A forum for reverse engineering, OS internals and malware analysis 

Ask your beginner questions here.
 #32934  by ekt0
 Mon May 20, 2019 12:51 pm
Hello,

I am using IDA Pro 7.0.
I am seeing weird behaviour with IDAPython. I need to allocate some memory in order to execute the malware's shellcode from my IDAPython script. I was trying to call VirtualAlloc through ctypes, but it only returns 0 (which is unusable, of course). It only happens when I execute it in IDA:
```
Python>import ctypes
Python>ctypes.windll.kernel32.VirtualAlloc(0,192,0x1000,0)
0
```
Have you ever encountered this issue?

ekt0
 #32935  by EP_X0FF
 Mon May 20, 2019 4:49 pm
If the VirtualAlloc params are what you supplied, then it is an invalid call due to the Protect flag you set to 0. If you want to execute something, it should be at least PAGE_EXECUTE_READWRITE, assuming you will do Read/Write to that region next.
 #32941  by ekt0
 Thu May 23, 2019 1:24 pm
That's a good point, I forgot to add the flag in my example. However, I do use the flag PAGE_EXECUTE_READWRITE in my script. Executing VirtualAlloc with those parameters works well when executed in a Python interpreter, outside of IDA.

If you don't have the same issue as I do, can you provide the version number of the IDA you are using, please?

Thanks.
 #32948  by EP_X0FF
 Sat May 25, 2019 7:26 am
I don't have any script. If this API fails, then look at the GetLastError result value after the failed call.
 #32949  by ekt0
 Sat May 25, 2019 9:38 am
If you want to check if you have the same issue, just execute the following lines on IDA's Python command line (assuming you have IDAPython):
```python
import ctypes
lpAddress = 0
size = 0x100
flAllocationType = 0x1000   # MEM_COMMIT
flProtect = 0x40            # PAGE_EXECUTE_READWRITE
mem = ctypes.windll.kernel32.VirtualAlloc(lpAddress, size, flAllocationType, flProtect)
if mem == 0:
    print("KO")
else:
    print("OK")
```
That prints KO for me.

Workaround
So, I found out that when I set the argument types myself, it actually works. I don't really understand why, though. GetLastError outputs an Invalid Handle message. Also, I have exactly the same behaviour between IDA and IDA64.
Here is how I "fixed" the issue:
```python
import ctypes
from ctypes import wintypes

# Untyped call: ctypes guesses that every argument is a C int.
print(hex(ctypes.windll.kernel32.VirtualAlloc(0, 192, 0x1000, 0x40)))
# Result: 0x0, which is wrong

# Declare the prototype: LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect.
ctypes.windll.kernel32.VirtualAlloc.argtypes = (wintypes.LPVOID, ctypes.c_size_t, wintypes.DWORD, wintypes.DWORD)
# Declare the return type too, otherwise a 64-bit base address is truncated to a C int in IDA64.
ctypes.windll.kernel32.VirtualAlloc.restype = wintypes.LPVOID
print(hex(ctypes.windll.kernel32.VirtualAlloc(0, 192, 0x1000, 0x40)))
# Result: 0x5bbb0000, which is fine
```
I would be curious to know if you guys have the same issue.
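As an added example (not ekt0's or IDA's code), here is the same call with a complete prototype, restype included, that hands back the GetLastError value EP_X0FF suggested checking, together with a platform-independent illustration of what an undeclared prototype does to a returned pointer. The memchr call (msvcrt on Windows, libc elsewhere) is my assumption, chosen only because it returns a pointer whose correct value is known in advance.

```python
import ctypes
import sys

MEM_COMMIT = 0x1000            # the flAllocationType value used in the thread
MEM_RELEASE = 0x8000
PAGE_EXECUTE_READWRITE = 0x40  # the flProtect value used in the thread


def declare(fn, restype, argtypes):
    """Attach a full C prototype to a ctypes function object and return it.

    Without argtypes ctypes passes every Python int as a C int; without restype
    it truncates the return value to a C int. In a 64-bit process both guesses
    mangle pointers (the LPVOID lpAddress argument, the returned base address).
    """
    fn.restype = restype
    fn.argtypes = argtypes
    return fn


def pointer_truncation_demo():
    """Call memchr on a constructed buffer twice: undeclared (as in the failing
    calls above) and declared. Returns (expected, undeclared, declared)."""
    crt = ctypes.cdll.msvcrt if sys.platform == "win32" else ctypes.CDLL(None)
    buf = ctypes.create_string_buffer(b"hello")           # constructed input
    expected = ctypes.addressof(buf) + 2                  # address of the first 'l'
    lazy = crt.memchr(buf, ord("l"), ctypes.c_size_t(5))  # restype defaults to c_int
    typed = declare(crt.memchr, ctypes.c_void_p,
                    (ctypes.c_void_p, ctypes.c_int, ctypes.c_size_t))
    proper = typed(buf, ord("l"), 5)                      # full-width pointer back
    return expected, lazy, proper


def alloc_rwx_windows(size):
    """Windows only: VirtualAlloc with argtypes and restype set. Returns
    (base address, 0) or (None, GetLastError value) and releases the region."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    valloc = declare(k32.VirtualAlloc, ctypes.c_void_p,
                     (ctypes.c_void_p, ctypes.c_size_t, ctypes.c_uint32, ctypes.c_uint32))
    vfree = declare(k32.VirtualFree, ctypes.c_int,
                    (ctypes.c_void_p, ctypes.c_size_t, ctypes.c_uint32))
    addr = valloc(None, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE)
    if not addr:
        return None, ctypes.get_last_error()  # ctypes.FormatError(code) gives the text
    vfree(addr, 0, MEM_RELEASE)               # demo only: hand the region straight back
    return addr, 0
```

The undeclared memchr result agrees with the declared one only in its low 32 bits, which is exactly the kind of damage an unset restype does to a 64-bit base address from VirtualAlloc.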
 #32950  by R136a1
 Sat May 25, 2019 10:28 am
ekt0 wrote: Sat May 25, 2019 9:38 am If you want to check if you have the same issue, just execute the following lines on IDA's Python command line (assuming you have IDAPython): [...]

All these examples work for me. Which Python and IDAPython versions are you using?
 #32956  by R136a1
 Sun May 26, 2019 10:58 am
You're on Windows 10, right?

I have tested your setup on Windows 7 and Windows 10 and can confirm. On Windows 7, all of the above examples work. On Windows 10, only the last example works. I have also tested the latest IDA Pro (7.2) on Windows 10 and it suffers from the same issue. I guess the bug is in IDAPython, though, but I'm not really sure.
 #32957  by ekt0
 Sun May 26, 2019 5:38 pm
Yep, Windows 10! I thought about that too, but I was too lazy to set up a Win7 VM. Weird bug. Maybe I should contact them about it in case it's because of IDAPython; I don't know how, though.