<h1>zer0m0n &amp; ReactOS Build Environment</h1>
<p>Jurriaan Bremer, cuckoo.sh blog (<a class="reference external" href="https://cuckoo.sh/blog/">https://cuckoo.sh/blog/</a>), 2016-09-14</p>
<p>Many of you will know <a class="reference external" href="https://github.com/angelkillah/zer0m0n">zer0m0n</a>, a
<strong>kernel driver developed for Cuckoo Sandbox</strong> by Nicolas Correia, Adrien
Chevalier, and Cyril Moreau. In particular, <tt class="docutils literal">zer0m0n</tt> has been developed to
improve the analysis capabilities of Cuckoo as well as to further hide its presence.</p>
<p>After almost three years of part-time development by the French guys, the time
has come for the Cuckoo team to <strong>mainstream its integration and usage</strong>.
However, as most if not all Cuckoo developers (and users) run Linux-based
operating systems, it is preferable that we find a way to develop 32-bit and
64-bit Windows kernel drivers on Linux-based systems.</p>
<p>After reaching out to <a class="reference external" href="https://twitter.com/aionescu">Alex Ionescu</a>,
the Windows kernel guru himself, I was informed that
<a class="reference external" href="https://www.reactos.org/">ReactOS</a> has an entire
<a class="reference external" href="https://www.reactos.org/wiki/Build_Environment">ReactOS Build Environment</a>
(aka <tt class="docutils literal">RosBE</tt> from now on). This was all pretty easy to get started with and
I had built my own ReactOS kernel within the hour, or so. Unfortunately
though, based on <a class="reference external" href="https://www.reactos.org/wiki/AMD64">the</a>
<a class="reference external" href="https://www.dreimer.de/?p=1212">limited</a>
<a class="reference external" href="https://www.reactos.org/forum/viewtopic.php?p=79626">resources</a>
<a class="reference external" href="https://winehq.org.ru/ROS_Port_AMD64">available</a>
on this topic, currently it’s <strong>not possible to build a 64-bit ReactOS kernel
on non-Windows based systems</strong>. Naturally this needs to be investigated, as
ReactOS provides everything else that you will need for building Windows
kernel drivers (<span class="caps">API</span> definitions, header files, etc.) without the use of <span class="caps">MSVC</span>.
(It is preferable not to have to copy over all of the structure and function
definitions for your own little project when ReactOS has already done all of the
hard work on that front.)</p>
<div class="section" id="setting-up-the-initial-rosbe">
<h2>Setting up the initial RosBE</h2>
<p>For completeness’ sake - so that we can refer potential contributors of
<tt class="docutils literal">zer0m0n</tt> to this "setup" guide - we will be going through the build
environment setup here. This guide has been written with Ubuntu 14.04 in mind,
given that it’s also ReactOS’ go-to operating system for development.</p>
<p>First of all, fetch <tt class="docutils literal"><span class="pre">RosBE-Unix-2.1.2.tar.bz2</span></tt> from SourceForge
(am I right?): <a class="reference external" href="https://sourceforge.net/projects/reactos/files/RosBE-Unix/">https://sourceforge.net/projects/reactos/files/RosBE-Unix/</a></p>
<p>Install some required packages, unpack the <tt class="docutils literal">RosBE</tt> archive, and set up the
build environment.</p>
<div class="highlight"><pre><span></span><span class="c1"># Could be this list is incomplete.</span>
$ sudo apt-get install texinfo bison flex mingw-w64 libz-dev
<span class="c1"># Unpack archive.</span>
$ tar xfj RosBE-Unix-2.1.2.tar.bz2
<span class="c1"># Set up a local RosBE, not a global one.</span>
<span class="c1"># Type "yes" in the prompt and wait a bit.</span>
<span class="c1"># This is going to warm up your apartment.</span>
$ <span class="nb">cd</span> RosBE-Unix-2.1.2
$ ./RosBE-Builder.sh ~/rosbe
</pre></div>
<p>We now have the RosBE ready to be used. In fact, we’re just a couple commands
away from building the entire ReactOS kernel (and related files).</p>
</div>
<div class="section" id="building-reactos">
<h2>Building ReactOS</h2>
<p>Building ReactOS consists of starting the RosBE session, cloning the ReactOS
Git repository, and building it through the <tt class="docutils literal">ninja</tt> command.</p>
<div class="highlight"><pre><span></span><span class="c1"># Enter a RosBE session.</span>
$ ~/rosbe/RosBE.sh
<span class="c1"># Clone the repository.</span>
$ git clone https://github.com/reactos/reactos
<span class="c1"># Prepare ReactOS build.</span>
$ <span class="nb">cd</span> reactos/reactos
$ ./configure.sh
<span class="c1"># Build ReactOS (this will also heat your apartment).</span>
$ <span class="nb">cd</span> output-MinGW-i386/reactos
$ ninja
</pre></div>
<p>We can remove the ReactOS build by running the <tt class="docutils literal">clean</tt> command from the
correct directory.</p>
<div class="highlight"><pre><span></span>$ <span class="nb">cd</span> ../..
$ clean
</pre></div>
<p>Now onto the real goal of this blogpost, modifying ReactOS in such a way that
we can use it to compile 64-bit Windows kernel drivers on our Ubuntu system.</p>
</div>
<div class="section" id="what-s-in-a-compilation">
<h2>What’s in a compilation?</h2>
<p>Before building <tt class="docutils literal">zer0m0n</tt> or anything custom, we’re first going to take a
look under the hood when compiling a relatively simple ReactOS-related driver.
For no particular reason we settled on the <a class="reference external" href="https://github.com/reactos/reactos/tree/master/reactos/drivers/usb/usbd">usbd driver</a>. The <tt class="docutils literal">usbd</tt>
driver consists of the actual implementation file as well as a resource file
that defines its exported functions.</p>
<p>This is where it gets a little bit hairy. So, rather than delving into CMake
internals (of which I’m not an expert), I settled on using the following
<tt class="docutils literal">strace</tt> command to find all invocations of <tt class="docutils literal">mingw32</tt> (<span class="caps">GCC</span> for Windows, so
to speak). Note that <tt class="docutils literal">ninja usbd</tt> only builds the <tt class="docutils literal">usbd</tt> driver rather than everything.</p>
<div class="highlight"><pre><span></span><span class="c1"># Follow children, show long strings, limit to execve(2), be quiet.</span>
$ strace -f -s <span class="m">999999</span> -e execve -qq ninja usbd
</pre></div>
<p>Copying and pasting the executed commands, we get something like the following,
except that this snippet omits lots and lots of compiler switches, macro
definitions, and what have you.</p>
<div class="highlight"><pre><span></span>$ rm -rf drivers/usb/usbd/CMakeFiles/* drivers/usb/usbd/usbd.sys
$ mkdir -p drivers/usb/usbd/CMakeFiles/usbd.dir/
$ i686-w64-mingw32-gcc <span class="o">[</span> ... <span class="o">]</span> <span class="se">\</span>
-o drivers/usb/usbd/CMakeFiles/usbd.dir/usbd.c.obj <span class="se">\</span>
-c ../../drivers/usb/usbd/usbd.c
$ i686-w64-mingw32-windres -O coff <span class="o">[</span> ... <span class="o">]</span> <span class="se">\</span>
/home/jbr/reactos/reactos/drivers/usb/usbd/usbd.rc <span class="se">\</span>
drivers/usb/usbd/CMakeFiles/usbd.dir/usbd.rc.res
$ i686-w64-mingw32-gcc -E -xc-header <span class="o">[</span> ... <span class="o">]</span> <span class="se">\</span>
/home/jbr/reactos/reactos/drivers/usb/usbd/usbd.rc
$ i686-w64-mingw32-gcc <span class="o">[</span> ... <span class="o">]</span> -shared <span class="se">\</span>
-o drivers/usb/usbd/usbd.sys <span class="se">\</span>
drivers/usb/usbd/CMakeFiles/usbd.dir/usbd.c.obj <span class="o">[</span> ... <span class="o">]</span>
</pre></div>
<p>The point is that, at first sight, we should be able to trivially
modify these commands into building a 64-bit <tt class="docutils literal">usbd.sys</tt> file. This only
brings up a couple of minor issues, which we’ll delve into right now.</p>
</div>
<div class="section" id="bit-compilation">
<h2>64-bit Compilation</h2>
<p>Note that before running any of the next steps, you must have built some of
the related components with 32-bit as the target (simply running <tt class="docutils literal">ninja</tt> will
literally compile over 9000 things, whereas the following command builds just a
couple of hundred).</p>
<div class="highlight"><pre><span></span><span class="c1"># From the output-MinGW-i386/reactos directory.</span>
$ ninja ntoskrnl hal usbd xdk
</pre></div>
<p>Modifying the commands to represent 64-bit arguments requires only a couple of
changes to the commands that we had obtained earlier.</p>
<ul class="simple">
<li>Change of the <tt class="docutils literal">i686</tt> command prefixes into <tt class="docutils literal">x86_64</tt>.</li>
<li>Removal of the <tt class="docutils literal"><span class="pre">-march=pentium</span></tt>, <tt class="docutils literal"><span class="pre">-mtune=i686</span></tt>, and <tt class="docutils literal"><span class="pre">-mpreferred-stack-boundary=3</span></tt> arguments.</li>
<li>Removal of the <tt class="docutils literal"><span class="pre">-D__i386__</span></tt>, <tt class="docutils literal"><span class="pre">-Di386</span></tt>, <tt class="docutils literal"><span class="pre">-D_X86_</span></tt>, <tt class="docutils literal"><span class="pre">-D_M_IX86</span></tt>, and <tt class="docutils literal"><span class="pre">-D_USE_32BIT_TIME_T</span></tt> macro definitions.</li>
<li>Rewriting the entry function name parameter <tt class="docutils literal"><span class="pre">-Wl,-entry,_DriverEntry@8</span></tt> to <tt class="docutils literal"><span class="pre">-Wl,-entry,DriverEntry</span></tt>.</li>
</ul>
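<p>Rather than applying these four edits by hand to every command that <tt class="docutils literal">strace</tt> captured, the following added Python helper (not code from the original post or from RosBE) performs them mechanically on each command line, and also descends into a command passed as a single quoted argument, as the <tt class="docutils literal">windres --preprocessor</tt> string is. The script name and the sample command lines are assumptions for illustration.</p>

```python
"""Rewrite captured 32-bit (i686) ReactOS build commands into 64-bit ones.

Added example, not code from the original post: it applies the four edits
listed above to each command line recorded by strace, instead of editing the
bash script by hand. Nested commands (e.g. the string passed to windres via
--preprocessor) are rewritten recursively.
"""
import shlex

OLD_PREFIX = "i686-w64-mingw32-"
NEW_PREFIX = "x86_64-w64-mingw32-"

# Arguments that only make sense for a 32-bit target: codegen flags (rule 2)
# and the i386 macro definitions (rule 3).
DROP_ARGS = frozenset({
    "-march=pentium", "-mtune=i686", "-mpreferred-stack-boundary=3",
    "-D__i386__", "-Di386", "-D_X86_", "-D_M_IX86", "-D_USE_32BIT_TIME_T",
})
ENTRY_FLAG = "-Wl,-entry,"


def undecorate_entry(symbol):
    """'_DriverEntry@8' -> 'DriverEntry' (rule 4).

    On 32-bit Windows a __stdcall symbol carries a leading underscore and an
    '@N' suffix giving the argument bytes; x64 has neither.
    """
    if "@" in symbol:
        symbol = symbol[:symbol.rfind("@")]
    return symbol[1:] if symbol.startswith("_") else symbol


def to_x64_args(args):
    """Apply all four rules to one argv list and return the new list."""
    out = []
    for arg in args:
        if " " in arg:
            # A whole command passed as one argument (windres --preprocessor "..."):
            # rewrite it with the same rules.
            out.append(to_x64_command(arg))
            continue
        if arg.startswith(OLD_PREFIX):          # rule 1: gcc, windres, dlltool, ...
            arg = NEW_PREFIX + arg[len(OLD_PREFIX):]
        if arg in DROP_ARGS:                    # rules 2 and 3
            continue
        if arg.startswith(ENTRY_FLAG):          # rule 4
            arg = ENTRY_FLAG + undecorate_entry(arg[len(ENTRY_FLAG):])
        out.append(arg)
    return out


def to_x64_command(cmd):
    """Rewrite one shell command line; shlex keeps the quoting intact."""
    return " ".join(shlex.quote(a) for a in to_x64_args(shlex.split(cmd)))


def rewrite_script(lines):
    """Rewrite every command line of a captured script; comments and blank lines pass through."""
    return [line if not line.strip() or line.lstrip().startswith("#")
            else to_x64_command(line) for line in lines]


if __name__ == "__main__":
    import sys
    # Usage (assumed script name): python rewrite_x64.py < cmds-i686.sh > cmds-x86_64.sh
    sys.stdout.write("\n".join(rewrite_script(sys.stdin.read().splitlines())) + "\n")
```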
<p>Having applied these changes to our bash script, we can now try to build the
64-bit <tt class="docutils literal">usbd.sys</tt> driver. We will run into exactly two other issues.</p>
<ul class="simple">
<li>Incompatible <tt class="docutils literal">libntoskrnl.a</tt> and <tt class="docutils literal">libhal.a</tt> files.</li>
<li>A couple minor compilation issues.</li>
</ul>
<p>To be precise, we will be getting <tt class="docutils literal">symbol not defined</tt> and <tt class="docutils literal">undefined
reference</tt> errors.</p>
<div class="highlight"><pre><span></span>Cannot export USBD_CalculateUsbBandwidth@12: symbol not defined
Cannot export USBD_CreateConfigurationRequest@8: symbol not defined
</pre></div>
<div class="highlight"><pre><span></span>../../drivers/usb/usbd/usbd.c:77: undefined reference to `__imp_ExAllocatePoolWithTag'
../../drivers/usb/usbd/usbd.c:86: undefined reference to `__imp_ExFreePool'
</pre></div>
<p>These errors occur due to the 32-bit definitions in the <tt class="docutils literal">.def</tt> files. We already
changed one such instance by renaming <tt class="docutils literal">_DriverEntry@8</tt> to <tt class="docutils literal">DriverEntry</tt>,
and we will be doing the same for the <tt class="docutils literal">libhal.a</tt>, <tt class="docutils literal">libntoskrnl.a</tt>, and
<tt class="docutils literal">usbd.sys</tt> related files. In particular, when compiling 32-bit
applications, the <tt class="docutils literal">@8</tt> part declares the amount of stack space that is
required for the arguments of this function - four bytes per argument. This is
part of the <tt class="docutils literal">__stdcall</tt> calling convention. When compiling for 64-bit,
however, there’s only one calling convention, and these decorations are not
part of it - it is therefore a problem for the compiler if you do explicitly
specify the <tt class="docutils literal">@8</tt> etc.</p>
<p>Simply put, we will be stripping everything from the last <tt class="docutils literal">@</tt> token onwards
for the following files.</p>
<ul class="simple">
<li><tt class="docutils literal">hal/halx86/libhal_implib.def</tt></li>
<li><tt class="docutils literal">ntoskrnl/libntoskrnl_implib.def</tt></li>
<li><tt class="docutils literal">drivers/usb/usbd/usbd.def</tt></li>
</ul>
<p>As an example, we change the <tt class="docutils literal">libntoskrnl_implib.def</tt> file as follows.</p>
<div class="highlight"><pre><span></span>; File generated automatically, do not edit!
NAME ntoskrnl.exe
EXPORTS
- CcCanIWrite@16
- CcCopyRead@24
- CcCopyWrite@20
+ CcCanIWrite
+ CcCopyRead
+ CcCopyWrite
[ ... ]
</pre></div>
<p>After doing so we have to create new <tt class="docutils literal">libhal.a</tt> and
<tt class="docutils literal">libntoskrnl.a</tt> files; this may be done using the following commands.</p>
<div class="highlight"><pre><span></span><span class="c1"># From the output-MinGW-i386/reactos directory.</span>
$ x86_64-w64-mingw32-dlltool --def ntoskrnl/libntoskrnl_implib.def --kill-at --output-lib<span class="o">=</span>ntoskrnl/libntoskrnl.a
$ x86_64-w64-mingw32-dlltool --def hal/halx86/libhal_implib.def --kill-at --output-lib<span class="o">=</span>hal/halx86/libhal.a
</pre></div>
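<p>The <tt class="docutils literal">.def</tt> edit and the <tt class="docutils literal">dlltool</tt> regeneration above can be done together; the following added Python script (not from the original post or from ReactOS) strips the decorations from the three listed files under a build directory and returns the <tt class="docutils literal">dlltool</tt> argument vectors to run. It generalises the "everything from the last <tt class="docutils literal">@</tt>" rule slightly: only an <tt class="docutils literal">@</tt> plus digits glued to a name is removed, so a <tt class="docutils literal">name=internal</tt> alias loses both suffixes while a separate <tt class="docutils literal">@ordinal</tt> field survives. The script name and the build-directory argument are assumptions.</p>

```python
"""Strip 32-bit __stdcall decorations from ReactOS import-library .def files.

Added example, not from the original post or ReactOS: it performs the manual
edit described above ('@N' dropped from each export) for the three .def files
listed in the text and then produces the dlltool commands that rebuild
libntoskrnl.a and libhal.a for x86_64.
"""
import re
from pathlib import Path

# '@N' directly after an identifier character; a separate ' @12' ordinal field
# (preceded by a space) is left untouched.
DECORATION = re.compile(r"(?<=\w)@\d+")
# Lines that are directives or comments rather than export entries.
DIRECTIVE = re.compile(r"^\s*(;|NAME\b|LIBRARY\b|EXPORTS\b)")

# The three files the post edits, relative to the build directory, paired with
# the import library dlltool regenerates from each (usbd.def has none).
DEF_FILES = {
    "hal/halx86/libhal_implib.def": "hal/halx86/libhal.a",
    "ntoskrnl/libntoskrnl_implib.def": "ntoskrnl/libntoskrnl.a",
    "drivers/usb/usbd/usbd.def": None,
}


def strip_decorations(def_text):
    """Return the .def text with '@N' removed from every export entry."""
    out = []
    for line in def_text.splitlines():
        if not DIRECTIVE.match(line):
            line = DECORATION.sub("", line)
        out.append(line)
    return "\n".join(out) + ("\n" if def_text.endswith("\n") else "")


def dlltool_command(def_path, lib_path):
    """argv for regenerating a 64-bit import library, as in the post's commands."""
    return ["x86_64-w64-mingw32-dlltool", "--def", def_path,
            "--kill-at", "--output-lib=" + lib_path]


def convert_tree(build_dir):
    """Rewrite the three .def files in place under build_dir; return dlltool argvs."""
    commands = []
    for rel, lib in DEF_FILES.items():
        path = Path(build_dir) / rel
        path.write_text(strip_decorations(path.read_text()))
        if lib:
            commands.append(dlltool_command(rel, lib))
    return commands


if __name__ == "__main__":
    import subprocess
    import sys
    # Usage (assumed script name): python defs_x64.py output-MinGW-x86_64/reactos
    for argv in convert_tree(sys.argv[1]):
        subprocess.run(argv, cwd=sys.argv[1], check=True)
```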
<p>We are also required to make a couple of minor header file modifications; the
patch for that looks as follows (surely there are better workarounds).</p>
<div class="highlight"><pre><span></span><span class="n">diff</span> <span class="o">--</span><span class="n">git</span> <span class="n">a</span><span class="o">/</span><span class="n">reactos</span><span class="o">/</span><span class="n">sdk</span><span class="o">/</span><span class="n">include</span><span class="o">/</span><span class="n">crt</span><span class="o">/</span><span class="n">_mingw</span><span class="p">.</span><span class="n">h</span> <span class="n">b</span><span class="o">/</span><span class="n">reactos</span><span class="o">/</span><span class="n">sdk</span><span class="o">/</span><span class="n">include</span><span class="o">/</span><span class="n">crt</span><span class="o">/</span><span class="n">_mingw</span><span class="p">.</span><span class="n">h</span>
<span class="n">index</span> <span class="mi">203</span><span class="n">ac56</span><span class="p">..</span><span class="n">e72b1d0</span> <span class="mi">100644</span>
<span class="o">---</span> <span class="n">a</span><span class="o">/</span><span class="n">reactos</span><span class="o">/</span><span class="n">sdk</span><span class="o">/</span><span class="n">include</span><span class="o">/</span><span class="n">crt</span><span class="o">/</span><span class="n">_mingw</span><span class="p">.</span><span class="n">h</span>
<span class="o">+++</span> <span class="n">b</span><span class="o">/</span><span class="n">reactos</span><span class="o">/</span><span class="n">sdk</span><span class="o">/</span><span class="n">include</span><span class="o">/</span><span class="n">crt</span><span class="o">/</span><span class="n">_mingw</span><span class="p">.</span><span class="n">h</span>
<span class="err">@@</span> <span class="o">-</span><span class="mi">168</span><span class="p">,</span><span class="mi">7</span> <span class="o">+</span><span class="mi">168</span><span class="p">,</span><span class="mi">9</span> <span class="err">@@</span> <span class="n">allow</span> <span class="n">GCC</span> <span class="n">to</span> <span class="n">optimize</span> <span class="n">away</span> <span class="n">some</span> <span class="n">EH</span> <span class="n">unwind</span> <span class="n">code</span><span class="p">,</span> <span class="n">at</span> <span class="n">least</span> <span class="n">in</span> <span class="n">DW2</span> <span class="k">case</span><span class="p">.</span> <span class="err">*/</span>
<span class="cp">#define __int32 int</span>
<span class="cp">#define __int64 long long</span>
<span class="cp">#ifdef _WIN64</span>
<span class="o">+</span><span class="cm">/*</span>
<span class="cm"> typedef int __int128 __attribute__ ((mode (TI)));</span>
<span class="cm">+*/</span>
<span class="cp"># endif</span>
<span class="cp"># define __ptr32</span>
<span class="cp"># define __ptr64</span>
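Review bot: the +/* and +*/ pair around "typedef int __int128 __attribute__ ((mode (TI)));" disables that typedef for every _WIN64 build without recording why. Modern GCC already provides __int128 as a built-in type, so redeclaring it as a typedef is the likely error here; guarding the typedef with "#ifndef __SIZEOF_INT128__" (GCC defines that macro exactly when native __int128 is available) keeps the fallback for older compilers and documents the reason in place instead of commenting the line out.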
<span class="n">diff</span> <span class="o">--</span><span class="n">git</span> <span class="n">a</span><span class="o">/</span><span class="n">reactos</span><span class="o">/</span><span class="n">sdk</span><span class="o">/</span><span class="n">include</span><span class="o">/</span><span class="n">crt</span><span class="o">/</span><span class="n">mingw32</span><span class="o">/</span><span class="n">intrin_x86</span><span class="p">.</span><span class="n">h</span> <span class="n">b</span><span class="o">/</span><span class="n">reactos</span><span class="o">/</span><span class="n">sdk</span><span class="o">/</span><span class="n">include</span><span class="o">/</span><span class="n">crt</span><span class="o">/</span><span class="n">mingw32</span><span class="o">/</span><span class="n">intrin_x86</span><span class="p">.</span><span class="n">h</span>
<span class="n">index</span> <span class="n">e325785</span><span class="p">..</span><span class="n">d575465</span> <span class="mi">100644</span>
<span class="o">---</span> <span class="n">a</span><span class="o">/</span><span class="n">reactos</span><span class="o">/</span><span class="n">sdk</span><span class="o">/</span><span class="n">include</span><span class="o">/</span><span class="n">crt</span><span class="o">/</span><span class="n">mingw32</span><span class="o">/</span><span class="n">intrin_x86</span><span class="p">.</span><span class="n">h</span>
<span class="o">+++</span> <span class="n">b</span><span class="o">/</span><span class="n">reactos</span><span class="o">/</span><span class="n">sdk</span><span class="o">/</span><span class="n">include</span><span class="o">/</span><span class="n">crt</span><span class="o">/</span><span class="n">mingw32</span><span class="o">/</span><span class="n">intrin_x86</span><span class="p">.</span><span class="n">h</span>
<span class="err">@@</span> <span class="o">-</span><span class="mi">739</span><span class="p">,</span><span class="mi">6</span> <span class="o">+</span><span class="mi">739</span><span class="p">,</span><span class="mi">7</span> <span class="err">@@</span> <span class="n">__INTRIN_INLINE</span> <span class="kt">void</span> <span class="n">__movsd</span><span class="p">(</span><span class="kt">unsigned</span> <span class="kt">long</span> <span class="o">*</span> <span class="n">Destination</span><span class="p">,</span> <span class="k">const</span> <span class="kt">unsigned</span> <span class="kt">long</span> <span class="o">*</span>
<span class="p">}</span>
<span class="cp">#ifdef __x86_64__</span>
<span class="o">+</span><span class="cm">/*</span>
<span class="cm">__INTRIN_INLINE void __movsq(unsigned long * Destination, const unsigned long * Source, size_t Count)</span>
<span class="cm">{</span>
<span class="cm"> __asm__ __volatile__</span>
<span class="cm">@@ -748,6 +749,7 @@ __INTRIN_INLINE void __movsq(unsigned long * Destination, const unsigned long *</span>
<span class="cm"> "[Destination]" (Destination), "[Source]" (Source), "[Count]" (Count)</span>
<span class="cm"> );</span>
<span class="cm">}</span>
<span class="cm">+*/</span>
<span class="cp">#endif</span>
<span class="cp">#if defined(__x86_64__)</span>
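Review bot: commenting out __movsq inside the #ifdef __x86_64__ block (the +/* opened in the previous hunk and closed by the +*/ here) removes the only 64-bit definition of that intrinsic, so driver code that calls __movsq will now fail with an undefined reference instead of a header error. Record in a comment which compiler error this works around and, if the trigger is a conflicting declaration of __movsq elsewhere, align the parameter types with that declaration rather than deleting the definition for all consumers.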
<span class="err">@@</span> <span class="o">-</span><span class="mi">832</span><span class="p">,</span><span class="mi">10</span> <span class="o">+</span><span class="mi">834</span><span class="p">,</span><span class="mi">12</span> <span class="err">@@</span> <span class="n">__INTRIN_INLINE</span> <span class="kt">void</span> <span class="n">__addgsword</span><span class="p">(</span><span class="kt">unsigned</span> <span class="kt">long</span> <span class="n">Offset</span><span class="p">,</span> <span class="kt">unsigned</span> <span class="kt">short</span> <span class="n">Data</span><span class="p">)</span>
<span class="n">__asm__</span> <span class="n">__volatile__</span><span class="p">(</span><span class="s">"addw %w[Data], %%gs:%a[Offset]"</span> <span class="o">:</span> <span class="o">:</span> <span class="p">[</span><span class="n">Offset</span><span class="p">]</span> <span class="s">"ir"</span> <span class="p">(</span><span class="n">Offset</span><span class="p">),</span> <span class="p">[</span><span class="n">Data</span><span class="p">]</span> <span class="s">"ir"</span> <span class="p">(</span><span class="n">Data</span><span class="p">)</span> <span class="o">:</span> <span class="s">"memory"</span><span class="p">);</span>
<span class="p">}</span>
<span class="o">+</span><span class="cm">/*</span>
<span class="cm">__INTRIN_INLINE void __addgsdword(unsigned long Offset, unsigned int Data)</span>
<span class="cm">{</span>
<span class="cm"> __asm__ __volatile__("addl %k[Data], %%gs:%a[Offset]" : : [Offset] "ir" (Offset), [Data] "ir" (Data) : "memory");</span>
<span class="cm">}</span>
<span class="cm">+*/</span>
<span class="n">__INTRIN_INLINE</span> <span class="kt">void</span> <span class="n">__addgsqword</span><span class="p">(</span><span class="kt">unsigned</span> <span class="kt">long</span> <span class="n">Offset</span><span class="p">,</span> <span class="kt">unsigned</span> <span class="kt">long</span> <span class="kt">long</span> <span class="n">Data</span><span class="p">)</span>
<span class="p">{</span>
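Review bot: __addgsdword is commented out while the neighbouring __addgsword and __addgsqword are kept, leaving a gap in the gs-segment helpers that any caller would only hit at link time, and the hunk gives no reason for the removal. Add a comment naming the error that prompted it and, if it is a clash with another declaration of the same intrinsic (note the "unsigned long" Offset parameter, which is 32 bits wide on Win64 under MinGW), fix the mismatch instead of dropping the function.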
</pre></div>
<p>All of this leaves us with the following bash script that contains commands to
fully compile the 64-bit Windows <tt class="docutils literal">usbd.sys</tt> kernel driver.</p>
<div class="highlight"><pre><span></span><span class="ch">#!/bin/sh</span>
rm -rf ./drivers/usb/usbd/CMakeFiles/* drivers/usb/usbd/usbd.sys ntoskrnl/libntoskrnl.a hal/halx86/libhal.a
mkdir -p drivers/usb/usbd/CMakeFiles/usbd.dir/
x86_64-w64-mingw32-dlltool --def ntoskrnl/libntoskrnl_implib.def --kill-at --output-lib<span class="o">=</span>ntoskrnl/libntoskrnl.a
x86_64-w64-mingw32-dlltool --def hal/halx86/libhal_implib.def --kill-at --output-lib<span class="o">=</span>hal/halx86/libhal.a
x86_64-w64-mingw32-gcc -DDBG<span class="o">=</span><span class="m">1</span> -DKDBG<span class="o">=</span><span class="m">1</span> -DUSE_COMPILER_EXCEPTIONS -DWINVER<span class="o">=</span>0x502 -D_SEH_ENABLE_TRACE -D_SETUPAPI_VER<span class="o">=</span>0x502 -D_USE_PSEH3<span class="o">=</span><span class="m">1</span> -D_WIN32_IE<span class="o">=</span>0x600 -D_WIN32_WINDOWS<span class="o">=</span>0x502 -D_WIN32_WINNT<span class="o">=</span>0x502 -D__REACTOS__ -D_inline<span class="o">=</span>__inline -Dusbd_EXPORTS -Wa,--compress-debug-sections -pipe -fms-extensions -fno-strict-aliasing -nostdinc -mstackrealign -Wold-style-declaration -Wdeclaration-after-statement -fdebug-prefix-map<span class="o">=</span><span class="s2">"/home/jbr/reactos/reactos"</span><span class="o">=</span>ReactOS -gdwarf-2 -gstrict-dwarf -femit-struct-debug-detailed<span class="o">=</span>none -feliminate-unused-debug-symbols -Werror -Wall -Wpointer-arith -Wno-char-subscripts -Wno-multichar -Wno-unused-value -Wno-maybe-uninitialized -O1 -fno-optimize-sibling-calls -fno-omit-frame-pointer -fno-set-stack-executable -Winvalid-pch -Werror<span class="o">=</span>invalid-pch -Idrivers/usb/usbd -I../../drivers/usb/usbd -I../../sdk/include -I../../sdk/include/psdk -I../../sdk/include/dxsdk -Isdk/include -Isdk/include/psdk -Isdk/include/dxsdk -Isdk/include/ddk -Isdk/include/reactos -I../../sdk/include/crt -I../../sdk/include/ddk -I../../sdk/include/ndk -I../../sdk/include/reactos -I../../sdk/include/reactos/libs -MMD -MT drivers/usb/usbd/CMakeFiles/usbd.dir/usbd.c.obj -MF drivers/usb/usbd/CMakeFiles/usbd.dir/usbd.c.obj.d -o drivers/usb/usbd/CMakeFiles/usbd.dir/usbd.c.obj -c ../../drivers/usb/usbd/usbd.c
x86_64-w64-mingw32-windres -O coff -I/home/jbr/reactos/reactos/output-MinGW-i386/reactos/drivers/usb/usbd -I/home/jbr/reactos/reactos/drivers/usb/usbd -I/home/jbr/reactos/reactos/sdk/include -I/home/jbr/reactos/reactos/sdk/include/psdk -I/home/jbr/reactos/reactos/sdk/include/dxsdk -I/home/jbr/reactos/reactos/output-MinGW-i386/reactos/sdk/include -I/home/jbr/reactos/reactos/output-MinGW-i386/reactos/sdk/include/psdk -I/home/jbr/reactos/reactos/output-MinGW-i386/reactos/sdk/include/dxsdk -I/home/jbr/reactos/reactos/output-MinGW-i386/reactos/sdk/include/ddk -I/home/jbr/reactos/reactos/output-MinGW-i386/reactos/sdk/include/reactos -I/home/jbr/reactos/reactos/sdk/include/crt -I/home/jbr/reactos/reactos/sdk/include/ddk -I/home/jbr/reactos/reactos/sdk/include/ndk -I/home/jbr/reactos/reactos/sdk/include/reactos -I/home/jbr/reactos/reactos/sdk/include/reactos/libs --preprocessor <span class="s2">"x86_64-w64-mingw32-gcc -E -xc-header -MMD -MF drivers/usb/usbd/CMakeFiles/usbd.dir/usbd.rc.res.d -MT drivers/usb/usbd/CMakeFiles/usbd.dir/usbd.rc.res"</span> -DRC_INVOKED -D__WIN32__<span class="o">=</span><span class="m">1</span> -D__FLAT__<span class="o">=</span><span class="m">1</span> -DDBG<span class="o">=</span><span class="m">1</span> -DKDBG<span class="o">=</span><span class="m">1</span> -DUSE_COMPILER_EXCEPTIONS -DWINVER<span class="o">=</span>0x502 -D_SEH_ENABLE_TRACE -D_SETUPAPI_VER<span class="o">=</span>0x502 -D_USE_PSEH3<span class="o">=</span><span class="m">1</span> -D_WIN32_IE<span class="o">=</span>0x600 -D_WIN32_WINDOWS<span class="o">=</span>0x502 -D_WIN32_WINNT<span class="o">=</span>0x502 -D__REACTOS__ -D_inline<span class="o">=</span>__inline -Dusbd_EXPORTS /home/jbr/reactos/reactos/drivers/usb/usbd/usbd.rc drivers/usb/usbd/CMakeFiles/usbd.dir/usbd.rc.res
x86_64-w64-mingw32-gcc -E -xc-header -MMD -MF drivers/usb/usbd/CMakeFiles/usbd.dir/usbd.rc.res.d -MT drivers/usb/usbd/CMakeFiles/usbd.dir/usbd.rc.res -I/home/jbr/reactos/reactos/output-MinGW-i386/reactos/drivers/usb/usbd -I/home/jbr/reactos/reactos/drivers/usb/usbd -I/home/jbr/reactos/reactos/sdk/include -I/home/jbr/reactos/reactos/sdk/include/psdk -I/home/jbr/reactos/reactos/sdk/include/dxsdk -I/home/jbr/reactos/reactos/output-MinGW-i386/reactos/sdk/include -I/home/jbr/reactos/reactos/output-MinGW-i386/reactos/sdk/include/psdk -I/home/jbr/reactos/reactos/output-MinGW-i386/reactos/sdk/include/dxsdk -I/home/jbr/reactos/reactos/output-MinGW-i386/reactos/sdk/include/ddk -I/home/jbr/reactos/reactos/output-MinGW-i386/reactos/sdk/include/reactos -I/home/jbr/reactos/reactos/sdk/include/crt -I/home/jbr/reactos/reactos/sdk/include/ddk -I/home/jbr/reactos/reactos/sdk/include/ndk -I/home/jbr/reactos/reactos/sdk/include/reactos -I/home/jbr/reactos/reactos/sdk/include/reactos/libs -DRC_INVOKED -D__WIN32__<span class="o">=</span><span class="m">1</span> -D__FLAT__<span class="o">=</span><span class="m">1</span> -DDBG<span class="o">=</span><span class="m">1</span> -DKDBG<span class="o">=</span><span class="m">1</span> -DUSE_COMPILER_EXCEPTIONS -DWINVER<span class="o">=</span>0x502 -D_SEH_ENABLE_TRACE -D_SETUPAPI_VER<span class="o">=</span>0x502 -D_USE_PSEH3<span class="o">=</span><span class="m">1</span> -D_WIN32_IE<span class="o">=</span>0x600 -D_WIN32_WINDOWS<span class="o">=</span>0x502 -D_WIN32_WINNT<span class="o">=</span>0x502 -D__REACTOS__ -D_inline<span class="o">=</span>__inline -Dusbd_EXPORTS /home/jbr/reactos/reactos/drivers/usb/usbd/usbd.rc
x86_64-w64-mingw32-gcc -pipe -fms-extensions -fno-strict-aliasing -nostdinc -mstackrealign -Wold-style-declaration -Wdeclaration-after-statement -fdebug-prefix-map<span class="o">=</span><span class="s2">"/home/jbr/reactos/reactos"</span><span class="o">=</span>ReactOS -gdwarf-2 -gstrict-dwarf -femit-struct-debug-detailed<span class="o">=</span>none -feliminate-unused-debug-symbols -Werror -Wall -Wpointer-arith -Wno-char-subscripts -Wno-multichar -Wno-unused-value -Wno-maybe-uninitialized -O1 -fno-optimize-sibling-calls -fno-omit-frame-pointer -mpreferred-stack-boundary<span class="o">=</span><span class="m">3</span> -fno-set-stack-executable -nostdlib -Wl,--enable-auto-image-base,--disable-auto-import -Wl,--disable-stdcall-fixup -Wl,--subsystem,native -Wl,-entry,DriverEntry -Wl,--image-base,0x00010000 -Wl,--exclude-all-symbols,-file-alignment<span class="o">=</span>0x1000,-section-alignment<span class="o">=</span>0x1000 drivers/usb/usbd/usbd.def -shared -o drivers/usb/usbd/usbd.sys drivers/usb/usbd/CMakeFiles/usbd.dir/usbd.c.obj drivers/usb/usbd/CMakeFiles/usbd.dir/usbd.rc.res ntoskrnl/libntoskrnl.a hal/halx86/libhal.a -lgcc
</pre></div>
<p>Now, as you can imagine, this is only part of the story. I won’t be putting too
much effort into making a proper 64-bit RosBE for Ubuntu/Debian-based
platforms (unfortunately), but I’m sure that with some <em>grepping</em> and
additional configuration files one should be able to get quite far in merging
these steps properly into the RosBE system.</p>
<p>For the remainder of this blogpost and the compilation of arbitrary 64-bit
Windows kernel drivers we’re going to need two "checkouts" of the same
<tt class="docutils literal"><span class="pre">output-MinGW-i386</span></tt> directory. Please obtain these as follows.</p>
<ul class="simple">
<li>Create one checkout (i.e., with the <tt class="docutils literal">./configure.sh</tt> command).</li>
<li>Apply all of the changes discussed above.</li>
<li>Rename this checkout to <tt class="docutils literal"><span class="pre">output-MinGW-x86_64</span></tt>.</li>
<li>Create a new checkout.</li>
<li>Run just <tt class="docutils literal">ninja ntoskrnl hal usbd xdk</tt> in this second checkout.</li>
</ul>
</div>
<div class="section" id="compiling-zer0m0n">
<h2>Compiling zer0m0n</h2>
<p>Getting back to the goal of this blogpost, we’re now going to take a look at
compiling 32-bit and 64-bit <tt class="docutils literal">zer0m0n.sys</tt> Windows kernel drivers. Naturally,
switching from one compiler to another requires some code changes, especially
since <span class="caps">GCC</span> is stricter than <span class="caps">MSVC</span> and thus raises more warnings and errors.</p>
<p>In this blogpost we’ll only be focusing on actually building the driver, but
we’d just like to point out that MinGW doesn’t support <a class="reference external" href="https://msdn.microsoft.com/en-us/library/windows/desktop/ms680657%28v=vs.85%29.aspx"><span class="caps">SEH</span></a> constructs for
64-bit targets as-is and as such, any <tt class="docutils literal">try</tt>/<tt class="docutils literal">catch</tt> blocks will have to be
rewritten using, e.g., <a class="reference external" href="https://msdn.microsoft.com/en-us/library/windows/hardware/ff554664%28v=vs.85%29.aspx">MmProbeAndLockPages</a> until we find a more appropriate
solution such as verifying thrown exceptions ourselves.</p>
<p>Actually, there’s not much to building the 32-bit and 64-bit kernel driver
<em>once all of the work has been done already</em>, of course ;-) Following is a
<strong>working Makefile for building a somewhat modified zer0m0n</strong> - in the sense
that all the <span class="caps">GCC</span> warnings and errors have been resolved and that the <span class="caps">SEH</span> usage
has been replaced by <tt class="docutils literal">MmProbeAndLockPages</tt> logic.</p>
<p>The <tt class="docutils literal">Makefile</tt> has a couple of dependencies, but other than that works out
of the box.</p>
<ul class="simple">
<li>The <tt class="docutils literal">.def</tt> files are located in the <tt class="docutils literal">defs/</tt> directory and for each
target two variants will be required, i.e., <tt class="docutils literal"><span class="pre">dummy-x86.def</span></tt> and
<tt class="docutils literal"><span class="pre">dummy-x64.def</span></tt>.</li>
<li>Two checkouts of the ReactOS source are required, as per the previous
chapter of this blogpost. By default the <tt class="docutils literal">Makefile</tt> will assume these
checkouts remain in the <tt class="docutils literal">~/reactos/</tt> directory, but one may decide to
modify the <tt class="docutils literal">Makefile</tt>, provide the <tt class="docutils literal">$<span class="caps">REACTOS</span></tt> environment variable, or
simply create a symbolic link at <tt class="docutils literal">~/reactos</tt>.</li>
</ul>
<p>And that’s all. Happy Windows kernel hacking from Ubuntu/Debian.
Stay tuned for more releases and blogposts!</p>
<div class="highlight"><pre><span></span><span class="c"># Only set if it does not already exist as environment variable.</span>
<span class="nv">REACTOS</span> <span class="o">?=</span> ~/reactos
<span class="nv">REACTOS86</span> <span class="o">=</span> <span class="k">$(</span>REACTOS<span class="k">)</span>/output-MinGW-i386/reactos
<span class="nv">REACTOS64</span> <span class="o">=</span> <span class="k">$(</span>REACTOS<span class="k">)</span>/output-MinGW-x86_64/reactos
<span class="nv">SRC</span> <span class="o">=</span> <span class="k">$(</span>wildcard *.c<span class="k">)</span>
<span class="nv">DEFS86</span> <span class="o">=</span> <span class="k">$(</span>wildcard defs/*-x86.def<span class="k">)</span>
<span class="nv">DEFS64</span> <span class="o">=</span> <span class="k">$(</span>wildcard defs/*-x64.def<span class="k">)</span>
<span class="nv">LIBS86</span> <span class="o">=</span> <span class="k">$(</span>DEFS86:defs/%.def<span class="o">=</span>obj/%.a<span class="k">)</span>
<span class="nv">LIBS64</span> <span class="o">=</span> <span class="k">$(</span>DEFS64:defs/%.def<span class="o">=</span>obj/%.a<span class="k">)</span>
<span class="nv">ZER0M0NSYS</span> <span class="o">=</span> bin/zer0m0n-x86.sys bin/zer0m0n-x64.sys
<span class="nv">OBJ86</span> <span class="o">=</span> <span class="k">$(</span>SRC:%.c<span class="o">=</span>obj/%-x86.obj<span class="k">)</span>
<span class="nv">OBJ64</span> <span class="o">=</span> <span class="k">$(</span>SRC:%.c<span class="o">=</span>obj/%-x64.obj<span class="k">)</span>
<span class="nv">HEADERS</span> <span class="o">=</span> <span class="k">$(</span>wildcard *.h<span class="k">)</span>
<span class="nv">CFLAGS</span> <span class="o">=</span> <span class="se">\</span>
-DDBG<span class="o">=</span><span class="m">1</span> -DKDBG<span class="o">=</span><span class="m">1</span> -DUSE_COMPILER_EXCEPTIONS -DWINVER<span class="o">=</span>0x601 <span class="se">\</span>
-D_SETUPAPI_VER<span class="o">=</span>0x601 -D_WIN32_IE<span class="o">=</span>0x601 -D_WIN32_WINDOWS<span class="o">=</span>0x601 <span class="se">\</span>
-D_WIN32_WINNT<span class="o">=</span>0x601 -D__REACTOS__ -D_inline<span class="o">=</span>__inline <span class="se">\</span>
-Wa,--compress-debug-sections -pipe -fms-extensions -fno-strict-aliasing <span class="se">\</span>
-nostdinc -mstackrealign -Wold-style-declaration <span class="se">\</span>
-Wdeclaration-after-statement -gdwarf-2 -gstrict-dwarf <span class="se">\</span>
-femit-struct-debug-detailed<span class="o">=</span>none -feliminate-unused-debug-symbols <span class="se">\</span>
-Werror -Wall -Wpointer-arith -Wno-char-subscripts -Wno-multichar <span class="se">\</span>
-Wno-unused-value -Wno-maybe-uninitialized -O1 <span class="se">\</span>
-fno-optimize-sibling-calls -fno-omit-frame-pointer <span class="se">\</span>
-fno-set-stack-executable -Winvalid-pch -Werror<span class="o">=</span>invalid-pch <span class="se">\</span>
-DNTDDI_VERSION<span class="o">=</span>NTDDI_WIN7 -std<span class="o">=</span>c99 -pie
<span class="cp">ifdef DEBUG</span>
CFLAGS +<span class="o">=</span> -DDEBUG<span class="o">=</span>1
<span class="cp">endif</span>
<span class="nv">CFLAGS86</span> <span class="o">=</span> -march<span class="o">=</span>pentium -mtune<span class="o">=</span>i686 -mpreferred-stack-boundary<span class="o">=</span>3
<span class="nv">CFLAGS64</span> <span class="o">=</span>
<span class="nv">LDFLAGS</span> <span class="o">=</span> <span class="se">\</span>
-nostdlib -Wl,--enable-auto-image-base,--disable-auto-import <span class="se">\</span>
-Wl,--disable-stdcall-fixup -Wl,--subsystem,native <span class="se">\</span>
-Wl,--image-base,0x00010000 -shared -pie -fPIE <span class="se">\</span>
-Wl,--exclude-all-symbols,-file-alignment<span class="o">=</span>0x1000,-section-alignment<span class="o">=</span>0x1000
<span class="nv">INCROSX86</span> <span class="o">=</span> <span class="se">\</span>
-I <span class="k">$(</span>REACTOS86<span class="k">)</span>/drivers/usb/usbd -I <span class="k">$(</span>REACTOS<span class="k">)</span>/drivers/usb/usbd <span class="se">\</span>
-I <span class="k">$(</span>REACTOS<span class="k">)</span>/sdk/include -I <span class="k">$(</span>REACTOS<span class="k">)</span>/sdk/include/psdk <span class="se">\</span>
-I <span class="k">$(</span>REACTOS<span class="k">)</span>/sdk/include/dxsdk -I <span class="k">$(</span>REACTOS86<span class="k">)</span>/sdk/include <span class="se">\</span>
-I <span class="k">$(</span>REACTOS86<span class="k">)</span>/sdk/include/psdk -I <span class="k">$(</span>REACTOS86<span class="k">)</span>/sdk/include/dxsdk <span class="se">\</span>
-I <span class="k">$(</span>REACTOS86<span class="k">)</span>/sdk/include/ddk -I <span class="k">$(</span>REACTOS86<span class="k">)</span>/sdk/include/reactos <span class="se">\</span>
-I <span class="k">$(</span>REACTOS<span class="k">)</span>/sdk/include/crt -I <span class="k">$(</span>REACTOS<span class="k">)</span>/sdk/include/ddk <span class="se">\</span>
-I <span class="k">$(</span>REACTOS<span class="k">)</span>/sdk/include/ndk -I <span class="k">$(</span>REACTOS<span class="k">)</span>/sdk/include/reactos <span class="se">\</span>
-I <span class="k">$(</span>REACTOS<span class="k">)</span>/sdk/include/reactos/libs
<span class="nv">INCROSX64</span> <span class="o">=</span> <span class="se">\</span>
-I <span class="k">$(</span>REACTOS64<span class="k">)</span>/drivers/usb/usbd -I <span class="k">$(</span>REACTOS<span class="k">)</span>/drivers/usb/usbd <span class="se">\</span>
-I <span class="k">$(</span>REACTOS<span class="k">)</span>/sdk/include -I <span class="k">$(</span>REACTOS<span class="k">)</span>/sdk/include/psdk <span class="se">\</span>
-I <span class="k">$(</span>REACTOS<span class="k">)</span>/sdk/include/dxsdk -I <span class="k">$(</span>REACTOS64<span class="k">)</span>/sdk/include <span class="se">\</span>
-I <span class="k">$(</span>REACTOS64<span class="k">)</span>/sdk/include/psdk -I <span class="k">$(</span>REACTOS64<span class="k">)</span>/sdk/include/dxsdk <span class="se">\</span>
-I <span class="k">$(</span>REACTOS64<span class="k">)</span>/sdk/include/ddk -I <span class="k">$(</span>REACTOS64<span class="k">)</span>/sdk/include/reactos <span class="se">\</span>
-I <span class="k">$(</span>REACTOS<span class="k">)</span>/sdk/include/crt -I <span class="k">$(</span>REACTOS<span class="k">)</span>/sdk/include/ddk <span class="se">\</span>
-I <span class="k">$(</span>REACTOS<span class="k">)</span>/sdk/include/ndk -I <span class="k">$(</span>REACTOS<span class="k">)</span>/sdk/include/reactos <span class="se">\</span>
-I <span class="k">$(</span>REACTOS<span class="k">)</span>/sdk/include/reactos/libs
<span class="nf">all</span><span class="o">:</span> <span class="k">$(</span><span class="nv">ZER</span>0<span class="nv">M</span>0<span class="nv">NSYS</span><span class="k">)</span>
<span class="nf">obj/%-x86.a</span><span class="o">:</span> <span class="n">defs</span>/%-<span class="n">x</span>86.<span class="n">def</span>
	i686-w64-mingw32-dlltool --def $< --kill-at --output-lib<span class="o">=</span><span class="nv">$@</span>
<span class="nf">obj/%-x64.a</span><span class="o">:</span> <span class="n">defs</span>/%-<span class="n">x</span>64.<span class="n">def</span>
	x86_64-w64-mingw32-dlltool --def $< --kill-at --output-lib<span class="o">=</span><span class="nv">$@</span>
<span class="nf">obj/%-x86.obj</span><span class="o">:</span> %.<span class="n">c</span> <span class="k">$(</span><span class="nv">HEADERS</span><span class="k">)</span> <span class="n">Makefile</span>
	i686-w64-mingw32-gcc <span class="k">$(</span>CFLAGS<span class="k">)</span> <span class="k">$(</span>CFLAGS86<span class="k">)</span> <span class="k">$(</span>INCROSX86<span class="k">)</span> -c -o <span class="nv">$@</span> $<
<span class="nf">obj/%-x64.obj</span><span class="o">:</span> %.<span class="n">c</span> <span class="k">$(</span><span class="nv">HEADERS</span><span class="k">)</span> <span class="n">Makefile</span>
	x86_64-w64-mingw32-gcc <span class="k">$(</span>CFLAGS<span class="k">)</span> <span class="k">$(</span>CFLAGS64<span class="k">)</span> <span class="k">$(</span>INCROSX64<span class="k">)</span> -c -o <span class="nv">$@</span> $<
<span class="nf">bin/zer0m0n-x86.sys</span><span class="o">:</span> <span class="k">$(</span><span class="nv">OBJ</span>86<span class="k">)</span> <span class="k">$(</span><span class="nv">LIBS</span>86<span class="k">)</span>
	i686-w64-mingw32-gcc <span class="k">$(</span>CFLAGS<span class="k">)</span> <span class="k">$(</span>CFLAGS86<span class="k">)</span> <span class="k">$(</span>LDFLAGS<span class="k">)</span> <span class="se">\</span>
	    -Wl,-entry,_DriverEntry@8 -o <span class="nv">$@</span> $^ -static -nostdlib
<span class="nf">bin/zer0m0n-x64.sys</span><span class="o">:</span> <span class="k">$(</span><span class="nv">OBJ</span>64<span class="k">)</span> <span class="k">$(</span><span class="nv">LIBS</span>64<span class="k">)</span>
	x86_64-w64-mingw32-gcc <span class="k">$(</span>CFLAGS<span class="k">)</span> <span class="k">$(</span>CFLAGS64<span class="k">)</span> <span class="k">$(</span>LDFLAGS<span class="k">)</span> <span class="se">\</span>
	    -Wl,-entry,DriverEntry -o <span class="nv">$@</span> $^ -static -nostdlib
<span class="nf">clean</span><span class="o">:</span>
	rm -rf <span class="k">$(</span>LIBS86<span class="k">)</span> <span class="k">$(</span>LIBS64<span class="k">)</span> <span class="k">$(</span>OBJ86<span class="k">)</span> <span class="k">$(</span>OBJ64<span class="k">)</span> <span class="k">$(</span>ZER0M0NSYS<span class="k">)</span>
</pre></div>
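<p>As an added example (not the post's code and not part of zer0m0n), the following Python preflight script checks the assumptions the <tt class="docutils literal">Makefile</tt> makes before <tt class="docutils literal">make</tt> is run: the <tt class="docutils literal">$<span class="caps">REACTOS</span></tt> default of <tt class="docutils literal">~/reactos</tt> and its two output trees, the x86/x64 pairing of the <tt class="docutils literal">.def</tt> files, and the presence of the MinGW-w64 cross tools. The directory layout it builds for offline testing is constructed; <tt class="docutils literal"><span class="pre">extra-x86.def</span></tt> is our placeholder name, <tt class="docutils literal"><span class="pre">dummy-*.def</span></tt> are the names used above.</p>

```python
import os
import shutil
import tempfile
from typing import Callable, Dict, List, Optional

# The cross toolchains the Makefile's rules invoke.
CROSS_TOOLS = ("i686-w64-mingw32-gcc", "i686-w64-mingw32-dlltool",
               "x86_64-w64-mingw32-gcc", "x86_64-w64-mingw32-dlltool")
# REACTOS86 and REACTOS64 in the Makefile, relative to $(REACTOS).
OUTPUT_TREES = ("output-MinGW-i386/reactos", "output-MinGW-x86_64/reactos")


def reactos_root(env: Dict[str, str]) -> str:
    """Same rule as `REACTOS ?= ~/reactos`: honour the variable, else the default."""
    return os.path.expanduser(env.get("REACTOS", "~/reactos"))


def missing_reactos_trees(root: str) -> List[str]:
    """Output trees the -I flags point at but which do not exist."""
    paths = [os.path.join(root, tree) for tree in OUTPUT_TREES]
    return [p for p in paths if not os.path.isdir(p)]


def missing_def_twins(defs_dir: str) -> List[str]:
    """Every defs/NAME-x86.def needs a defs/NAME-x64.def and vice versa; otherwise
    LIBS86 or LIBS64 lacks an import library and that target fails to link."""
    stems: Dict[str, set] = {"x86": set(), "x64": set()}
    for name in (os.listdir(defs_dir) if os.path.isdir(defs_dir) else []):
        base, ext = os.path.splitext(name)
        stem, sep, arch = base.rpartition("-")
        if ext == ".def" and sep and arch in stems:
            stems[arch].add(stem)
    missing = [f"{s}-x64.def" for s in stems["x86"] - stems["x64"]]
    missing += [f"{s}-x86.def" for s in stems["x64"] - stems["x86"]]
    return sorted(os.path.join(defs_dir, m) for m in missing)


def missing_tools(which: Callable[[str], Optional[str]] = shutil.which) -> List[str]:
    """Cross compilers/dlltools not found on PATH (`which` is injectable for tests)."""
    return [tool for tool in CROSS_TOOLS if which(tool) is None]


def preflight(env: Dict[str, str], defs_dir: str, which=shutil.which) -> List[str]:
    """Every problem that would make `make` fail, as human-readable lines."""
    problems = [f"missing ReactOS build tree: {p}" for p in missing_reactos_trees(reactos_root(env))]
    problems += [f"missing .def twin: {p}" for p in missing_def_twins(defs_dir)]
    problems += [f"cross tool not on PATH: {t}" for t in missing_tools(which)]
    return problems


def constructed_fixture() -> Dict[str, str]:
    """Throw-away layout for trying the checks offline: only the 32-bit output
    tree exists, and our placeholder `extra-x86.def` has no x64 twin."""
    base = tempfile.mkdtemp(prefix="zer0m0n-preflight-")
    reactos = os.path.join(base, "reactos")
    os.makedirs(os.path.join(reactos, OUTPUT_TREES[0]))
    defs = os.path.join(base, "defs")
    os.makedirs(defs)
    for name in ("dummy-x86.def", "dummy-x64.def", "extra-x86.def"):
        with open(os.path.join(defs, name), "w") as fh:
            fh.write("; constructed placeholder, not a real export list\n")
    return {"REACTOS": reactos, "defs": defs}


if __name__ == "__main__":
    import sys
    issues = preflight(os.environ, "defs")
    print("\n".join(issues) if issues else "preflight ok")
    sys.exit(1 if issues else 0)
```

<p>Run from the zer0m0n source directory it exits non-zero with one line per problem, which is a friendlier failure than a missing <tt class="docutils literal">obj/*.a</tt> or an <tt class="docutils literal">-I</tt> path that silently resolves to nothing halfway through the build.</p>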
</div>
Analysis of nested archives with Cuckoo Sandbox: SFlock 0.1 release (2016-09-10T20:00:00+02:00, Jurriaan Bremer, tag:cuckoo.sh,2016-09-10:blog/sflock01.html)
<p>It has been almost six years since <a class="reference external" href="http://cuckoosandbox.org/">Cuckoo Sandbox</a> started out. Ever since
then, it’s had the same, basic file submission capabilities. With the release
of the first version of the <a class="reference external" href="https://github.com/jbremer/sflock">SFlock</a> library and Cuckoo’s <strong>new and upcoming
Web Interface</strong> (still to be announced) this is about to change.</p>
<p>Those analyzing malicious documents attached to incoming emails with Cuckoo
may have noticed the <strong>lack of proper .zip support</strong>, let alone other popular
archive formats such as <tt class="docutils literal">.rar</tt>, <tt class="docutils literal">.7z</tt>, and <tt class="docutils literal">.ace</tt> (an ancient archive
format that’s been getting a lot of attention in spamruns in recent months).</p>
<p>Although we are still actively working on the new Web Interface, which has not
yet been finished off, we can already show some screenshots regarding the
<strong>new submission page</strong> that represent the functionality the <tt class="docutils literal">sflock</tt>
library exposes to Cuckoo Sandbox.</p>
<p>Below we have submitted a couple of files, namely the following three:</p>
<ul class="simple">
<li><a class="reference external" href="https://github.com/jbremer/sflock/blob/master/tests/files/bup_test.bup?raw=true">eml_nested_eml.eml</a>, an email with another email as attachment containing
a <strong>Microsoft Office Word document</strong> as well as a <tt class="docutils literal">cuckoo.png</tt> image,
based on a sample by <a class="reference external" href="https://github.com/cuckoosandbox/cuckoo/pull/568">@edwincheese</a>.</li>
<li><a class="reference external" href="https://github.com/jbremer/sflock/blob/master/tests/files/msg_invoice.msg?raw=true">msg_invoice.msg</a>, an email with an <strong>embedded Microsoft Outlook Macro
object</strong> containing a <tt class="docutils literal">Firefox 43.0.1</tt> installer executable, based on a
sample by <a class="reference external" href="https://medium.com/@networksecurity/oleoutlook-bypass-almost-every-corporate-security-control-with-a-point-n-click-gui-37f4cbc107d0#.3h79nqc1u">Kevin Beaumont</a>.</li>
<li><a class="reference external" href="https://github.com/jbremer/sflock/blob/master/tests/files/bup_test.bup?raw=true">bup_test.bup</a>, a <strong>McAfee quarantine file</strong> containing a <tt class="docutils literal">.zip</tt> file
with an embedded <tt class="docutils literal">.scr</tt> file, based on a sample by <a class="reference external" href="https://twitter.com/herrcore">@herrcore</a>.</li>
</ul>
<p>As-is this looks as follows.</p>
<img alt="" src="https://cuckoo.sh/13b9936bf518d3ee/screenshot.png" />
<p>Or for those who work from home at night, the following theme might be of interest.</p>
<img alt="" src="https://cuckoo.sh/bab1eae9bf37c273/screenshot.png" />
<p>As may be seen in these pictures, a couple of things are going on with
regard to the file selection:</p>
<ul class="simple">
<li>By automatically <strong>unpacking any and all archive files</strong> <tt class="docutils literal">sflock</tt> and
Cuckoo are capable of selecting those embedded files that <strong>should be
analyzed</strong>, and <strong>ignoring</strong> the rest of the files (i.e., images and files
that are not executable on regular Windows machines). In the example shown
here you will see that <tt class="docutils literal">cuckoo.png</tt>, <tt class="docutils literal">image003.emz</tt>, and
<tt class="docutils literal">image004.png</tt> are not selected, as these are <strong>image files</strong> and/or other
non-executable files.</li>
<li>With this new technology, Cuckoo is able to make <strong>multiple analysis tasks</strong>
out of a single archive file. Submitting an archive with two JavaScript
files and one executable will from now on create <strong>three analysis tasks</strong>
(rather than one that fails, as used to be the case).</li>
<li><strong>Duplicate files are submitted only once</strong>. In the screenshot this can be
seen as <tt class="docutils literal">att1</tt> has the exact same file contents as the <tt class="docutils literal">.doc</tt> image with
Chinese characters (?) as filename. Therefore the <tt class="docutils literal">att1</tt> file is not
selected to be submitted as an analysis task. (And, yes, with a filesize of
12 bytes, the <tt class="docutils literal">.doc</tt> file will not do much of interest.)</li>
<li>There’s currently still a bug where the <tt class="docutils literal">Firefox Setup Stub 43.0.1.exe</tt>
file is selected in the Web Interface representation, but that shouldn’t be
the case (simply by analyzing the <tt class="docutils literal">oledata.mso</tt> file the
<tt class="docutils literal">Firefox Setup Stub 43.0.1.exe</tt> should be started automatically - as this
is the payload - with the <strong>correct parent process</strong> and, if that’s even
possible to define (I’m not sure), the correct command-line arguments, etc).</li>
<li>Finally the <tt class="docutils literal">efax_9057733019_pdf.scr</tt> file will be submitted as an
analysis task as expected, as it is an executable file.</li>
</ul>
<p>We’d like to stress the fact that even though specific files from these
various different archive files will be executed during an analysis, their
<strong>context</strong>, or related files, will be next to the analyzed files during the
analysis. As an example, in the case of an <tt class="docutils literal">oledata.mso</tt> analysis Cuckoo
will automatically drop the <tt class="docutils literal">image003.emz</tt> and <tt class="docutils literal">image004.png</tt> files in
the <strong>same directory</strong> as the <tt class="docutils literal">oledata.mso</tt> file during the analysis,
preventing any <tt class="docutils literal"><span class="pre">anti-analysis</span></tt> tricks based on the presence of related files.</p>
<p>Before finishing off this blogpost we’d like to mention that the <tt class="docutils literal">sflock</tt>
library is also perfectly capable of being used by <strong>other programs</strong>, so
please reach out to us if you intend to integrate it with other toolkit(s).
Its <span class="caps">API</span> has been designed to be as simple as possible and therefore may be
<strong>fully utilized</strong> simply by invoking the following line of code (which dumps
a Python dictionary that may be embedded directly as <span class="caps">JSON</span> blob):</p>
<div class="highlight"><pre><span></span><span class="kn">from</span> <span class="nn">sflock</span> <span class="kn">import</span> <span class="n">unpack</span>
<span class="k">print</span><span class="p">(</span><span class="n">unpack</span><span class="p">(</span><span class="s2">"archive.rar"</span><span class="p">)</span><span class="o">.</span><span class="n">astree</span><span class="p">()</span><span class="p">)</span>
</pre></div>
<p>Naturally there are a couple of configurable options available, but by default
these have all been abstracted away by its basic interface.</p>
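<p>To make the selection rules listed above concrete, here is an added example (not sflock's own code) that implements them over a constructed, in-memory file tree: analyzable leaves are picked once per distinct SHA-256, images and further copies of the same bytes stay unselected, every task carries its sibling files as the <strong>context</strong> to drop next to it, and <tt class="docutils literal">astree()</tt> returns a JSON-serializable dictionary in the spirit of the call shown above. The extension and magic-byte lists, file names and contents are all made up for this example; sflock's real decisions live in its per-format handlers.</p>

```python
import hashlib
import os
from dataclasses import dataclass, field
from typing import Dict, Iterator, List

# Constructed for this example: types a Windows analysis VM can act on, and
# image formats it never executes. sflock's real rules are per-format handlers.
ANALYZABLE_EXTENSIONS = {".exe", ".scr", ".dll", ".js", ".vbs", ".hta",
                         ".doc", ".docx", ".xls", ".rtf", ".pdf", ".mso"}
IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".bmp", ".emz", ".emf"}
IMAGE_MAGIC = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF8")
PE_MAGIC = b"MZ"


@dataclass
class Entry:
    """One node of the unpacked tree; archives and containers have children."""
    filename: str
    contents: bytes = b""
    children: List["Entry"] = field(default_factory=list)
    selected: bool = False
    duplicate: bool = False

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.contents).hexdigest()

    @property
    def extension(self) -> str:
        return os.path.splitext(self.filename)[1].lower()


def is_image(entry: Entry) -> bool:
    return entry.extension in IMAGE_EXTENSIONS or entry.contents.startswith(IMAGE_MAGIC)


def is_analyzable(entry: Entry) -> bool:
    """A leaf qualifies if it looks like a PE file or has an extension Windows
    hands to a program, and is not an image."""
    if entry.children or is_image(entry):
        return False
    return entry.contents.startswith(PE_MAGIC) or entry.extension in ANALYZABLE_EXTENSIONS


def walk(entry: Entry) -> Iterator[Entry]:
    yield entry
    for child in entry.children:
        yield from walk(child)


def select_for_analysis(root: Entry) -> List[Entry]:
    """Group leaves by SHA-256; per group select the first analyzable copy and
    flag the rest as duplicates. One returned entry is one analysis task."""
    groups: Dict[str, List[Entry]] = {}
    for entry in walk(root):
        entry.selected = entry.duplicate = False
        if not entry.children:
            groups.setdefault(entry.sha256, []).append(entry)
    selected: List[Entry] = []
    for copies in groups.values():
        candidates = [e for e in copies if is_analyzable(e)]
        if not candidates:
            continue                        # e.g. only images share these bytes
        winner = candidates[0]
        winner.selected = True
        for other in copies:
            if other is not winner:
                other.duplicate = True      # same bytes, other name or location
        selected.append(winner)
    return selected


def analysis_tasks(root: Entry) -> List[dict]:
    """One task per selected file, plus its siblings as context so the related
    (non-executed) files land in the same directory inside the VM."""
    select_for_analysis(root)
    tasks = []
    if root.selected:                       # a bare file submitted on its own
        tasks.append({"filename": root.filename, "sha256": root.sha256, "context": []})
    for parent in walk(root):
        for child in parent.children:
            if child.selected:
                tasks.append({"filename": child.filename, "sha256": child.sha256,
                              "context": sorted(s.filename for s in parent.children if s is not child)})
    return tasks


def astree(entry: Entry) -> dict:
    """Nested dict in the spirit of sflock's astree(); json.dumps() it for a blob."""
    return {"filename": entry.filename, "size": len(entry.contents), "sha256": entry.sha256,
            "selected": entry.selected, "duplicate": entry.duplicate,
            "children": [astree(c) for c in entry.children]}


def sample_tree() -> Entry:
    """Constructed stand-in for two of the post's submissions; all bytes are fake."""
    doc = b"not a real document"            # shared by two entries, like att1 in the post
    return Entry("submission", children=[
        Entry("eml_nested_eml.eml", b"From: a@example.test", children=[
            Entry("attached.eml", b"From: b@example.test", children=[
                Entry("invoice.doc", doc),
                Entry("att1", doc),         # same bytes under a bare name
                Entry("cuckoo.png", IMAGE_MAGIC[0] + b"\x00" * 16)])]),
        Entry("bup_test.bup", b"\xd0\xcf\x11\xe0", children=[
            Entry("quarantined.zip", b"PK\x03\x04", children=[
                Entry("efax_9057733019_pdf.scr", PE_MAGIC + b"\x90" * 62)])])])
```

<p>Running <tt class="docutils literal">analysis_tasks(sample_tree())</tt> yields two tasks, <tt class="docutils literal">invoice.doc</tt> (with <tt class="docutils literal">att1</tt> and <tt class="docutils literal">cuckoo.png</tt> as context) and <tt class="docutils literal">efax_9057733019_pdf.scr</tt>, while <tt class="docutils literal">att1</tt> is flagged as a duplicate and the image is left alone. Grouping by hash before deciding analyzability matters: if the bare <tt class="docutils literal">att1</tt> were seen first and dedup ran on names alone, the <tt class="docutils literal">.doc</tt> would be dropped and nothing would be analyzed.</p>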
<p>Last but not least. SFlock has quite some <a class="reference external" href="https://github.com/jbremer/sflock/tree/master/tests">unittests</a> covering more than
<tt class="docutils literal">90%</tt> of the code, making sure we’re capable of implementing new features
without breaking current functionality. And naturally, due to its usage of
<em>native tooling</em>, we have implemented a <strong>custom usermode Linux sandbox</strong> for
wrapping <tt class="docutils literal">rar</tt>, <tt class="docutils literal">7z</tt>, and <tt class="docutils literal">unace</tt> so that (in theory) all potential
security vulnerabilities have been mitigated. More can be read about this at
the <a class="reference external" href="https://github.com/jbremer/sflock">sflock</a> and <a class="reference external" href="https://github.com/jbremer/tracy/tree/master/src/zipjail">zipjail</a> GitHub pages. Naturally the <tt class="docutils literal">zipjail</tt> sandbox
contains plenty of unittests itself to ensure <em>basic</em> security practices are
in place. I’ll personally hand out beers to whoever is able to break out of
the latest version of <tt class="docutils literal">zipjail</tt>. That said, thanks to <a class="reference external" href="https://thejh.net/">Jann Horn</a> for
<a class="reference external" href="https://github.com/jbremer/tracy/commit/73272d85c29b07d0e4eb3690fabe011a6ee2e017">reporting a couple of security issues</a>.</p>
<p>We hope you’re as stoked about these upcoming features in Cuckoo Sandbox as we
are. We’ll keep you posted as we put out new releases and blogposts. As
always, if there are any questions or suggestions, please
<a class="reference external" href="https://cuckoo.sh/blog/pages/contact.html">do reach out to us</a>.</p>
VMCloak 0.4.1 release (2016-08-27T18:00:00+02:00, Jurriaan Bremer, tag:cuckoo.sh,2016-08-27:blog/vmcloak41.html)
<p>Recently we, Rasmus Männa and myself, released the latest version of VMCloak,
an <strong>Automated Virtual Machine Generation and Cloaking</strong> utility tailored to
be used with Cuckoo Sandbox. This release brings a couple of really neat
features and enhancements:</p>
<ul class="simple">
<li>32-bit and 64-bit <strong>Windows 8.1</strong> and <strong>Windows 10</strong> support.</li>
<li>Improved command-line interface.</li>
<li>Start on basic unittesting.</li>
<li><span class="caps">ISO</span> mode installation (for non-VirtualBox targets).</li>
<li>VirtualBox 5.0 and 5.1 support.</li>
<li>Many more dependencies and versions.</li>
<li>Securely download dependencies over https.</li>
</ul>
<p>Other recent changes (from version <tt class="docutils literal">0.3.13</tt> and earlier) include the
following:</p>
<ul class="simple">
<li>32-bit and 64-bit <span class="caps">IE9</span>, <span class="caps">IE10</span>, and <span class="caps">IE11</span>.</li>
<li>Windows 7 upgrade to Windows 7 <span class="caps">SP1</span>.</li>
<li>Changing the desktop wallpaper (which
<a class="reference external" href="http://cuckoo.sh/vmcloak/doge1.jpg">defaults</a>
<a class="reference external" href="http://cuckoo.sh/vmcloak/doge2.jpg">to</a>
<a class="reference external" href="http://cuckoo.sh/vmcloak/doge3.jpg">doge</a>).</li>
<li>Office 2010 support alongside the Office 2007 support.</li>
</ul>
<p>A partial list of supported dependencies (packages that may be installed in
the <span class="caps">VM</span>) goes as follows:</p>
<ul class="simple">
<li>Adobe <span class="caps">PDF</span> Reader 9.0.0 (default), 9.1.0, 9.2.0, 9.3.0, 9.3.3, 9.3.4, 9.4.0,
9.5.0, 10.1.4, 11.0.2, 11.0.3, 11.0.4, 11.0.6, 11.0.7, 11.0.8, 11.0.9, and 11.0.10.</li>
<li>Chrome</li>
<li>CuteFTP 9.0.5</li>
<li>DotNet 4.0, 4.5.1, and 4.6.1.</li>
<li>Firefox 41.0.2.</li>
<li>Flash 11.4.402.287, 11.6.602.168, 11.7.700.169 (default), 11.8.800.94,
11.8.800.174, 11.9.900.117, 11.9.900.170, 12.0.0.38, 13.0.0.182, 13.0.0.214,
14.0.0.125, 15.0.0.167, 15.0.0.189, 16.0.0.235, 18.0.0.194, 18.0.0.203,
18.0.0.209, 19.0.0.207, 19.0.0.245, and 20.0.0.228.</li>
<li>Internet Explorer 9, 10, and 11.</li>
<li>Java 7 (default), 7u1-7, 7u9-11, 7u13, 7u15, 7u17, 7u21, 7u25, 7u40, 7u45,
7u51, 7u55, 7u60, 7u65, 7u67, 7u71, 7u72, 7u75, 7u76, 7u79, 7u80, 8, 8u5,
8u11, 8u20, 8u25, 8u31, 8u40, 8u45, 8u51, 8u60, 8u65, 8u66, 8u71, 8u72,
8u73, 8u74, 8u77, 8u91, 8u92, 8u101, and 8u102.</li>
<li>Knowledge Base 2729094, 2731771, 2533623, 2670838, 2786081, 2639308,
2834140, 2882822, and 2888049.</li>
<li>Office 2007 and 2010.</li>
<li>Pillow.</li>
<li>Silverlight.</li>
<li>vcredist 2005, 2008, 2010, 2012, 2013, and 2015.</li>
<li>Windows 7 <span class="caps">SP1</span> upgrade.</li>
<li>Winrar 5.31.</li>
</ul>
<p>Although a lot of things have been added, its usage hasn’t changed much since
VMCloak 0.3, and hence the following
<a class="reference external" href="http://jbremer.org/vmcloak3">quick guide</a> is still representative.</p>