Hello all,

I am developing extensions for ClamAV (at least that's my objective!) and was doing some preliminary tests with UPX. This is my test procedure:

1) compile a simple exe on Windows + MinGW with a single main function call and no stdout: clean.exe
2) upx clean.exe -o clean.upx.exe
3) run clamav and retrieve the unpacked file:

LibClamAV debug: EntryPoint offset: 0x14d0 (5328)
LibClamAV debug: Bytecode executing hook id 259 (1 hooks)
LibClamAV debug: Bytecode: no logical signature matched, no bytecode executed
LibClamAV debug: UPX/FSG/MEW: empty section found - assuming compression
LibClamAV debug: UPX: Looks like a NRV2B decompression routine
LibClamAV debug: UPX: UPX1 seems skewed by 21 bytes
LibClamAV debug: UPX: PE structure rebuilt from compressed file
LibClamAV debug: UPX: Successfully decompressed
LibClamAV debug: UPX/FSG: Decompressed data saved in /var/tmp/clam/clamav-6707cc60ae0369dcc51b58d58af8bbdf

4) attempt to run the unpacked file, getting a massive page fault (tested both on Wine and on Windows, not in a virtual machine); see the output at the bottom of the email.

My question: is this normal behavior? I was kind of expecting a clean dumped file, because I have to do some static analysis on the dumped output.

I have put the test files in this shared folder in case somebody wants to replicate my output: https://www.dropbox.com/sh/uzvzilslhlop8jv/wyDr1qe8Y6

ClamAV version (installed from apt-get): ClamAV 0.97.8/17955/Fri Oct 11 03:44:05 2013

Stack trace of the unpacked file follows:

wine clean.unpacked.exe
wine: Unhandled page fault on read access to 0x00006250 at address 0x6250 (thread 0009), starting debugger...
Unhandled exception: page fault on read access to 0x00006250 in 32-bit code (0x00006250).
Register dump:
 CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b
 EIP:00006250 ESP:0060fe54 EBP:0060fe88 EFLAGS:00010212(  R- --  I  -A- - )
 EAX:00000000 EBX:7b894ff4 ECX:0060fef0 EDX:0060fef0
 ESI:7ffdf000 EDI:00401280
Stack dump:
0x0060fe54:  00401290 00000001 f7693a2e 00000000
0x0060fe64:  00000000 00000000 00000000 00000000
0x0060fe74:  7b859ddc 7ffdf000 7bc4bd4a 7b894ff4
0x0060fe84:  7ffdf000 0060fec8 7b85b04f 7ffdf000
0x0060fe94:  00401280 00000000 00000000 00000000
0x0060fea4:  00000000 00000000 00000000 00000000
000c: sel=0067 base=00000000 limit=00000000 16-bit r-x
Backtrace:
=>0 0x00006250 (0x0060fe88)
  1 0x7b85b04f in kernel32 (+0x4b04e) (0x0060fec8)
  2 0x7bc71d90 call_thread_func_wrapper+0xb() in ntdll (0x0060fed8)
  3 0x7bc7486d call_thread_func+0x7c() in ntdll (0x0060ffa8)
  4 0x7bc71d6e RtlRaiseException+0x21() in ntdll (0x0060ffc8)
  5 0x7bc49f4e call_dll_entry_point+0x61d() in ntdll (0x0060ffe8)
0x00006250: -- no code accessible --
Modules:
Module    Address            Debug info  Name (19 modules)
PE    400000-  40d000    Deferred        clean.unpacked
ELF  7b800000-7ba29000   Dwarf           kernel32<elf>
  \-PE  7b810000-7ba29000   \               kernel32
ELF  7bc00000-7bcc3000   Dwarf           ntdll<elf>
  \-PE  7bc10000-7bcc3000   \               ntdll
ELF  7bf00000-7bf04000   Deferred        <wine-loader>
ELF  7ed47000-7ed66000   Deferred        libtinfo.so.5
ELF  7ed66000-7ed88000   Deferred        libncurses.so.5
ELF  7efa1000-7efbb000   Deferred        libnsl.so.1
ELF  7efbb000-7efe7000   Deferred        libm.so.6
ELF  7efe7000-7eff4000   Deferred        libnss_files.so.2
ELF  7eff4000-7f000000   Deferred        libnss_nis.so.2
ELF  f74a2000-f74ab000   Deferred        libnss_compat.so.2
ELF  f74ac000-f74b1000   Deferred        libdl.so.2
ELF  f74b1000-f765a000   Deferred        libc.so.6
ELF  f765b000-f7676000   Deferred        libpthread.so.0
ELF  f768f000-f77d1000   Dwarf           libwine.so.1
ELF  f77d3000-f77f5000   Deferred        ld-linux.so.2
ELF  f77f5000-f77f6000   Deferred        [vdso].so
Threads:
process  tid      prio (all id:s are in hex)
00000008 (D) Z:\home\epokh\Documents\Cyclomatic\clean.unpacked.exe
    00000009    0 <==
0000000e services.exe
    0000001f    0
    0000001e    0
    00000018    0
    00000017    0
    00000015    0
    00000010    0
    0000000f    0
00000012 winedevice.exe
    0000001c    0
    00000019    0
    00000014    0
    00000013    0
0000001a plugplay.exe
    00000020    0
    0000001d    0
    0000001b    0
00000021 explorer.exe
    00000022    0
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net
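A check worth running on a dumped PE before executing it, added here as an example and not part of the original post or of ClamAV's own code: parse the PE headers of the dump and confirm that AddressOfEntryPoint resolves into the image, into a section, and onto bytes that are actually present in the file. In the trace above the fault is at 0x6250, below the module's mapped range 0x400000-0x40d000, and the debug log mentions an empty section, so both conditions are worth testing on the dump. The script constructs its own minimal PE32 images for illustration; all function names are the example's own, and the constructed sections are not taken from clean.exe.

```python
import struct

# IMAGE_OPTIONAL_HEADER field offsets (shared by PE32/PE32+ unless noted)
OPT_MAGIC, OPT_ENTRY, OPT_IMAGEBASE64, OPT_IMAGEBASE32 = 0, 16, 24, 28
OPT_SECTION_ALIGN, OPT_FILE_ALIGN, OPT_SIZEOFIMAGE, OPT_SIZEOFHEADERS = 32, 36, 56, 60
SECTION_HEADER_SIZE = 40


def parse_pe(data: bytes) -> dict:
    """Read the header fields needed to see where the entry point lands."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsect = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt + OPT_MAGIC)[0]
    if magic == 0x10B:      # PE32
        image_base = struct.unpack_from("<I", data, opt + OPT_IMAGEBASE32)[0]
    elif magic == 0x20B:    # PE32+
        image_base = struct.unpack_from("<Q", data, opt + OPT_IMAGEBASE64)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry = struct.unpack_from("<I", data, opt + OPT_ENTRY)[0]
    size_of_image = struct.unpack_from("<I", data, opt + OPT_SIZEOFIMAGE)[0]
    sections = []
    for i in range(nsect):
        off = opt + opt_size + i * SECTION_HEADER_SIZE
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append(dict(name=name, vaddr=vaddr, vsize=vsize, rawsize=rawsize, rawptr=rawptr))
    return dict(entry=entry, image_base=image_base, size_of_image=size_of_image, sections=sections)


def check_entry_point(data: bytes) -> dict:
    """Does AddressOfEntryPoint fall inside the image, inside a section, and on bytes present in the file?"""
    pe = parse_pe(data)
    entry = pe["entry"]
    hit = None
    for s in pe["sections"]:
        if s["vaddr"] <= entry < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            hit = s
            break
    # An entry inside a section with zero raw size (an empty/BSS-style section) points at memory
    # the loader zero-fills: there is no code there to execute.
    has_raw_bytes = hit is not None and (entry - hit["vaddr"]) < hit["rawsize"]
    in_image = entry < pe["size_of_image"]
    return dict(
        entry_rva=entry,
        entry_va=pe["image_base"] + entry,
        in_image=in_image,
        section=hit["name"] if hit else None,
        has_raw_bytes=has_raw_bytes,
        ok=in_image and has_raw_bytes,
    )


# Constructed sample layout: (name, VirtualAddress, VirtualSize, SizeOfRawData)
SAMPLE_SECTIONS = [
    (b".text", 0x1000, 0x1000, 0x200),
    (b".data", 0x2000, 0x1000, 0x200),
    (b".bss", 0x3000, 0x1000, 0),      # empty section, like the one the ClamAV log reports
]


def build_sample_pe(entry_rva: int, sections=SAMPLE_SECTIONS) -> bytes:
    """Build a minimal, constructed PE32 image for exercising the checker (not a real program)."""
    file_align, image_base, opt_size = 0x200, 0x400000, 0xE0
    hdr_len = 0x40 + 4 + 20 + opt_size + len(sections) * SECTION_HEADER_SIZE
    size_of_headers = (hdr_len + file_align - 1) // file_align * file_align
    size_of_image = max(vaddr + vsize for _, vaddr, vsize, _ in sections)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, OPT_MAGIC, 0x10B)
    struct.pack_into("<I", opt, OPT_ENTRY, entry_rva)
    struct.pack_into("<I", opt, OPT_IMAGEBASE32, image_base)
    struct.pack_into("<I", opt, OPT_SECTION_ALIGN, 0x1000)
    struct.pack_into("<I", opt, OPT_FILE_ALIGN, file_align)
    struct.pack_into("<I", opt, OPT_SIZEOFIMAGE, size_of_image)
    struct.pack_into("<I", opt, OPT_SIZEOFHEADERS, size_of_headers)
    headers, body = b"", b""
    for name, vaddr, vsize, rawsize in sections:
        rawptr = size_of_headers + len(body) if rawsize else 0
        headers += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, 0x60000020)
        body += b"\xC3" * rawsize          # filler bytes, not real code
    image = (dos + b"PE\0\0" + coff + bytes(opt) + headers).ljust(size_of_headers, b"\0")
    return image + body


if __name__ == "__main__":
    # Three constructed cases: entry in .text, entry outside the image, entry in the empty section
    for rva in (0x1010, 0x6250, 0x3000):
        print(hex(rva), check_entry_point(build_sample_pe(rva)))
```

To use it on a real dump, replace build_sample_pe(...) with the bytes of the file ClamAV wrote under /var/tmp/clam and look at the "section" and "has_raw_bytes" fields; an entry that resolves to no section, or to one with no raw bytes, is a header problem to sort out in the static analysis rather than something to run.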