Auxiliary modules don't hit stop()
para0x0dise opened this issue · 2 comments
Prerequisites
Please answer the following questions for yourself before submitting an issue.
- I am running the latest version
- I did read the README!
- I checked the documentation and found no answer
- I checked to make sure that this issue has not already been filed
- I'm reporting the issue to the correct repository (for multi-repository projects)
- I have read and checked all configs (with all optional parts)
1. Issue:
I'm currently working on an auxiliary module that captures a video of the current analysis, but I have an issue: the analysis finishes without hitting the stop() method, and the results are also incomplete.
1.1. How the module works:
- The module uses the `opencv-python` library, which assembles multiple frames into the final video.
- First, I set the FPS to 10 F/S, which means each frame takes `1/10 = 0.1` second, so I use a `delta` to maintain the frame rate.
```python
import logging
import time
import timeit
import os
from threading import Thread

from lib.core.config import Config
from lib.common.abstracts import Auxiliary
from lib.common.results import upload_to_host

log = logging.getLogger(__name__)

try:
    import cv2
    import numpy as np
    from PIL import ImageGrab

    HAVE_OPENCV = True
    HAVE_PIL = True
    log.info("Libs are loaded")
except ImportError:
    HAVE_OPENCV = False
    HAVE_PIL = False
    log.error("Please install the Pillow and OpenCV libraries")


class Screen_recorder(Auxiliary, Thread):
    def __init__(self, options, config):
        Auxiliary.__init__(self, options, config)
        Thread.__init__(self)
        self.config = Config(cfg="analysis.conf")
        self.enabled = self.config.screen_recorder_windows
        self.do_run = self.enabled

    def collect_Video(self):
        videoPath = "C:\\recording.mp4"
        if os.path.exists(videoPath):
            try:
                log.info("Trying to upload the video...")
                upload_to_host(videoPath, "recording.mp4")
                log.info("Video is uploaded.")
            except Exception as e:
                log.error(e)
        else:
            log.error("The video file is not found")

    def start(self):
        # NOTE: this overrides Thread.start(), so the capture loop below runs in the
        # caller's thread and start() only returns once the loop ends.
        if not self.enabled or not HAVE_OPENCV or not HAVE_PIL:
            return False
        log.info(f"Timeout: {self.config.timeout}")
        try:
            trackingTime = 0
            videoPath = "C:\\recording.mp4"
            fps = 10.0
            screen_size = ImageGrab.grab().size
            fourcc = cv2.VideoWriter_fourcc(*"mp4v")
            out = cv2.VideoWriter(videoPath, fourcc, fps, screen_size)
            startingTime = timeit.default_timer()
            # MAXIMUM time taken to capture, process, and write the current frame.
            frameMaxDuration = 1.0 / fps
            while self.do_run:
                frameStartingTime = timeit.default_timer()
                img = ImageGrab.grab()
                frame = np.array(img)
                frame = cv2.cvtColor(frame, cv2.COLOR_RGB2BGR)
                out.write(frame)
                # Calculate elapsed time and sleep to maintain the frame rate.
                # ACTUAL time taken to capture, process, and write the current frame.
                frameActualTime = timeit.default_timer() - frameStartingTime
                delta = frameMaxDuration - frameActualTime
                # This condition doesn't check the actual duration of the video, but the duration of the runtime,
                # so we could produce a video of 30 seconds while the duration is only set to 10 seconds.
                # So we should maintain the frame rate using the previous timing calculations.
                if timeit.default_timer() - startingTime > self.config.timeout:
                    break
                if delta > 0:
                    # Sleep for the remaining time to match the frameMaxDuration
                    trackingTime += delta
                    time.sleep(delta)
            log.info(f"Video exists: {os.path.exists(videoPath)}")
            log.info(f"Aux Duration: {trackingTime}")
            log.info("Video is ready to upload")
            out.release()
            cv2.destroyAllWindows()
            return True
        except Exception as e:
            log.error(e)
            return False

    def stop(self) -> bool:
        log.info("Trying to stop the recorder......")
        self.do_run = False
        if self.enabled:
            self.collect_Video()
            return True
        return False
```
1.2. Submission Settings:
- Timeout: 100 sec
- File hash:
e5074e3ee4bb9bb9abf6322ed7c820e950ef8e2d1af7f9a66007a37cf9656630
1.3. Produced logs:
2024-08-08 13:56:20,265 [root] INFO: Date set to: 20240808T13:56:18, timeout set to: 100
2024-08-08 13:56:18,000 [root] DEBUG: Starting analyzer from: C:\tmpy5yb4181
2024-08-08 13:56:18,000 [root] DEBUG: Storing results at: C:\kSamqedlkr
2024-08-08 13:56:18,000 [root] DEBUG: Pipe server name: \\.\PIPE\AGJgvItW
2024-08-08 13:56:18,000 [root] DEBUG: Python path: C:\Users\node-1-win7-1\AppData\Local\Programs\Python\Python37-32
2024-08-08 13:56:18,000 [root] INFO: analysis running as an admin
2024-08-08 13:56:18,000 [root] INFO: analysis package specified: "exe"
2024-08-08 13:56:18,000 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2024-08-08 13:56:18,000 [root] DEBUG: imported analysis package "exe"
2024-08-08 13:56:18,000 [root] DEBUG: initializing analysis package "exe"...
2024-08-08 13:56:18,000 [lib.common.common] INFO: wrapping
2024-08-08 13:56:18,000 [lib.core.compound] INFO: C:\Users\NODE-1~1\AppData\Local\Temp already exists, skipping creation
2024-08-08 13:56:18,000 [root] DEBUG: New location of moved file: C:\Users\NODE-1~1\AppData\Local\Temp\e5074e3ee4bb9bb9abf6322e
2024-08-08 13:56:18,000 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2024-08-08 13:56:18,000 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2024-08-08 13:56:18,000 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2024-08-08 13:56:18,000 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2024-08-08 13:56:18,546 [root] DEBUG: Importing auxiliary module "modules.auxiliary.amsi"...
2024-08-08 13:56:18,873 [root] DEBUG: Importing auxiliary module "modules.auxiliary.amsi_collector"...
2024-08-08 13:56:18,873 [root] DEBUG: Importing auxiliary module "modules.auxiliary.browser"...
2024-08-08 13:56:18,873 [root] DEBUG: Importing auxiliary module "modules.auxiliary.digisig"...
2024-08-08 13:56:18,873 [root] DEBUG: Importing auxiliary module "modules.auxiliary.disguise"...
2024-08-08 13:56:18,889 [root] DEBUG: Importing auxiliary module "modules.auxiliary.during_script"...
2024-08-08 13:56:18,889 [root] DEBUG: Importing auxiliary module "modules.auxiliary.evtx"...
2024-08-08 13:56:18,889 [root] DEBUG: Importing auxiliary module "modules.auxiliary.filepickup"...
2024-08-08 13:56:18,889 [root] DEBUG: Importing auxiliary module "modules.auxiliary.human"...
2024-08-08 13:56:18,889 [root] DEBUG: Importing auxiliary module "modules.auxiliary.permissions"...
2024-08-08 13:56:18,904 [root] DEBUG: Importing auxiliary module "modules.auxiliary.pre_script"...
2024-08-08 13:56:19,107 [root] DEBUG: Importing auxiliary module "modules.auxiliary.recentfiles"...
2024-08-08 13:56:19,107 [root] DEBUG: Importing auxiliary module "modules.auxiliary.screen_recorder"...
2024-08-08 13:56:23,506 [modules.auxiliary.screen_recorder] INFO: Libs are loaded
2024-08-08 13:56:23,506 [root] DEBUG: Importing auxiliary module "modules.auxiliary.screenshots"...
2024-08-08 13:56:23,506 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2024-08-08 13:56:23,506 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2024-08-08 13:56:23,506 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2024-08-08 13:56:23,506 [root] DEBUG: Importing auxiliary module "modules.auxiliary.tlsdump"...
2024-08-08 13:56:23,522 [root] DEBUG: Importing auxiliary module "modules.auxiliary.usage"...
2024-08-08 13:56:23,522 [root] WARNING: Auxiliary module AMSICollector was not implemented: 'Config' object has no attribute 'amsi'
2024-08-08 13:56:23,522 [root] DEBUG: Initialized auxiliary module "Browser"
2024-08-08 13:56:23,522 [root] DEBUG: Trying to start auxiliary module "Browser"...
2024-08-08 13:56:23,522 [root] DEBUG: Started auxiliary module Browser
2024-08-08 13:56:23,522 [root] DEBUG: Initialized auxiliary module "DigiSig"
2024-08-08 13:56:23,522 [root] DEBUG: Trying to start auxiliary module "DigiSig"...
2024-08-08 13:56:23,522 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2024-08-08 13:56:24,380 [modules.auxiliary.digisig] DEBUG: File is not signed
2024-08-08 13:56:24,380 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2024-08-08 13:56:24,396 [root] DEBUG: Started auxiliary module DigiSig
2024-08-08 13:56:24,396 [root] DEBUG: Initialized auxiliary module "Disguise"
2024-08-08 13:56:24,396 [root] DEBUG: Trying to start auxiliary module "Disguise"...
2024-08-08 13:56:24,396 [modules.auxiliary.disguise] INFO: Disguising GUID to 8f3b35d9-832b-4b1d-a805-b40d527ae1ba
2024-08-08 13:56:24,396 [root] DEBUG: Started auxiliary module Disguise
2024-08-08 13:56:24,396 [root] DEBUG: Initialized auxiliary module "Evtx"
2024-08-08 13:56:24,396 [root] DEBUG: Trying to start auxiliary module "Evtx"...
2024-08-08 13:56:24,396 [root] DEBUG: Started auxiliary module Evtx
2024-08-08 13:56:24,396 [root] DEBUG: Initialized auxiliary module "FilePickup"
2024-08-08 13:56:24,396 [root] DEBUG: Trying to start auxiliary module "FilePickup"...
2024-08-08 13:56:24,396 [root] DEBUG: Started auxiliary module FilePickup
2024-08-08 13:56:24,396 [root] DEBUG: Initialized auxiliary module "Human"
2024-08-08 13:56:24,396 [root] DEBUG: Trying to start auxiliary module "Human"...
2024-08-08 13:56:24,396 [root] DEBUG: Started auxiliary module Human
2024-08-08 13:56:24,396 [root] DEBUG: Initialized auxiliary module "Permissions"
2024-08-08 13:56:24,396 [root] DEBUG: Trying to start auxiliary module "Permissions"...
2024-08-08 13:56:24,396 [root] DEBUG: Started auxiliary module Permissions
2024-08-08 13:56:24,520 [root] DEBUG: Initialized auxiliary module "Pre_script"
2024-08-08 13:56:24,520 [root] DEBUG: Trying to start auxiliary module "Pre_script"...
2024-08-08 13:56:24,520 [root] DEBUG: Started auxiliary module Pre_script
2024-08-08 13:56:24,520 [root] DEBUG: Initialized auxiliary module "RecentFiles"
2024-08-08 13:56:24,520 [root] DEBUG: Trying to start auxiliary module "RecentFiles"...
2024-08-08 13:56:24,520 [root] DEBUG: Started auxiliary module RecentFiles
2024-08-08 13:56:24,520 [root] DEBUG: Initialized auxiliary module "Screen_recorder"
2024-08-08 13:56:24,520 [root] DEBUG: Trying to start auxiliary module "Screen_recorder"...
2024-08-08 13:56:24,520 [modules.auxiliary.screen_recorder] INFO: Timeout: 100
2024-08-08 13:58:05,250 [modules.auxiliary.screen_recorder] INFO: Video exists: True
2024-08-08 13:58:05,250 [modules.auxiliary.screen_recorder] INFO: Aux Duration: 80.6868926999998
2024-08-08 13:58:05,250 [modules.auxiliary.screen_recorder] INFO: Video is ready to upload
2024-08-08 13:58:05,265 [root] DEBUG: Started auxiliary module Screen_recorder
2024-08-08 13:58:05,265 [root] DEBUG: Initialized auxiliary module "Screenshots"
2024-08-08 13:58:05,265 [root] DEBUG: Trying to start auxiliary module "Screenshots"...
2024-08-08 13:58:05,265 [root] DEBUG: Started auxiliary module Screenshots
2024-08-08 13:58:05,265 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2024-08-08 13:58:05,265 [root] DEBUG: Trying to start auxiliary module "TLSDumpMasterSecrets"...
2024-08-08 13:58:05,265 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 452
2024-08-08 13:58:05,265 [lib.api.process] INFO: Monitor config for <Process 452 lsass.exe>: C:\tmpy5yb4181\dll\452.ini
2024-08-08 13:58:05,265 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2024-08-08 13:58:05,265 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpy5yb4181\dll\VPoWkna.dll, loader C:\tmpy5yb4181\bin\hKDWsKvt.exe
2024-08-08 13:58:05,265 [root] DEBUG: Loader: Injecting process 452 with C:\tmpy5yb4181\dll\VPoWkna.dll.
2024-08-08 13:58:05,265 [root] DEBUG: 452: Python path set to 'C:\Users\node-1-win7-1\AppData\Local\Programs\Python\Python37-32'.
2024-08-08 13:58:05,281 [root] DEBUG: 452: TLS secret dump mode enabled.
2024-08-08 13:58:05,281 [root] INFO: Disabling sleep skipping.
2024-08-08 13:58:05,281 [root] DEBUG: 452: Monitor initialised: 64-bit capemon loaded in process 452 at 0x000007FEEAE40000, thread 3792, image base 0x00000000FF210000, stack from 0x0000000001A94000-0x0000000001AA0000
2024-08-08 13:58:05,281 [root] DEBUG: 452: Commandline: C:\Windows\system32\lsass.exe
2024-08-08 13:58:05,281 [root] DEBUG: 452: Hooked 5 functions
2024-08-08 13:58:05,281 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2024-08-08 13:58:05,281 [root] DEBUG: Successfully injected DLL C:\tmpy5yb4181\dll\VPoWkna.dll.
2024-08-08 13:58:05,281 [lib.api.process] INFO: Injected into 64-bit <Process 452 lsass.exe>
2024-08-08 13:58:05,281 [root] DEBUG: Started auxiliary module TLSDumpMasterSecrets
2024-08-08 13:58:05,281 [root] DEBUG: Initialized auxiliary module "Usage"
2024-08-08 13:58:05,281 [root] DEBUG: Trying to start auxiliary module "Usage"...
2024-08-08 13:58:05,281 [root] DEBUG: Started auxiliary module Usage
2024-08-08 13:58:05,281 [root] DEBUG: Initialized auxiliary module "During_script"
2024-08-08 13:58:05,281 [root] DEBUG: Trying to start auxiliary module "During_script"...
2024-08-08 13:58:05,281 [root] DEBUG: Started auxiliary module During_script
2024-08-08 13:58:15,951 [root] INFO: Restarting WMI Service
2024-08-08 13:58:18,073 [root] DEBUG: package modules.packages.exe does not support configure, ignoring
2024-08-08 13:58:18,073 [root] WARNING: configuration error for package modules.packages.exe: error importing data.packages.exe: No module named 'data.packages'
2024-08-08 13:58:18,073 [lib.common.common] INFO: Submitted file is missing extension, adding .exe
2024-08-08 13:58:18,073 [lib.core.compound] INFO: C:\Users\NODE-1~1\AppData\Local\Temp already exists, skipping creation
2024-08-08 13:58:18,089 [lib.api.process] INFO: Successfully executed process from path "C:\Users\NODE-1~1\AppData\Local\Temp\e5074e3ee4bb9bb9abf6322e.exe" with arguments "" with pid 3244
2024-08-08 13:58:18,089 [lib.api.process] INFO: Monitor config for <Process 3244 e5074e3ee4bb9bb9abf6322e.exe>: C:\tmpy5yb4181\dll\3244.ini
2024-08-08 13:58:18,089 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpy5yb4181\dll\pLbbBGHE.dll, loader C:\tmpy5yb4181\bin\xvkIjzM.exe
...
...
...
2024-08-08 13:58:47,058 [root] DEBUG: 2100: hook_api: Warning - CreateRemoteThreadEx export address 0x76DBA24B differs from GetProcAddress -> 0x75CB3FDF (KERNELBASE.dll::0x13fdf)
2024-08-08 13:58:47,058 [root] DEBUG: 2100: hook_api: Warning - UpdateProcThreadAttribute export address 0x76DBAACB differs from GetProcAddress -> 0x75CAF9CB (KERNELBASE.dll::0xf9cb)
2024-08-08 13:58:47,058 [root] DEBUG: 2100: Hooked 490 functions
2024-08-08 13:58:47,073 [root] DEBUG: 2100: WoW64 detected: 64-bit ntdll base: 0x777c0000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7782b610, Wow64PrepareForException: 0x0
2024-08-08 13:58:47,073 [root] DEBUG: 2100: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x1c0000
2024-08-08 13:58:47,073 [root] INFO: Loaded monitor into process with pid 2100
2024-08-08 13:58:47,073 [root] DEBUG: 2100: caller_dispatch: Added region at 0x00470000 to tracked regions list (kernel32::GetSystemTimeAsFileTime returns to 0x00475A43, thread 2540).
2024-08-08 13:58:47,073 [root] DEBUG: 2100: YaraScan: Scanning 0x00470000, size 0x93f2
2024-08-08 13:58:47,089 [root] DEBUG: 2100: ProcessImageBase: Main module image at 0x00470000 unmodified (entropy change 0.000000e+00)
2024-08-08 13:58:48,181 [root] DEBUG: 2100: NtTerminateProcess hook: Attempting to dump process 2100
2024-08-08 13:58:48,181 [root] DEBUG: 2100: VerifyCodeSection: Executable code does not match, 0x0 of 0x53fc matching
2024-08-08 13:58:48,181 [root] DEBUG: 2100: DoProcessDump: Code modification detected, dumping Imagebase at 0x00470000.
2024-08-08 13:58:48,181 [root] DEBUG: 2100: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2024-08-08 13:58:48,181 [root] DEBUG: 2100: DumpProcess: Instantiating PeParser with address: 0x00470000.
2024-08-08 13:58:48,197 [root] DEBUG: 2100: DumpProcess: Module entry point VA is 0x00005703.
2024-08-08 13:58:48,212 [lib.common.results] INFO: Uploading file C:\kSamqedlkr\CAPE\2100_56801014818148482024 to procdump\8956125f603bbd25f1ab242874d8c27806e483f1737f909136deec632459e900; Size is 27648; Max size: 100000000
2024-08-08 13:58:48,212 [root] DEBUG: 2100: DumpProcess: Module image dump success - dump size 0x6c00.
2024-08-08 13:58:48,212 [root] INFO: Process with pid 2100 has terminated
2024-08-08 13:58:48,228 [lib.common.results] INFO: Uploading file C:\Users\node-1-win7-1\AppData\Local\Temp\e5074e3ee4bb9bb9abf6322e.exe to files\e5074e3ee4bb9bb9abf6322ed7c820e950ef8e2d1af7f9a66007a37cf9656630; Size is 233472; Max size: 100000000
2024-08-08 13:58:48,243 [root] DEBUG: 1600: NtTerminateProcess hook: Attempting to dump process 1600
2024-08-08 13:58:48,243 [root] DEBUG: 1600: DoProcessDump: Skipping process dump as code is identical on disk.
2024-08-08 13:58:48,243 [root] INFO: Process with pid 1600 has terminated
2024-08-08 13:58:51,629 [root] INFO: Process with pid 3504 has terminated
2024-08-08 13:58:51,644 [root] DEBUG: 3504: ClearAllBreakpoints: Error setting thread context (thread 3968).
2024-08-08 13:58:51,644 [root] DEBUG: 3504: NtTerminateProcess hook: Attempting to dump process 3504
2024-08-08 13:58:51,644 [root] DEBUG: 3504: DoProcessDump: Skipping process dump as code is identical on disk.
2024-08-08 13:58:52,799 [root] DEBUG: 416: api-rate-cap: GetSystemTimeAsFileTime hook disabled due to rate
2024-08-08 13:58:52,799 [root] DEBUG: 416: api-rate-cap: NtSetTimer hook disabled due to rate
Here we can see that the video exists and is ready to be uploaded. I also checked the total sleeping time for `delta` and found that it is 80 sec.
2024-08-08 13:58:05,250 [modules.auxiliary.screen_recorder] INFO: Video exists: True
2024-08-08 13:58:05,250 [modules.auxiliary.screen_recorder] INFO: Aux Duration: 80.6868926999998
2024-08-08 13:58:05,250 [modules.auxiliary.screen_recorder] INFO: Video is ready to upload
1.4. My Conclusion:
I think there is a timing synchronization issue: CAPE ends the analysis before it's actually finished due to the sleeping duration, because a successful analysis should include the following in the analysis logs:
...
...
2024-08-08 13:54:24,636 [root] INFO: Analysis completed
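The log above records `Trying to start auxiliary module "Screen_recorder"` at 13:56:24 and `Started auxiliary module Screen_recorder` at 13:58:05, about the 100-second timeout later, which matches the posted code: the module overrides Thread.start() and runs the capture loop inside it, so start() returns to the analyzer only when the loop ends, and the remaining modules and the sample itself start late. As an added example that is not from the issue or the CAPE code base, the stand-in below keeps the same frame pacing but moves the loop into run(), so start() returns immediately and stop() joins the thread before collecting; `grab`, `sink` and `uploaded` are constructed stand-ins for ImageGrab.grab(), cv2.VideoWriter and upload_to_host(), and the Auxiliary base class is left out.

```python
import threading
import time
import timeit


class NonBlockingRecorder(threading.Thread):
    """Recorder whose start() returns at once; the capture loop lives in run()."""

    def __init__(self, grab, sink, fps=10.0, timeout=100.0):
        threading.Thread.__init__(self, daemon=True)
        self.grab = grab          # constructed stand-in for ImageGrab.grab(): returns one frame
        self.sink = sink          # list standing in for cv2.VideoWriter.write()
        self.fps = fps
        self.timeout = timeout    # analysis timeout, like self.config.timeout in the issue
        self.do_run = False
        self.frames_written = 0
        self.uploaded = []        # records what a real module would hand to upload_to_host()

    def start(self):
        # Do not run the loop here: hand it to the thread so the analyzer's call returns now.
        self.do_run = True
        threading.Thread.start(self)
        return True

    def run(self):
        frame_budget = 1.0 / self.fps             # same pacing idea as the issue's delta
        started = timeit.default_timer()
        while self.do_run and timeit.default_timer() - started < self.timeout:
            t0 = timeit.default_timer()
            self.sink.append(self.grab())
            self.frames_written += 1
            delta = frame_budget - (timeit.default_timer() - t0)
            if delta > 0:
                time.sleep(delta)                 # sleep off the rest of this frame's budget

    def stop(self):
        self.do_run = False
        self.join(timeout=5)                      # let run() finish its last frame before collecting
        self.uploaded.append(("recording.mp4", len(self.sink)))
        return not self.is_alive()


def demo(record_seconds=0.25, fps=50.0):
    """Start, record briefly, stop; return timings and counts (constructed demo input)."""
    frames = []
    rec = NonBlockingRecorder(grab=lambda: b"frame", sink=frames, fps=fps, timeout=60.0)
    t0 = timeit.default_timer()
    rec.start()
    start_latency = timeit.default_timer() - t0  # near zero here; ~timeout with the issue's module
    time.sleep(record_seconds)
    stopped = rec.stop()
    return {"start_latency": start_latency, "frames": rec.frames_written,
            "stopped": stopped, "uploaded": rec.uploaded}
```

With this shape the analyzer's stop() call is what ends the recording, so the upload happens in stop() after the thread has finished writing rather than racing the analysis timeout.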
hm that's interesting
I think we should add an optional grace time to the cuckoo timeout to allow the analyzer to stop (after the original timeout) and upload things
Edit: timeouts.critical does this