cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

Error with API call to memory/get #2327

Open andreashaukeland opened 6 years ago

andreashaukeland commented 6 years ago

When trying to access the memory dumps from the API I noticed that the files are stored either as `2704-1.dmp` or `2704-2322ca1e7d943923.exe`, where 2704 is the pid of the memory dump. It should, to my knowledge, be saved as `2704.dmp`.

My Cuckoo version and operating system are:

Ubuntu 18.04 and 2.0.6. Have tested on two different machines, one running VirtualBox and one running KVM.

This can be reproduced by:

Creating a memory dump and accessing it from the REST-API with http://localhost:8090/memory/get//

The log, error, files etc can be found at:

Gives the error message: `{ "message": "Memory dump not found" }`

doomedraven commented 6 years ago

But did it exist in dist? And why the double slash at the end?

andreashaukeland commented 6 years ago

Yes, the files exist in `.cuckoo/storage/analyses//memory`. The double slash is a typo from me, sorry.

RicoVZ commented 6 years ago

Hi @andreashaukeland,

Thanks for posting an issue.

You are right. This seems a bit odd. For now, it can be accessed if you use `/get/<taskid>/<pid>-<dumpnumber>`. Example: `http://localhost:8090/memory/get/1/5001-1`.

I realize this is not ideal. The reason the file has a `-numberhere` suffix is that the dumping code takes into account that multiple dumps of the same process might be made. The API or docs should probably be updated to make this more clear.

oyviaase commented 6 years ago

The issue is worse if you use KVM as your hypervisor, since it only stores the memory dumps as `<pid>-<filename>`, such as `3452-5faa444f6dbc35f0.exe_`, making it impossible to download them using the API.

The simple solution would be to add `.dmp` at the end of the filename to allow the API to download it.

oyviaase commented 6 years ago

I forgot that I had set `dumpdelete` to `yes`. Setting it back to `no` saves some `*.dmp` files in addition to a lot of other `*.dll` files.

RicoVZ commented 6 years ago

@oyviaase

The exe and dll files are files that were extracted from process memory dumps. The `.dmp` files they were extracted from should still be available if Cuckoo is not set to delete them after processing.

You are right. It does cause those to be not downloadable over the API. I will add this to the list of things to change. :smile:
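The two points RicoVZ makes in this thread, that a dump is fetched as `/memory/get/<taskid>/<pid>-<dumpnumber>` and that the `<pid>-<hash>.exe` / `.dll` files are carvings from a dump rather than dumps themselves (so they are not fetchable and, with `dumpdelete = yes`, the dump they came from is gone), can be checked against a task's `memory/` directory with a small helper. The following is an added example, not code from the Cuckoo project; it only assumes the filename shapes quoted in this thread, and the base URL, task id and directory listing are constructed sample values.

```python
"""Sort the contents of a Cuckoo task's memory/ directory and build the
memory/get URL form described in this thread (/memory/get/<taskid>/<pid>-<dumpnumber>).

Added example, not Cuckoo's own code. Assumes only the two filename shapes quoted
in the thread: '<pid>-<n>.dmp' for a process memory dump and '<pid>-<16 hex>.<ext>'
for a file extracted from a dump. Base URL, task id and listing are made-up samples.
"""
import re
from collections import defaultdict

# '<pid>-<n>.dmp': the n-th dump taken of process <pid>.
DUMP_RE = re.compile(r"^(?P<pid>\d+)-(?P<num>\d+)\.dmp$")
# '<pid>-<hash>.<ext>': a file carved out of a dump of <pid> (16 hex chars as seen in the thread).
EXTRACTED_RE = re.compile(r"^(?P<pid>\d+)-(?P<hash>[0-9a-fA-F]{16})\.(?P<ext>\w+)$")


def classify(filename):
    """Return ('dump', pid, dumpnumber), ('extracted', pid, hash) or ('unknown', None, None)."""
    m = DUMP_RE.match(filename)
    if m:
        return ("dump", int(m["pid"]), int(m["num"]))
    m = EXTRACTED_RE.match(filename)
    if m:
        return ("extracted", int(m["pid"]), m["hash"].lower())
    return ("unknown", None, None)


def memory_get_url(base_url, task_id, filename):
    """URL to fetch a dump over the REST API, or None if the file is not a dump
    (extracted exe/dll files cannot be requested this way, as the thread notes)."""
    kind, pid, num = classify(filename)
    if kind != "dump":
        return None
    return f"{base_url.rstrip('/')}/memory/get/{int(task_id)}/{pid}-{num}"


def inventory(filenames):
    """Group a memory/ listing by pid: dump numbers, extracted-file hashes, and leftovers."""
    dumps = defaultdict(list)
    extracted = defaultdict(list)
    unknown = []
    for name in filenames:
        kind, pid, value = classify(name)
        if kind == "dump":
            dumps[pid].append(value)
        elif kind == "extracted":
            extracted[pid].append(value)
        else:
            unknown.append(name)
    for nums in dumps.values():
        nums.sort()
    return {"dumps": dict(dumps), "extracted": dict(extracted), "unknown": unknown}


def pids_without_dump(filenames):
    """Pids that have extracted files but no .dmp left on disk: the symptom of
    dumpdelete = yes (or of a hypervisor setup that keeps only the carvings)."""
    inv = inventory(filenames)
    return sorted(pid for pid in inv["extracted"] if pid not in inv["dumps"])


# Constructed sample listing of .cuckoo/storage/analyses/<taskid>/memory.
SAMPLE_MEMORY_DIR = [
    "2704-1.dmp",
    "2704-2.dmp",
    "2704-2322ca1e7d943923.exe",
    "3452-5faa444f6dbc35f0.exe_",
    "3452-0123456789abcdef.dll",
]

if __name__ == "__main__":
    base, task = "http://localhost:8090", 1  # constructed sample values
    for name in SAMPLE_MEMORY_DIR:
        print(f"{name:32} -> {memory_get_url(base, task, name) or 'not fetchable (extracted file)'}")
    print("pids whose dump is missing:", pids_without_dump(SAMPLE_MEMORY_DIR))
```

Running the script on a real task directory (replace `SAMPLE_MEMORY_DIR` with `os.listdir(...)`) shows which files can be requested and flags processes whose only remaining artefacts are carved files, which is worth checking before concluding the API itself is broken.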