glacierw / mba

Malware Behavior Analyzer

License: Other

Makefile 1.75% C 87.34% C++ 5.36% Objective-C 0.26% Haxe 0.47% Assembly 0.36% Python 1.24% NSIS 0.01% Shell 1.15% Perl 0.25% GLSL 0.01% HTML 0.08% Java 0.60% M4 1.00% PowerShell 0.02% GDB 0.01% CMake 0.03% Batchfile 0.01% Yacc 0.04% Lex 0.02%
malware qemu sandbox virtual-machine-introspection forensics taint-analysis program-analysis dynamic-binary-analysis

mba's Issues

A Dockerfile for MBA?

I think a Dockerfile will be nice.
Even nicer if we can pull the latest Docker image of MBA from Docker Hub :)
What do you guys think?

Fix dift_contaminate_memory_and() and dift_contaminate_memory_or() to support contaminating memory larger than 4G

The dift_contaminate_memory_* functions have a while loop that processes the taint contamination in chunks of len_pt_max bytes.
But the base address addr is never advanced in the while loop, so the taint contamination will not work when len > len_pt_max.
https://github.com/GlacierW/MBA/commit/93ac6367739cba848e6f2c6a59bf21c958b85030#diff-1af4ba10d419d9b4c994b320c09e4e87R1022

while( len > 0 ) {

    len_pt = (len > len_pt_max)? len_pt_max : len;

    /* pack the tag and this chunk's length into the record */
    *((uint64_t*)&rec) |= ((0x00000000000000ff & tag)    << 8);
    *((uint64_t*)&rec) |= ((0x00000000ffffffff & len_pt) << 16);

    dift_rec_enqueue( *((uint64_t*)&rec) );
    dift_rec_enqueue( addr );   /* addr is the same on every iteration */

    len -= len_pt;
}
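To make the effect of the missing address update visible, here is an added, self-contained C example (not MBA's code): the record queue is replaced by a constructed chunk log, the chunk size LEN_PT_MAX_EXAMPLE is assumed to be 4 GiB, and all function and type names are hypothetical. The buggy loop is the one quoted in the issue; the fixed loop adds the addr update. A coverage check shows that the buggy loop only ever taints the first chunk when len exceeds the chunk size.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed chunk size for this example (assumed 4 GiB; the real
 * len_pt_max is fixed by MBA's record format). */
#define LEN_PT_MAX_EXAMPLE (1ULL << 32)

/* Stand-in for the DIFT record queue: instead of packing records we keep
 * each (addr, len) chunk that would be tainted so coverage can be checked.
 * All names below are hypothetical, not MBA's. */
#define MAX_CHUNKS 64

typedef struct { uint64_t addr, len; } chunk_t;
typedef struct { chunk_t chunks[MAX_CHUNKS]; size_t count; } chunk_log_t;

static void log_chunk(chunk_log_t *log, uint64_t addr, uint64_t len) {
    if (log->count < MAX_CHUNKS) {
        log->chunks[log->count].addr = addr;
        log->chunks[log->count].len  = len;
    }
    log->count++;
}

/* Mirrors the loop quoted in the issue: addr is never advanced, so every
 * chunk after the first is emitted for the same base address. */
static void contaminate_buggy(chunk_log_t *log, uint64_t addr, uint64_t len,
                              uint64_t len_pt_max) {
    while (len > 0) {
        uint64_t len_pt = (len > len_pt_max) ? len_pt_max : len;
        log_chunk(log, addr, len_pt);
        len -= len_pt;
    }
}

/* Same loop with the base address advanced by each chunk's length. */
static void contaminate_fixed(chunk_log_t *log, uint64_t addr, uint64_t len,
                              uint64_t len_pt_max) {
    while (len > 0) {
        uint64_t len_pt = (len > len_pt_max) ? len_pt_max : len;
        log_chunk(log, addr, len_pt);
        addr += len_pt;   /* the step missing from the original loop */
        len  -= len_pt;
    }
}

/* Number of bytes from base onward that the logged chunks cover without a
 * gap or overlap; equals the requested len only if the chunks tile
 * [base, base + len) in order. */
static uint64_t contiguous_coverage(const chunk_log_t *log, uint64_t base) {
    uint64_t expected = base;
    size_t n = log->count < MAX_CHUNKS ? log->count : MAX_CHUNKS;
    for (size_t i = 0; i < n; i++) {
        if (log->chunks[i].addr != expected)
            break;
        expected += log->chunks[i].len;
    }
    return expected - base;
}

/* Taints [base, base + len) with either loop and returns how many bytes
 * of the request were actually reached. */
static uint64_t run_example(int fixed, uint64_t base, uint64_t len) {
    chunk_log_t log = { .count = 0 };
    if (fixed) contaminate_fixed(&log, base, len, LEN_PT_MAX_EXAMPLE);
    else       contaminate_buggy(&log, base, len, LEN_PT_MAX_EXAMPLE);
    return contiguous_coverage(&log, base);
}

int main(void) {
    uint64_t base = 0x1000, len = 3 * LEN_PT_MAX_EXAMPLE + 5;  /* > 4 GiB */
    printf("requested %llu bytes: buggy loop covers %llu, fixed loop covers %llu\n",
           (unsigned long long)len,
           (unsigned long long)run_example(0, base, len),
           (unsigned long long)run_example(1, base, len));
    return 0;
}
```

For a request of one chunk or less the two loops behave identically, which is why the bug only shows up on ranges above len_pt_max.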

libcfile errors due to "error Missing file remove function"

The compilation of libqcow fails, due to the new feature of sub-component libcfile.

libcfile_support.c:742:2: error: #error Missing file remove function
#error Missing file remove function
  ^ 
make[2]: *** [libcfile_support.lo] Error 1 
make[2]: Leaving directory `/tmp/MBA/ext/tsk/sleuthkit/libqcow/libcfile'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/tmp/MBA/ext/tsk/sleuthkit/libqcow' 
make: *** [ext/tsk/sleuthkit/libqcow/libqcow/.libs/libqcow.a] Error 2

fix is_valid_mem_range() and is_valid_disk_range()

Here is the code,

static int is_valid_mem_range( uint64_t addr, uint64_t len ) {

    /* unsigned subtraction: wraps around when addr > phys_ram_size */
    if( phys_ram_size - addr < len )
        return false;
    return true;
}

When addr is larger than phys_ram_size,
the function returns true, whereas it should return false.

There is the same problem in is_valid_disk_range() too.
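The wraparound is easy to reproduce. The following is an added C example, not MBA's code: phys_ram_size and disk_size are constructed values (2 GiB and 8 GiB), the buggy function is the one quoted in the issue, and the corrected checks (range_within and the two *_fixed wrappers, all hypothetical names) reject an address beyond the end before computing the remaining room, so the subtraction can no longer wrap. The same corrected check serves the disk-side function the issue mentions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sizes for this example; in MBA both come from the running
 * guest's configuration. */
static uint64_t phys_ram_size = 2ULL << 30;   /* 2 GiB of guest RAM */
static uint64_t disk_size     = 8ULL << 30;   /* 8 GiB disk image   */

/* The check as quoted in the issue. When addr > phys_ram_size the unsigned
 * subtraction wraps around to a huge value, so any len passes. */
static bool is_valid_mem_range_buggy(uint64_t addr, uint64_t len) {
    if (phys_ram_size - addr < len)
        return false;
    return true;
}

/* Shared corrected check: addr must lie inside [0, size] before the
 * remaining room is computed, so size - addr cannot wrap. It keeps the
 * original's acceptance of addr + len == size and rejects addr + len > size
 * without ever computing addr + len (which could itself overflow). */
static bool range_within(uint64_t size, uint64_t addr, uint64_t len) {
    if (addr > size)
        return false;
    return len <= size - addr;
}

static bool is_valid_mem_range_fixed(uint64_t addr, uint64_t len) {
    return range_within(phys_ram_size, addr, len);
}

/* is_valid_disk_range() has the same flaw per the issue; same fix. */
static bool is_valid_disk_range_fixed(uint64_t addr, uint64_t len) {
    return range_within(disk_size, addr, len);
}

int main(void) {
    uint64_t beyond = 3ULL << 30;   /* 1 GiB past the end of RAM */
    printf("addr=3GiB len=16      buggy:%d fixed:%d\n",
           is_valid_mem_range_buggy(beyond, 16),
           is_valid_mem_range_fixed(beyond, 16));
    printf("addr=2GiB-16 len=16   fixed:%d\n",
           is_valid_mem_range_fixed(phys_ram_size - 16, 16));
    printf("addr=2GiB-16 len=17   fixed:%d\n",
           is_valid_mem_range_fixed(phys_ram_size - 16, 17));
    return 0;
}
```

The first line of output shows the buggy check accepting a 16-byte range that starts 1 GiB past the end of RAM; the corrected check rejects it while still accepting ranges that end exactly at the last byte.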

[Bug] The connection to the agent server is broken while reading

Expected behavior

I was about to use mba_wexec cmd.exe to check the Desktop in the guest OS (Win10) after I imported an img to the guest OS by using the following command:
mba_wimpo /home/bruce30262/MBA-workspace/test-sample/789.PNG C:\Users\dsns\Desktop\789.PNG

I was expecting MBA would give me a shell to interact with the guest OS.

Actual behavior

It printed out the following error message:

The connection to the agent server is broken while reading

Then the whole sandbox was stuck at the (agent-exec) prompt. The only thing I can do is kill the MBA process and restart the whole sandbox.

Steps to reproduce the problem

$ cat run_mba.sh 
#!/bin/bash
$HOME/MBA/x86_64-softmmu/qemu-system-x86_64 -vnc :2 -monitor stdio -m 2048 -netdev user,id=mynet -device rtl8139,netdev=mynet $HOME/MBA-workspace/win10.qcow2 -loadvm ready  

$ ./run_mba.sh
QEMU 2.3.50 monitor - type 'help' for more information
(qemu) mba_load_structures type_definition
(qemu) KPCR found fffff801a9173000

(qemu) mba_load_structures network_type_definition
(qemu) mba_load_global_variable global_type_definition
(qemu) mba_winit
Agent thread starting
(qemu) mba_wexec cmd.exe
(agent-exec) Microsoft Windows [Version 10.0.10240]
(c) 2015 Microsoft Corporation. All rights reserved.

C:\Users\dsns>
(agent-exec) 
C:\Users\dsns>dir
(agent-exec) dir
 Volume in drive C has no label.
 Volume Serial Number is 3E03-29AC

 Directory of C:\Users\dsns

2016/11/12  �W�06:09    <DIR>          .
2016/11/12  �W�06:09    <DIR>          ..
2016/06/30  �W�04:19    <DIR>          Contacts
2016/06/30  �W�04:19    <DIR>          Desktop
2016/07/14  �W�04:52    <DIR>          Documents
2016/06/30  �W�04:19    <DIR>          Downloads
2016/06/30  �W�04:19    <DIR>          Favorites
2016/06/30  �W�04:19    <DIR>          Links
2016/06/30  �W�04:19    <DIR>          Music
2016/11/05  �W�06:10    <DIR>          OneDrive
2016/06/30  �W�04:19    <DIR>          Pictures
2016/06/30  �W�04:19    <DIR>          Saved Games
2016/06/30  �W�04:19    <DIR>          Searches
2016/06/30  �W�04:19    <DIR>          Videos
2016/11/12  �W�06:07           159,454 win_agent.exe
               1 File(s)        159,454 bytes
              14 Dir(s)   4,785,410,048 bytes free

C:\Users\dsns>
(agent-exec) 
C:\Users\dsns>exit
(agent-exec) exit
System Receive : exec cmd.exe

(qemu) mba_wimpo /home/bruce30262/MBA-workspace/test-sample/789.PNG C:\Users\dsns\Desktop\789.PNG
(qemu) System Receive : impo C:\Users\dsns\Desktop\789.PNG
(qemu) mba_wexec cmd.exe
(agent-exec) The connection to the agent server is broken while reading

(agent-exec) exit
(agent-exec) 
(agent-exec) 
(agent-exec) ./run_mba.sh: line 2:  3192 Killed                  $HOME/MBA/x86_64-softmmu/qemu-system-x86_64 -vnc :2 -monitor stdio -m 2048 -netdev user,id=mynet -device rtl8139,netdev=mynet $HOME/MBA-workspace/win10.qcow2 -loadvm ready

I've used RealVNC to make sure that the image has been imported to the guest OS.

Specification on the environment

I'm running a Linux VM (Ubuntu 14.04 64-bit) on a Windows 10 x64 OS.

$ uname -a
Linux ubuntu 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:07:32 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 14.04.5 LTS
Release:        14.04
Codename:       trusty

Inside the VM I run the MBA sandbox, which was built with the latest version of source code:

$ git clone https://github.com/GlacierW/MBA.git
$ ./configure --enable-mba-all --target-list=x86_64-softmmu
$ make -j8
