-
Notifications
You must be signed in to change notification settings - Fork 234
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update requirements.txt #235
base: master
Are you sure you want to change the base?
Conversation
Derekt2
commented
Sep 6, 2023
- Relaxes requirement to have a specific version of unicorn installed.
- Allows downstream apps relying on the project to upgrade/downgrade unicorn as needed.
- addresses several CVEs impacting current unicorn version
i don't believe speakeasy works with Unicorn 2.0. have you found differently? therefore, this update should pin the unicorn version to less than 2.0. |
It still work with unicorn >= 2.0 |
great, then let's also enable CI testing for both versions so we can demonstrate this. |
i'm surprised that Speakeasy does not rely upon any Unicorn APIs or behaviors that changed in 2.0 |
Unless something is changed from pull #216, I don't think it is fully compatible. |
Just did the same tests, but I have the same behavior (payloads are "standard" Metasploit generated shellcodes) With
With
The emulation stops after |
Odd, I'm not seeing that same behavior on my system, I haven't run into a difference yet running with unicorn 2+, and was able to emulate without a segfault from VirtualAlloc using what I believe is the same payload? Are you running this on a M1 @cecio ? Here's my setup: OS: Ubuntu 20.04 x86_64 |
Very strange. No, I'm not on a M1 btw. I just retried on a completely different system (VM created on a cloud environment Ubuntu 20.04.1 LTS).
May be I'm doing something wrong...or different from you. This is the base64 of the payload if you want to try:
I'm curios about the result. |
@Derekt2 I edited my previous comment with new payload to be consistent with previous test. Try this last one in case |
My OS: Windows 10.19041 My result:
During handling of the above exception, another exception occurred: Traceback (most recent call last): During handling of the above exception, another exception occurred: Traceback (most recent call last):
I will review, debug and fix temporarily |
From my testing, it appears that the CLI works with Unicorn >= 2.0.0 but not from a Python script. Running from a Python script will cause a segmentation fault. |
Adding a little more context to my previous comment. I tested this using Unicorn 2.0.1 running in Ubuntu 22.04. It appears that the segfault occurs when running the emulation in the current process rather than a child process. The shellcode used was the sample posted by
|
mmmmh... I'm not sure: if you are using the same shellcode, even the second run is not working: you don't see the Segementation Fault, but the execution stops, since you don't see the subsequent call:
|
First impression for the shellcode provided by @cecio; the hook over here: https://github.com/binref/speakeasy/blob/master/speakeasy/windows/win32.py#L688 fires a lot more often for unicorn v2; here is a screenshot of a side-by-side comparison of logpoint messages from that function between versions 1 and 2: PS: I can also confirm that the shellcode executes fine unless |
I have traced the execution with a tool of mine under both unicorn versions; here is a trace with version 2:
and then here is one with version 1:
So it looks like it's happening at that |
The crash occurs immediately after handling
After returning from the hook, however, we lose visibility again and the next thing we see is an
Very notably, That said, all I have are these observations; I do not understand why exactly Unicorn is throwing an exception here, or how exactly that could be avoided. |
When using Unicorn v1, |
At this point, I feel like we'd really need someone who developed the Speakeasy core to weigh in on this. I know too little about the interaction between Speakeasy and Unicorn to have a good way forward. However, I also conclude that Speakeasy doesn't appear to be compatible with Unicorn v2 right now. |
@drewvis is the author, but has moved on from their role at Mandiant and may or may not be interested contributing here. Since the project occasionally provides value to people, I've preferred to keep it non-archived here on GitHub. However, if the lack of maintenance/development becomes too big of a hurdle, maybe it's better to archive and/or recommend a hard fork elsewhere? Totally open to discussion and feedback from everyone out there. |
I think there is quite a bit of value in it, I do use it regularly for triage analysis. To underline this: I did end up massaging all other dependencies in my toolkit to make it work with Unicorn v1, primarily so I can use Speakeasy as one of the emulation backends. The Speakeasy code base has around 30kloc, so taking it over from scratch is certainly not a small task and I couldn't find any already existing fork that looks like it wants to carry the torch. I'll give @drewvis some time to respond here; some support from the original author would certainly be the best case scenario. |
hey! Approach what I'm going to say with caution, because I investigated this some time ago, but I think the issue is somehow related to QEMU: Unicorn 2 switched to a new QEMU version under the hood, and I remember that I inspected the differences between the implementations and noticed that the new QEMU is now issuing SIGABRT in case of certain errors instead of trying to handle them. This leaves less space for interception and handling. TBH I don't recall if we were exactly in this situation here, but I think this can be related. If I can take some time in the next days, I'll take a look again. |