glacierw / mba Goto Github PK
View Code? Open in Web Editor NEWMalware Behavior Analyzer
License: Other
mba's People
Contributors
Stargazers
Watchers
Forkers
dennisieur misterlihao bletchley13 jeffreyjao redteamcaliber lovesuae wflk techlord-rce vest12385 akpotter lucabongiorni deki0r chubbymaggie jack51706 yang123vc changeyourname amohanta 0thm4n3 fatgle mike1026915 miaoski gk1026 chaojianhu ioanlongjing a2wharrison ylqian1912 5up3rc shadowliangliang thenson81 sswares knownact th3cyb3rc0p hecg119 kaganisildak gmh5225 noorahsmithmba's Issues
Is it possible to support Windows 32-bit guest OS?
Thanks for the great project. I wonder is it possible to support Windows 32-bit guest OS? What should I do if I want to implement it?
Code offset between QEMU host code and DIFT pre-generated code exceed 32 bits value
DIFT instrument the QEMU TCG host code generation to call DIFT pre-generated binary code on demands. However, the call instruction used in the instrumentation only supports a 32 bits value as the relative offset. Thereby, when the offset exceed 4G, a segfault fatal error occurs.
libcfile errors due to "error Missing file remove function"
The compilation of libqcow fails, due to the new feature of sub-component libcfile.
libcfile_support.c:742:2: error: #error Missing file remove function
#error Missing file remove function
^
make[2]: *** [libcfile_support.lo] Error 1
make[2]: Leaving directory `/tmp/MBA/ext/tsk/sleuthkit/libqcow/libcfile'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/tmp/MBA/ext/tsk/sleuthkit/libqcow'
make: *** [ext/tsk/sleuthkit/libqcow/libqcow/.libs/libqcow.a] Error 2
A Dockerfile for MBA?
I think a Dockerfile will be nice
Even nicer if we can pull the latest docker image of MBA from dockerhub :)
What do you guys think ?
Fix dift_contaminate_memory_and() and dift_contaminate_memory_or() to support contaminate memory more than 4G
dift_contaminate_memory_* functions have a while loop to process taint contaminate for each len_pt_max size.
But the base address addr never added in the while loop, so the taint contaminate will not work when len > len_pt_max.
https://github.com/GlacierW/MBA/commit/93ac6367739cba848e6f2c6a59bf21c958b85030#diff-1af4ba10d419d9b4c994b320c09e4e87R1022
while( len > 0 ) {
len_pt = (len > len_pt_max)? len_pt_max : len;
*((uint64_t*)&rec) |= ((0x00000000000000ff & tag) << 8);
*((uint64_t*)&rec) |= ((0x00000000ffffffff & len_pt) << 16);
dift_rec_enqueue( *((uint64_t*)&rec) );
dift_rec_enqueue( addr );
len -= len_pt;
}
remove `(len == 0)?` check in `dift_contaminate_memory_or()`, `dift_contaminate_memory_and()`
Here is the structure of the code,
int dift_contaminate_memory_or( ..., uint64_t len, ... ) {
...
while( len > 0 ) {
...
}
return (len == 0)? DIFT_SUCCESS : DIFT_ERR_FAIL;
}The check is not needed, because len must be 0 after the program leaves the loop.
fix is_valid_mem_range() and is_valid_disk_range()
Here is the code,
static int is_valid_mem_range( uint64_t addr, uint64_t len ) {
if( phys_ram_size - addr < len )
return false;
return true;
}When addr is larger than phys_ram_size,
the function returns true, whether it should return false.
There is a same problem in is_valid_disk_range() too.
[Bug] The connection to the agent server is broken while reading
Expected behavior
I was about to use mba_wexec cmd.exe to check the Dekstop in the guest OS (Win10) after I imported an img to the guest OS by using the following command :
mba_wimpo /home/bruce30262/MBA-workspace/test-sample/789.PNG C:\Users\dsns\Desktop\789.PNG
I was expecting MBA will give me a shell to interact with the guest OS.
Actual behavior
It print out the following error message:
The connection to the agent server is broken while reading
Then the whole sandbox was stuck at the (agent-exec) prompt. The only thing I can do is kill the MBA process and restart the whole sandbox.
Steps to reproduce the problem
$ cat run_mba.sh
#!/bin/bash
$HOME/MBA/x86_64-softmmu/qemu-system-x86_64 -vnc :2 -monitor stdio -m 2048 -netdev user,id=mynet -device rtl8139,netdev=mynet $HOME/MBA-workspace/win10.qcow2 -loadvm ready
$ ./run_mba.sh
QEMU 2.3.50 monitor - type 'help' for more information
(qemu) mba_load_structures type_definition
(qemu) KPCR found fffff801a9173000
(qemu) mba_load_structures network_type_definition
(qemu) mba_load_global_variable global_type_definition
(qemu) mba_winit
Agent thread starting
(qemu) mba_wexec cmd.exe
(agent-exec) Microsoft Windows [Version 10.0.10240]
(c) 2015 Microsoft Corporation. All rights reserved.
C:\Users\dsns>
(agent-exec)
C:\Users\dsns>dir
(agent-exec) dir
Volume in drive C has no label.
Volume Serial Number is 3E03-29AC
Directory of C:\Users\dsns
2016/11/12 �W�06:09 <DIR> .
2016/11/12 �W�06:09 <DIR> ..
2016/06/30 �W�04:19 <DIR> Contacts
2016/06/30 �W�04:19 <DIR> Desktop
2016/07/14 �W�04:52 <DIR> Documents
2016/06/30 �W�04:19 <DIR> Downloads
2016/06/30 �W�04:19 <DIR> Favorites
2016/06/30 �W�04:19 <DIR> Links
2016/06/30 �W�04:19 <DIR> Music
2016/11/05 �W�06:10 <DIR> OneDrive
2016/06/30 �W�04:19 <DIR> Pictures
2016/06/30 �W�04:19 <DIR> Saved Games
2016/06/30 �W�04:19 <DIR> Searches
2016/06/30 �W�04:19 <DIR> Videos
2016/11/12 �W�06:07 159,454 win_agent.exe
1 File(s) 159,454 bytes
14 Dir(s) 4,785,410,048 bytes free
C:\Users\dsns>
(agent-exec)
C:\Users\dsns>exit
(agent-exec) exit
System Receive : exec cmd.exe
(qemu) mba_wimpo /home/bruce30262/MBA-workspace/test-sample/789.PNG C:\Users\dsns\Desktop\789.PNG
(qemu) System Receive : impo C:\Users\dsns\Desktop\789.PNG
(qemu) mba_wexec cmd.exe
(agent-exec) The connection to the agent server is broken while reading
(agent-exec) exit
(agent-exec)
(agent-exec)
(agent-exec) ./run_mba.sh: line 2: 3192 Killed $HOME/MBA/x86_64-softmmu/qemu-system-x86_64 -vnc :2 -monitor stdio -m 2048 -netdev user,id=mynet -device rtl8139,netdev=mynet $HOME/MBA-work
space/win10.qcow2 -loadvm ready
I've used RealVNC to make sure that the image has been imported to the guest OS:
Specification on the environment
I'm running a Linux VM (Ubuntu 14.04 64 bit) on a Windows 10 x64 OS
$ uname -a
Linux ubuntu 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:07:32 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 14.04.5 LTS
Release: 14.04
Codename: trusty
Inside the VM I run the MBA sandbox, which was built with the latest version of source code:
$ git clone https://github.com/GlacierW/MBA.git
$ ./configure --enable-mba-all --target-list=x86_64-softmmu
$ make -j8
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.