MemZipLoader won't load
Hi, and THANK YOU VERY MUCH for that plugin, I also get annoyed by McAfee whenever reversing binaries, and popping a full VM just to unpack generic malware is annoying.
I downloaded the archive and ran the following script:

```powershell
Expand-Archive .\BinaryPackage.zip
cp .\BinaryPackage\MemoryLoader.dll 'C:\Program Files\IDA Pro 7.5\'
cp .\BinaryPackage\MemoryLoader64.dll 'C:\Program Files\IDA Pro 7.5\'
cp .\BinaryPackage\MemZipLoader.dll 'C:\Program Files\IDA Pro 7.5\loaders\'
cp .\BinaryPackage\MemZipLoader64.dll 'C:\Program Files\IDA Pro 7.5\loaders\'
cp .\BinaryPackage\UrlLoader.dll 'C:\Program Files\IDA Pro 7.5\loaders\'
cp .\BinaryPackage\UrlLoader64.dll 'C:\Program Files\IDA Pro 7.5\loaders\'
```
Integrity check:

```powershell
gci -r 'C:\Program Files\IDA Pro 7.5\' | ? Name -IMatch "(Memory|URL|MemZip)Loader(64|).dll" | % {Get-FileHash $_.fullname} | select hash, path
```

```
PS C:\tmp> gci -r 'C:\Program Files\IDA Pro 7.5\' | ? Name -IMatch "(Memory|URL|MemZip)Loader(64|).dll" | % {Get-FileHash $_.fullname} | select hash, path

Hash                                                             Path
----                                                             ----
4DEC6D0FA09EABBC2358BEDC8B4E239198D78FAF96F4505846061F6CFA0B2DB3 C:\Program Files\IDA Pro 7.5\MemoryLoader.dll
330A217D92D3C1C39E4431C7ABC48D01C69F379960F6902FE36C9BE3C4F528C6 C:\Program Files\IDA Pro 7.5\MemoryLoader64.dll
786BF93D2500B47D3C3C3590EF9ED2AA40AEC2F2B39CC2939DE09B4E70C806A0 C:\Program Files\IDA Pro 7.5\loaders\MemZipLoader.dll
5E3A410ED5D6273C509D091D4D1FE386947E88B58C0A2722A1FF46B9FBD2BA27 C:\Program Files\IDA Pro 7.5\loaders\MemZipLoader64.dll
C45ED73B96C3FE96AB8907D1EBA80512948A697A831A646BC985A2C024E0C2D5 C:\Program Files\IDA Pro 7.5\loaders\UrlLoader.dll
5724D32F520F390DA68D6B61F3C3F49511F54BF2B1C21C9DCE2EA5EA7F508D3B C:\Program Files\IDA Pro 7.5\loaders\UrlLoader64.dll
```
When loading IDA Pro, I only see the UrlLoader being loaded; the MemZipLoader isn't loaded:

```
Possible file format: UrlLoader (C:\Program Files\IDA Pro 7.5\loaders\UrlLoader64.dll)
Possible file format: ZIP (C:\Program Files\IDA Pro 7.5\loaders\archldr_zip64.dll)
    bytes   pages  size  description
---------  ------  ----  --------------------------------------------
  2048000     250  8192  allocating memory for b-tree...
  2048000     250  8192  allocating memory for virtual array...
   262144      32  8192  allocating memory for name pointers...
-----------------------------------------------------------------
  4358144  total memory allocated
```
I am using IDA Pro 7.5.201028.

I'm willing to provide assistance to diagnose this on request, thanks again.
Same with IDA Pro 7.6.210427:

```
PS C:\tmp> Expand-Archive .\BinaryPackage.zip
PS C:\tmp> cp .\BinaryPackage\MemoryLoader.dll 'C:\Program Files\IDA Pro 7.6\'
PS C:\tmp> cp .\BinaryPackage\MemoryLoader64.dll 'C:\Program Files\IDA Pro 7.6\'
PS C:\tmp> cp .\BinaryPackage\MemZipLoader.dll 'C:\Program Files\IDA Pro 7.6\loaders\'
PS C:\tmp> cp .\BinaryPackage\MemZipLoader64.dll 'C:\Program Files\IDA Pro 7.6\loaders\'
PS C:\tmp> cp .\BinaryPackage\UrlLoader.dll 'C:\Program Files\IDA Pro 7.6\loaders\'
PS C:\tmp> cp .\BinaryPackage\UrlLoader64.dll 'C:\Program Files\IDA Pro 7.6\loaders\'
...
Possible file format: UrlLoader (C:\Program Files\IDA Pro 7.6\loaders\UrlLoader64.dll)
Possible file format: ZIP (C:\Program Files\IDA Pro 7.6\loaders\archldr_zip64.dll)
```
Hi, can you please run IDA with the "-z" option and upload the log? I will review it and upload a fix.
- 7.5 - ida_debug_log.log
- 7.6 - ida_76.log
Relevant part (guessing), where "Possible file format" isn't reported for MemZipLoader:

```
Scanning directory 'C:\Users\username\AppData\Roaming\Hex-Rays\IDA Pro\loaders' for loaders
Scanning directory 'C:\Program Files\IDA Pro 7.5\loaders' for loaders
Loading C:\Program Files\IDA Pro 7.5\loaders\MemZipLoader.dll...
Calling accept_file()
Loading C:\Program Files\IDA Pro 7.5\loaders\UrlLoader.dll...
Calling accept_file()
Possible file format: UrlLoader (C:\Program Files\IDA Pro 7.5\loaders\UrlLoader.dll)
Loading C:\Program Files\IDA Pro 7.5\loaders\aif.dll...
Calling accept_file()
Loading C:\Program Files\IDA Pro 7.5\loaders\amiga.dll...
Calling accept_file()
Loading C:\Program Files\IDA Pro 7.5\loaders\aof.dll...
Calling accept_file()
Loading C:\Program Files\IDA Pro 7.5\loaders\aout.dll...
Calling accept_file()
Loading C:\Program Files\IDA Pro 7.5\loaders\archldr_zip.dll...
Calling accept_file()
Possible file format: ZIP (C:\Program Files\IDA Pro 7.5\loaders\archldr_zip.dll)
Loading C:\Program Files\IDA Pro 7.5\loaders\bochsrc.dll...
Calling accept_file()
Loading C:\Program Files\IDA Pro 7.5\loaders\coff.dll...
Calling accept_file()
```
Ok, I think I figured it out. Maybe the zip format you selected is not supported. On my PC this ZIP, for example, works great.
- Contains two files, both not malicious. many_files.zip
Hm, indeed these are not the same version, but it still won't load:

- your file: zip v 6.3
- VT sample files: zip v 2.0

```
$ unzip -v ~/tmp/many_files\ \(1\).zip
Archive:  /home/user/tmp/many_files (1).zip
  Length   Method    Size  Cmpr    Date    Time   CRC-32   Name
--------  ------  ------- ---- ---------- ----- --------  ----
   65536  Defl:N    28249  57% 2018-09-15 09:28 655cd14b  amsi.dll
   43224  Defl:N    22840  47% 2020-11-04 15:28 3f548079  PROCEXP152.SYS
--------          -------  ---                            -------
  108760            51089  53%                            2 files

$ unzip -Z ~/tmp/many_files\ \(1\).zip
Archive:  /home/user/tmp/many_files (1).zip
Zip file size: 51403 bytes, number of entries: 2
-rw-a--     6.3 fat    65536 Bx defN 18-Sep-15 09:28 amsi.dll
-rw-a--     6.3 fat    43224 Bx defN 20-Nov-04 15:28 PROCEXP152.SYS
2 files, 108760 bytes uncompressed, 51089 bytes compressed:  53.0%

$ unzip -Z malware.zip
Archive:  malware.zip
Zip file size: 512371 bytes, number of entries: 1
-rw----     2.0 fat   894976 Bl defN 80-000-00 00:00 084659a92ed6499bf391534e649f3cf620b9405f7c03ef8c7a1fa35f8b9caa64
1 file, 894976 bytes uncompressed, 512117 bytes compressed:  42.8%

$ unzip -v malware.zip
Archive:  malware.zip
  Length   Method    Size  Cmpr    Date    Time   CRC-32   Name
--------  ------  ------- ---- ---------- ----- --------  ----
  894976  Defl:N   512117  43% 1980-00-00 00:00 a14d6fe5  084659a92ed6499bf391534e649f3cf620b9405f7c03ef8c7a1fa35f8b9caa64
--------          -------  ---                            -------
  894976           512117  43%                            1 file
```
IDA logs:

```
Possible file format: UrlLoader (C:\Program Files\IDA Pro 7.6\loaders\UrlLoader64.dll)
Possible file format: ZIP (C:\Program Files\IDA Pro 7.6\loaders\archldr_zip64.dll)
    bytes   pages  size  description
---------  ------  ----  --------------------------------------------
   524288      64  8192  allocating memory for b-tree...
   204800      25  8192  allocating memory for virtual array...
   262144      32  8192  allocating memory for name pointers...
-----------------------------------------------------------------
   991232  total memory allocated
Loading processor module C:\Program Files\IDA Pro 7.6\procs\pc64.dll for metapc...Initializing processor module metapc...OK
Autoanalysis subsystem has been initialized.
Unloading IDP module C:\Program Files\IDA Pro 7.6\procs\pc64.dll...
```
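The two `unzip -Z` listings above differ in the `6.3 fat` / `2.0 fat` column, and it helps to know exactly which field that is. The script below is an added example, not code from this thread or from the Memloader project: it walks a ZIP's central directory directly and reports, per entry, both the "version made by" field (what `unzip -Z` prints: the creating tool's spec level in the low byte and the host code in the high byte, `fat` being host 0) and the "version needed to extract" field, which is the one a reader actually has to support. It also decodes the DOS timestamp without validation, so an all-zero field comes out as year 1980, month 0, day 0, the same thing `unzip` rendered as `80-000-00` above. The archive it parses is constructed in memory with Python's `zipfile` module; the entry names and the stamped 2.0 and 6.3 creator versions are assumptions chosen to mirror the two archives compared in this thread.

```python
import io
import struct
import zipfile

CEN_SIG = b"PK\x01\x02"   # central directory file header signature
EOCD_SIG = b"PK\x05\x06"  # end of central directory record signature
# Subset of the APPNOTE "version made by" host codes; unzip -Z prints these abbreviations.
HOST_NAMES = {0: "fat", 3: "unx", 10: "ntf", 19: "osx"}


def _find_eocd(data: bytes) -> int:
    # The EOCD record is 22 bytes and may be followed by up to 65535 bytes of
    # archive comment, so search backwards from the end over that window only.
    start = max(0, len(data) - 22 - 65535)
    idx = data.rfind(EOCD_SIG, start)
    if idx < 0:
        raise ValueError("no end-of-central-directory record found")
    return idx


def dos_datetime(dos_date: int, dos_time: int) -> tuple:
    # MS-DOS packed date/time, decoded without range checks: an all-zero field
    # yields (1980, 0, 0, 0, 0, 0), which unzip prints as "80-000-00 00:00".
    return (1980 + (dos_date >> 9), (dos_date >> 5) & 0xF, dos_date & 0x1F,
            dos_time >> 11, (dos_time >> 5) & 0x3F, (dos_time & 0x1F) * 2)


def _ver(v: int) -> str:
    # APPNOTE encodes a spec version as major*10 + minor in one byte (20 -> "2.0").
    return f"{v // 10}.{v % 10}"


def zip_entry_versions(data: bytes) -> list:
    """Walk the central directory and return one dict per entry."""
    eocd = _find_eocd(data)
    total_entries, cd_size, cd_offset = struct.unpack_from("<HII", data, eocd + 10)
    if cd_offset + cd_size > eocd:
        raise ValueError("central directory extends past the EOCD record")
    entries = []
    pos = cd_offset
    for _ in range(total_entries):
        if data[pos:pos + 4] != CEN_SIG:
            raise ValueError(f"bad central directory signature at offset {pos}")
        (made_by, needed, flags, method, mtime, mdate, _crc, _csize, usize,
         name_len, extra_len, comment_len) = struct.unpack_from("<HHHHHHIIIHHH", data, pos + 4)
        encoding = "utf-8" if flags & 0x800 else "cp437"   # bit 11 = UTF-8 names
        name = data[pos + 46:pos + 46 + name_len].decode(encoding)
        entries.append({
            "name": name,
            "made_by": _ver(made_by & 0xFF),                          # creator's spec level
            "host": HOST_NAMES.get(made_by >> 8, str(made_by >> 8)),  # creator's host OS
            "needed": _ver(needed & 0xFF),                            # reader must support this
            "needed_raw": needed & 0xFF,
            "method": method,                                         # 8 = deflate
            "size": usize,
            "mtime": dos_datetime(mdate, mtime),
        })
        pos += 46 + name_len + extra_len + comment_len
    return entries


def max_version_needed(entries: list) -> str:
    """Highest 'version needed to extract' across all entries, e.g. "2.0"."""
    return _ver(max((e["needed_raw"] for e in entries), default=0))


def build_sample_zip() -> bytes:
    """Constructed two-entry archive: one entry stamped as made by a 2.0 tool and
    one stamped 6.3, both only needing 2.0 to extract (deflate, no ZIP64)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, create_version in (("old_tool.bin", 20), ("new_tool.bin", 63)):
            zi = zipfile.ZipInfo(name, date_time=(2020, 11, 4, 15, 28, 0))
            zi.compress_type = zipfile.ZIP_DEFLATED
            zi.create_system = 0                 # host code 0 = "fat", as in the thread
            zi.create_version = create_version   # assumed creator version for the demo
            zf.writestr(zi, b"A" * 4096)
    return buf.getvalue()


if __name__ == "__main__":
    entries = zip_entry_versions(build_sample_zip())
    for e in entries:
        y, mo, d, h, mi, _ = e["mtime"]
        print(f'made-by {e["made_by"]} {e["host"]}  needs {e["needed"]}  '
              f'{e["size"]:>8}  {y:02d}-{mo:02d}-{d:02d} {h:02d}:{mi:02d}  {e["name"]}')
    print("highest version needed to extract:", max_version_needed(entries))
```

Run on a real archive with `zip_entry_versions(open(path, "rb").read())`. The useful takeaway for the comparison above is that a creator version of 6.3 does not by itself mean the archive uses features beyond 2.0; only "version needed to extract" (and the method and flag bits) tells a reader what it must implement.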
Same situation here, even with the provided zip file :(
Sorry about that, I will update you when it's fixed.
Rusetsky Roman

> On Wed, May 19, 2021, 22:10 4rchib4ld @.***> wrote:
> Same situation here, even with the provided zip file :(
Don't worry, it really should have been a native feature of IDA Pro in the beginning. Given the amount of time I had my samples deleted by the local AV I don't understand why it's still not the case though, surely we're not the only IDA Pro customers who had troubles when touching the disk.
While in theory we should always have a detonation VM handy with no AV to run IDA Pro, erm, reality is a complex thing.