cuckoosandbox / monitor

The new Cuckoo Monitor.
GNU General Public License v3.0

Windows 8.1 machine doesn't hook system calls #63

Open ferdinan4 opened 6 years ago

ferdinan4 commented 6 years ago

Hi!

I'm trying to use the latest version of monitor, but I noticed that when I launch a sample against Windows 8.1, Windows 10 or Windows 8.1 x64, it doesn't hook system calls.

On Windows 7 x32 and Windows 7 x64 it is working properly, and logs all new processes created...

Any idea? I have written the MD5 of the sample below, to help you test in your Cuckoo Sandbox.

MD5: e15cb14886edfcb26787202cfae7556c

And here are the analysis logs, from Windows 7 x32 and Windows 8.1 x32:

Windows 7 x32

2018-06-08 08:54:04,993 [analyzer] DEBUG: Starting analyzer from: C:\tmpnq9b9u
2018-06-08 08:54:05,071 [analyzer] DEBUG: Pipe server name: \??\PIPE\LeOogKWOQPoRognGvENAz
2018-06-08 08:54:05,071 [analyzer] DEBUG: Log pipe server name: \??\PIPE\cITSvdclDbicPhniYcIFBDsTXDGPAAuW
2018-06-08 08:54:05,071 [analyzer] INFO: Searching for installing files
2018-06-08 08:54:05,071 [analyzer] ERROR: No files for autoinstall
2018-06-08 08:54:05,071 [analyzer] DEBUG: No analysis package specified, trying to detect it automagically.
2018-06-08 08:54:05,101 [analyzer] INFO: Automatically selected analysis package "exe"
2018-06-08 08:54:18,868 [analyzer] DEBUG: Started auxiliary module DbgView
2018-06-08 08:54:19,322 [analyzer] DEBUG: Started auxiliary module Disguise
2018-06-08 08:54:21,539 [analyzer] DEBUG: Loaded monitor into process with pid 532
2018-06-08 08:54:21,539 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2018-06-08 08:54:21,539 [analyzer] DEBUG: Started auxiliary module Human
2018-06-08 08:54:21,539 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2018-06-08 08:54:21,539 [analyzer] DEBUG: Started auxiliary module OpenWeb
2018-06-08 08:54:21,539 [analyzer] DEBUG: Started auxiliary module Reboot
2018-06-08 08:54:21,743 [analyzer] DEBUG: Started auxiliary module RecentFiles
2018-06-08 08:54:21,743 [analyzer] DEBUG: Started auxiliary module Screenshots
2018-06-08 08:54:21,743 [modules.auxiliary.sendkeys] INFO: Módulo SendKeys cargado pero inactivo
2018-06-08 08:54:21,743 [analyzer] DEBUG: Started auxiliary module sendkeys
2018-06-08 08:54:21,743 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2018-06-08 08:54:21,757 [lib.api.process] ERROR: Usuario no limitado
2018-06-08 08:54:25,757 [lib.api.process] INFO: Successfully executed process from path u'C:\Users\JUANCI~1\AppData\Local\Temp\ProbaTor_setup.exe' with arguments '' and pid 1536
2018-06-08 08:54:26,023 [analyzer] DEBUG: Loaded monitor into process with pid 1536
2018-06-08 08:54:26,164 [analyzer] ERROR: mode
2018-06-08 08:54:26,180 [analyzer] ERROR: 0
2018-06-08 08:54:26,197 [analyzer] INFO: Injected into process with pid 304 and name u'calc.exe'
2018-06-08 08:54:26,197 [analyzer] DEBUG: Received request to inject pid=1536, but we are already injected there.
2018-06-08 08:54:26,243 [analyzer] DEBUG: Received request to inject pid=304, but we are already injected there.
2018-06-08 08:54:26,555 [lib.api.process] INFO: Memory dump of process with pid 304 completed
2018-06-08 08:54:26,571 [analyzer] INFO: Added new file to list with pid 1536 and path \Device\ConDrv
2018-06-08 08:54:26,789 [analyzer] DEBUG: Loaded monitor into process with pid 304
2018-06-08 08:54:47,382 [analyzer] INFO: Added new file to list with pid 1536 and path C:\Users\JuanCierva\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malguar.exe
2018-06-08 08:54:49,056 [analyzer] INFO: Added new file to list with pid 1536 and path C:\Users\JuanCierva\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malguar2.exe
2018-06-08 08:54:50,523 [analyzer] INFO: Added new file to list with pid 1536 and path C:\calc.exe
2018-06-08 08:54:51,243 [analyzer] INFO: Added new file to list with pid 1536 and path C:\descargao.exe
2018-06-08 08:56:32,993 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2018-06-08 08:56:32,993 [analyzer] WARNING: File at path "u'\device\condrv'" does not exist, skip.
2018-06-08 08:56:33,007 [analyzer] INFO: Analysis completed.

marta@marta:~/.cuckoo/storage/analyses/634$ cat ../635/analysis.log
2018-06-08 08:54:12,000 [analyzer] DEBUG: Starting analyzer from: C:\tmpdkm1gi
2018-06-08 08:54:12,030 [analyzer] DEBUG: Pipe server name: \??\PIPE\lDrcIDKxRQMYDGcCuYAGRr
2018-06-08 08:54:12,030 [analyzer] DEBUG: Log pipe server name: \??\PIPE\kyVpvtTrTSGdrxLGz
2018-06-08 08:54:12,030 [analyzer] INFO: Searching for installing files
2018-06-08 08:54:12,046 [analyzer] ERROR: No files for autoinstall
2018-06-08 08:54:12,046 [analyzer] DEBUG: No analysis package specified, trying to detect it automagically.
2018-06-08 08:54:12,046 [analyzer] INFO: Automatically selected analysis package "exe"
2018-06-08 08:54:17,358 [analyzer] DEBUG: Started auxiliary module DbgView
2018-06-08 08:54:18,015 [analyzer] DEBUG: Started auxiliary module Disguise
2018-06-08 08:54:18,296 [analyzer] DEBUG: Loaded monitor into process with pid 492
2018-06-08 08:54:18,296 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2018-06-08 08:54:18,296 [analyzer] DEBUG: Started auxiliary module Human
2018-06-08 08:54:18,296 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2018-06-08 08:54:18,296 [analyzer] DEBUG: Started auxiliary module OpenWeb
2018-06-08 08:54:18,296 [analyzer] DEBUG: Started auxiliary module Reboot
2018-06-08 08:54:18,453 [analyzer] DEBUG: Started auxiliary module RecentFiles
2018-06-08 08:54:18,453 [analyzer] DEBUG: Started auxiliary module Screenshots
2018-06-08 08:54:18,453 [modules.auxiliary.sendkeys] INFO: Módulo SendKeys cargado pero inactivo
2018-06-08 08:54:18,453 [analyzer] DEBUG: Started auxiliary module sendkeys
2018-06-08 08:54:18,453 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2018-06-08 08:54:23,078 [lib.api.process] ERROR: Usuario no limitado
2018-06-08 08:54:23,203 [lib.api.process] INFO: Successfully executed process from path u'C:\Users\juan\AppData\Local\Temp\ProbaTor_setup.exe' with arguments '' and pid 2364
2018-06-08 08:54:23,437 [analyzer] DEBUG: Loaded monitor into process with pid 2364
2018-06-08 08:54:23,467 [analyzer] ERROR: mode
2018-06-08 08:54:23,467 [analyzer] ERROR: 0
2018-06-08 08:54:23,500 [analyzer] INFO: Injected into process with pid 1260 and name u'calc.exe'
2018-06-08 08:54:23,655 [analyzer] DEBUG: Loaded monitor into process with pid 1260
2018-06-08 08:54:23,717 [analyzer] DEBUG: Received request to inject pid=1260, but we are already injected there.
2018-06-08 08:54:41,790 [analyzer] ERROR: mode
2018-06-08 08:54:41,790 [analyzer] ERROR: 0
2018-06-08 08:54:41,822 [analyzer] INFO: Injected into process with pid 2072 and name u'cmd.exe'
2018-06-08 08:54:41,947 [analyzer] DEBUG: Loaded monitor into process with pid 2072
2018-06-08 08:54:41,961 [analyzer] DEBUG: Received request to inject pid=2072, but we are already injected there.
2018-06-08 08:54:42,009 [analyzer] ERROR: mode
2018-06-08 08:54:42,009 [analyzer] ERROR: 0
2018-06-08 08:54:42,025 [analyzer] INFO: Injected into process with pid 2372 and name u'PING.EXE'
2018-06-08 08:54:42,227 [analyzer] DEBUG: Loaded monitor into process with pid 2372
2018-06-08 08:54:42,509 [analyzer] INFO: Added new file to list with pid 2364 and path C:\Users\juan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malguar.exe
2018-06-08 08:54:42,711 [analyzer] INFO: Added new file to list with pid 2364 and path C:\Users\juan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malguar2.exe
2018-06-08 08:54:42,711 [analyzer] INFO: Error dumping file from path "C:\Users\juan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malguar2.exe": [Errno 13] Permission denied: u'C:\Users\juan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malguar2.exe'
2018-06-08 08:54:42,727 [analyzer] INFO: Added new file to list with pid 2364 and path C:\calc.exe
2018-06-08 08:54:42,822 [analyzer] INFO: Process with pid 2072 has terminated
2018-06-08 08:54:43,430 [analyzer] INFO: Added new file to list with pid 2364 and path C:\descargao.exe
2018-06-08 08:54:43,493 [analyzer] ERROR: mode
2018-06-08 08:54:43,493 [analyzer] ERROR: 0
2018-06-08 08:54:43,540 [analyzer] INFO: Injected into process with pid 2568 and name u'cmd.exe'
2018-06-08 08:54:43,665 [analyzer] DEBUG: Loaded monitor into process with pid 2568
2018-06-08 08:54:43,680 [analyzer] DEBUG: Received request to inject pid=2568, but we are already injected there.
2018-06-08 08:54:43,743 [analyzer] ERROR: mode
2018-06-08 08:54:43,743 [analyzer] ERROR: 0
2018-06-08 08:54:43,775 [analyzer] INFO: Injected into process with pid 1608 and name u'sc.exe'
2018-06-08 08:54:43,822 [analyzer] INFO: Process with pid 2372 has terminated
2018-06-08 08:54:43,915 [analyzer] DEBUG: Loaded monitor into process with pid 1608
2018-06-08 08:54:51,290 [analyzer] DEBUG: Received request to inject pid=1608, but we are already injected there.
2018-06-08 08:54:51,322 [analyzer] ERROR: mode
2018-06-08 08:54:51,336 [analyzer] ERROR: 0
2018-06-08 08:54:51,352 [analyzer] INFO: Injected into process with pid 2756 and name u'cmd.exe'
2018-06-08 08:54:51,509 [analyzer] DEBUG: Loaded monitor into process with pid 2756
2018-06-08 08:54:51,822 [analyzer] INFO: Process with pid 2568 has terminated
2018-06-08 08:54:52,822 [analyzer] INFO: Process with pid 1608 has terminated
2018-06-08 08:56:26,822 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2018-06-08 08:56:26,836 [analyzer] INFO: Analysis completed.

Windows 8.1 x32

2018-06-08 08:54:04,993 [analyzer] DEBUG: Starting analyzer from: C:\tmpnq9b9u
2018-06-08 08:54:05,071 [analyzer] DEBUG: Pipe server name: \??\PIPE\LeOogKWOQPoRognGvENAz
2018-06-08 08:54:05,071 [analyzer] DEBUG: Log pipe server name: \??\PIPE\cITSvdclDbicPhniYcIFBDsTXDGPAAuW
2018-06-08 08:54:05,071 [analyzer] INFO: Searching for installing files
2018-06-08 08:54:05,071 [analyzer] ERROR: No files for autoinstall
2018-06-08 08:54:05,071 [analyzer] DEBUG: No analysis package specified, trying to detect it automagically.
2018-06-08 08:54:05,101 [analyzer] INFO: Automatically selected analysis package "exe"
2018-06-08 08:54:18,868 [analyzer] DEBUG: Started auxiliary module DbgView
2018-06-08 08:54:19,322 [analyzer] DEBUG: Started auxiliary module Disguise
2018-06-08 08:54:21,539 [analyzer] DEBUG: Loaded monitor into process with pid 532
2018-06-08 08:54:21,539 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2018-06-08 08:54:21,539 [analyzer] DEBUG: Started auxiliary module Human
2018-06-08 08:54:21,539 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2018-06-08 08:54:21,539 [analyzer] DEBUG: Started auxiliary module OpenWeb
2018-06-08 08:54:21,539 [analyzer] DEBUG: Started auxiliary module Reboot
2018-06-08 08:54:21,743 [analyzer] DEBUG: Started auxiliary module RecentFiles
2018-06-08 08:54:21,743 [analyzer] DEBUG: Started auxiliary module Screenshots
2018-06-08 08:54:21,743 [modules.auxiliary.sendkeys] INFO: Módulo SendKeys cargado pero inactivo
2018-06-08 08:54:21,743 [analyzer] DEBUG: Started auxiliary module sendkeys
2018-06-08 08:54:21,743 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2018-06-08 08:54:21,757 [lib.api.process] ERROR: Usuario no limitado
2018-06-08 08:54:25,757 [lib.api.process] INFO: Successfully executed process from path u'C:\Users\JUANCI~1\AppData\Local\Temp\ProbaTor_setup.exe' with arguments '' and pid 1536
2018-06-08 08:54:26,023 [analyzer] DEBUG: Loaded monitor into process with pid 1536
2018-06-08 08:54:26,164 [analyzer] ERROR: mode
2018-06-08 08:54:26,180 [analyzer] ERROR: 0
2018-06-08 08:54:26,197 [analyzer] INFO: Injected into process with pid 304 and name u'calc.exe'
2018-06-08 08:54:26,197 [analyzer] DEBUG: Received request to inject pid=1536, but we are already injected there.
2018-06-08 08:54:26,243 [analyzer] DEBUG: Received request to inject pid=304, but we are already injected there.
2018-06-08 08:54:26,555 [lib.api.process] INFO: Memory dump of process with pid 304 completed
2018-06-08 08:54:26,571 [analyzer] INFO: Added new file to list with pid 1536 and path \Device\ConDrv
2018-06-08 08:54:26,789 [analyzer] DEBUG: Loaded monitor into process with pid 304
2018-06-08 08:54:47,382 [analyzer] INFO: Added new file to list with pid 1536 and path C:\Users\JuanCierva\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malguar.exe
2018-06-08 08:54:49,056 [analyzer] INFO: Added new file to list with pid 1536 and path C:\Users\JuanCierva\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malguar2.exe
2018-06-08 08:54:50,523 [analyzer] INFO: Added new file to list with pid 1536 and path C:\calc.exe
2018-06-08 08:54:51,243 [analyzer] INFO: Added new file to list with pid 1536 and path C:\descargao.exe
2018-06-08 08:56:32,993 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2018-06-08 08:56:32,993 [analyzer] WARNING: File at path "u'\device\condrv'" does not exist, skip.
2018-06-08 08:56:33,007 [analyzer] INFO: Analysis completed.
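An added triage example for logs like the ones above (not code from this issue or from the Cuckoo project): it parses analyzer.log records in the format quoted and lists the pids the analyzer targeted for injection without ever logging that the monitor was loaded into them, which is the coverage gap the report describes. The sample log lines are constructed, and the `u?` in the patterns tolerates the Python 2 repr quoting visible in the real logs.

```python
import re

# Constructed sample in the analyzer.log format quoted in this issue; the cmd.exe record (pid 2072) deliberately has no matching "Loaded monitor" entry.
SAMPLE_LOG = r"""
2018-06-08 08:54:25,757 [lib.api.process] INFO: Successfully executed process from path u'C:\Users\x\ProbaTor_setup.exe' with arguments '' and pid 1536
2018-06-08 08:54:26,023 [analyzer] DEBUG: Loaded monitor into process with pid 1536
2018-06-08 08:54:26,197 [analyzer] INFO: Injected into process with pid 304 and name u'calc.exe'
2018-06-08 08:54:26,789 [analyzer] DEBUG: Loaded monitor into process with pid 304
2018-06-08 08:54:41,822 [analyzer] INFO: Injected into process with pid 2072 and name u'cmd.exe'
2018-06-08 08:54:42,822 [analyzer] INFO: Process with pid 2072 has terminated
2018-06-08 08:54:47,382 [analyzer] INFO: Added new file to list with pid 1536 and path C:\Users\x\Startup\malguar.exe
"""
# One analyzer record: "<date> <time> [<source>] <LEVEL>: <message>"
LINE_RE = re.compile(r"^\S+ \S+ \[[^\]]+\] \w+: (?P<msg>.*)$")
# Message shapes that matter for hook coverage; each one captures the pid it concerns.
EVENTS = {
    "executed": re.compile(r"Successfully executed process from path u?'(?P<path>[^']*)' .* and pid (?P<pid>\d+)"),
    "injected": re.compile(r"Injected into process with pid (?P<pid>\d+) and name u?'(?P<name>[^']*)'"),
    "loaded": re.compile(r"Loaded monitor into process with pid (?P<pid>\d+)"),
    "newfile": re.compile(r"Added new file to list with pid (?P<pid>\d+) and path (?P<path>.+)$"),
}

def triage(log_text):
    """Map pid -> {name, targeted, loaded, files} from analyzer.log text."""
    procs = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank line or not an analyzer record
        for kind, pat in EVENTS.items():
            hit = pat.search(m.group("msg"))
            if not hit:
                continue
            p = procs.setdefault(int(hit.group("pid")),
                                 {"name": None, "targeted": False, "loaded": False, "files": []})
            if kind == "executed":    # the sample itself, started by the analyzer
                p["name"], p["targeted"] = hit.group("path").rsplit("\\", 1)[-1], True
            elif kind == "injected":  # a child process the analyzer tried to follow
                p["name"], p["targeted"] = hit.group("name"), True
            elif kind == "loaded":    # monitor confirmed running inside the process
                p["loaded"] = True
            else:                     # file the monitored process created
                p["files"].append(hit.group("path"))
            break
    return procs

def unmonitored(procs):
    """Pids the analyzer targeted but never confirmed the monitor loaded into."""
    return sorted(pid for pid, p in procs.items() if p["targeted"] and not p["loaded"])
```

Run `unmonitored(triage(open("analysis.log").read()))` against a real analyzer.log; an empty list for the Windows 7 run and a non-empty one for the Windows 8.1 run would pin the problem to the injection step rather than to the sample's behaviour.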

celyrin commented 3 months ago

I also tested Windows 10 guests (including Windows 11). I found that for 32-bit programs, Cuckoo can work fine and capture behavioral data. However, for 64-bit programs, I observed exception exits in the behavior logs, indicating bugs in the injection process that need adaptation.