repo.
@sarcarx: We have a test branch internally for the 64-bit that we will release in the near future!
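
An added example, not from the thread or from miasm's code: a standalone Python 3 check that reads the PE optional-header magic and ImageBase before a sandbox class is chosen, and shows why a PE32+ image base cannot be packed into the 32-bit 'I' field named in the traceback. The function names are hypothetical, and the header bytes and the 0x400000 / 0x140000000 image bases are constructed sample values.

```python
import struct

PE32_MAGIC, PE32_PLUS_MAGIC = 0x10B, 0x20B

def pe_bitness_and_imagebase(data):
    """Return (bits, ImageBase) parsed from the PE headers in `data`."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20          # skip signature and 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == PE32_MAGIC:          # PE32: 32-bit ImageBase at offset 28
        return 32, struct.unpack_from("<I", data, opt + 28)[0]
    if magic == PE32_PLUS_MAGIC:     # PE32+: 64-bit ImageBase at offset 24
        return 64, struct.unpack_from("<Q", data, opt + 24)[0]
    raise ValueError("unknown optional header magic 0x%x" % magic)

def fits_32bit_field(value):
    """True if `value` can be packed with the 'I' format from the traceback."""
    try:
        struct.pack("<I", value)
        return True
    except struct.error:
        return False

def make_headers(magic, image_base):
    """Constructed sample: minimal MZ + PE headers, no sections or code."""
    buf = bytearray(0x40 + 4 + 20 + 32)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)     # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    opt = 0x40 + 4 + 20
    struct.pack_into("<H", buf, opt, magic)
    if magic == PE32_MAGIC:
        struct.pack_into("<I", buf, opt + 28, image_base)
    else:
        struct.pack_into("<Q", buf, opt + 24, image_base)
    return bytes(buf)

if __name__ == "__main__":
    for magic, base in ((PE32_MAGIC, 0x400000), (PE32_PLUS_MAGIC, 0x140000000)):
        bits, image_base = pe_bitness_and_imagebase(make_headers(magic, base))
        print(bits, hex(image_base), "fits 32-bit field:", fits_32bit_field(image_base))
```

Running the same check on the real sample before instantiating a sandbox tells you up front whether the 32-bit-only PEB/TEB structures can represent its image base.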