mandiant / flare-vm

A collection of software installation scripts for Windows systems that allows you to easily set up and maintain a reverse engineering environment on a VM.
Apache License 2.0

[Bug] Path issue (probably?) with CAPA #532

Closed HuskyHacks closed 8 months ago

HuskyHacks commented 8 months ago

What's the problem?

Hello!

I've had a few students report that for recent FLAREVM installs, CAPA can't locate its default rules set when invoked with a relative path:


The CAPA binary definitely runs but it doesn't find its default rule set, which leads me to believe the PATH var is getting messed up somewhere during install.

Steps to Reproduce

  1. Perform full FLAREVM install
  2. Open cmder/terminal/cmd prompt
  3. capa [sample]

Output indicates that the binary executes but cannot find its bundled default rule set when invoked with a relative path.

Environment

Additional Information

No response

Ana06 commented 8 months ago

This seems to be the issue reported in https://github.com/mandiant/VM-Packages/issues/686 and fixed in https://github.com/mandiant/VM-Packages/pull/710. To be able to help you, please provide all the information required in the bug issue template. Concretely, we need the following environment information:

Also, I am not sure what a Standard PMAT Win 10 FLAREVM install is, could you please provide more details?

HuskyHacks commented 8 months ago

I'm reporting this on behalf of students taking PMAT, so I don't have their exact builds at the ready to provide the system info. I can get it for you.

In the course, lab setup basically boils down to

HuskyHacks commented 8 months ago

Though after reading through those other closed issues, it's more likely that the student installed FLAREVM when that bug was still live, so maybe having them reinstall CAPA would be the actual issue here and this can probably be marked as a duplicate!

Ana06 commented 8 months ago

Reinstalling capa won't fix the problem, as the bug was in libraries.python3.vm. Upgrading libraries.python3.vm may fix the issue, but I would recommend a fresh new install. Closing as it seems it is a duplicate. Thanks for reporting it. 😃

Ana06 commented 8 months ago

Unrelated

@HuskyHacks I think you may want to update the environment variables in that config file. TOOL_LIST_SHORTCUT is not used anymore, I recommend you to remove and update TOOL_LIST_DIR as it is done in the current default configuration: https://github.com/mandiant/flare-vm/blob/main/config.xml#L5

HuskyHacks commented 8 months ago

Hey thanks! I'll update that and add the new registry key items too.