
Unloading modules and emptying cache without having to unload plugin

Open dkfulp opened this issue 6 years ago • 5 comments

Hello,

I am trying to write a plugin that will involve running a process in the guest multiple times. The issue I am facing is that between guest runs the modules in decaf are not cleared. I have found the issue to be within the lm variable that is a _LoadModule_Params struct. Do you know of a way to clear out past lm modules so that decaf sees the program as new each time it runs?

Currently to do this we need to unload the plugin and then reload it.

dkfulp avatar Feb 26 '19 15:02 dkfulp

Hi Zhenxiao,

Can you look into this?

Heng

On Tue, Feb 26, 2019 at 7:57 AM Dakota Fulp [email protected] wrote:

Hello,

I am trying to write a plugin that will involve running a process in the guest multiple times. The issue I am facing is that between guest runs the modules in decaf are not cleared. I have found the issue to be within the lm variable that is a _LoadModule_Params struct. Do you know of a way to clear out past lm modules so that decaf sees the program as new each time it runs?

Currently to do this we need to unload the plugin and then reload it.

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/sycurelab/DECAF/issues/61, or mute the thread https://github.com/notifications/unsubscribe-auth/ACydRnoJqkRh7nJogcwVSwgX3zFwRSPJks5vRVlegaJpZM4bSghf .

hengyin avatar Feb 26 '19 16:02 hengyin

Hi, the problem is, there is a global list module_name containing the module info and a local list module_list for each process; both store the pointers to the module info. In normal cases, we get the module info indexed by the process ID. So in some sense, when a process is dead, we only need to remove the process from the process_map, which is what DECAF does for now. However, sometimes the global list is also used to traverse the module info, which results in some issues. One possible solution is that in the VMI_remove_process function, where we delete the dead process info, we try deleting *mod_pointer and setting mod_pointer=NULL as well.

enlighten5 avatar Feb 27 '19 01:02 enlighten5

Hi, could you give more details about how you found that the modules in decaf are not cleared? As far as I'm concerned, the module info belonging to the process is indexed by the process PID, so the previous process's modules should not get mixed up with those of the running process.

enlighten5 avatar Mar 01 '19 00:03 enlighten5

Currently, when a module is loaded, we use the lm.name, lm.base, and lm.size. The issue we are having is that I will call a program, say foo, in the guest and decaf sees this as a new module that has not been seen before, but if I run foo again, it uses some kind of cached memory of sorts. If I wanted decaf to look at programs as brand new during each run, how would we go about that?

Would it be possible to clear all information that is related to the lm.cr3 of the program that we are running?

dkfulp avatar Mar 04 '19 20:03 dkfulp

It's normal that the module info has been seen before, since the same module is loaded from the global module list and is reusable. If you run a program multiple times, the cr3 and some other process info will be different, and DECAF still recognizes the program as brand new during each run.

enlighten5 avatar Mar 07 '19 02:03 enlighten5
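To make the two answers above concrete, here is a small C model, added as an illustration and not DECAF's own code, of the bookkeeping enlighten5 describes: a global module table that outlives any single process (so a module can legitimately be "seen before") and a per-process list keyed by pid and cr3 that is dropped when the process is removed (so the second run of foo is still a new process). Field names mirror _LoadModule_Params (pid, cr3, name, base, size); the function names, the fixed-size tables and the sample events are assumptions made for this example and do not correspond to DECAF's real API.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of DECAF's module bookkeeping (not DECAF's code):
 * a global module table shared by all processes, plus a per-process
 * module list that is cleared when the process goes away. */

#define MAX_MODULES   64
#define MAX_PROCESSES 16
#define MAX_PER_PROC  16

typedef struct {
    char name[64];
    uint32_t size;
} ModuleInfo;

typedef struct {
    uint32_t pid;
    uint32_t cr3;                     /* differs on every run of the program */
    int in_use;
    int count;
    ModuleInfo *mods[MAX_PER_PROC];   /* pointers into the global table */
    uint64_t bases[MAX_PER_PROC];     /* per-run load address */
} ProcessEntry;

static ModuleInfo   module_table[MAX_MODULES];  /* global list, never pruned here */
static int          module_count;
static ProcessEntry process_map[MAX_PROCESSES]; /* per-process lists */

/* Find or add a module in the global table; *seen_before reports whether
 * it already existed, which is the "seen before" case from the thread. */
static ModuleInfo *global_module(const char *name, uint32_t size, int *seen_before)
{
    for (int i = 0; i < module_count; i++) {
        if (strcmp(module_table[i].name, name) == 0) {
            *seen_before = 1;
            return &module_table[i];
        }
    }
    if (module_count >= MAX_MODULES) return NULL;
    ModuleInfo *m = &module_table[module_count++];
    snprintf(m->name, sizeof m->name, "%s", name);
    m->size = size;
    *seen_before = 0;
    return m;
}

static ProcessEntry *find_process(uint32_t pid)
{
    for (int i = 0; i < MAX_PROCESSES; i++)
        if (process_map[i].in_use && process_map[i].pid == pid)
            return &process_map[i];
    return NULL;
}

/* Model of a load-module event (hypothetical name). Returns 1 if the module
 * was already in the global table, 0 if it is new, -1 on a full table.
 * The per-process list is updated either way. */
int on_load_module(uint32_t pid, uint32_t cr3, const char *name, uint64_t base, uint32_t size)
{
    ProcessEntry *p = find_process(pid);
    if (!p) {
        for (int i = 0; i < MAX_PROCESSES && !p; i++)
            if (!process_map[i].in_use) p = &process_map[i];
        if (!p) return -1;
        memset(p, 0, sizeof *p);
        p->in_use = 1; p->pid = pid; p->cr3 = cr3;
    }
    if (p->count >= MAX_PER_PROC) return -1;
    int seen = 0;
    ModuleInfo *m = global_module(name, size, &seen);
    if (!m) return -1;
    p->mods[p->count] = m;
    p->bases[p->count] = base;
    p->count++;
    return seen;
}

/* Model of process removal (hypothetical name): only the per-process entry
 * is dropped; the global table keeps the module for later runs. */
int on_remove_process(uint32_t pid)
{
    ProcessEntry *p = find_process(pid);
    if (!p) return 0;
    memset(p, 0, sizeof *p);
    return 1;
}

int process_module_count(uint32_t pid)
{
    ProcessEntry *p = find_process(pid);
    return p ? p->count : 0;
}

int global_module_count(void) { return module_count; }

int main(void)
{
    /* Constructed sample events: foo runs twice with a different pid/cr3. */
    printf("run1 foo seen=%d\n", on_load_module(100, 0x1000, "foo", 0x400000, 0x2000));
    on_remove_process(100);
    printf("run2 foo seen=%d, modules for pid 101 = %d\n",
           on_load_module(101, 0x2000, "foo", 0x400000, 0x2000),
           process_module_count(101));
    return 0;
}
```

The point of the model is the split of responsibility: a plugin that wants "fresh" state on every run should key its own data on the per-run identifiers (pid and cr3) and reset it when the process is removed, rather than expecting the global module table to be emptied.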