UnAutoIt

Some AutoIt binaries just have an empty return - listing fails

Open JL1829 opened this issue 3 years ago • 14 comments

Hi:

The UnAutoIt tool is cool; it does help my research and study a lot, really appreciate it.

Recently I found that for some AutoIt binaries UnAutoIt just returns empty stdout and empty stderr, but the return code is 0.

The binary hash is: 0D3987D155A6259422A13E11789E231EDD3653E12A591E00981804FDF8DF959A

When I list this AutoIt binary, it returns this:

UnAutoIt list Downloads/bin-2/0D3987D155A6259422A13E11789E231EDD3653E12A591E00981804FDF8DF959A
+----+------+------+------+------+
| ID | NAME | PATH | SIZE | TYPE |
+----+------+------+------+------+
+----+------+------+------+------+

In [14]: command = [
    ...:     bin_path,
    ...:     'extract-all',
    ...:     '--output-dir',
    ...:     out_path,
    ...:     source_path]

In [15]: stdout = subprocess.run(command, timeout=90, capture_output=True)

In [23]: stdout
Out[23]: CompletedProcess(args=['PycharmProjects/autoit/UnAutoIt/UnAutoIt', 'extract-all', '--output-dir', 'Downloads/bin-2/output', 'Downloads/bin-2/0D3987D155A6259422A13E11789E231EDD3653E12A591E00981804FDF8DF959A'], returncode=0, stdout=b'', stderr=b'')

Is this a limitation? Any way to debug it?

JL1829 avatar Apr 23 '21 04:04 JL1829

Thanks for the review. You can debug from source using vscode. Or you can send me the binary, and I will check if there's any bug in the tool that gets triggered by the binary.

x0r19x91 avatar Apr 23 '21 09:04 x0r19x91

mli_sample.zip

Hi, thanks for the reply. Sorry, so far my Golang capabilities are not good enough to debug your code.

Here is the binary; it's malicious. I'd really appreciate it if you could take a look.

Thanks //Johnny

JL1829 avatar Apr 23 '21 09:04 JL1829

@x0r19x91 Hi:

Do you have any findings? Recently I have parsed some samples that have the same problem; if you need them, I can send them over here.

Thanks //Johnny

JL1829 avatar May 24 '21 06:05 JL1829

Thanks for identifying the bug! I will be fixing it shortly

x0r19x91 avatar May 24 '21 06:05 x0r19x91

The issue has been fixed. Please check out the latest release.

x0r19x91 avatar May 27 '21 01:05 x0r19x91

Thanks, I will check. Do you still need some more samples?

JL1829 avatar May 27 '21 02:05 JL1829

Yes, sure. I can look for any other bugs.

x0r19x91 avatar May 27 '21 03:05 x0r19x91

Hi, I have tried; there are still lots of empty extractions.

Here I have packed around 160 samples: download here

Some of them are malicious, please work in an isolated env.

JL1829 avatar May 27 '21 08:05 JL1829

Did you use the extract-all command? If yes, could you try using the list command to get the IDs of the artifacts and then use the extract command with the ID?

x0r19x91 avatar May 27 '21 11:05 x0r19x91
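The first post shows the failure mode (return code 0 with empty stdout and stderr, or a `list` table with a header but no rows), and the reply above suggests listing first and then extracting artifacts by ID. The following is an added example, not code from the UnAutoIt project, of a small triage wrapper that treats those empty results as failures instead of success when running the tool over many samples, parses the `list` table, and returns the artifact IDs for per-ID extraction. The `fake_runner` stand-in and the populated table (`script.au3`, `stage2.dll`) are constructed so the logic runs offline; the exact `extract` argument syntax is not on the page, so this code stops at returning the IDs.

```python
"""Triage helper for batch UnAutoIt runs (added example, not part of UnAutoIt)."""
from __future__ import annotations

import subprocess
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed sample outputs. The first one is the empty table from the issue.
EMPTY_LIST_OUTPUT = """\
+----+------+------+------+------+
| ID | NAME | PATH | SIZE | TYPE |
+----+------+------+------+------+
+----+------+------+------+------+
"""

# Hypothetical populated table in the same layout; names and paths are made up.
POPULATED_LIST_OUTPUT = """\
+----+------------+-------------------+------+--------+
| ID | NAME       | PATH              | SIZE | TYPE   |
+----+------------+-------------------+------+--------+
| 0  | script.au3 | >>AUTOIT SCRIPT<< | 4096 | script |
| 1  | stage2.dll | stage2.dll        | 8192 | file   |
+----+------------+-------------------+------+--------+
"""


@dataclass
class RunResult:
    returncode: int
    stdout: bytes
    stderr: bytes


def parse_list_table(text: str) -> List[Dict[str, str]]:
    """Parse the +----+ / | a | b | table printed by `UnAutoIt list` into rows."""
    rows: List[Dict[str, str]] = []
    header = None
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # skip border lines (+----+) and blank lines
        cells = [c.strip() for c in line.strip("|").split("|")]
        if header is None:
            header = cells  # first pipe-delimited line is the column header
            continue
        rows.append(dict(zip(header, cells)))
    return rows


def classify_run(result: RunResult, expect_table: bool) -> str:
    """Return 'error', 'empty' or 'ok'.

    'empty' is the condition from the issue: exit code 0 but nothing useful,
    either no output at all or a table header with zero rows.
    """
    if result.returncode != 0 or result.stderr.strip():
        return "error"
    if not result.stdout.strip():
        return "empty"
    if expect_table and not parse_list_table(result.stdout.decode(errors="replace")):
        return "empty"
    return "ok"


def run_unautoit(bin_path: str, args: List[str], sample: str,
                 runner: Callable = subprocess.run, timeout: int = 90) -> RunResult:
    """Run the tool with a timeout and capture both streams (as in the issue)."""
    cp = runner([bin_path, *args, sample], timeout=timeout, capture_output=True)
    return RunResult(cp.returncode, cp.stdout, cp.stderr)


def artifact_ids(sample: str, bin_path: str,
                 runner: Callable = subprocess.run) -> Tuple[str, List[str]]:
    """List a sample and return (verdict, ids); ids is empty unless verdict is 'ok'.

    The IDs are what the maintainer suggests feeding to the `extract` command.
    """
    res = run_unautoit(bin_path, ["list"], sample, runner)
    verdict = classify_run(res, expect_table=True)
    if verdict != "ok":
        return verdict, []
    rows = parse_list_table(res.stdout.decode(errors="replace"))
    return "ok", [row["ID"] for row in rows]


def fake_runner(stdout_text: str, returncode: int = 0, stderr: bytes = b"") -> Callable:
    """Stand-in for subprocess.run so the triage logic runs without the real tool."""
    def _run(cmd, timeout=None, capture_output=False):
        return subprocess.CompletedProcess(cmd, returncode,
                                           stdout=stdout_text.encode(), stderr=stderr)
    return _run


if __name__ == "__main__":
    # Constructed demo: one sample that lists fine, one that hits the empty-table bug.
    print(artifact_ids("sample_ok.exe", "UnAutoIt", runner=fake_runner(POPULATED_LIST_OUTPUT)))
    print(artifact_ids("sample_bad.exe", "UnAutoIt", runner=fake_runner(EMPTY_LIST_OUTPUT)))
```

In a real batch, pass `subprocess.run` (the default) as the runner and record every sample whose verdict is `empty` separately from real errors; that list is exactly what is worth sending back to the maintainer as reproducers, since a return code of 0 alone hides the bug.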

Hi, actually I just used the list command to see whether the new fix works or not. I saw it return an empty table, so I didn't proceed to extract-all.

JL1829 avatar May 27 '21 13:05 JL1829

> Hi, I have tried; there are still lots of empty extractions.
>
> Here I have packed around 160 samples: download here
>
> Some of them are malicious, please work in an isolated env.

It seems the link is not usable. Can you please use mega.nz?

x0r19x91 avatar May 27 '21 14:05 x0r19x91

Try this mega.nz link

JL1829 avatar Jun 01 '21 09:06 JL1829

Hi Bro:

Is the link accessible? Any findings on the samples?

JL1829 avatar Jun 08 '21 13:06 JL1829

Yes, thanks. There are many samples, and some of them are non-standard.

x0r19x91 avatar Jun 08 '21 13:06 x0r19x91