Comments (15)
I haven't tested a full setup, but I have tested capemon and the new loader on Windows 10. It seems to inject into processes no problem, although loading a new process seems not to load a window for something like notepad, so there are perhaps issues to iron out there; still, the process runs and the monitor loads.
Definitely something I want to be compatible with so I will need to test it further.
from cape.
Thanks. I'll build one and see how it goes.
from cape.
Great - let me know. Be sure to try the new loader by renaming newloader* to loader* in the bin folder!
from cape.
I forgot there is actually a branch for testing the new loader!
from cape.
I'm gonna also try it :) thanks
from cape.
Hey, from my previous tests when we added fixes to the dll, and I just tested the new loader again, I'm having the same issue, no behavior on Win7:
INFO: Successfully executed process from path "C:\Program Files\Microsoft Office\Office12\WINWORD.EXE" with arguments ""C:\Users\X\AppData\Local\Temp\X.doc" /q" with pid 3972
2018-08-02 08:50:00,890 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2018-08-02 08:50:00,937 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 3972, error: -12
2018-08-02 08:50:17,515 [lib.api.process] INFO: Successfully resumed process with pid 3972
It happens with PE and doc; I haven't tested more formats. Example of this one: b573b6c322719046af76b16604d77576a741e2809f52bf78f855f1d1623a3f39, doc.
Any idea? I got newloader.exe and placed it instead of loader.exe (renamed, obviously).
from cape.
I am curious if Windows 10 x64 is supported now?
from cape.
I found that the trick to getting Windows 10 x64 VM working under CAPE is to make sure UAC is fully disabled in the registry:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
- EnableLUA DWORD
- Set to 0 and reboot the VM.
Also it is good to disable Windows Defender and Real-time Protection from Group Policy.
Aside from this, I see no issues with using Windows 10 x64 as the guest.
from cape.
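The guest preparation described in the comment above (EnableLUA = 0, Defender and real-time protection off via policy), as an added PowerShell example that is not part of the thread or the CAPE project. The UAC value is the one the comment names; the two Defender values are my assumption about which registry values the named Group Policy settings write (HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware and ...\Real-Time Protection\DisableRealtimeMonitoring). Run it elevated inside the analysis VM, then take the snapshot after the reboot.

```powershell
# Added example (not CAPE project code): prepare a Windows 10 x64 CAPE guest.
# Run as Administrator inside the VM. Reboot afterwards, then snapshot.
# Assumption (mine, not stated in the thread): the Defender policy values below
# are what the "Turn off Microsoft Defender Antivirus" and "Turn off real-time
# protection" Group Policy settings write to the policy hive.

$ErrorActionPreference = 'Stop'

function Set-PolicyValue {
    param([string]$Path, [string]$Name, [int]$Value)
    # Create the key if the policy branch has never been written on this VM.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

# 1. UAC: EnableLUA = 0 (the value named in the comment); only effective after a reboot.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-PolicyValue -Path $uacKey -Name 'EnableLUA' -Value 0

# 2. Defender and real-time protection through the policy hive.
$defKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
Set-PolicyValue -Path $defKey -Name 'DisableAntiSpyware' -Value 1
Set-PolicyValue -Path "$defKey\Real-Time Protection" -Name 'DisableRealtimeMonitoring' -Value 1

# 3. Read every value back so a wrong hive or a blocked write shows up before the reboot.
$checks = @(
    @{ Path = $uacKey;                      Name = 'EnableLUA';                 Expect = 0 },
    @{ Path = $defKey;                      Name = 'DisableAntiSpyware';        Expect = 1 },
    @{ Path = "$defKey\Real-Time Protection"; Name = 'DisableRealtimeMonitoring'; Expect = 1 }
)
$failed = $false
foreach ($c in $checks) {
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name).($c.Name)
    if ($actual -eq $c.Expect) { $status = 'OK ' } else { $status = 'BAD'; $failed = $true }
    Write-Host ("[{0}] {1}\{2} = {3}" -f $status, $c.Path, $c.Name, $actual)
}
if ($failed) { throw 'One or more values did not stick; check Tamper Protection and rerun.' }
Write-Host 'Values written. Reboot the VM for EnableLUA=0 to take effect, then snapshot.'
```

Two caveats for a practitioner: on Windows 10 builds where Tamper Protection is enabled, Defender ignores the DisableAntiSpyware policy, so switch Tamper Protection off in the Windows Security app before running this; and with UAC disabled the sample runs without elevation prompts, which is the point in a sandbox but means the guest must only ever be used from a clean snapshot.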
The issue currently is more around the question: do the samples detonate properly? Is the API hooking stable? I'm not sure about either of these.
For example, try this Trickbot sample, known to run on Win 10:
3f99d1eabc438bd840cab6c7d6443119e8848ec4fd9c8d67c2ffa8dfb4bd5d66
(AnyRun: https://app.any.run/tasks/b0beb3db-1a7c-4e05-9ffd-e3ef278b8877)
I'd be interested to hear if you see this running properly in cape with spawned processes and full behaviour.
from cape.
Not sure if a 59-second analysis can be considered successful or not, but that is how long it took to run. Here is my HTML report for that Trickbot:
Here is the same trickbot analysis with Timeout Enforced to 10 minutes:
from cape.
Check the process tree in the Any.Run job. It spawns loads. In CAPE there are no spawned processes.
from cape.
Nope...I definitely see your point. Any ideas of why that is? 64bit vs 32bit?
from cape.
Windows 10 largely works now - there will still be issues but they can be created individually when they arise.
from cape.
Windows 10 largely works now - there will still be issues but they can be created individually when they arise.
Is this with https://github.com/ctxis/capemon this monitor?
from cape.
Nope, https://github.com/kevoreilly/capemon; check CAPEv2: https://github.com/kevoreilly/CAPEv2
from cape.