Break infinite loops by limiting the # of iterations of a while loop.#54
kirk-sayre-work wants to merge 20 commits into DissectMalware:master from
Conversation
Eval cells reached via goto_handler().
Thank you Kirk. Regarding breaking the infinite loop, that's an awesome feature. However, I think the reason that the emulator got caught in an infinite loop is that some of the features for implementing aliases are not complete. I will try to implement those and then add your prevention logic.
Commit fe6eeb4 has the infinite loop fix. Yesterday I made some additional changes to scan intermediate evaluation results and pull out URL IOCs as they are generated (commit 3d7168f). I added the intermediate IOC functionality because I found ~500 Trickbot XLM files for which xlmdeobfuscator does not get a full analysis (they have weird IF() function usage where there are missing END.IF() functions), but I was seeing the download URL being generated as part of the intermediate emulation of the XLM. The intermediate IOC functionality let me dump these download URLs even though the XLM was not fully analyzed. I added this sort of intermediate IOC functionality to ViperMonkey a while back and it has been helpful in picking out IOCs from maldocs with gating or that don't get completely processed. I also added a handler function for DEFINE.NAME and changed things so that the target cell of a goto is evaluated. Finally, I also added a bunch of janky conditional debug print statements. Those could be safely eliminated.
Dridex - 7ff991fdfd6dbbceace1331e9f52bb2d
(apologies for the long overdue) The real issue in v0.1.5 is the way the code is fetching the next macro. I tried to change it in the version-2.0 branch; this should solve the problem, however it needs more testing. The code has a loop detection logic that was purposefully disabled for a while. I'll try to add your logic to the current one (if it is different). I think it would be better to merge it with version-2.0 instead of the master. Do you still see many samples that fall in infinite loops?
fix unassigned use of next_cell
repro file: 8a868633be770dc26525884288c34ba0621170af62f0e18c19b25a17db36726a
[Loading Cells]
--with-ms-excel switch is now deprecated (by default, MS-Excel is not used)
If you want to use MS-Excel, use --with-ms-excel
auto_open: auto_open->K9YZ!$E$829
[Starting Deobfuscation]
CELL:E829 , FullBranching , IF(OR(AND(AND(OR(MAX(APP.MAXIMIZE(),FALSE),MAX(GET.WORKSPACE(13.0),-1.0)>770.0,MIN(GET.WORKSPACE(14.0),10000.0)>390.0,OR(GET.WORKSPACE(31.0)=FALSE),AND(GET.WORKSPACE(19.0),TRUE))))),MIN(50.0),HALT())
CELL:E829 , PartialEvaluation , [TRUE] MIN(50)
CELL:E830 , FullEvaluation , SET.NAME(ndrlm,$E$812)
CELL:E831 , FullEvaluation , SET.NAME(aclhzdly,$I$2023:$I$2043)
CELL:E832 , FullEvaluation , SET.NAME(sghdee,$T$4063:$T$4072)
CELL:E833 , FullEvaluation , SET.NAME(czenbevaq,836)
CELL:E834 , FullEvaluation , SET.NAME(garwogus,5)
CELL:E835 , FullEvaluation , NdRLM()
CELL:E812 , PartialEvaluation , SET.NAME("EIZNh",MAX(0.0,-1.0))
CELL:E813 , PartialEvaluation , SET.NAME("dOzPccZhvxtk",MIN(0.0,1.0))
CELL:E814 , PartialEvaluation , WHILE(AND(EIZNh<ROWS(aClHzdLY)))
Traceback (most recent call last):
File "c:\anaconda3\lib\runpy.py", line 194, in _run_module_as_main
return _run_code(code, main_globals, None,
File "c:\anaconda3\lib\runpy.py", line 87, in _run_code
exec(code, run_globals)
File "c:\Anaconda3\Scripts\xlmdeobfuscator.exe\__main__.py", line 7, in <module>
File "c:\anaconda3\lib\site-packages\XLMMacroDeobfuscator\deobfuscator.py", line 2143, in main
process_file(**vars(args))
File "c:\anaconda3\lib\site-packages\XLMMacroDeobfuscator\deobfuscator.py", line 2021, in process_file
for step in interpreter.deobfuscate_macro(interactive, start_point):
File "c:\anaconda3\lib\site-packages\XLMMacroDeobfuscator\deobfuscator.py", line 1610, in deobfuscate_macro
evaluation_result = self.evaluate_parse_tree(current_cell, parse_tree, interactive)
File "c:\anaconda3\lib\site-packages\XLMMacroDeobfuscator\deobfuscator.py", line 1445, in evaluate_parse_tree
child_eval_result = self.evaluate_parse_tree(current_cell, child_node, interactive)
File "c:\anaconda3\lib\site-packages\XLMMacroDeobfuscator\deobfuscator.py", line 1361, in evaluate_parse_tree
result = self.evaluate_function(current_cell, parse_tree_root, interactive)
File "c:\anaconda3\lib\site-packages\XLMMacroDeobfuscator\deobfuscator.py", line 583, in evaluate_function
eval_result = self._handlers[function_name](arguments, current_cell, interactive, parse_tree_root)
File "c:\anaconda3\lib\site-packages\XLMMacroDeobfuscator\deobfuscator.py", line 1135, in next_handler
if next_cell is None:
UnboundLocalError: local variable 'next_cell' referenced before assignment
Update deobfuscator.py
Update xls_wrapper_2.py
Eval cells reached via goto_handler().
Small note, this is wrong, the proper link is https://github.com/kevoreilly/CAPEv2/
Current SLoad Excel XLM samples contain several while loops which never terminate during XLMMacroDeobfuscator emulation (ex. https://www.virustotal.com/gui/file/f7c577d377eae268913717937f792cca3f5bf7a802559f146ef5fba45f3f4605/detection). This pull request contains one potential method for handling infinite while loops. It limits the number of iterations that a while loop can take. If the iteration limit is exceeded, the loop is exited.
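The following is an added example, not code from this pull request or from XLMMacroDeobfuscator. It is a toy emulator for a handful of XLM formulas (SET.NAME, WHILE/NEXT, HALT) that demonstrates the two ideas raised in this thread: the iteration cap on WHILE loops described above, and the intermediate IOC harvesting from the earlier comment, where URLs are pulled out of each evaluation result as it is produced so they survive an emulation that never finishes. The constant MAX_WHILE_ITERATIONS, the URL regex, the expression subset, the host example.test and both cell listings are constructed for this example and are not taken from the project or from any sample.

```python
import re

# Hypothetical iteration cap; the PR's real limit is not shown on the page.
MAX_WHILE_ITERATIONS = 1000
# URL pattern for harvesting download URLs from intermediate results (constructed here).
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?:/[^\s\"')]*)?", re.IGNORECASE)
# The only XLM formulas this toy dialect knows; loops are not nested.
SET_RE = re.compile(r"^SET\.NAME\((\w+),(.+)\)$")
WHILE_RE = re.compile(r"^WHILE\((.+)\)$")


def eval_expr(expr, env):
    """Evaluate a tiny expression subset: "strings", integers, names, a<b, a&b, a+b."""
    expr = expr.strip()
    if expr.startswith('"') and expr.endswith('"') and expr.count('"') == 2:
        return expr[1:-1]
    if re.fullmatch(r"-?\d+", expr):
        return int(expr)
    for op in ("<", "&", "+"):
        if op in expr:
            lhs, rhs = (eval_expr(part, env) for part in expr.split(op, 1))
            if op == "<":
                return lhs < rhs
            return str(lhs) + str(rhs) if op == "&" else lhs + rhs
    return env.get(expr, 0)  # unknown names read as 0, like an unset XLM name


def record_iocs(value, iocs):
    """Scan one intermediate result for URLs and remember new ones right away."""
    if isinstance(value, str):
        for url in URL_RE.findall(value):
            if url not in iocs:
                iocs.append(url)


def emulate(cells, max_iterations=MAX_WHILE_ITERATIONS):
    """Run cells top to bottom. Returns (env, iocs, status); status is "halted"
    normally and "loop_limit" if a WHILE loop had to be abandoned at the cap."""
    env, iocs, status, pc = {}, [], "halted", 0
    loop_head, iterations = None, 0    # the WHILE cell currently looping and its pass count
    while pc < len(cells):
        cell = cells[pc]
        if m := SET_RE.match(cell):
            name, expr = m.groups()
            env[name] = eval_expr(expr, env)
            record_iocs(env[name], iocs)   # harvest IOCs as they appear, not only at the end
            pc += 1
        elif m := WHILE_RE.match(cell):
            iterations = iterations + 1 if loop_head == pc else 1
            loop_head = pc
            end = cells.index("NEXT()", pc)   # the NEXT() closing this loop
            if iterations > max_iterations:
                status = "loop_limit"          # cap hit: abandon the loop, continue after NEXT()
                loop_head, pc = None, end + 1
            elif eval_expr(m.group(1), env):
                pc += 1
            else:
                loop_head, pc = None, end + 1
        elif cell == "NEXT()":
            pc = loop_head                     # jump back to the loop head
        elif cell == "HALT()":
            break
        else:
            raise ValueError(f"unsupported cell: {cell}")
    return env, iocs, status


# Constructed sample: the loop terminates and the URL is only assembled afterwards.
TERMINATING = [
    "SET.NAME(n,0)", 'SET.NAME(host,"example.test")',
    "WHILE(n<3)", "SET.NAME(n,n+1)", "NEXT()",
    'SET.NAME(url,"http://"&host&"/dl?id="&n)', "HALT()",
]
# Constructed sample: the counter is never advanced, so the loop would spin forever,
# but the download URL is produced in the loop body on the first pass.
NON_TERMINATING = [
    "SET.NAME(n,0)", 'SET.NAME(host,"example.test")',
    "WHILE(n<3)", 'SET.NAME(url,"http://"&host&"/stage2.exe")', "NEXT()",
    "SET.NAME(done,1)", "HALT()",
]

if __name__ == "__main__":
    for label, sheet in (("terminating", TERMINATING), ("non-terminating", NON_TERMINATING)):
        print(label, emulate(sheet, max_iterations=50))
```

Running the second sheet without a cap would never return; with the cap, the emulator reports `loop_limit`, still executes the cells after `NEXT()`, and the URL generated on the first pass through the loop body is already in the IOC list. The cap is a trade-off: a loop that legitimately needs more passes than the limit is cut short, so the status should be surfaced in the report rather than silently treated as a complete analysis.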