Import reconstruction is not working

[shuiyc]

I attempted to unpack a simple UPX sample, but I found that the resulting file of dump-on-api could not run because the IAT was not fixed. After reading the code, I noticed that the related functionality in ScyllaHarness.cpp is disabled by default, so I enabled it.

Additionally, I found that the DumpImageInCurrentProcess function in CAPE.c calls the DumpProcess function, where the FixImport parameter is set to FALSE. I changed it to TRUE, but unfortunately, the IAT still could not be fixed. The related debugging information is shown in the attached image.

Could you please advise on what further modifications I need to make to enable the IAT repair functionality of capemon? Also, I am curious why this IAT repair feature is disabled by default. Thank you very much for your assistance!

[kevoreilly]

It shouldn't be necessary to use dump-on-api to unpack a UPX-packed sample - there exists a specific unpacker yara for that. It looks like from the logs this is working fine - the first payload with hash bd88cd... will have the correct entry point and will
be dumped before any unpacked code has executed... However this doesn't address the import reconstruction failure.

That is something that I haven't tested in years, you may be the first to notice it's broken for a similar time period. The reason it's not enabled by default for all jobs is that it adds complexity and risk of crashing, which itself might impact detonation quality. But like anything with cape - if it was proven to be be solid enough it might be something that could be switched on in future.

If you can supply a bit more info such as whether it's any UPX samples or a specific one, whether it's a 32-bit or 64-bit sample, etc. If it's a specific sample please share it.

[shuiyc]

I used the dump-on-api feature because I think it has the capability of a generic unpacker.Therefore, I wanted to test it

The test sample is very simple, and the source code is as follows:

#include <stdio.h>
#include <Windows.h>

int main() {
	WinExec("calc.exe", SW_SHOWNORMAL);
	return 0;
}

I compiled it into a 32-bit sample and packed it using UPX. Then, I set the option to dump-on-api=WinExec, so that when the WinExec API is hooked, the correct image can be dumped. To prevent any unexpected issues, I even disabled the ASLR during compilation. In fact, everything worked well until I discovered that the resulting file has a broken IAT.

If I force the FixImport parameter to TRUE, the first payload will be recognized as an "Invalid PE file", which causes the IAT reconstruction to stop.And no files are uploaded to my host

[kevoreilly]

While I used the dump-on-api feature because I think it has the capability of a generic unpacker is a perfectly reasonable assumption, it is not correct.

Let's consider into two stages - unpacking and import reconstruction. These stages are independent. So if a PE payload is dumped using any mechanism in capemon, without import reconstruction enabled it will be 'fixed' or 'unmapped' but it won't have imports reconstructed.

So you don't need this dump-on-api mechanism. It's technically inferior to the unpacking mechanism that is already happening automatically. To wait until after the unpacked sample has unpacked and has begun executing is less optimal. To add to this, the entry point in the PE header for your dump will be wrong, whereas the entry point resulting from the proper UPX unpacker yara is correct. So let me just reiterate this so that we don't waste any more time discussing the unpacking mechanism and can focus on the real issue which is that import reconstruction is broken!

I have enough info now thanks - I can see for myself that it is indeed not working. So let me have a proper look into fixing it and I will get back to you.

[shuiyc]

Thanks for your explanation! I'll be waiting for your reply.

[kevoreilly]

Import reconstruction is hopefully now fixed! Please do test with your sample(s) and let me know if there are any issues.

For what it's worth, if you would like to enable import reconstruction for all UPX-packed samples then you can simply add the import_reconstruction=1 option to the existing options in the UPX unpacker YARA:

analyzer/windows/data/yara/UPX.yar

rule UPX
{
    meta:
        author = "kevoreilly"
        description = "UPX dump on OEP (original entry point)"
        cape_options = "bp0=$upx32*,bp0=$upx64*,hc0=1,action0=step2oep,import_reconstruction=1"
    strings:
        $upx32 = {6A 00 39 C4 75 FA 83 EC ?? E9}
        $upx64 = {6A 00 48 39 C4 75 F9 48 83 EC [1-16] E9}
    condition:
        uint16(0) == 0x5A4D and any of them
}

This is a change I will consider making in the main repo - however as I mentioned since any issues or bugs here could detrimentally affect detonation of relevant samples, the bar for testing a universal change like this is quite high.

[kevoreilly]

Just re-reading your original post I wanted to just make sure you knew that you can enable import reconstruction as an advanced submission option:

An alternative is to put import_reconstruction=1 in the submission options:

You shouldn't need to touch the source or compile anything to access any feature in capemon!