kevoreilly / CAPEv2

Malware Configuration And Payload Extraction
https://capesandbox.com/analysis/

Agent crashing due to DLL issue #492

Closed contradiction1337 closed 3 years ago

contradiction1337 commented 3 years ago


Expected Behavior

Analysis runs without crash / exception in Windows guest.

Current Behavior

Hello,

I have noticed that the CAPE agent will consistently crash while analyzing samples (e.g. plain text file, PDF, ELF binary). The analysis will complete eventually, but it is confounded by a lot of noise from the interleaved crashes; this is particularly apparent with PDFs.

I have installed following the step-by-step instructions (https://capev2.readthedocs.io/en/latest/installation/host/installation.html) and tested both Windows 7 and 10 guests for the agent process; the issue presents in both cases.

My environment is a bare-metal Ubuntu (20.04) host with the KVM hypervisor running my Windows 7/10 agents; the master process and web interface run on the host, and master/agent communicate via a KVM bridge network.

I believe this issue is caused by the monitoring DLL which CAPE injects not providing some interface Windows is expecting, then crashing when the OS attempts to call it.

I have attempted to debug as per https://github.com/kevoreilly/CAPEv2/wiki/Tips'n'Tricks#how-to-debug-analyzer-and-any-script-that-executes-inside-of-the-virtual-machine

Within the guest, invoking the script the CAPE agent would run (in debug mode) via PowerShell with "Transcript Logging" enabled produces the following output (see "Failure Logs" section).

When I run a scan with the option "free=yes" to disable the DLL injection, the analysis completes without any crashes, though clearly without most of the analysis performed.

I have also attached a screenshot from CAPE of the actual crash.

NOTE: I am testing with known benign samples, so this is not the result of some complex malware crashing the agent.

Please advise and many thanks!

Failure Information (for bugs)

Steps to Reproduce

  1. Follow default installation (process described above)
  2. Submit a PDF sample
  3. Observe crash in resulting logs

Context


Git commit: 159764b77f05545dbe3a378ede491511dc1cfd01
OS version: Ubuntu 20.04, Windows 10, Windows 7

Failure Logs

2021-04-28 06:02:59,562 [root] DEBUG: PDF (Adobe) settings enabled.
2021-04-28 06:02:59,562 [root] DEBUG: TLS secret dump mode enabled.
2021-04-28 06:02:59,562 [root] DEBUG: Dropped file limit defaulting to 100. 
2021-04-28 06:02:59,578 [root] DEBUG: CAPE initialised: 64-bit monitor loaded in process 480 at 0x000007FEEC260000, thread 2924, image base 0x00000000FF3B0000, stack from 0x0000000001324000-0x0000000001330000
2021-04-28 06:02:59,578 [root] DEBUG: Commandline: C:\Windows\sysnative\lsass.exe
2021-04-28 06:02:59,578 [root] INFO: Loaded monitor into process with pid 480
2021-04-28 06:02:59,578 [root] DEBUG: Error 203 (0xcb) - InjectDllViaThread: RtlCreateUserThread injection failed: The system could not find the environment option that was entered.
2021-04-28 06:02:59,593 [root] DEBUG: Successfully injected DLL C:\tmpq5cf0_9h\dll\lAyaxilw.dll.
2021-04-28 06:02:59,609 [root] DEBUG: Started auxiliary module TLSDumpMasterSecrets
2021-04-28 06:02:59,609 [root] DEBUG: Initializing auxiliary module "Usage"...
2021-04-28 06:02:59,609 [root] DEBUG: Started auxiliary module Usage
The following services are dependent on the Windows Management Instrumentation service.


kevoreilly commented 3 years ago

Hi - unfortunately the logs do not show the crash and are not relevant to the problem (lsass process). Also they show you are out of date as this loader issue was fixed in https://github.com/kevoreilly/CAPEv2/commit/52a15869a1ed5574a4ddd0c525848d76a416da6c

We have Adobe Reader working on Win7 as seen in capesandbox.com - not to say that any/all versions work. Some may have hook incompatibilities. The version we are using is 11.0.10 - give that a try and see how you get on.

contradiction1337 commented 3 years ago

@kevoreilly - Thank you for your quick response! I can confirm that I have updated to the latest version, and verified that it is using the updated Windows loader. The unhandled exception occurs in a range of files, and is not just limited to Adobe. Attached are the full logs for an analysis of an XLS document on a Windows 7 machine.

Line 504 of the attached logs indicates an unhandled exception that still occurs due to RTLDispatch:

2021-05-11 03:33:12,343 [root] DEBUG: RtlDispatchException: Unhandled exception! Address 0x000007FE00000BC0, code 0xc0000005, flags 0x0, parameters 0x8 and 0xbc0.

Screenshot_2021-05-11 CAPEv2 Sandbox capev2_unhandledexception.txt

Thanks again for your support @kevoreilly !

kevoreilly commented 3 years ago

Ah this time the error message is a bit more meaningful! However the point about this not being complex malware crashing the agent misses the point that it is a complex application, and complex for cape to monitor. With this in mind, a huge amount of effort and time has been put into ensuring compatibility with specific 'supported' versions. This means 32-bit Office 2010 or 2016 (as on capesandbox.com) with 2010 being the 'most' supported.

So before embarking down the long and difficult road of hook compatibility testing, I would recommend you use 32-bit Office 2010 in cape. If you can upload an xls to capesandbox.com that breaks Excel 2010 then it will be of sufficiently high priority to break into my to-do list.

Alternatively, you are welcome to do some hook testing. Running with minhook=1 will allow you to see if a bare minimum of hooks will enable it to work. Beyond that it's a question of disabling and testing groups of or individual hooks by trial and error, which is a long, slow job unfortunately.
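As an added triage aid (not part of this thread or of CAPE itself), the following parser pulls the monitor-load and RtlDispatchException records out of CAPE analysis.log lines, so the unhandled exceptions from a run can be listed per monitored process before starting hook-by-hook testing. The log line layout is CAPE's as quoted in this thread; the regex group names, the pid attribution heuristic and the stitched sample log are mine.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Record layout is CAPE's ("<timestamp> [root] <LEVEL>: <message>"); group names are mine.
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \S+) \[(?P<logger>[^\]]+)\] (?P<level>\w+): (?P<msg>.*)$")
LOADED_RE = re.compile(r"CAPE initialised: (?P<bits>32|64)-bit monitor loaded in process (?P<pid>\d+)")
CRASH_RE = re.compile(r"RtlDispatchException: Unhandled exception! Address (?P<addr>0x[0-9A-Fa-f]+), code (?P<code>0x[0-9A-Fa-f]+)")

# Documented Windows NTSTATUS values commonly seen in these records.
NTSTATUS_NAMES = {0xC0000005: "STATUS_ACCESS_VIOLATION", 0xC000001D: "STATUS_ILLEGAL_INSTRUCTION", 0x80000003: "STATUS_BREAKPOINT"}

@dataclass
class Crash:
    ts: str
    address: int
    code: int
    pid: Optional[int]  # heuristic: pid of the most recently loaded monitor

def parse_log(lines: Iterable[str]) -> dict:
    """Extract monitor-load pids and unhandled-exception records from analysis.log lines."""
    loaded: List[int] = []
    crashes: List[Crash] = []
    current_pid: Optional[int] = None
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip wrapped continuation lines and non-log text
        msg = m.group("msg")
        if lm := LOADED_RE.search(msg):
            current_pid = int(lm.group("pid"))
            loaded.append(current_pid)
        elif cm := CRASH_RE.search(msg):
            crashes.append(Crash(m.group("ts"), int(cm.group("addr"), 16), int(cm.group("code"), 16), current_pid))
    return {"loaded": loaded, "crashes": crashes}

def describe(crash: Crash) -> str:
    """One-line summary with the NTSTATUS name resolved where known."""
    name = NTSTATUS_NAMES.get(crash.code, "unknown NTSTATUS")
    return f"{crash.ts} pid={crash.pid} addr={crash.address:#018x} code={crash.code:#010x} ({name})"

# Constructed sample: lines quoted in this thread (from two separate runs), unwrapped and stitched together.
SAMPLE_LOG = """\
2021-04-28 06:02:59,578 [root] DEBUG: CAPE initialised: 64-bit monitor loaded in process 480 at 0x000007FEEC260000, thread 2924, image base 0x00000000FF3B0000, stack from 0x0000000001324000-0x0000000001330000
2021-04-28 06:02:59,578 [root] INFO: Loaded monitor into process with pid 480
2021-04-28 06:02:59,593 [root] DEBUG: Successfully injected DLL C:\\tmpq5cf0_9h\\dll\\lAyaxilw.dll.
2021-05-11 03:33:12,343 [root] DEBUG: RtlDispatchException: Unhandled exception! Address 0x000007FE00000BC0, code 0xc0000005, flags 0x0, parameters 0x8 and 0xbc0.
"""

if __name__ == "__main__":
    for crash in parse_log(SAMPLE_LOG.splitlines())["crashes"]:
        print(describe(crash))
```

Point it at a real analysis.log (one line per iteration) to see which monitored process each exception falls under; a crash count that drops to zero with minhook=1 points at a hook incompatibility rather than the sample.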

kevoreilly commented 3 years ago

Closing as down to incompatible/unsupported Office/Adobe versions (i.e. not Office 32-bit, Adobe Reader 11.0.10)