Closed sarulon closed 8 years ago
this does not give any details...
```
ERROR: Failed to run the processing module "ProcessMemory" for task #61:
Traceback (most recent call last):
  File "/home/alex/cuckoo/lib/cuckoo/core/plugins.py", line 242, in process
    data = current.run()
  File "/home/alex/cuckoo/modules/processing/procmemory.py", line 221, in run
    proc["extracted"] = list(self.dump_images(proc))
  File "/home/alex/cuckoo/modules/processing/procmemory.py", line 161, in dump_images
    if pe.is_dll() and not drop_dlls:
AttributeError: PE instance has no attribute 'is_dll'
2016-08-15 02:09:35,184 [lib.cuckoo.core.plugins] DEBUG: Executed processing module "Procmon" on analysis at "/home/alex/cuckoo/storage/analyses/61"
2016-08-15 02:09:35,186 [lib.cuckoo.core.plugins] DEBUG: Executed processing module "Static" on analysis at "/home/alex/cuckoo/storage/analyses/61"
2016-08-15 02:09:37,114 [lib.cuckoo.core.plugins] DEBUG: Executed processing module "Strings" on analysis at "/home/alex/cuckoo/storage/analyses/61"
2016-08-15 02:09:38,338 [lib.cuckoo.core.plugins] DEBUG: Executed processing module "TargetInfo" on analysis at "/home/alex/cuckoo/storage/analyses/61"
2016-08-15 02:09:38,339 [modules.processing.network] ERROR: Unable to open /home/alex/cuckoo/storage/analyses/61/dump_sorted.pcap
```
can you show your version of pefile ?
what is pefile ?
library which fails in your case, did you do `sudo pip install -r requirements.txt`?
did it now
read the manual how to setup everything before new issues plz
i did it by the manual, still i get few errors

```
2016-08-15 03:39:51,292 [lib.cuckoo.core.plugins] DEBUG: Executed processing module "AnalysisInfo" on analysis at "/home/alex/cuckoo/storage/analyses/62"
2016-08-15 03:39:53,281 [lib.cuckoo.core.plugins] DEBUG: Executed processing module "MetaInfo" on analysis at "/home/alex/cuckoo/storage/analyses/62"
2016-08-15 03:39:53,316 [lib.cuckoo.core.plugins] DEBUG: Executed processing module "BehaviorAnalysis" on analysis at "/home/alex/cuckoo/storage/analyses/62"
2016-08-15 03:39:53,317 [lib.cuckoo.core.plugins] DEBUG: Executed processing module "DroppedBuffer" on analysis at "/home/alex/cuckoo/storage/analyses/62"
2016-08-15 03:39:53,345 [lib.cuckoo.core.plugins] DEBUG: Executed processing module "Debug" on analysis at "/home/alex/cuckoo/storage/analyses/62"
2016-08-15 03:39:53,346 [lib.cuckoo.core.plugins] DEBUG: Executed processing module "Dropped" on analysis at "/home/alex/cuckoo/storage/analyses/62"
2016-08-15 03:39:54,765 [lib.cuckoo.core.plugins] DEBUG: Executed processing module "ProcessMemory" on analysis at "/home/alex/cuckoo/storage/analyses/62"
2016-08-15 03:39:54,766 [lib.cuckoo.core.plugins] DEBUG: Executed processing module "Procmon" on analysis at "/home/alex/cuckoo/storage/analyses/62"
2016-08-15 03:40:00,134 [lib.cuckoo.core.plugins] DEBUG: Executed processing module "Static" on analysis at "/home/alex/cuckoo/storage/analyses/62"
2016-08-15 03:40:00,361 [lib.cuckoo.core.plugins] DEBUG: Executed processing module "Strings" on analysis at "/home/alex/cuckoo/storage/analyses/62"
2016-08-15 03:40:00,512 [lib.cuckoo.core.plugins] DEBUG: Executed processing module "TargetInfo" on analysis at "/home/alex/cuckoo/storage/analyses/62"
2016-08-15 03:40:00,513 [modules.processing.network] ERROR: Unable to open /home/alex/cuckoo/storage/analyses/62/dump_sorted.pcap
```

```
~/cuckoo$ getcap /usr/sbin/tcpdump
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip
```
any network traffic presented in network tab?
so `2016-08-15 03:40:00,513 [modules.processing.network] ERROR: Unable to open /home/alex/cuckoo/storage/analyses/62/dump_sorted.pcap` is not an error itself if no traffic
This is an older bug related to the 2.0-rc1 release, you can ignore it for the time being. (It's been fixed months ago, awaiting the next official release).
Can you post the output of `pip freeze` for the `pefile` related issue?
```
Babel==2.3.4
ConfigArgParse==0.10.0
Cython==0.20.1.post0
Django==1.8.4
Flask==0.10.1
HTTPReplay==0.1.15
Jinja2==2.8
Landscape-Client==14.12
M2Crypto==0.25.1
Magic-file-extensions==0.2
Mako==1.0.1
MarkupSafe==0.23
MySQL-python==1.2.3
PAM==0.4.2
Pillow==3.2.0
PyYAML==3.11
Pygments==2.1.3
SFlock==0.1
SQLAlchemy==1.0.8
Sphinx==1.4.5
Twisted-Core==13.2.0
Werkzeug==0.10.4
alabaster==0.7.9
alembic==0.8.0
androguard==3.0
apt-xapian-index==0.45
argh==0.26.2
argparse==1.2.1
backports-abc==0.4
backports.ssl-match-hostname==3.5.0.1
beautifulsoup4==4.4.1
blinker==1.4
bottle==0.12.0
certifi==2016.8.8
cffi==1.6.0
chardet==2.3.0
click==6.6
colorama==0.3.7
configobj==4.7.2
construct==2.5.2
cryptography==1.3.2
distorm3==3.3.4
docutils==0.12
dpkt==1.8.7
ecdsa==0.13
elasticsearch==2.2.0
enum34==1.0.4
h2==2.4.0
hpack==2.3.0
html2text==2016.4.2
html5lib==0.999
hyperframe==3.2.0
idna==2.0
imagesize==0.7.1
ipaddress==1.0.14
itsdangerous==0.24
jsbeautifier==1.6.2
libvirt-python==1.2.2
lxml==3.6.0
mitmproxy==0.17
ndg-httpsclient==0.4.0
nose==1.3.1
oletools==0.42
openpyxl==1.7.0
passlib==1.6.5
pathtools==0.1.2
peepdf==0.3.2
pefile==1.2.9.1
pefile2==1.2.11
pyOpenSSL==0.15.1
pyasn1==0.1.8
pycparser==2.14
pycrypto==2.6.1
pydeep==0.2
pymisp==2.4.36
pymongo==3.0.3
pyparsing==2.1.7
pyperclip==1.5.27
pyserial==2.6
python-apt===0.9.3.5ubuntu2
python-dateutil==2.4.2
python-debian===0.1.21-nmu2ubuntu2
python-editor==0.3
python-magic==0.4.6
pythonaes==1.0
pytz==2016.6.1
pyvmomi==6.0.0.2016.6
requests==2.7.0
singledispatch==3.4.0.3
six==1.9.0
snowballstemmer==1.2.1
ssh-import-id==3.21
tlslite-ng==0.6.0a3
tornado==4.3
typing==3.5.2.2
urllib3==1.16
urwid==1.3.1
volatility==2.4
wakeonlan==0.2.2
watchdog==0.8.3
wheel==0.24.0
wsgiref==0.1.2
yara-python==3.1
zope.interface==4.0.5
```
Right, you have an older `pefile==1.2.9.1` in there - please uninstall it. It's likely clobbering your Python namespace with an outdated version.
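The diagnosis above can be scripted. This is an added example, not part of the original thread or of Cuckoo's code: it scans `pip freeze` output for a distribution installed next to a digit-suffixed fork of itself, then reports which file an import actually resolves to and whether the class has the method the traceback says is missing. The trailing-digit heuristic, the function names and the shortened sample input are assumptions made for illustration.

```python
import importlib
import re

# Constructed excerpt of the `pip freeze` output posted in this thread.
SAMPLE_FREEZE = """\
peepdf==0.3.2
pefile==1.2.9.1
pefile2==1.2.11
pyOpenSSL==0.15.1
python-apt===0.9.3.5ubuntu2
"""


def parse_freeze(text):
    """Return {lowercased distribution name: version} from `pip freeze` output."""
    pins = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z0-9._-]+)={2,3}(\S+)$", line.strip())
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins


def fork_collisions(pins):
    """Heuristic (assumption): a name plus a digit-suffixed variant of it,
    both installed, may ship the same import name and shadow each other."""
    hits = []
    for name in sorted(pins):
        base = name.rstrip("0123456789")
        if base != name and base in pins:
            hits.append((base, pins[base], name, pins[name]))
    return hits


def probe(module_name, class_name, attr):
    """Import a module and report where it was loaded from and whether
    class_name.attr exists. Returns None if the module cannot be imported."""
    try:
        mod = importlib.import_module(module_name)
    except ImportError:
        return None
    cls = getattr(mod, class_name, None)
    return {"path": getattr(mod, "__file__", None),
            "has_attr": cls is not None and hasattr(cls, attr)}


if __name__ == "__main__":
    for base, base_ver, fork, fork_ver in fork_collisions(parse_freeze(SAMPLE_FREEZE)):
        print("possible shadowing: %s==%s vs %s==%s" % (base, base_ver, fork, fork_ver))
    # The check from the traceback: does the imported pefile.PE have is_dll?
    print("pefile.PE.is_dll:", probe("pefile", "PE", "is_dll"))
```

A `path` under `/usr/lib/python2.7/dist-packages` in the `probe` result means the OS-packaged copy is the one being imported.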
i'm getting this: `Not uninstalling pefile at /usr/lib/python2.7/dist-packages, owned by OS`
What about `sudo apt-get remove python-pefile` or something like that?
can i do this `sudo pip install pefile --upgrade` instead?
no, you will install broken version; `pefile2` is good version here
i'll try to uninstall it
```
2016-08-15 04:03:45,711 [lib.cuckoo.core.scheduler] ERROR: Error from the Cuckoo Guest: Analysis failed: The package "modules.packages.zip" start function encountered an unhandled exception: Error returned by is32bit: Command '['bin\is32bit.exe', '-f', u'C:\Users\admin\AppData\Local\Temp\RULES-~1/']' returned non-zero exit status 1
Traceback (most recent call last):
  File "C:\bnhjx\analyzer.py", line 778, in
```
i have this one too, when i'm uploading zip files for inspection, only zip files that weren't created on windows machines give me this error. anything i can do here?
search in issues, zip is not supported at the moment as far as i remember
i personally would suggest using dev instead of rc1, but be aware of possible bugs, but there are a lot of bugs solved wh
is it possible to change the file type, if it recognizes it as zip, to change it to rar, & winrar installed on vm will open it?
i found a workaround for the zip problem: need to change zip to something else in `analyzer/windows/lib/core/packages.py`, it opens it in winrar installed on windows vm
@sarulon Please feel free to share your `zip` vs `rar` solution. We're currently working hard on a different approach to tackle the `zip` issue, but seeing your changes might definitely help us - thanks!
in this file `/cuckoo/analyzer/windows/lib/core/packages.py` i changed the `elif "zip" in file_type:` to `elif "z" in file_type:`, now it opens the zip with winrar installed on the vm. i hope that helps
Going to close this issue as resolved. Thanks for your feedback @sarulon. Unfortunately we're going down a different road to get proper `.zip` and `.rar` support, but thanks for your insights :-)
2016-08-15 00:02:33,941 [lib.cuckoo.core.plugins] ERROR: Failed to run the processing module "ProcessMemory" for task #57: