
Windows 8.1 machine dont hook System calls #63

Open
ferdinan4 opened this issue Jun 8, 2018 · 1 comment

Comments

@ferdinan4

Hi!

I'm trying to use the latest version of the monitor, but I noticed that when I launch a sample on a Windows 8.1, Windows 10 or Windows 8.1 x64 guest, it doesn't hook system calls.

On Windows 7 x32 and Windows 7 x64 it works properly and logs all newly created processes...

Any ideas? I'm including the MD5 of the sample to help you test it in your Cuckoo Sandbox.

MD5: e15cb14886edfcb26787202cfae7556c

And here are the analysis logs, from Windows 7 x32 and Windows 8.1 x32

Windows7x32

marta@marta:~/.cuckoo/storage/analyses/634$ cat ../635/analysis.log
2018-06-08 08:54:12,000 [analyzer] DEBUG: Starting analyzer from: C:\tmpdkm1gi
2018-06-08 08:54:12,030 [analyzer] DEBUG: Pipe server name: ??\PIPE\lDrcIDKxRQMYDGcCuYAGRr
2018-06-08 08:54:12,030 [analyzer] DEBUG: Log pipe server name: ??\PIPE\kyVpvtTrTSGdrxLGz
2018-06-08 08:54:12,030 [analyzer] INFO: Searching for installing files
2018-06-08 08:54:12,046 [analyzer] ERROR: No files for autoinstall
2018-06-08 08:54:12,046 [analyzer] DEBUG: No analysis package specified, trying to detect it automagically.
2018-06-08 08:54:12,046 [analyzer] INFO: Automatically selected analysis package "exe"
2018-06-08 08:54:17,358 [analyzer] DEBUG: Started auxiliary module DbgView
2018-06-08 08:54:18,015 [analyzer] DEBUG: Started auxiliary module Disguise
2018-06-08 08:54:18,296 [analyzer] DEBUG: Loaded monitor into process with pid 492
2018-06-08 08:54:18,296 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2018-06-08 08:54:18,296 [analyzer] DEBUG: Started auxiliary module Human
2018-06-08 08:54:18,296 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2018-06-08 08:54:18,296 [analyzer] DEBUG: Started auxiliary module OpenWeb
2018-06-08 08:54:18,296 [analyzer] DEBUG: Started auxiliary module Reboot
2018-06-08 08:54:18,453 [analyzer] DEBUG: Started auxiliary module RecentFiles
2018-06-08 08:54:18,453 [analyzer] DEBUG: Started auxiliary module Screenshots
2018-06-08 08:54:18,453 [modules.auxiliary.sendkeys] INFO: SendKeys module loaded but inactive
2018-06-08 08:54:18,453 [analyzer] DEBUG: Started auxiliary module sendkeys
2018-06-08 08:54:18,453 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2018-06-08 08:54:23,078 [lib.api.process] ERROR: User not limited
2018-06-08 08:54:23,203 [lib.api.process] INFO: Successfully executed process from path u'C:\Users\juan\AppData\Local\Temp\ProbaTor_setup.exe' with arguments '' and pid 2364
2018-06-08 08:54:23,437 [analyzer] DEBUG: Loaded monitor into process with pid 2364
2018-06-08 08:54:23,467 [analyzer] ERROR: mode
2018-06-08 08:54:23,467 [analyzer] ERROR: 0
2018-06-08 08:54:23,500 [analyzer] INFO: Injected into process with pid 1260 and name u'calc.exe'
2018-06-08 08:54:23,655 [analyzer] DEBUG: Loaded monitor into process with pid 1260
2018-06-08 08:54:23,717 [analyzer] DEBUG: Received request to inject pid=1260, but we are already injected there.
2018-06-08 08:54:41,790 [analyzer] ERROR: mode
2018-06-08 08:54:41,790 [analyzer] ERROR: 0
2018-06-08 08:54:41,822 [analyzer] INFO: Injected into process with pid 2072 and name u'cmd.exe'
2018-06-08 08:54:41,947 [analyzer] DEBUG: Loaded monitor into process with pid 2072
2018-06-08 08:54:41,961 [analyzer] DEBUG: Received request to inject pid=2072, but we are already injected there.
2018-06-08 08:54:42,009 [analyzer] ERROR: mode
2018-06-08 08:54:42,009 [analyzer] ERROR: 0
2018-06-08 08:54:42,025 [analyzer] INFO: Injected into process with pid 2372 and name u'PING.EXE'
2018-06-08 08:54:42,227 [analyzer] DEBUG: Loaded monitor into process with pid 2372
2018-06-08 08:54:42,509 [analyzer] INFO: Added new file to list with pid 2364 and path C:\Users\juan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malguar.exe
2018-06-08 08:54:42,711 [analyzer] INFO: Added new file to list with pid 2364 and path C:\Users\juan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malguar2.exe
2018-06-08 08:54:42,711 [analyzer] INFO: Error dumping file from path "C:\Users\juan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malguar2.exe": [Errno 13] Permission denied: u'C:\Users\juan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malguar2.exe'
2018-06-08 08:54:42,727 [analyzer] INFO: Added new file to list with pid 2364 and path C:\calc.exe
2018-06-08 08:54:42,822 [analyzer] INFO: Process with pid 2072 has terminated
2018-06-08 08:54:43,430 [analyzer] INFO: Added new file to list with pid 2364 and path C:\descargao.exe
2018-06-08 08:54:43,493 [analyzer] ERROR: mode
2018-06-08 08:54:43,493 [analyzer] ERROR: 0
2018-06-08 08:54:43,540 [analyzer] INFO: Injected into process with pid 2568 and name u'cmd.exe'
2018-06-08 08:54:43,665 [analyzer] DEBUG: Loaded monitor into process with pid 2568
2018-06-08 08:54:43,680 [analyzer] DEBUG: Received request to inject pid=2568, but we are already injected there.
2018-06-08 08:54:43,743 [analyzer] ERROR: mode
2018-06-08 08:54:43,743 [analyzer] ERROR: 0
2018-06-08 08:54:43,775 [analyzer] INFO: Injected into process with pid 1608 and name u'sc.exe'
2018-06-08 08:54:43,822 [analyzer] INFO: Process with pid 2372 has terminated
2018-06-08 08:54:43,915 [analyzer] DEBUG: Loaded monitor into process with pid 1608
2018-06-08 08:54:51,290 [analyzer] DEBUG: Received request to inject pid=1608, but we are already injected there.
2018-06-08 08:54:51,322 [analyzer] ERROR: mode
2018-06-08 08:54:51,336 [analyzer] ERROR: 0
2018-06-08 08:54:51,352 [analyzer] INFO: Injected into process with pid 2756 and name u'cmd.exe'
2018-06-08 08:54:51,509 [analyzer] DEBUG: Loaded monitor into process with pid 2756
2018-06-08 08:54:51,822 [analyzer] INFO: Process with pid 2568 has terminated
2018-06-08 08:54:52,822 [analyzer] INFO: Process with pid 1608 has terminated
2018-06-08 08:56:26,822 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2018-06-08 08:56:26,836 [analyzer] INFO: Analysis completed.

Windows 8.1 x32

2018-06-08 08:54:04,993 [analyzer] DEBUG: Starting analyzer from: C:\tmpnq9b9u
2018-06-08 08:54:05,071 [analyzer] DEBUG: Pipe server name: ??\PIPE\LeOogKWOQPoRognGvENAz
2018-06-08 08:54:05,071 [analyzer] DEBUG: Log pipe server name: ??\PIPE\cITSvdclDbicPhniYcIFBDsTXDGPAAuW
2018-06-08 08:54:05,071 [analyzer] INFO: Searching for installing files
2018-06-08 08:54:05,071 [analyzer] ERROR: No files for autoinstall
2018-06-08 08:54:05,071 [analyzer] DEBUG: No analysis package specified, trying to detect it automagically.
2018-06-08 08:54:05,101 [analyzer] INFO: Automatically selected analysis package "exe"
2018-06-08 08:54:18,868 [analyzer] DEBUG: Started auxiliary module DbgView
2018-06-08 08:54:19,322 [analyzer] DEBUG: Started auxiliary module Disguise
2018-06-08 08:54:21,539 [analyzer] DEBUG: Loaded monitor into process with pid 532
2018-06-08 08:54:21,539 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2018-06-08 08:54:21,539 [analyzer] DEBUG: Started auxiliary module Human
2018-06-08 08:54:21,539 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2018-06-08 08:54:21,539 [analyzer] DEBUG: Started auxiliary module OpenWeb
2018-06-08 08:54:21,539 [analyzer] DEBUG: Started auxiliary module Reboot
2018-06-08 08:54:21,743 [analyzer] DEBUG: Started auxiliary module RecentFiles
2018-06-08 08:54:21,743 [analyzer] DEBUG: Started auxiliary module Screenshots
2018-06-08 08:54:21,743 [modules.auxiliary.sendkeys] INFO: SendKeys module loaded but inactive
2018-06-08 08:54:21,743 [analyzer] DEBUG: Started auxiliary module sendkeys
2018-06-08 08:54:21,743 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2018-06-08 08:54:21,757 [lib.api.process] ERROR: User not limited
2018-06-08 08:54:25,757 [lib.api.process] INFO: Successfully executed process from path u'C:\Users\JUANCI~1\AppData\Local\Temp\ProbaTor_setup.exe' with arguments '' and pid 1536
2018-06-08 08:54:26,023 [analyzer] DEBUG: Loaded monitor into process with pid 1536
2018-06-08 08:54:26,164 [analyzer] ERROR: mode
2018-06-08 08:54:26,180 [analyzer] ERROR: 0
2018-06-08 08:54:26,197 [analyzer] INFO: Injected into process with pid 304 and name u'calc.exe'
2018-06-08 08:54:26,197 [analyzer] DEBUG: Received request to inject pid=1536, but we are already injected there.
2018-06-08 08:54:26,243 [analyzer] DEBUG: Received request to inject pid=304, but we are already injected there.
2018-06-08 08:54:26,555 [lib.api.process] INFO: Memory dump of process with pid 304 completed
2018-06-08 08:54:26,571 [analyzer] INFO: Added new file to list with pid 1536 and path \Device\ConDrv
2018-06-08 08:54:26,789 [analyzer] DEBUG: Loaded monitor into process with pid 304
2018-06-08 08:54:47,382 [analyzer] INFO: Added new file to list with pid 1536 and path C:\Users\JuanCierva\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malguar.exe
2018-06-08 08:54:49,056 [analyzer] INFO: Added new file to list with pid 1536 and path C:\Users\JuanCierva\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malguar2.exe
2018-06-08 08:54:50,523 [analyzer] INFO: Added new file to list with pid 1536 and path C:\calc.exe
2018-06-08 08:54:51,243 [analyzer] INFO: Added new file to list with pid 1536 and path C:\descargao.exe
2018-06-08 08:56:32,993 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2018-06-08 08:56:32,993 [analyzer] WARNING: File at path "u'\device\condrv'" does not exist, skip.
2018-06-08 08:56:33,007 [analyzer] INFO: Analysis completed.
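
The two logs above are easier to compare once reduced to what the analyzer actually claims about each process. The script below is an added example for this page, not code from Cuckoo or from the issue author: it parses the `analysis.log` line format seen above, records which child processes the monitor was injected into, whether a matching "Loaded monitor" line followed, which dropped files were noticed and which could not be dumped, and then diffs the child-process list of a reference guest against another guest. The embedded log text is an excerpt of the two logs posted in this issue, trimmed to the relevant lines and used here as constructed test input; the function names are my own.

```python
"""Triage Cuckoo analysis.log files and compare monitor coverage across guests."""
import re
from collections import Counter

# Excerpts of the two analysis.log files posted above (Windows 7 x32, then
# Windows 8.1 x32), trimmed to the lines this summary keys on. Constructed
# test input for the example, not complete logs.
WIN7_LOG = r"""
2018-06-08 08:54:23,203 [lib.api.process] INFO: Successfully executed process from path u'C:\Users\juan\AppData\Local\Temp\ProbaTor_setup.exe' with arguments '' and pid 2364
2018-06-08 08:54:23,437 [analyzer] DEBUG: Loaded monitor into process with pid 2364
2018-06-08 08:54:23,467 [analyzer] ERROR: mode
2018-06-08 08:54:23,467 [analyzer] ERROR: 0
2018-06-08 08:54:23,500 [analyzer] INFO: Injected into process with pid 1260 and name u'calc.exe'
2018-06-08 08:54:23,655 [analyzer] DEBUG: Loaded monitor into process with pid 1260
2018-06-08 08:54:41,822 [analyzer] INFO: Injected into process with pid 2072 and name u'cmd.exe'
2018-06-08 08:54:41,947 [analyzer] DEBUG: Loaded monitor into process with pid 2072
2018-06-08 08:54:42,025 [analyzer] INFO: Injected into process with pid 2372 and name u'PING.EXE'
2018-06-08 08:54:42,227 [analyzer] DEBUG: Loaded monitor into process with pid 2372
2018-06-08 08:54:42,711 [analyzer] INFO: Added new file to list with pid 2364 and path C:\Users\juan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malguar2.exe
2018-06-08 08:54:42,711 [analyzer] INFO: Error dumping file from path "C:\Users\juan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malguar2.exe": [Errno 13] Permission denied: u'C:\Users\juan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malguar2.exe'
2018-06-08 08:54:43,775 [analyzer] INFO: Injected into process with pid 1608 and name u'sc.exe'
2018-06-08 08:54:43,915 [analyzer] DEBUG: Loaded monitor into process with pid 1608
"""
WIN81_LOG = r"""
2018-06-08 08:54:25,757 [lib.api.process] INFO: Successfully executed process from path u'C:\Users\JUANCI~1\AppData\Local\Temp\ProbaTor_setup.exe' with arguments '' and pid 1536
2018-06-08 08:54:26,023 [analyzer] DEBUG: Loaded monitor into process with pid 1536
2018-06-08 08:54:26,164 [analyzer] ERROR: mode
2018-06-08 08:54:26,180 [analyzer] ERROR: 0
2018-06-08 08:54:26,197 [analyzer] INFO: Injected into process with pid 304 and name u'calc.exe'
2018-06-08 08:54:26,571 [analyzer] INFO: Added new file to list with pid 1536 and path \Device\ConDrv
2018-06-08 08:54:26,789 [analyzer] DEBUG: Loaded monitor into process with pid 304
2018-06-08 08:54:47,382 [analyzer] INFO: Added new file to list with pid 1536 and path C:\Users\JuanCierva\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malguar.exe
2018-06-08 08:54:49,056 [analyzer] INFO: Added new file to list with pid 1536 and path C:\Users\JuanCierva\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malguar2.exe
2018-06-08 08:54:50,523 [analyzer] INFO: Added new file to list with pid 1536 and path C:\calc.exe
2018-06-08 08:54:51,243 [analyzer] INFO: Added new file to list with pid 1536 and path C:\descargao.exe
2018-06-08 08:56:32,993 [analyzer] INFO: Analysis timeout hit, terminating analysis.
"""

# "<date> <time> [<source>] <LEVEL>: <message>", the format of every line above.
LINE_RE = re.compile(r"^\S+ \S+ \[(?P<src>[^\]]+)\] (?P<level>[A-Z]+): (?P<msg>.*)$")
EXEC_RE = re.compile(r"Successfully executed process from path u?'.*' with arguments .* and pid (\d+)")
INJECT_RE = re.compile(r"Injected into process with pid (\d+) and name u?'([^']+)'")
LOADED_RE = re.compile(r"Loaded monitor into process with pid (\d+)")
NEWFILE_RE = re.compile(r"Added new file to list with pid (\d+) and path (.+)$")
DUMPERR_RE = re.compile(r'Error dumping file from path "([^"]+)"')


def summarize(log_text):
    """Reduce one analysis.log to the facts that matter for hooking coverage."""
    s = {
        "sample_pid": None,
        "injected": {},       # child pid -> image name ("Injected into process")
        "monitored": set(),   # pids for which "Loaded monitor" was reported
        "dropped_files": [],  # paths from "Added new file to list"
        "dump_errors": [],    # files the analyzer could not dump
        "errors": Counter(),  # ERROR-level messages, e.g. the "mode"/"0" pairs
        "unparsed": 0,        # lines that did not look like analyzer output
    }
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        m = LINE_RE.match(raw)
        if m is None:
            s["unparsed"] += 1
            continue
        msg = m["msg"]
        if m["level"] == "ERROR":
            s["errors"][msg] += 1
        if (x := EXEC_RE.search(msg)):
            s["sample_pid"] = int(x[1])
        elif (x := INJECT_RE.search(msg)):
            s["injected"][int(x[1])] = x[2]
        elif (x := LOADED_RE.search(msg)):
            s["monitored"].add(int(x[1]))
        elif (x := NEWFILE_RE.search(msg)):
            s["dropped_files"].append(x[2])
        elif (x := DUMPERR_RE.search(msg)):
            s["dump_errors"].append(x[1])
    return s


def children(summary):
    """Image names of the child processes the monitor got injected into."""
    return sorted(summary["injected"].values())


def injected_without_monitor(summary):
    """Pids the analyzer injected but never reported loading the monitor into."""
    return sorted(p for p in summary["injected"] if p not in summary["monitored"])


def missing_children(reference, other):
    """Child image names seen on the reference guest but never on the other."""
    return sorted(set(reference["injected"].values()) - set(other["injected"].values()))


if __name__ == "__main__":
    w7, w81 = summarize(WIN7_LOG), summarize(WIN81_LOG)
    for guest, s in (("Windows 7 x32", w7), ("Windows 8.1 x32", w81)):
        print(f"{guest}: sample pid {s['sample_pid']}, children {children(s)}, "
              f"{len(s['dropped_files'])} dropped files, {len(s['dump_errors'])} dump errors, "
              f"ERROR lines {dict(s['errors'])}, unmonitored {injected_without_monitor(s)}")
    print("children missing on Windows 8.1:", missing_children(w7, w81))
```

Run against the full logs, the diff is the useful part: on both guests every "Injected into process" line is followed by a "Loaded monitor" line, so the monitor DLL did load into calc.exe on 8.1. What the 8.1 log lacks is any report of the later children (cmd.exe, PING.EXE, sc.exe). That is consistent with the process-creation hooks not firing, but also with the sample simply taking a different path on 8.1, so confirm with the screenshots and a process listing from the guest before concluding the hooks are broken.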

@celyrin

celyrin commented Jun 25, 2024

I also tested Windows 10 guests (including Windows 11). I found that for 32-bit programs Cuckoo works fine and captures behavioral data. However, for 64-bit programs I observed exception exits in the behavior logs, indicating bugs in the injection process that need adaptation.
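
Since the comment above separates 32-bit samples (working) from 64-bit ones (failing), it is worth knowing which path a submission will take before it is queued. The script below is an added example for this page, not Cuckoo's own code: it reads the `Machine` field of the COFF header and the `Magic` of the optional header straight from the bytes, checks that the two agree, and reports 32 or 64. `make_stub_pe` builds a header-only PE purely as constructed test input; it is not a runnable binary.

```python
"""Tell whether a PE sample is 32- or 64-bit from its headers alone."""
import struct
import sys

# IMAGE_FILE_HEADER.Machine and IMAGE_OPTIONAL_HEADER.Magic values from the
# PE/COFF specification.
MACHINE = {0x014C: "i386", 0x8664: "AMD64", 0x01C4: "ARMNT", 0xAA64: "ARM64"}
MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}


def pe_bitness(data):
    """Return {'machine', 'magic', 'bits'} for an in-memory PE image.

    Raises ValueError for anything that is not a well-formed MZ/PE file, so a
    script or a truncated payload is never silently reported as 32-bit.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    if len(data) < e_lfanew + 26:
        raise ValueError("truncated headers")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    if opt_size < 2:
        raise ValueError("missing optional header")
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    bits_from_machine = 64 if machine in (0x8664, 0xAA64) else 32
    bits_from_magic = 64 if magic == 0x20B else 32
    if bits_from_machine != bits_from_magic:
        raise ValueError("Machine and optional-header Magic disagree")
    return {
        "machine": MACHINE.get(machine, hex(machine)),
        "magic": MAGIC.get(magic, hex(magic)),
        "bits": bits_from_magic,
    }


def make_stub_pe(machine, magic):
    """Header-only PE for testing (constructed input, not a runnable binary)."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff_header = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 2, 0x0002)
    return dos_header + b"PE\0\0" + coff_header + struct.pack("<H", magic)


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else make_stub_pe(0x8664, 0x20B)
    info = pe_bitness(blob)
    print(f"{path or '<stub>'}: {info['machine']} {info['magic']} -> {info['bits']}-bit")
```

Pass the sample path as the only argument; with no argument it classifies the built-in AMD64 stub. A mismatch between `Machine` and `Magic` is reported rather than guessed, since a hand-edited header is exactly the kind of input that confuses an injector.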
