Unpack Error/Freezing


Kenneth Hamlin

May 31, 2012, 1:23:02 PM
to ether-devel
I am still having problems getting Ether to unpack my malware samples.
I know someone posted something similar to this problem before but
they made it much farther than I am able to before they had problems.
Here's what's happening:

1. I mount the .img file in order to copy the malware sample to the
desktop using mount -t ntfs-3g -o loop,force,offset=35562 <.img file>
mnt
2. I copy the malware sample from my thumbdrive to the mounted image
3. I unmount the image using umount mnt
4. I create the virtual machine using the .hvm config file that points
to that .img file aka. xm create <.hvm file>
5. xm list to get the ID number of the virtual machine
6. open a vnc session to the Windows XP machine using vncviewer
127.0.0.1
7. use F8 to send a ctrl+alt+del to the VM in order to see the task
manager, to see if the malware.exe is running and to kill it in the
future
8. I cd into ether/ether_ctl and run the ./prepare_domains.sh <id>.
This gives the appropriate text about it increasing the memory size.
9. Now I run ./ether <id> unpack_userspace malware.exe and I see the
following text:

After init:
shared_page_ptr: 0xffff8300001d5000
shared_page_mfn: 0x1d5
domid_source: 0
event_channel_port: 31
Shared Page va: 0x7fa93f87f000
Shared Page test:
Page-Sharing is A-OK!

Trying to bind to local port...
Success, bound to local port: 32
Trying to get first pending notification...
Taking off suprious pending notification...
Setting filter by name to: malware.exe

10. Now I switch back to the VNC and execute the malware.exe; task
manager shows the process starts and the CPU usage jumps up to 99%, so
I know it's running.
11. The Ether shell shows:

Execution of Target detected:
Image Base: 0x400000
Image Size: 0x1d000
Entry Point: 0x41031d


That's it; nothing is created in the ether_ctl/images/ directory and no
other information is given from Ether. I've even let it sit and run
for 2 hours with no results, well after the VM CPU usage drops back to
normal and the process stops consuming memory.

I have tried several samples, all of which I know are packed, including
the netbull.exe example used in the DefCon video about Ether, and
the same thing happens each time.

Any ideas what is causing this, or are there any log files I can look
into to get more detail as to what's happening?
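One check worth doing before step 1 of the procedure above: the `offset=` value passed to `mount -o loop` must be the partition's starting LBA multiplied by the sector size, so it is normally a multiple of 512 (35562 is not). The script below, an added example that is not part of the post or of the Ether project, reads the MBR partition table of a raw .img file, derives that byte offset, confirms that an NTFS boot sector actually sits there, and prints the matching mount command rather than running it. It assumes MBR (DOS) partitioning and 512-byte sectors; the function names and the constructed 64-sector test image are this example's own.

```shell
#!/bin/sh
# Added example (not from the post or the Ether project): derive the byte
# offset for `mount -o loop,offset=...` from an image's MBR partition table
# and sanity-check that an NTFS boot sector is at that offset.
# Assumptions: MBR (DOS) partitioning, 512-byte sectors.

SECTOR_SIZE=512

# read_u8 IMG BYTE_OFFSET   -> prints one byte as a decimal number
read_u8() {
    dd if="$1" bs=1 skip="$2" count=1 2>/dev/null | od -An -tu1 | tr -d ' \n'
}

# read_le32 IMG BYTE_OFFSET -> prints a little-endian 32-bit value as decimal
read_le32() {
    set -- $(dd if="$1" bs=1 skip="$2" count=4 2>/dev/null | od -An -tu1)
    [ $# -eq 4 ] || { echo "read_le32: short read" >&2; return 1; }
    echo $(( $4 * 16777216 + $3 * 65536 + $2 * 256 + $1 ))
}

# part_offset IMG N -> prints the byte offset of primary partition N (1-4);
# fails if the 0x55AA MBR signature is missing or the slot is unused.
part_offset() {
    img=$1; n=${2:-1}
    sig=$(dd if="$img" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$sig" = "55aa" ] || { echo "no MBR signature (got '$sig')" >&2; return 1; }
    entry=$((446 + (n - 1) * 16))          # 16-byte entries start at byte 446
    ptype=$(read_u8 "$img" $((entry + 4)))  # byte 4 of the entry: partition type
    [ "$ptype" -ne 0 ] || { echo "partition $n is empty" >&2; return 1; }
    lba=$(read_le32 "$img" $((entry + 8))) || return 1   # bytes 8..11: start LBA
    echo $((lba * SECTOR_SIZE))
}

# is_ntfs_at IMG OFFSET -> succeeds if the sector at OFFSET carries the
# NTFS OEM ID ("NTFS" plus four spaces) at bytes 3..10 of its boot sector.
is_ntfs_at() {
    oem=$(dd if="$1" bs=1 skip=$(($2 + 3)) count=8 2>/dev/null)
    [ "$oem" = "NTFS    " ]
}

# make_test_image OUT -> constructed 64-sector image (not a real Ether image):
# one primary partition of type 0x07 starting at LBA 63, with an NTFS OEM ID
# written into its boot sector.
make_test_image() {
    dd if=/dev/zero of="$1" bs=512 count=64 2>/dev/null
    # boot flag 0x80, CHS start 0/1/0, type 0x07, CHS end 0xfe/0xff/0xff,
    # start LBA 63 (0x0000003f), sector count 1 -- all little-endian
    printf '\200\000\001\000\007\376\377\377\077\000\000\000\001\000\000\000' \
        | dd of="$1" bs=1 seek=446 conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
    printf 'NTFS    ' | dd of="$1" bs=1 seek=$((63 * 512 + 3)) conv=notrunc 2>/dev/null
}

# Usage: sh find_offset.sh [image.img]
# With no argument it builds and inspects the constructed test image.
main() {
    img=${1:-}
    if [ -z "$img" ]; then
        img=$(mktemp) || exit 1
        trap 'rm -f "$img"' EXIT
        make_test_image "$img"
    fi
    off=$(part_offset "$img" 1) || exit 1
    if is_ntfs_at "$img" "$off"; then
        echo "partition 1 starts at byte $off and carries an NTFS boot sector"
        echo "mount -t ntfs-3g -o loop,offset=$off \"$img\" mnt"
    else
        echo "partition 1 starts at byte $off but no NTFS OEM ID was found there" >&2
        exit 1
    fi
}

main "$@"
```

Run it against the real .img file and use the printed offset in place of the hard-coded one; if `part_offset` reports no MBR signature, the image is probably a bare partition image (or GPT) and should be mounted with no `offset=` at all.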

Artem Dinaburg

Jun 2, 2012, 4:59:24 PM
to ether...@googlegroups.com
Hmm, I am not sure what is going on; everything seems like it's working. What are the outputs of the Xen dmesg (sudo xm dm)?

Artem

Kenneth Hamlin

Jun 7, 2012, 11:53:17 AM
to ether-devel
Below is a copy of xm dm. "Xen trace buffers: disabled" looks like it
could be a problem, and it says "Errors and warnings" in the logs, but I'm
not sure where they are located in order to check them.


 __  __            _____  _   ___
 \ \/ /___ _ __   |___ / / | / _ \
  \  // _ \ '_ \    |_ \ | || | | |
  / \  __/ | | |   ___) || || |_| |
 /_/\_\___|_| |_|  |____(_)_(_)___/

http://www.cl.cam.ac.uk/netos/xen
University of Cambridge Computer Laboratory

Xen version 3.1.0 (ro...@example.org) (gcc version 4.3.2 (Debian
4.3.2-1.1) ) Thu May 3 14:43:23 EDT 2012 (Ether Patch 0.1)
Latest ChangeSet: unavailable

(XEN) Command line: /xen-ether.gz dom0_mem=756M
(XEN) 0000000000000000 - 000000000009a000 (usable)
(XEN) 000000000009ac00 - 00000000000a0000 (reserved)
(XEN) 00000000000e0000 - 0000000000100000 (reserved)
(XEN) 0000000000100000 - 00000000cf1fa000 (usable)
(XEN) 00000000cf1fa000 - 00000000cf23e000 (reserved)
(XEN) 00000000cf23e000 - 00000000cf5b7000 (usable)
(XEN) 00000000cf5b7000 - 00000000cf5e7000 (reserved)
(XEN) 00000000cf5e7000 - 00000000cf7e7000 (ACPI NVS)
(XEN) 00000000cf7e7000 - 00000000cf7ff000 (ACPI data)
(XEN) 00000000cf7ff000 - 00000000cf800000 (usable)
(XEN) 00000000fed1c000 - 00000000fed20000 (reserved)
(XEN) 00000000ffc00000 - 00000000ffc20000 (reserved)
(XEN) 0000000100000000 - 000000012e000000 (usable)
(XEN) System RAM: 4053MB (4150328kB)
(XEN) Xen heap: 13MB (14092kB)
(XEN) Domain heap initialised: DMA width 32 bits
(XEN) Processor #0 6:10 APIC version 21
(XEN) Processor #2 6:10 APIC version 21
(XEN) Processor #4 6:10 APIC version 21
(XEN) Processor #6 6:10 APIC version 21
(XEN) IOAPIC[0]: apic_id 2, version 32, address 0xfec00000, GSI 0-23
(XEN) Enabling APIC mode: Flat. Using 1 I/O APICs
(XEN) Using scheduler: SMP Credit Scheduler (credit)
(XEN) Detected 3093.030 MHz processor.
(XEN)
(XEN) HVM: VMX enabled
(XEN) VMX: MSR intercept bitmap enabled
(XEN) CPU0: Intel(R) Core(TM) i5-2400 CPU @ 3.10GHz stepping 07
(XEN) Mapping cpu 0 to node 255
(XEN) Booting processor 1/2 eip 90000
(XEN) Mapping cpu 1 to node 255
(XEN)
(XEN) CPU1: Intel(R) Core(TM) i5-2400 CPU @ 3.10GHz stepping 07
(XEN) Booting processor 2/4 eip 90000
(XEN) Mapping cpu 2 to node 255
(XEN)
(XEN) CPU2: Intel(R) Core(TM) i5-2400 CPU @ 3.10GHz stepping 07
(XEN) Booting processor 3/6 eip 90000
(XEN) Mapping cpu 3 to node 255
(XEN)
(XEN) CPU3: Intel(R) Core(TM) i5-2400 CPU @ 3.10GHz stepping 07
(XEN) Total of 4 processors activated.
(XEN) ENABLING IO-APIC IRQs
(XEN) -> Using new ACK method
(XEN) Platform timer is 14.318MHz HPET
(XEN) Brought up 4 CPUs
(XEN) *** LOADING DOMAIN 0 ***
(XEN) Xen kernel: 64-bit, lsb, compat32
(XEN) Dom0 kernel: 64-bit, lsb, paddr 0x200000 -> 0x631898
(XEN) PHYSICAL MEMORY ARRANGEMENT:
(XEN) Dom0 alloc.: 0000000128000000->000000012a000000 (185344 pages
to be allocated)
(XEN) VIRTUAL MEMORY ARRANGEMENT:
(XEN) Loaded kernel: ffffffff80200000->ffffffff80631898
(XEN) Init. ramdisk: ffffffff80632000->ffffffff81b6a400
(XEN) Phys-Mach map: ffffffff81b6b000->ffffffff81ce5000
(XEN) Start info: ffffffff81ce5000->ffffffff81ce549c
(XEN) Page tables: ffffffff81ce6000->ffffffff81cf9000
(XEN) Boot stack: ffffffff81cf9000->ffffffff81cfa000
(XEN) TOTAL: ffffffff80000000->ffffffff82000000
(XEN) ENTRY ADDRESS: ffffffff80200000
(XEN) Dom0 has maximum 4 VCPUs
(XEN) Initrd len 0x1538400, start at 0xffffffff80632000
(XEN) Scrubbing Free RAM: ................................done.
(XEN) Xen trace buffers: disabled
(XEN) Std. Loglevel: Errors and warnings
(XEN) Guest Loglevel: Nothing (Rate-limited: Errors and warnings)
(XEN) Xen is relinquishing VGA console.
(XEN) *** Serial input -> DOM0 (type 'CTRL-a' three times to switch
input to Xen).