Open elibi opened 8 years ago
@jbremer
Could you try with OllyDBG or x64dbg? As you can see in the command-line string that's created, it passes the process identifier along using the -p switch - I'm not sure if that works for WinDBG?
We could add support for WinDBG if you prefer, but initially this switch was intended for Olly.
For WinDBG I propose we add a flag --dbg-windbg that then uses the WinDBG command-line (which I'm sure you can find out for us) instead of the Olly one.
Thanks!
Or just something like --windbg C:\..., of course.
The command line is fine and actually works. However, what's not working is the monitor's injection into the WinDBG process, and I don't fully understand why we need it anyway.
When I replaced the "start_app" call with a simple CreateProcess everything worked seamlessly.
It executes the CreateProcess from its own process. I just used start_app rather than CreateProcessW because it's there anyway and includes some flags that we normally use anyway.
Can you show a diff of your solution that does work for you?
Sure.
diff --git a/bin/inject.c b/bin/inject.c
index 6d93799..f1eb91f 100644
--- a/bin/inject.c
+++ b/bin/inject.c
@@ -548,6 +548,14 @@ int main()
uint32_t pid = 0, tid = 0, from = 0, inj_mode = INJECT_NONE;
uint32_t show_window = SW_SHOWNORMAL, only_start = 0, resume_thread_ = 0;
+ STARTUPINFO si;
+ PROCESS_INFORMATION pi;
+
+ ZeroMemory( &si, sizeof(si) );
+ si.cb = sizeof(si);
+ ZeroMemory( &pi, sizeof(pi) );
+
+
for (int idx = 1; idx < argc; idx++) {
if(wcscmp(argv[idx], L"--crt") == 0) {
inj_mode = INJECT_CRT;
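Review bot: `si` and `pi` are declared and zeroed at the very top of main() (right after the `show_window` line) but are only used by the debugger-launch branch several hundred lines further down; declaring them next to the CreateProcessW call keeps their scope tight and avoids an unused pair of structs on every other code path. Since the call that consumes them is CreateProcessW, declare the startup block explicitly as `STARTUPINFOW si;` so the type does not depend on whether UNICODE is defined for this translation unit. The two consecutive blank `+` lines after `ZeroMemory( &pi, sizeof(pi) );` should be reduced to one.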
@@ -796,8 +804,9 @@ int main()
wchar_t buf[1024];
wsprintfW(buf, L"\"%s\" -p %d", dbg_path, pid);
- start_app(GetCurrentProcessId(), dbg_path, buf,
- NULL, NULL, SW_SHOWNORMAL);
+// start_app(GetCurrentProcessId(), dbg_path, buf,
+// NULL, NULL, SW_SHOWNORMAL);
+ CreateProcessW(NULL, buf, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);
Sleep(5000);
}
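Review bot: the return value of `CreateProcessW(NULL, buf, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);` is ignored, so if the debugger fails to launch (wrong dbg_path, missing binary) the code silently falls through to `Sleep(5000);` and continues as if a debugger were attached; check the BOOL result, report GetLastError() on failure, and CloseHandle() both pi.hProcess and pi.hThread once they are no longer needed. The two `+// start_app(...)` lines should be deleted rather than left as commented-out code, since the `-` lines already record the old call.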
It seems related to the fact that the debugger is started using start_app and not a regular CreateProcess call. Why do we need to inject into the debugger process? It didn't work anyway.
Unfortunately I don't have the log available.