Possible false positive origins of "calls" #5

Closed
Dump-GUY opened this issue Jul 18, 2020 · 3 comments
Comments


Dump-GUY commented Jul 18, 2020

I found some wrong RVA origins of calls traced in the .tag file. I found out that many traced APIs saved in the .tag file have their RVA origin in many assembler instructions that are not calls, like mov, push... So I can't figure out where the problem is... The code is not self-modifying and also not packed...
I used PIN version 3.15, Tiny Tracer 1.3.2, and compiled it in Visual Studio 2019. Tested on Win7 Pro 64-bit.
Tested sample: RemcosRAT - pass:infected (https://www105.zippyshare.com/v/FGP4Yhw5/file.html) ; dd488af61f792c89265fd783f3ec4a18

[Screenshots attached: bookmarks_showing_not_call_origins2, bookmarks_showing_not_call_origins]

@Dump-GUY (Author)

After some tests, Win 10 64-bit 1909 produced the same results as on Win7 64-bit. But I tested other samples, and out of 15 samples there was only an issue with the RemcosRAT (link included before), where, as I said, all origins of real calls/jmps are resolved correctly; only a few other assembler instructions are wrong. But this was reproducible only with the RemcosRAT sample. I also tried to compile it on Win7 64-bit, with the same results. It is probably some PIN issue relevant to a rare sample.

@hasherezade (Owner)

hasherezade commented Jul 19, 2020

Thank you for reporting. I spent a full day trying to debug it and making experiments.
First I tried to reproduce it on my main machine, using different VMs: Windows 7 32-bit and Windows 10 64-bit, but I got clean traces:

  1. The trace from Windows 7
  2. The trace from Windows 10

Then, after many attempts, I found a machine where I managed to reproduce it (Windows 7 32-bit, real machine). The glitches are consistent with what you observed, so I can rather exclude concurrency issues from the possible reasons.

Also, I used exactly the same package (PIN + Tiny Tracer), the same builds, on both machines, and on one it was working well, but not on the other. Interestingly, the results from the same physical machine seem to be the same, no matter what VMs we are using. So maybe it is related to how PIN handles some differences in a processor?

For now I am catching up with my work to meet some close deadlines, but once I am done, I will dig through it again.

@hasherezade (Owner)

It seems that it is fixed now. Feel free to close this issue if you think all tests pass. Thank you for your contribution to improving TinyTracer!
