capesandbox / sflock Goto Github PK

View Code? Open in Web Editor NEW

This project forked from hatching/sflock

10.0 10.0 14.0 16.01 MB

Sample staging & detonation utility to be used in combination with Cuckoo Sandbox.

Python 65.92% HTML 29.41% JavaScript 0.06% PowerShell 0.04% VBScript 0.19% YARA 4.38%

sflock's People

Contributors

Stargazers

Watchers

Forkers

threathive nbargnesi xzwl233 raw-data wmetcalf conitrade kevoreilly avihayst n1nesun antelox cccs-kevin ironmna georgeneokq

sflock's Issues

exceldna extract

https://github.com/augustoproiete/exceldna-unpack

Whether this judgment will cause some files to be unpacked incorrect？

https://github.com/doomedraven/sflock/blob/98962eab780e42956c58d2b1f72358ea9bcf1f67/sflock/pick.py#L73
Should we judge all magic before using endswith?

unace is blocked by sflock

Working: Reading archive. Please wait. Blocked system call occurred during sandboxing!
ip=0x7f0382c1274d sp=0x7ffeb9b97010 abi=0 nr=270 syscall=pselect6

7z file extraction killed by zipjail due to clone limit

Hi
Ive been looking this 7z file:
14b95edd6f41e96cf8fe2e40e348ac1878b0f7734ed12fd1eabd4916a140328b

sflock was failing to unpack it but 7z on the command line was working fine.

Ive found bumping -c=2 up to -c=3 here solves the issue.
I've seen that bumping up to 2 weakens the protection due to race conditions. I'm not sure how much more it's weakend going from 2 to 3 or how many files would actually cause this condition.

I can provide full verbose output from zipjail if it is useful, but here is a heavily cut-down version.
clones set to 2:

/home/pete/gits/local-lab/venv/lib/python3.8/site-packages/sflock/data/zipjail.elf test.7z /home/pete/tmp/output -v -c=2 -- /usr/bin/7z x -mmt=off -p -o/home/pete/tmp/output test.7z
openat(4294967196, /home/pete/tmp/output/Pasw0rd_2024_With_Setup/Patch.css)
openat(4294967196, /home/pete/tmp/output/Pasw0rd_2024_With_Setup/Patch.css)
clone(0x3d0f00, ...)
clone(0x3d0f00, ...)
clone(0x3d0f00, ...)
clone(0x3d0f00, ...)
clone(0x3d0f00, ...)
Killing child 27491

clones set to 3:

/home/pete/gits/local-lab/venv/lib/python3.8/site-packages/sflock/data/zipjail.elf test.7z /home/pete/tmp/output -v -c=3 -- /usr/bin/7z x -mmt=off -p -o/home/pete/tmp/output test.7z
futex(94240458351676, 129, 0x7fffffff)
futex(94240458351592, 129, 0x1)
futex(94240458351592, 129, 0x1)
Everything is Ok

Folders: 4
Files: 14
Size:       26974926
Compressed: 9190596

sflock_identify incorrectly identifies Danabot DLL as EXE file

The "file" utility clearly shows it's a DLL:

$ file /tmp/danabot/7493a5ff39fc5421c4e8ef9e45a19b8530991d3cef0be5ecdc1d74c19cd9c63e 
/tmp/danabot/7493a5ff39fc5421c4e8ef9e45a19b8530991d3cef0be5ecdc1d74c19cd9c63e: MS-DOS executable PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, MZ for MS-DOS

Sflock incorrectly sees it as an EXE file:

>>> import sflock
>>> sflock.__version__
'0.3.23'
>>> from sflock.ident import identify as sflock_identify
>>> from sflock.abstracts import File as SflockFile
>>> f = SflockFile.from_path(b'/tmp/danabot/7493a5ff39fc5421c4e8ef9e45a19b8530991d3cef0be5ecdc1d74c19cd9c63e')
>>> f.contents[:16]
b'MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00'
>>> sflock_identify(f)
'exe'

Sample hash: 7493a5ff39fc5421c4e8ef9e45a19b8530991d3cef0be5ecdc1d74c19cd9c63e (not available on VT)

SIGABRT crash when JPEG file is contained in archive

Hi! We've noticed the following issue while examining karton-archive-extractor crash on some eml/msg files:

sflock runs sflock.main.ident on all unpacked files coming from Unpacker.single
One of ident rules is shellcode detection. sflock tries to run every unpacked file as a possible shellcode using Unicorn emulator (https://github.com/doomedraven/sflock/blob/622641dbd08a78a34a00d9266fc9eefd063a3c52/sflock/ident.py#L137)
Unicorn crashes while trying to emulate \xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x01\x00 as x86-64.

In [4]: sflock.unpack(contents=b'\xff\xd8')
Aborted

>>> emulate(b'\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x01\x00', UC_MODE_64)
fish: Job 1, 'python' terminated by signal SIGABRT (Abort)

msg/eml case with karton-archive-extractor under gdb:

Program received signal SIGABRT, Aborted.
__pthread_kill_implementation (no_tid=0, signo=6, threadid=140737350258688) at ./nptl/pthread_kill.c:44
44    ./nptl/pthread_kill.c: No such file or directory.
(gdb) x/i $rip
=> 0x7ffff7ce4a7c <__GI___pthread_kill+300>:    mov    %eax,%r13d
(gdb) info threads
  Id   Target Id                                    Frame 
* 1    Thread 0x7ffff7c4d000 (LWP 217993) "python3" __pthread_kill_implementation (no_tid=0, signo=6, threadid=140737350258688) at ./nptl/pthread_kill.c:44
(gdb) info stack
#0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=140737350258688) at ./nptl/pthread_kill.c:44
#1  __pthread_kill_internal (signo=6, threadid=140737350258688) at ./nptl/pthread_kill.c:78
#2  __GI___pthread_kill (threadid=140737350258688, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3  0x00007ffff7c90476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4  0x00007ffff7c767f3 in __GI_abort () at ./stdlib/abort.c:79
#5  0x00007ffff391d249 in temp_load[cold] () from /home/psrok1/karton-archive-extractor/venv/lib/python3.10/site-packages/unicorn/lib/libunicorn.so.2
#6  0x00007ffff395c459 in tcg_gen_code_x86_64 () from /home/psrok1/karton-archive-extractor/venv/lib/python3.10/site-packages/unicorn/lib/libunicorn.so.2
#7  0x00007ffff3983fbc in tb_gen_code_x86_64 () from /home/psrok1/karton-archive-extractor/venv/lib/python3.10/site-packages/unicorn/lib/libunicorn.so.2
#8  0x00007ffff396832b in cpu_exec_x86_64 () from /home/psrok1/karton-archive-extractor/venv/lib/python3.10/site-packages/unicorn/lib/libunicorn.so.2
#9  0x00007ffff392ded4 in resume_all_vcpus_x86_64 () from /home/psrok1/karton-archive-extractor/venv/lib/python3.10/site-packages/unicorn/lib/libunicorn.so.2
#10 0x00007ffff392189e in uc_emu_start () from /home/psrok1/karton-archive-extractor/venv/lib/python3.10/site-packages/unicorn/lib/libunicorn.so.2
#11 0x00007ffff5e10e2e in ?? () from /lib/x86_64-linux-gnu/libffi.so.8
#12 0x00007ffff5e0d493 in ?? () from /lib/x86_64-linux-gnu/libffi.so.8
#13 0x00007ffff5e31451 in ?? () from /usr/lib/python3.10/lib-dynload/_ctypes.cpython-310-x86_64-linux-gnu.so
#14 0x00007ffff5e3ace2 in ?? () from /usr/lib/python3.10/lib-dynload/_ctypes.cpython-310-x86_64-linux-gnu.so
#15 0x00005555556a630b in _PyObject_MakeTpCall ()
#16 0x000055555569ec67 in _PyEval_EvalFrameDefault ()
#17 0x00005555556affbc in _PyFunction_Vectorcall ()
#18 0x00005555556985c9 in _PyEval_EvalFrameDefault ()

Installed version of unicorn is unicorn==2.0.0. I'm actually pretty surprised that Unicorn can be killed with two random bytes...

Identification for UDF Files

Hey there!

Can you please add identification for UDF files to the identify() method so that when it is called in CAPE here the tmp_package is udf?

Some samples of UDF files:

We are identifying UDF files in Assemblyline with the following YARA rule https://github.com/CybercentreCanada/assemblyline-base/blob/f0d254126c64f73c57b1435f4f66471afdb58811/assemblyline/common/custom.yara#L872:L891, if that helps

Some PE files get JS package result in ident

Especially Golang files:
for example influx db : https://dl.influxdata.com/influxdb/releases/influxdb2-2.0.7-windows-amd64.zip

capesandbox / sflock Goto Github PK

sflock's People

Contributors

Stargazers

Watchers

Forkers

sflock's Issues

exceldna extract

Whether this judgment will cause some files to be unpacked incorrect？

unace is blocked by sflock

7z file extraction killed by zipjail due to clone limit

sflock_identify incorrectly identifies Danabot DLL as EXE file

SIGABRT crash when JPEG file is contained in archive

Identification for UDF Files

Some PE files get JS package result in ident

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent