Add new APIs mpengine.dll requires. #119
I've just tested it with eicar.com and it successfully detects it. Good job! I'm getting a segfault with another test case though:
Have you encountered this behavior with some of your test cases? I can also see different APIs that need to be implemented. For example, right before the SEH chain gets triggered, I can see the following:
and also:
I have to investigate this and try to implement what's missing.
Just tested a few more binaries. A couple that definitely should be picked up by Defender as malicious were not, and another did end up segfaulting in the same way mentioned here. Even stranger, the segfault occurred within RW heap memory, not the mapped DLL's memory. That seems, at least to me, indicative that the VirtualProtect call should get a bit of attention first.
I agree with you this is most likely related to Defender's behavioural analysis. I wouldn't be surprised by knowing that it uses RWX memory to emulate the samples.
On Thu, 27 Mar 2025, 14:58 WaffleSec wrote:
> Just tested a few more binaries. A couple that definitely should be picked
> up by Defender as malicious were not, and another did end up segfaulting in
> the same way mentioned here. Even stranger, the segfault occurred within RW
> heap memory, not the mapped DLL's memory. That seems, at least to me,
> indicative that the VirtualProtect call should get a bit of attention first.
> I'll try to dig into this more later today if I have time. I'm curious if
> this has to do with Defender's behavioral analysis, I'm not sure why else
> it would be trying to execute from the heap, unless there's a logic error
> happening due to the unimplemented calls.
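The VirtualProtect point raised in the thread above, as an added example that is not part of the discussion and not loadlibrary's own code: a hypothetical mock that translates the Win32 PAGE_* constants into mprotect() bits, page-aligns the range the way Windows does, and reads the previous protection from /proc/self/maps, so a read/write page that a DLL flips to executable actually becomes executable instead of faulting. The names MockVirtualProtect, win_prot_to_posix and current_posix_prot are assumptions.

```c
/* Hypothetical VirtualProtect mock (added example, not loadlibrary's own code):
 * maps Win32 PAGE_* values onto mprotect() bits so a DLL that marks heap memory
 * executable before jumping into it no longer faults on a read/write page. */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>
enum { PAGE_NOACCESS = 0x01, PAGE_READONLY = 0x02, PAGE_READWRITE = 0x04,
       PAGE_EXECUTE = 0x10, PAGE_EXECUTE_READ = 0x20, PAGE_EXECUTE_READWRITE = 0x40 };
/* Win32 protection -> POSIX prot; -1 for values not modelled (e.g. PAGE_WRITECOPY).
 * Modifier bits above 0xff such as PAGE_GUARD are ignored. */
int win_prot_to_posix(uint32_t win)
{
    switch (win & 0xff) {
    case PAGE_NOACCESS:          return PROT_NONE;
    case PAGE_READONLY:          return PROT_READ;
    case PAGE_READWRITE:         return PROT_READ | PROT_WRITE;
    case PAGE_EXECUTE:           return PROT_EXEC;
    case PAGE_EXECUTE_READ:      return PROT_READ | PROT_EXEC;
    case PAGE_EXECUTE_READWRITE: return PROT_READ | PROT_WRITE | PROT_EXEC;
    default:                     return -1;
    }
}
/* Reverse map indexed by PROT_READ|PROT_WRITE|PROT_EXEC (1|2|4); write-only maps to RW. */
static const uint32_t posix_to_win[8] = {
    PAGE_NOACCESS, PAGE_READONLY, PAGE_READWRITE, PAGE_READWRITE,
    PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_READWRITE };
/* Current prot of the mapping holding addr (from /proc/self/maps), so the mock
 * can report a truthful old protection; -1 if the address is not mapped. */
int current_posix_prot(uintptr_t addr)
{
    FILE *f = fopen("/proc/self/maps", "r");
    char line[256], p[5]; unsigned long lo, hi; int prot = -1;
    while (f && prot < 0 && fgets(line, sizeof line, f))
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, p) == 3 && addr >= lo && addr < hi)
            prot = (p[0] == 'r') * PROT_READ | (p[1] == 'w') * PROT_WRITE | (p[2] == 'x') * PROT_EXEC;
    if (f) fclose(f);
    return prot;
}
/* The mock: page-align the range as Windows does, apply it, return a Win32 BOOL. */
int MockVirtualProtect(void *addr, size_t size, uint32_t newprot, uint32_t *oldprot)
{
    uintptr_t ps = (uintptr_t)sysconf(_SC_PAGESIZE), base = (uintptr_t)addr & ~(ps - 1);
    size_t len = (((uintptr_t)addr + size + ps - 1) & ~(ps - 1)) - base;
    int prot = win_prot_to_posix(newprot), old = current_posix_prot(base);
    if (prot < 0 || old < 0 || mprotect((void *)base, len, prot) != 0) return 0;
    if (oldprot) *oldprot = posix_to_win[old & 7];
    return 1;
}
```

A real loader would additionally track the protection of pages it mapped itself rather than re-parsing /proc/self/maps on every call; the parse is kept here so the example stays self-contained.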
A little update on the 64-bit branch: I managed to debug a nasty uninitialized memory issue, the root cause of which was that loadlibrary/peloader/winapi/Locale.c Line 62 in c739d23
This meant that the compiler clobbered a register that The point is that this PR should probably be updated so all mock APIs are declared as (This comment was made possible by rr and ASAN)
Ok, thanks for pointing this out. I merged @WaffleSec's PR into this branch for testing and fixed the APIs that were missing the I still get the same behavior though (
I've mocked a couple of the missing APIs in this commit: v-p-b@37866a4
Newer versions of mpengine.dll require some additional APIs not included in the current iteration of loadlibrary. This PR addresses missing API stubs.