Potentially unreliable feature extraction on ELF sample #1268

Open
mr-tz opened this issue Jan 6, 2023 · 10 comments
Labels
blocked-on-viv blocked on a vivisect bug/release bug Something isn't working viv-bug

Comments

@mr-tz (Collaborator)

mr-tz commented Jan 6, 2023

When running the rule below on 294b8db1f2702b60fb2e42fdc50c2cee6a5046112da9a5703a548a4fa50477bc, vivisect sometimes extracts the localtime API feature and sometimes it doesn't. Is there a bug in the extractor, vivisect, or elsewhere?

rule:
  meta:
    name: get system time on Linux
    namespace: host-interaction/os/info
    authors:
      - "@ramen0x3f"
    scope: function
    examples:
      - 294b8db1f2702b60fb2e42fdc50c2cee6a5046112da9a5703a548a4fa50477bc:0x404970
  features:
    - and:
      - os: linux
      - or:
        - api: localtime

ref: mandiant/capa-rules#654

mr-tz added the "bug" (Something isn't working) label on Jan 6, 2023
@williballenthin (Collaborator)

agree that the feature is not extracted:
[screenshot]

[screenshot]

viv doesn't seem to be finding the surrounding function (sub_404970):
[screenshot]

@williballenthin (Collaborator)

[screenshot]

[screenshot]

viv doesn't recognize the reference to function sub_40BB10 (that calls sub_404970)

@williballenthin (Collaborator)

prolog of that function is quite standard:
[screenshot]

@mr-tz (Collaborator, Author)

mr-tz commented Jan 9, 2023

Sometimes it does though?! I'm pretty sure I saw runs where vivisect worked...

@williballenthin (Collaborator)

I haven't seen it work on my machine, but if it's an issue of timing or something, that's maybe not surprising. If you can try a few more times and confirm that it sometimes works, then I'll dive more into viv.

@williballenthin (Collaborator)

williballenthin commented Jan 9, 2023

it seems like the emucode analyzer is supposed to work here. digging into why it doesn't work as expected.

@mr-tz (Collaborator, Author)

mr-tz commented Jan 9, 2023

Interesting! No match on new workspace every time:

> while true; do rm ../tests/data/294b8db1f2702b60fb2e42fdc50c2cee6a5046112da9a5703a548a4fa50477bc.elf_.viv; ~/venv/bin/python ../scripts/show-features.py ../tests/data/294b8db1f2702b60fb2e42fdc50c2cee6a5046112da9a5703a548a4fa50477bc.elf_ | grep "api(localtime)"; done

Match when reusing the existing workspace!?

> while true; do ~/venv/bin/python ../scripts/show-features.py ../tests/data/294b8db1f2702b60fb2e42fdc50c2cee6a5046112da9a5703a548a4fa50477bc.elf_ | grep -a "api(localtime)"; done
  insn: 0x404A45: api(localtime)
  insn: 0x404A45: api(localtime)
  insn: 0x404A45: api(localtime)
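The fresh-workspace versus cached-workspace comparison above can be made mechanical. The following is an added example for this issue, not capa's or vivisect's own code: it parses the output of several `show-features.py` runs and reports every feature that is present in some runs but not all. It assumes each feature line has the shape `<scope>: <hex address>: <feature>`, generalized from the single `insn: 0x404A45: api(localtime)` line visible above (lines that do not match are ignored); the three sample runs embedded in the block are constructed for the demo, not captured tool output, and the script name `flaky_features.py` is likewise an assumption.

```python
"""Report show-features output lines that differ between otherwise identical runs.

Added example for this issue; not capa's or vivisect's own code.
"""
import re
import sys
from collections import Counter
from pathlib import Path
from typing import Dict, FrozenSet, List, Tuple

# Assumption: every feature line looks like "<scope>: <hex address>: <feature>",
# generalized from the one "insn: 0x404A45: api(localtime)" line in the issue.
FEATURE_RE = re.compile(
    r"^\s*(?P<scope>\w+):\s+(?P<addr>0x[0-9A-Fa-f]+):\s+(?P<feature>\S.*?)\s*$"
)

Feature = Tuple[str, int, str]  # (scope, address, feature text)


def parse_show_features(text: str) -> FrozenSet[Feature]:
    """Extract (scope, address, feature) triples; non-matching lines are skipped."""
    found = set()
    for line in text.splitlines():
        m = FEATURE_RE.match(line)
        if m is None:
            continue
        found.add((m.group("scope"), int(m.group("addr"), 16), m.group("feature")))
    return frozenset(found)


def flaky_features(runs: List[FrozenSet[Feature]]) -> Dict[Feature, int]:
    """Features missing from at least one run, mapped to how many runs did contain them.

    An empty result means every run produced exactly the same feature set.
    """
    if not runs:
        return {}
    counts: Counter = Counter()
    for run in runs:
        counts.update(run)  # each feature is counted once per run (sets have no duplicates)
    return {feat: n for feat, n in counts.items() if n < len(runs)}


def format_report(flaky: Dict[Feature, int], total_runs: int) -> str:
    """One line per flaky feature, ordered by address, scope, then feature text."""
    lines = []
    ordered = sorted(flaky.items(), key=lambda kv: (kv[0][1], kv[0][0], kv[0][2]))
    for (scope, addr, feature), n in ordered:
        lines.append(f"0x{addr:X} {scope} {feature}: {n}/{total_runs} runs")
    return "\n".join(lines)


# Constructed sample output (not captured from the tool): the second run lacks the
# call site at 0x404A45, as happens when the enclosing function is not recovered.
RUN_WITH_LOCALTIME = """\
  insn: 0x404A20: mnemonic(mov)
  insn: 0x404A45: api(localtime)
  insn: 0x404A45: mnemonic(call)
"""
RUN_WITHOUT_LOCALTIME = """\
  insn: 0x404A20: mnemonic(mov)
"""


def main(argv: List[str]) -> int:
    if len(argv) > 1:
        # usage: python flaky_features.py run1.txt run2.txt ...
        texts = [Path(p).read_text(encoding="utf-8", errors="replace") for p in argv[1:]]
    else:
        texts = [RUN_WITH_LOCALTIME, RUN_WITHOUT_LOCALTIME, RUN_WITH_LOCALTIME]
    runs = [parse_show_features(t) for t in texts]
    flaky = flaky_features(runs)
    print(format_report(flaky, len(runs)) or "no differences across runs")
    return 1 if flaky else 0  # non-zero exit makes the check usable in a loop or CI job


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Feeding it the saved output of each iteration of the `while true` loops (one file per run, fresh workspace and cached workspace alike) turns the "sometimes" into a count per feature, which is the evidence worth attaching to an upstream report.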

@mr-tz (Collaborator, Author)

mr-tz commented Jan 9, 2023

All exported features for a run that includes api(localtime):
feats.txt

@williballenthin (Collaborator)

[This comment was marked as outdated.]

@williballenthin (Collaborator)

root cause reported upstream. we'll be blocked on viv here, unless we want to introduce our own viv passes with capa to better handle things like this.
