Open osh2ep opened 7 years ago
It is about `bin/is32bit.c`:

```c
#include <stdint.h>
#include <windows.h>

/* error() is the monitor's own fatal-error helper; it is not shown in the issue. */
HANDLE open_process(uint32_t pid)
{
    /* Asks for every process right, not just the ones is32bit uses. */
    HANDLE process_handle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
    if(process_handle == NULL) {
        if(GetLastError() == ERROR_ACCESS_DENIED) {
            error("process access denied");
        }
        error("[-] Error getting access to process: %ld!\n", GetLastError());
    }
    return process_handle;
}
```
OpenProcess on a system process - lsass.exe:

```python
p = Process(process_name="lsass.exe")
```
Why is the PROCESS_ALL_ACCESS flag set for OpenProcess() on a system process, "lsass.exe"? According to the documentation, it will obviously return ERROR_ACCESS_DENIED:

> dwProcessId [in] The identifier of the local process to be opened. If the specified process is the System Process (0x00000000), the function fails and the last error code is ERROR_INVALID_PARAMETER. If the specified process is the Idle process or one of the CSRSS processes, this function fails and the last error code is ERROR_ACCESS_DENIED because their access restrictions prevent user-level code from opening them.
https://msdn.microsoft.com/en-us/library/windows/desktop/ms684320(v=vs.85).aspx
https://github.com/cuckoosandbox/monitor/issues/50
https://github.com/ViPig/cuckoo/commit/1a5d17a7b61be6c0b4fb6892ff55d1fbd5cf6017
Handle the DumpTLSMasterSecret error message with a warning one. However, it disabled DumpTLSMasterSecret, which led to this issue: https://github.com/jbremer/httpreplay/issues/14
Now migrating DumpTLSMasterSecret to the mitmproxy module...
Problem
As above, is32bit.exe (inside the analyzer module running on the Guest) can't be granted the access it needs.
Steps to reproduce
Same as https://github.com/ViPig/cuckoo/issues/3
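Added example, not code from the cuckoo monitor or analyzer: the PowerShell below, run on a Windows guest, opens lsass.exe twice, once with PROCESS_ALL_ACCESS as `open_process()` above does and once with PROCESS_QUERY_LIMITED_INFORMATION (0x1000), the smallest right the documented IsWow64Process call accepts, and reports the Win32 error for each. The `ProcApi` type and `Test-ProcessAccess` function are names chosen here; the P/Invoke signatures and constants are the Win32 ones. The practical point: from a token without SeDebugPrivilege, or on a machine where lsass runs as a protected process (RunAsPPL), the all-access request fails with ERROR_ACCESS_DENIED (5) while the limited-information request is still granted, so if is32bit only needs to learn the target's bitness, asking for the limited right is what makes it work on lsass.

```powershell
# Added example (not from the cuckoo project). Compares what OpenProcess grants on
# lsass.exe for PROCESS_ALL_ACCESS versus PROCESS_QUERY_LIMITED_INFORMATION, and
# uses the handle for IsWow64Process, which is all a bitness check needs.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class ProcApi {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);

    [DllImport("kernel32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    public static extern bool IsWow64Process(IntPtr hProcess, out bool Wow64Process);

    [DllImport("kernel32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    public static extern bool CloseHandle(IntPtr hObject);
}
'@

$PROCESS_ALL_ACCESS                = 0x1FFFFF  # STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFFF (Vista and later)
$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000    # sufficient for IsWow64Process; granted even on PPL processes
$ERROR_ACCESS_DENIED               = 5

function Test-ProcessAccess {
    param(
        [Parameter(Mandatory)][uint32]$ProcessId,
        [Parameter(Mandatory)][uint32]$DesiredAccess,
        [Parameter(Mandatory)][string]$Label
    )
    $handle = [ProcApi]::OpenProcess($DesiredAccess, $false, $ProcessId)
    if ($handle -eq [IntPtr]::Zero) {
        # Read the error immediately, before another Win32 call overwrites it.
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        return [pscustomobject]@{
            Label     = $Label
            Access    = ('0x{0:X}' -f $DesiredAccess)
            Opened    = $false
            LastError = $err
            Denied    = ($err -eq $ERROR_ACCESS_DENIED)
            IsWow64   = $null
        }
    }
    try {
        $wow64 = $false
        if (-not [ProcApi]::IsWow64Process($handle, [ref]$wow64)) {
            throw ('IsWow64Process failed: {0}' -f [Runtime.InteropServices.Marshal]::GetLastWin32Error())
        }
        return [pscustomobject]@{
            Label     = $Label
            Access    = ('0x{0:X}' -f $DesiredAccess)
            Opened    = $true
            LastError = 0
            Denied    = $false
            IsWow64   = $wow64
        }
    }
    finally {
        [void][ProcApi]::CloseHandle($handle)
    }
}

$lsassId = (Get-Process -Name lsass).Id
Test-ProcessAccess -ProcessId $lsassId -DesiredAccess $PROCESS_ALL_ACCESS                -Label 'lsass PROCESS_ALL_ACCESS'
Test-ProcessAccess -ProcessId $lsassId -DesiredAccess $PROCESS_QUERY_LIMITED_INFORMATION -Label 'lsass PROCESS_QUERY_LIMITED_INFORMATION'
Test-ProcessAccess -ProcessId $PID     -DesiredAccess $PROCESS_ALL_ACCESS                -Label 'self PROCESS_ALL_ACCESS'
```

Run it once from a normal prompt and once elevated to see the difference: the `Denied` column for the first lsass row flips depending on the caller's token, while the PROCESS_QUERY_LIMITED_INFORMATION row opens in both cases and still answers the bitness question. The same change in C is just replacing the PROCESS_ALL_ACCESS argument in `open_process()` with PROCESS_QUERY_LIMITED_INFORMATION, provided nothing else in is32bit needs a broader right.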