dkindlund / honeyclient

MITRE HoneyClient Project
http://www.honeyclient.org
GNU General Public License v2.0

Installation problems with capture #185

Open dkindlund opened 14 years ago

dkindlund commented 14 years ago

After running CaptureBat-Setup.exe and restarting the vm, the captureBAT.exe does not seem to run. It does not give out any output.

dkindlund commented 14 years ago

Author: kindlund Hi,

I assume you have installed the honeyclient code inside the user directory in the Cygwin environment, correct?

If so, could you please tell me the absolute path as to where your CaptureBAT.exe file is located?

For example, is it located here:

/home/Administrator/honeyclient/thirdparty/capture-mod/CaptureBAT.exe

This information should help us troubleshoot it further.

Thanks,

-- Darien

dkindlund commented 14 years ago

Author: achak@cerias.purdue.edu It is located in the folder as mentioned above. However, while trying to run the script outside of the Cygwin environment, there is an error that FTLLIB.dll is missing.

Thanks for all the help and sorry for the delay.

Ankur

dkindlund commented 14 years ago

Author: kindlund Okay, so from the /home/Administrator directory inside a Cygwin bash prompt, can you type:

    ~/honeyclient/thirdparty/capture-mod/CaptureBAT.exe -c -l "C:\cygwin\tmp\realtime-changes.txt"

Once you execute this command, do you get any sort of output? If so, can you paste the output to this ticket?

Thanks,

-- Darien

dkindlund commented 14 years ago

Author: achak@cerias.purdue.edu I am not getting any output by running the above.

dkindlund commented 14 years ago

Author: kindlund Okay, before you installed the CaptureBAT-Setup.exe file, did you install the Microsoft Visual C++ 2005 Redistributable Package, as per the directions on the wiki? If so, did that installer indicate that the library was successfully installed? (e.g., Can you see the "Microsoft Visual C++ 2005 Redistributable Package" listed in the Add/Remove Programs section of the Control Panel?)

Xeno, any thoughts on if there's anything else that may be the culprit?

-- Darien

dkindlund commented 14 years ago

Author: achak@cerias.purdue.edu The library had been successfully installed but it did not help.

dkindlund commented 14 years ago

Author: kindlund Hi Ankur,

So, to be clear, when you run CaptureBAT.exe, does the process:

1) terminate?

2) or remain running, but just not provide any type of output?

If it's #2, then we can try and give you different switches at the command line to get some sort of additional output. Also, I assume you're running the CaptureBAT.exe from a Cygwin bash shell -- and not by double-clicking on the .exe file, correct?

Thanks,

-- Darien

dkindlund commented 14 years ago

Author: synphonica@gmail.com Hello, I have this problem too. BTW, this problem exists in Capture HPC too.

I have Windows XP build 2600 without any service packs, with successfully installed Microsoft Visual C++ 2005 Redistributable Package.

Such an error appears when we have Windows XP without Service Pack 2 installed. In Capture HPC I've worked around this problem by manually downloading FTLLIB.dll and saving it into C:\WINDOWS\SYSTEM32\

In HoneyClient, such a workaround helps a bit. After manually downloading and installing ftllib.dll, CaptureBAT.exe executes successfully, but gives this error:

    Driver already loaded: CaptureProcessMonitor
    Driver already loaded: CaptureRegistryMonitor
    FileMonitor: WARNING - Filter driver not loaded (error: 80070002) waiting 3 seconds to try again ... (try 1 of 5)
    FileMonitor: WARNING - Filter driver not loaded (error: 80070002) waiting 3 seconds to try again ... (try 2 of 5)

So we have the Registry and Process monitors started and working, but the FileMonitor is stopped.

dkindlund commented 14 years ago

Author: xkovah Ah, apparently we haven't documented it on the wiki, but Capture only supports XP SP2 or newer. I am not sure if the Capture authors are working on back-porting it or not. I will make this more explicit.

Xeno
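The thread ends at a prerequisite that was never checked up front: Capture's file monitor is a Filter Manager minifilter, and Filter Manager (fltmgr.sys plus the user-mode fltlib.dll, the likely identity of the "FTLLIB.dll" the thread reports as missing) only ships with Windows XP starting at SP2. Error 80070002 is the HRESULT for "file not found", which matches a filter driver that cannot be loaded. The following preflight script is an added example, not part of the HoneyClient or Capture projects; it is meant to be run from the Cygwin bash prompt in the VM before CaptureBAT.exe, and it assumes the file monitor's minifilter is registered as `CaptureFileMonitor` and that fltlib.dll lives in `C:\WINDOWS\system32` (neither name appears on the page). The parsing functions take command output as a string so they can be exercised offline against constructed samples; the live checks only run under Cygwin.

```bash
#!/bin/bash
# preflight.sh - added example, not project code. Checks the prerequisites
# this thread converged on before running CaptureBAT.exe under Cygwin:
#   * Windows XP SP2 or newer (Filter Manager present)
#   * the Microsoft Visual C++ 2005 Redistributable installed
#   * the Capture minifilter actually loaded (fltmc filters)
# Assumptions not stated on the page: the file monitor minifilter is named
# CaptureFileMonitor; fltlib.dll is expected in C:\WINDOWS\system32.

CAPTUREBAT="$HOME/honeyclient/thirdparty/capture-mod/CaptureBAT.exe"

# Service pack number from `reg query ... /v CSDVersion` output; 0 if none.
sp_level() {
    local n
    n=$(printf '%s\n' "$1" | sed -n 's/.*Service Pack \([0-9][0-9]*\).*/\1/p' | head -n 1)
    printf '%s\n' "${n:-0}"
}

# Decide whether Filter Manager should exist on this Windows release.
# $1 = `reg query ... /v CurrentVersion` output, $2 = CSDVersion output.
# XP (5.1) needs SP2+; Windows 2000 (5.0) never had it; later releases do.
filter_manager_expected() {
    local ver
    ver=$(printf '%s\n' "$1" | sed -n 's/.*REG_SZ[[:space:]]*\([0-9.]*\).*/\1/p' | head -n 1)
    case "$ver" in
        5.1) [ "$(sp_level "$2")" -ge 2 ] ;;
        5.0|"") return 1 ;;
        *)   return 0 ;;
    esac
}

# $1 = `fltmc filters` output, $2 = filter name. Succeeds if it is listed
# (the filter name is the first column of each data row).
filter_loaded() {
    printf '%s\n' "$1" | awk -v name="$2" \
        'tolower($1) == tolower(name) { found = 1 } END { exit !found }'
}

# Summarise CaptureBAT's startup output: one line per monitor, so a
# "loaded" vs "not loaded" mix like the one quoted in the thread stands out.
capturebat_monitor_status() {
    printf '%s\n' "$1" | awk '
        /^Driver already loaded: / { print $NF ": loaded" }
        /Filter driver not loaded/ { sub(/:.*/, "", $0); if (!seen[$0]++) print $0 ": not loaded" }'
}

# Constructed samples (fltmc layout follows the real tool; the CaptureBAT
# lines are the ones quoted in this thread).
FLTMC_SAMPLE='Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
CaptureFileMonitor                      1          385200         0'
CAPTUREBAT_SAMPLE='Driver already loaded: CaptureProcessMonitor
Driver already loaded: CaptureRegistryMonitor
FileMonitor: WARNING - Filter driver not loaded (error: 80070002) waiting 3 seconds to try again ... (try 1 of 5)
FileMonitor: WARNING - Filter driver not loaded (error: 80070002) waiting 3 seconds to try again ... (try 2 of 5)'

# Live checks, only when actually running inside Cygwin on the VM.
if [ "${OSTYPE:-}" = "cygwin" ]; then
    [ -x "$CAPTUREBAT" ] || echo "CaptureBAT.exe not found at $CAPTUREBAT"
    key='HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    cv=$(reg query "$key" /v CurrentVersion 2>/dev/null)
    csd=$(reg query "$key" /v CSDVersion 2>/dev/null)
    filter_manager_expected "$cv" "$csd" ||
        echo "Windows XP before SP2: no Filter Manager; Capture needs XP SP2 or newer"
    [ -f /cygdrive/c/WINDOWS/system32/fltlib.dll ] || echo "fltlib.dll missing from system32"
    reg query 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' /s 2>/dev/null |
        grep -q 'Visual C++ 2005 Redistributable' ||
        echo "VC++ 2005 Redistributable not found in Add/Remove Programs"
    if command -v fltmc >/dev/null 2>&1; then
        filter_loaded "$(fltmc filters 2>/dev/null)" CaptureFileMonitor ||
            echo "CaptureFileMonitor minifilter not loaded (see: fltmc filters)"
    else
        echo "fltmc.exe not available: Filter Manager is not installed"
    fi
fi
```

Run it before `CaptureBAT.exe -c -l ...`; a silent run means every prerequisite checked out. On an XP box without SP2 it reports the Filter Manager gap directly, which is the condition synphonica hit and Xeno confirmed, rather than leaving you with an .exe that exits with no output.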