Simulating Windows API calls while emulating in Linux with ESIL
Hello,
Following #13720, I'm trying to extract the first 50 emulated instructions starting from the entry point, using ESIL of radare2.
However, I tested it on a binary packed with MEW SE 11. Unfortunately, after the first jump, I go directly to invalid instructions (ff invalid instructions).
What is the cause of that? Is the MEW packer loading a section dynamically containing its code, which ESIL is not able to emulate?
The commands I use for emulating the first 50 instructions are: `e dbg.trace=true`, `aeim`, `dr PC=entry0`, `50aes`, `dtd`
I've attached the binary here.
So, could you explain to me what is the cause of that and how it could be resolved?
Thanks in advance for your help
That's because r2 is setting the maps incorrectly; seems like a bug in the PE parser.
On 21 Apr 2019, at 19:35, lamin3 [email protected] wrote:
@radare Thanks a lot for your reply.
Ok, so what is the solution? Is it possible to load another PE parser into radare2?
Also, by the way, how can I map system calls? Because I have the same problem (it jumps towards invalid instructions ff) when a Windows system call is called.
Thanks in advance.
My solution is fixing the PE parser. And yes, you can use the lief-pe plugin for r2. It is not much maintained, but fixing that shouldn't be hard.
What do you mean by "map syscalls"? Syscalls are not mapped; they live in another ring. The function library calls are what I guess you are referring to, and this is something the runtime linker does. r2 doesn't handle that by default, but it has the tools to let you reimplement any API call or load any library in there, but I don't think you want to run real native code in your malware.
On 23 Apr 2019, at 21:25, lamin3 [email protected] wrote:
@radare: Thanks a lot for your replies. And I hope I'm disturbing a lot :-)
Yes, indeed I don't want to emulate the native code of the API system call. As said before, I just want to emulate the first 50 mnemonics of the PE packed binary, starting from the entry point, then get back the traces using the `dtd` command. I want something like [push, mov, mov, call, call, ...., till the 50th mnemonic].
The problem is, sometimes there is an API system call in the first mnemonics (LoadLibrary, or GetVersion, or VirtualAlloc) and then when I try to emulate using the command `50aes`, it emulates just till the first API system call it meets, and then just after it goes to invalid instructions (ff invalid instructions).
So, what is the solution to that? Would just skipping the API system call be a solution? But I don't want to skip all the calls; I would like to skip only Windows API calls and not a simple call like `call offset`.
And please, for the parser plugin, how should I add it? Is there a command similar to changing the debugger, `dL=`?
Just for information: all that I'm doing is under Fedora.
Thanks a lot for your help
`aht ret @@ imp*`
Will make all imports return without falling in ffff places.
But there are many other ways to do that.
On 24 Apr 2019, at 16:16, lamin3 [email protected] wrote:
@radare: Thanks for the reply.
I've just tested it; unfortunately it didn't work. It still stops at the first system call and goes to ff instructions. I've attached here the packed binary (a PE binary packed with Armadillo) I'm testing with.
It stops at `call dword [sym.imp.KERNEL32.dll_GetVersion]`, the 14th instruction from the entry point.
The commands I'm using are: `e dbg.trace=true`, `aei`, `aeim`, `aht ret @@ imp*`, `50aes`, `dtd`
Thanks Armadillo_aitagent.exe.zip
@radare: Please, the command `aht ret @@ imp*` didn't work; it still stops at `call dword [sym.imp.KERNEL32.dll_GetVersion]` as shown above.
Is there another way to simulate the API calls without going to ff instructions?
I've attached the packed binary in the previous message.
Thanks a lot for your help
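One way to get the "first N mnemonics from entry0, stepping into plain calls but not into Windows API calls" trace discussed in the messages above, as an added example that is not code from this thread or from the radare2 project. It drives radare2 through r2pipe (assumed installed, with r2 on PATH) and, instead of emulating an unresolved `call dword [sym.imp.X]` (whose target the emulator cannot map, hence the jump into ff bytes), moves the ESIL PC to the instruction after the call, which leaves the stack exactly as a callee returning would. Assumptions beyond the thread: a 32-bit x86 PE (register name `eip`), that `iij` reports each import's IAT slot in its `plt` field, and that `aoj` entries carry `addr`, `size`, `type`, `mnemonic`, `jump` and `ptr` as in radare2's JSON output. The decision logic is kept in plain functions so it can be exercised without radare2.

```python
"""Trace the first N emulated instructions from entry0 with radare2/ESIL,
skipping over calls that resolve through the import table (IAT).

Added example: not code from the radare2 issue thread or the project.
Assumptions are marked in comments.
"""
try:
    import r2pipe  # assumption: `pip install r2pipe` and r2 on PATH
except ImportError:  # the decision helpers below still work without it
    r2pipe = None


def iat_slots(imports):
    """IAT slot addresses from `iij` JSON (assumption: the "plt" key holds
    the address of the import's pointer slot, as r2 reports for PE files)."""
    return {imp["plt"] for imp in imports or [] if imp.get("plt")}


def is_import_call(op, iat_addrs):
    """True if an `aoj`-style opcode dict is a call through an import slot.

    Direct calls (`call 0x401050`) carry the target in "jump"; indirect calls
    through memory (`call dword [0x40a000]`) expose the slot address in "ptr".
    Only the indirect form can hit the IAT, but both keys are checked so a
    direct jump to a slot address is not mistaken for packer code."""
    optype = op.get("type", "")
    if not optype.endswith("call"):  # "call", "ucall", "rcall", ...
        return False
    return op.get("ptr") in iat_addrs or op.get("jump") in iat_addrs


def next_action(op, iat_addrs):
    """Decide how to advance at `op`: ("skip", return_address) for an import
    call, ("step", None) for everything else, including direct calls, which
    are emulated normally so the trace descends into the packer stub."""
    if is_import_call(op, iat_addrs):
        return "skip", op["addr"] + op["size"]
    return "step", None


def trace_mnemonics(path, count=50, fake_return_value=0):
    """Emulate `count` instructions from entry0 and return their mnemonics."""
    if r2pipe is None:
        raise RuntimeError("r2pipe is not installed")
    r2 = r2pipe.open(path)
    r2.cmd("e io.cache=true")   # keep emulated writes in memory, never on disk
    r2.cmd("e dbg.trace=true")  # same setting as in the thread, enables `dtd`
    r2.cmd("aei; aeim; s entry0; aeip")  # ESIL VM, stack, PC = entry0
    iat = iat_slots(r2.cmdj("iij"))
    mnemonics = []
    for _ in range(count):
        pc = r2.cmdj("aerj")["eip"]  # assumption: x86-32 register name
        op = r2.cmdj("aoj @ 0x%x" % pc)[0]
        mnemonics.append(op["mnemonic"])
        action, ret_addr = next_action(op, iat)
        if action == "skip":
            # Behave as if the API returned immediately: the call never pushes
            # a return address, so the stack is already balanced; only the
            # return register needs a stand-in value.
            r2.cmd("aer eax=0x%x" % fake_return_value)
            r2.cmd("aer eip=0x%x" % ret_addr)
        else:
            r2.cmd("aes")  # single ESIL step
    r2.quit()
    return mnemonics


if __name__ == "__main__":
    import sys
    print(trace_mnemonics(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 50))
```

Run it as `python3 trace.py packed.exe 50`; `dtd` remains available afterwards from a normal r2 session if the full trace buffer is wanted, but the list returned here is already the `[push, mov, mov, call, ...]` sequence asked for above. The stand-in return value in `eax` is a deliberate simplification: a stub that checks the result of `GetVersion` or `VirtualAlloc` will take whatever branch that value selects, so a trace that crosses such a check should be read with that in mind.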
Having the same issue with system calls on Ubuntu.
@lamin3 note this file isn't actually packed with Armadillo. https://www.zscaler.com/blogs/research/your-windows-8-packed
PEiD sig detections for Armadillo v1.71 and v1.xx - v2.xx are false positives.
@wesinator Thanks for the notification. But have you checked the unzipped file? The file to check is not the zipped one; I had to zip it just for uploading it here. You should first unzip it and then check it with PEiD or, ideally, with DiE. And it is a file that I packed myself with Armadillo v2.52.
Oh, yes, of course I checked the exe; I assumed it wasn't modified. Ok, makes sense.
@GustavoLCR you might be interested in this.
Related: https://github.com/radareorg/radare2/issues/16226
Very good idea!
The Windows PEB is not even emulated on Windows.
The issue is there are many, many versions of Windows; see at least for Win10: https://www.vergiliusproject.com/kernels/x86/Windows%2010
I have 2 implementation design ideas:
1- brute force all the versions from the Vergilius project (long, but working on Linux)
2- calculating the TEB address from registers dynamically from any Windows process (fast to implement, but could work only on Windows).