Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Log parsing issue? #891

Open
xme opened this issue May 20, 2024 · 1 comment
Open

Log parsing issue? #891

xme opened this issue May 20, 2024 · 1 comment
Labels
bug Something isn't working

Comments

@xme
Copy link

xme commented May 20, 2024

Describe the bug

I got this error after some analysis:

May 20 23:51:38 malawi drak-postprocess[621]: b'{"Plugin":"sysret","TimeStamp":"1716241755.143929","PID":3120,"PPID":1720,"TID":2976,"UserName":"SessionID","UserId":0,"ProcessName":"\\\\Device\\\\HarddiskVolume2\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v4.0.30319\\\\mscorsvw.exe","Method":"09\xaa\xbd,V","EventUID":"0x48910e","Module":"win32k","vCPU":0,"CR3":"0x18fb8000","Syscall":632,"Ret":1,"Info":"STATUS_WAIT_1"}\n'
May 20 23:51:38 malawi drak-postprocess[621]: Traceback (most recent call last):
May 20 23:51:38 malawi drak-postprocess[621]:   File "/opt/venvs/drakcore/lib/python3.8/site-packages/drakcore/postprocess/drakparse.py", line 205, in parse_logs
May 20 23:51:38 malawi drak-postprocess[621]:     line_obj = json.loads(line, strict=False)
May 20 23:51:38 malawi drak-postprocess[621]:   File "/usr/lib/python3.8/json/__init__.py", line 343, in loads
May 20 23:51:38 malawi drak-postprocess[621]:     s = s.decode(detect_encoding(s), 'surrogatepass')
May 20 23:51:38 malawi drak-postprocess[621]: UnicodeDecodeError: 'utf-8' codec can't decode byte 0xaa in position 236: invalid start byte

How to reproduce
Submit a file to the sandbox.

@xme xme added the bug Something isn't working label May 20, 2024
@psrok1
Copy link
Member

psrok1 commented May 28, 2024

Hi! It seems that drak-postprocess doesn't like that part: "Method":"09\xaa\xbd,V"

I see that it shouldn't affect the rest of log processing, because drak-postpostprocess will just omit this line as a part of exception handling (https://github.com/CERT-Polska/drakvuf-sandbox/blob/master/drakcore/drakcore/postprocess/drakparse.py#L205).

Is it real, obfuscated method name in that .NET malware?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

2 participants