ViPig / cuckoo


Is32bit.exe can't grant PROCESS_ALL_ACCESS access #4

Open osh2ep opened 7 years ago

osh2ep commented 7 years ago

Problem

As above, is32bit.exe (inside the analyzer module running on the Guest) can't be granted the access it needs.

2017-07-12 04:14:37,101 [analyzer] ERROR: Cannot execute auxiliary module DumpTLSMasterSecrets: Error returned by is32bit: Command '['bin\\is32bit.exe', '-n', 'lsass.exe']' returned non-zero exit status 1
Traceback (most recent call last):
  File "C:\atdghyrl\analyzer.py", line 621, in run
    aux.start()
  File "C:\atdghyrl\modules\auxiliary\dumptls.py", line 12, in start
    Process(process_name="lsass.exe").inject(track=False, mode="dumptls")
  File "C:\atdghyrl\lib\api\process.py", line 367, in inject
    is32bit = self.is32bit(process_name=self.process_name)
  File "C:\atdghyrl\lib\api\process.py", line 210, in is32bit
    raise CuckooError("Error returned by is32bit: %s" % e)
CuckooError: Error returned by is32bit: Command '['bin\\is32bit.exe', '-n', 'lsass.exe']' returned non-zero exit status 1

Steps to reproduce

Same as https://github.com/ViPig/cuckoo/issues/3

osh2ep commented 7 years ago

Problem

It is about bin/is32bit.c

#include <stdint.h>
#include <windows.h>

/* error() is is32bit's own helper (assumed here to print the message and
   exit non-zero, which matches the "exit status 1" in the log above). */
HANDLE open_process(uint32_t pid)
{
    /* PROCESS_ALL_ACCESS requests every right on the target; on a system
       process such as lsass.exe this is what yields ERROR_ACCESS_DENIED. */
    HANDLE process_handle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
    if(process_handle == NULL) {
        if(GetLastError() == ERROR_ACCESS_DENIED) {
            error("process access denied");
        }
        error("[-] Error getting access to process: %ld!\n", GetLastError());
    }

    return process_handle;
}

OpenProcess on a system process - lsass.exe

p = Process(process_name="lsass.exe")

Why is the PROCESS_ALL_ACCESS flag set for OpenProcess() on a system process, "lsass.exe"? According to the documentation, it will obviously return ERROR_ACCESS_DENIED.

dwProcessId [in] The identifier of the local process to be opened. If the specified process is the System Process (0x00000000), the function fails and the last error code is ERROR_INVALID_PARAMETER. If the specified process is the Idle process or one of the CSRSS processes, this function fails and the last error code is ERROR_ACCESS_DENIED because their access restrictions prevent user-level code from opening them.

References

https://msdn.microsoft.com/en-us/library/windows/desktop/ms684320(v=vs.85).aspx

Discussion

https://github.com/cuckoosandbox/monitor/issues/50

Solution

https://github.com/ViPig/cuckoo/commit/1a5d17a7b61be6c0b4fb6892ff55d1fbd5cf6017
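Added example (not code from the Cuckoo project or from the commenter): a least-privilege version of the analyzer's is32bit check in Python, opening the target with only the PROCESS_QUERY_LIMITED_INFORMATION right that IsWow64Process documents as required, instead of PROCESS_ALL_ACCESS, and mapping the OpenProcess error codes quoted from MSDN above. Function names are mine, the constants are the documented Win32 values, and the OpenProcess path assumes it runs on Windows.

```python
import ctypes
import sys

# Documented Win32 values (winnt.h / winerror.h).
PROCESS_ALL_ACCESS = 0x1FFFFF                # mask is32bit.c requests
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000   # all IsWow64Process needs
ERROR_ACCESS_DENIED = 5
ERROR_INVALID_PARAMETER = 87


def interpret_wow64(is_wow64, host_is_64bit):
    """Translate an IsWow64Process answer into 'target is 32-bit'.
    IsWow64Process reports FALSE for every process on 32-bit Windows,
    so FALSE only means '64-bit' when the host itself is 64-bit."""
    if not host_is_64bit:
        return True
    return bool(is_wow64)


def explain_open_error(err):
    """Diagnose a GetLastError() value from a failed OpenProcess call."""
    if err == ERROR_ACCESS_DENIED:
        return ("access denied: the caller is not granted the requested "
                "rights on this process (system/protected process)")
    if err == ERROR_INVALID_PARAMETER:
        return "invalid parameter: pid 0 (System Process) or no such pid"
    return "OpenProcess failed with Win32 error %d" % err


def is32bit(pid, access=PROCESS_QUERY_LIMITED_INFORMATION):
    """Return True if process `pid` is 32-bit. Windows only (ctypes)."""
    if sys.platform != "win32":
        raise OSError("is32bit() needs the Win32 API")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32]
    k32.GetCurrentProcess.restype = ctypes.c_void_p
    k32.IsWow64Process.argtypes = [ctypes.c_void_p, ctypes.POINTER(ctypes.c_int)]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    # The host is 64-bit if we are 64-bit ourselves or run under WOW64.
    me_wow64 = ctypes.c_int(0)
    k32.IsWow64Process(k32.GetCurrentProcess(), ctypes.byref(me_wow64))
    host_is_64bit = ctypes.sizeof(ctypes.c_void_p) == 8 or bool(me_wow64.value)
    handle = k32.OpenProcess(access, 0, pid)   # least privilege, not ALL_ACCESS
    if not handle:
        raise OSError(explain_open_error(ctypes.get_last_error()))
    try:
        target_wow64 = ctypes.c_int(0)
        if not k32.IsWow64Process(handle, ctypes.byref(target_wow64)):
            raise OSError("IsWow64Process failed: %d" % ctypes.get_last_error())
        return interpret_wow64(target_wow64.value, host_is_64bit)
    finally:
        k32.CloseHandle(handle)
```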

osh2ep commented 7 years ago

Handled the DumpTLSMasterSecret error message with a warning one. However, it disabled DumpTLSMasterSecret, which led to this issue: https://github.com/jbremer/httpreplay/issues/14

Now migrating DumpTLSMasterSecret to module mitmproxy...