Comments (23)
This is my bad - I updated the hook for NtSetInformationProcess and failed to make sure the sigs that depend on it still work. Apologies - should be fixed in latest commit.
Thanks. These errors were fixed.
I did get the following error running an Ursnif sample. It decoded the config so not sure if it's a real issue. I'll let you decide.
```
2018-07-10 11:27:38,879 [lib.cuckoo.core.plugins] ERROR: Failed to run signature "NtCreateThreadEx":
Traceback (most recent call last):
  File "/opt/cuckoo/utils/../lib/cuckoo/core/plugins.py", line 414, in run
    result = sig.on_call(call, proc)
  File "/opt/cuckoo/utils/../modules/signatures/CAPE.py", line 517, in on_call
    ThreadCreationFlags = int(self.get_raw_argument(call, "CreateFlags"), 0)
TypeError: int() can't convert non-string with explicit base
```
Good find. Thanks for this.
Should be fixed now
Damn, actually this looks to be because I had a slightly different hook for NtCreateThreadEx for the Ursnif package. I had 'CreationFlags' to be more like the other hook creation functions, whereas the current hook has 'CreateFlags' for this argument (it's not easy to find the actual prototype; some even have this as a BOOL CreateSuspended). I have a new version of the Ursnif package in the works which has 'CreateFlags', but I will need to publish this and then switch the signature back again...
Just got back from vacation. I added the CAPE commits since July 10th and am getting the following in my logs:
```
2018-07-23 13:44:56,090 [lib.cuckoo.core.plugins] ERROR: Failed to run signature "NtCreateThreadEx":
Traceback (most recent call last):
  File "/opt/cuckoo/utils/../lib/cuckoo/core/plugins.py", line 414, in run
    result = sig.on_call(call, proc)
  File "/opt/cuckoo/utils/../modules/signatures/CAPE.py", line 527, in on_call
    ThreadCreationFlags = int(self.get_raw_argument(call, "CreationFlags"), 16)
TypeError: int() can't convert non-string with explicit base
2018-07-23 13:44:56,090 [lib.cuckoo.core.plugins] ERROR: Failed to run signature "NtCreateThreadEx":
Traceback (most recent call last):
  File "/opt/cuckoo/utils/../lib/cuckoo/core/plugins.py", line 414, in run
    result = sig.on_call(call, proc)
  File "/opt/cuckoo/utils/../modules/signatures/CAPE.py", line 527, in on_call
    ThreadCreationFlags = int(self.get_raw_argument(call, "CreationFlags"), 16)
TypeError: int() can't convert non-string with explicit base
```
I've just pushed a fix for this, but this will unfortunately mean you will get sig errors with the Ursnif package as it had a different label for the NtCreateThreadEx argument (CreationFlags) until I push an update to the Ursnif DLLs. I will try and get that done soon; I have an update in the works.
That is the error I received with the latest commits on a non-Ursnif sample. I did check the MD5s to confirm that I have the latest analyzer DLLs.
This should be fixed now (except for Ursnif package which I will update soon).
Is there an updated DLL, or just the CAPE.py file?
The majority of the DLLs already have the matching argument string 'CreateFlags'. The exception to this is the Ursnif DLLs (CreationFlags), but I have an updated version which I plan to release soon.
OK understood. Thank you.
Still getting this error.
```
2018-07-27 10:23:24,083 [lib.cuckoo.core.plugins] ERROR: Failed to run signature "NtCreateThreadEx":
Traceback (most recent call last):
  File "/opt/cuckoo/utils/../lib/cuckoo/core/plugins.py", line 414, in run
    result = sig.on_call(call, proc)
  File "/opt/cuckoo/utils/../modules/signatures/CAPE.py", line 527, in on_call
    ThreadCreationFlags = int(self.get_raw_argument(call, "CreateFlags"), 16)
TypeError: int() can't convert non-string with explicit base
```
I'm confused - you seem to be getting the errors whether it's "CreateFlags" or "CreationFlags". The hook code for NtCreateThreadEx is in https://github.com/ctxis/capemon/blob/capemon/hook_thread.c and currently has "CreateFlags", which should correlate with the signature.
I verified MD5 values for the CAPE DLLs and they match your latest build. Verified I have the latest CAPE.py. What else can I do to troubleshoot?
Can you check the behavioural logs? Search for the NtCreateThreadEx calls and see whether they are listed with 'CreateFlags' or 'CreationFlags' as the argument.
LOL. I was doing that as you were commenting.
Looks like the correct call argument. So the hook is working. Maybe something with parsing the value?
```json
{
  "category": "threading",
  "parentcaller": "0x00000000",
  "return": "0x00000000",
  "timestamp": "2018-07-27 10:35:07,734",
  "caller": "0x00000000",
  "thread_id": "2592",
  "repeated": 0,
  "api": "NtCreateThreadEx",
  "status": true,
  "arguments": [
    {
      "name": "ThreadHandle",
      "value": "0x00000258"
    },
    {
      "name": "ProcessHandle",
      "value": "0xffffffff"
    },
    {
      "name": "CreateFlags",
      "value": "0x00000003"
    },
    {
      "name": "StartAddress",
      "value": "0x77c42e65"
    }
  ],
  "id": 377
},
```
And...
```json
{
  "category": "threading",
  "parentcaller": "0x13fcc1ff9",
  "return": "0x00000000",
  "timestamp": "2018-07-27 10:35:30,510",
  "caller": "0x13fcc1a14",
  "thread_id": "2120",
  "repeated": 0,
  "api": "NtCreateThreadEx",
  "status": true,
  "arguments": [
    {
      "name": "ThreadHandle",
      "value": "0x0000013c"
    },
    {
      "name": "ProcessHandle",
      "value": "0xffffffffffffffff"
    },
    {
      "name": "CreateFlags",
      "value": "0x00000003"
    },
    {
      "name": "StartAddress",
      "value": "0x77a2aef0"
    }
  ],
  "id": 50
},
```
And...
```json
{
  "category": "threading",
  "parentcaller": "0x00411e81",
  "return": "0x00000000",
  "timestamp": "2018-07-27 10:36:12,817",
  "caller": "0x004095a9",
  "thread_id": "276",
  "repeated": 0,
  "api": "NtCreateThreadEx",
  "status": true,
  "arguments": [
    {
      "name": "ThreadHandle",
      "value": "0x00000134"
    },
    {
      "name": "ProcessHandle",
      "value": "0xffffffff"
    },
    {
      "name": "CreateFlags",
      "value": "0x00000003"
    },
    {
      "name": "StartAddress",
      "value": "0x77c42e65"
    }
  ],
  "id": 558
},
{
  "category": "threading",
  "parentcaller": "0xff7a3a19",
  "return": "0x00000000",
  "timestamp": "2018-07-27 10:36:24,938",
  "caller": "0xff7a354d",
  "thread_id": "2644",
  "repeated": 0,
  "api": "NtCreateThreadEx",
  "status": true,
  "arguments": [
    {
      "name": "ThreadHandle",
      "value": "0x000000dc"
    },
    {
      "name": "ProcessHandle",
      "value": "0xffffffffffffffff"
    },
    {
      "name": "CreateFlags",
      "value": "0x00000003"
    },
    {
      "name": "StartAddress",
      "value": "0x77a2aef0"
    }
  ],
  "id": 21
},
```
And...
```json
{
  "category": "threading",
  "parentcaller": "0x00403cd3",
  "return": "0x00000000",
  "timestamp": "2018-07-27 10:37:32,939",
  "caller": "0x00407810",
  "thread_id": "628",
  "repeated": 0,
  "api": "NtCreateThreadEx",
  "status": true,
  "arguments": [
    {
      "name": "ThreadHandle",
      "value": "0x00000118"
    },
    {
      "name": "ProcessHandle",
      "value": "0xffffffff"
    },
    {
      "name": "CreateFlags",
      "value": "0x00000003"
    },
    {
      "name": "StartAddress",
      "value": "0x77c42e65"
    }
  ],
  "id": 66
},
```
And...
```json
{
  "category": "threading",
  "parentcaller": "0x00000000",
  "return": "0x00000000",
  "timestamp": "2018-07-27 10:34:24,568",
  "caller": "0x00000000",
  "thread_id": "2368",
  "repeated": 0,
  "api": "NtCreateThreadEx",
  "status": true,
  "arguments": [
    {
      "name": "ThreadHandle",
      "value": "0x000001d0"
    },
    {
      "name": "ProcessHandle",
      "value": "0xffffffff"
    },
    {
      "name": "CreateFlags",
      "value": "0x00000003"
    },
    {
      "name": "StartAddress",
      "value": "0x77c42e65"
    }
  ],
  "id": 367
},
```
Should the method here be get_argument instead of get_raw_argument?
Ignore my last comment.
I changed the base and it seems to have fixed the issue (16 to 0):
```python
ThreadCreationFlags = int(self.get_raw_argument(call, "CreateFlags"), 0)
```
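The error quoted throughout this thread, `TypeError: int() can't convert non-string with explicit base`, is what Python raises when `int()` is given a base and the first argument is not a string; a lookup that returns `None` because the hook logged the argument under a different label (`CreationFlags` rather than `CreateFlags`) produces exactly that message, whatever base is passed. The following is an added example, not code from the CAPE project or from anyone in this thread. It builds two constructed behaviour-log entries in the shape of the excerpts quoted above, reproduces the failing `int(..., 16)` call, and shows a parser that accepts either argument label and both hex-string and integer values. The `get_raw_argument` helper here is a stand-in for the signature method of the same name, the flag-bit constants are taken from the community ntdll headers rather than from the thread, and `parse_flag_value` picks the base itself because `int(s, 0)` rejects strings with leading zeros such as `"00000003"`.

```python
import json

# Constructed sample: two NtCreateThreadEx entries in the shape of the CAPE
# behaviour-log excerpts quoted in the thread. The second uses the older
# "CreationFlags" label that the thread says the Ursnif package DLL emitted.
SAMPLE_CALLS = json.loads("""
[
  {"api": "NtCreateThreadEx", "category": "threading", "status": true,
   "arguments": [
     {"name": "ThreadHandle",  "value": "0x00000258"},
     {"name": "ProcessHandle", "value": "0xffffffff"},
     {"name": "CreateFlags",   "value": "0x00000003"},
     {"name": "StartAddress",  "value": "0x77c42e65"}]},
  {"api": "NtCreateThreadEx", "category": "threading", "status": true,
   "arguments": [
     {"name": "ThreadHandle",  "value": "0x0000013c"},
     {"name": "ProcessHandle", "value": "0xffffffffffffffff"},
     {"name": "CreationFlags", "value": "0x00000003"},
     {"name": "StartAddress",  "value": "0x77a2aef0"}]}
]
""")

# Bits of NtCreateThreadEx's CreateFlags parameter as given in the community
# ntdll headers (phnt). Assumed here; they do not come from the thread.
THREAD_CREATE_FLAGS_CREATE_SUSPENDED = 0x1
THREAD_CREATE_FLAGS_SKIP_THREAD_ATTACH = 0x2
THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER = 0x4


def get_raw_argument(call, name):
    """Stand-in for the signature's lookup: the named argument's logged value,
    or None when the hook recorded the argument under a different label."""
    for arg in call.get("arguments", []):
        if arg["name"] == name:
            return arg["value"]
    return None


def parse_flag_value(value):
    """Convert a logged argument value to int, handling each type explicitly.

    int(value, 16) raises "int() can't convert non-string with explicit base"
    for any non-str value (None from a failed lookup, or an int if the log was
    already decoded), which is the error reported in the thread.
    """
    if value is None:
        raise KeyError("argument not present in call")
    if isinstance(value, bool):  # bool is a subclass of int; reject it first
        raise TypeError("boolean flag value; expected integer or hex string")
    if isinstance(value, int):
        return value
    if isinstance(value, str):
        s = value.strip().lower()
        # int(s, 0) rejects "00000003" (leading zeros), so choose the base here.
        return int(s, 16) if s.startswith("0x") else int(s, 10)
    raise TypeError("unsupported argument value type: %r" % type(value))


def thread_creation_flags(call, names=("CreateFlags", "CreationFlags")):
    """Parsed flags for a call, accepting either label the hooks have used."""
    for name in names:
        raw = get_raw_argument(call, name)
        if raw is not None:
            return parse_flag_value(raw)
    raise KeyError("no CreateFlags/CreationFlags argument in %s" % call.get("api"))


def describe(call):
    """Decode the flag bits a detection would care about (e.g. suspended start)."""
    flags = thread_creation_flags(call)
    return {
        "flags": flags,
        "suspended": bool(flags & THREAD_CREATE_FLAGS_CREATE_SUSPENDED),
        "skip_attach": bool(flags & THREAD_CREATE_FLAGS_SKIP_THREAD_ATTACH),
        "hidden": bool(flags & THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER),
    }


def reproduce_error(call):
    """Do what the original signature line did: one int() call with base 16 on
    whatever the lookup returned. Returns the TypeError message, or None."""
    try:
        int(get_raw_argument(call, "CreateFlags"), 16)
    except TypeError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for call in SAMPLE_CALLS:
        print(call["api"], describe(call), reproduce_error(call))
```

Running it shows the first entry parsing cleanly while `reproduce_error` on the second entry returns the exact message from the tracebacks above, which is the quickest way to tell a label mismatch from a value-format problem: when the message says "non-string", check what the lookup returned before changing the base.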
Damn this was my fault! Sorry about that, just pushed the fix. Thanks for your help.
Glad to help. I'll close this out unless you want me to wait until you push the Ursnif update.
I'll close this now but will try and get the Ursnif update published soon.