spender-sandbox / cuckoo-modified

Modified edition of cuckoo

How to customise the location a file is executed from? #411

Closed Waffles-2 closed 7 years ago

Waffles-2 commented 7 years ago

FINAL EDIT: This is closed but not solved; the steps provided should have worked but have not. Too much time has been put into this with no reward, so I am stopping researching it here.

How do you go about changing the default location (the temp folder) to a different location? I have tried changing the path in /packages/exe.py but I just get an error running that package and I would like to change it for all file types not just exe.

Any suggestions? Thanks.

EDIT: So if I change this line https://github.com/spender-sandbox/cuckoo-modified/blob/master/agent/agent.py#L87 the file gets dropped to the location specified as root, however, it appears that it is still getting executed from the temp directory.

EDIT2: Possibly something to do with this? https://github.com/spender-sandbox/cuckoo-modified/blob/6c73e335dd8a1b42b5c417679d8119a0425df091/analyzer/windows/lib/api/process.py#L327 def execute passes path in, but where is it defined?

EDIT3: SOLUTION for changing the execution location, not for changing the drop location of ALL files.

On line 854 of analyzer.py you need to change os.environ["TEMP"] to the directory you want the file to be dropped to.

On line 87 of agent.py you need to change os.environ["TEMP"] to the directory you changed it to in analyzer.py.

Waffles-2 commented 7 years ago

Response from J Bremer:

Actually you can use the undocumented curdir analysis option. As in, cuckoo submit sample.exe -o curdir=C:\ and it will execute the sample from, well, the C:\ directory.

spender-sandbox commented 7 years ago

Doesn't exist in this fork

Waffles-2 commented 7 years ago

@spender-sandbox I don't want to re-open this issue because it may be off topic? Although I'm not sure; anyway, I am getting this message:

INFO: Analysis results folder does not contain any file or injection was disabled.

I am only getting this message when I change line 563 of process.py to a custom location even though injection is enabled. Is there something I need to change in conjunction with that change to make the dynamic analysis work?

Thanks in advance!

spender-sandbox commented 7 years ago

Why would you change that line? It doesn't have anything to do with where the resulting binary will be run from; look for the code dealing with "self.target" in analyzer.py to change that. Changing the line you changed will only result in cuckoomon failing to be able to read its config, and it would end up not knowing where to report back to. You'd have to modify cuckoomon as well if you want to change the config location (which, again, has nothing to do with where the binary runs from).

-Brad

Waffles-2 commented 7 years ago

Hi Brad, thanks for the fast reply!

So I've been playing with trying to get cuckoo running as admin but without the ability to write to the root directory, so that was one of the things that needed to be changed, as it drops the config file to C:\. Thank you for pointing me in the direction of cuckoomon; I'll investigate some more.

Thank you!!

Waffles-2 commented 7 years ago

Hi again Brad! Hope I'm not bothering you too much!

So I have been picking up some C and editing/learning more about Cuckoomon.dll, but I cannot seem to get it working. For example, let's say we change the config location in line 563 of process.py.

Currently I have been changing config_fname in config.c but it hasn't worked as I am still getting the response:

INFO: Analysis results folder does not contain any file or injection was disabled.

I would really appreciate it if you could let me know what I would have to change in the DLL to get it working?

Thank you again!!!

spender-sandbox commented 7 years ago

It should work if you did the things you mentioned, so there's got to be something you missed mentioning. Did you remember to copy the new cuckoomon.dll to analyzer/windows/dll?

-Brad

Waffles-2 commented 7 years ago

Yep, I built the new DLL with the changes and put it into the folder. Thanks for your help though, I will keep investigating and hopefully report back with good news.

To shed some light on why I am doing this, I was attempting to make it so cuckoo was not dropping any files to the root directory and trying to get it to drop everything to an alternative directory within the user area.

spender-sandbox commented 7 years ago

Be careful with that, if you're determining the path at runtime based on the username, as cuckoomon can inject itself into processes run as any user, so if you're only putting the config at a per-user path for analyzer.py, when you inject into a SYSTEM process it won't be able to find the config (hence why I just drop it to the root directory -- it gets removed immediately after being parsed anyway).

-Brad

Waffles-2 commented 7 years ago

That makes sense. Based on that, I tried changing it from determining a path based on username to a different hardcoded path. Changed it both in the DLL and in process.py to C:\\Python27\\%u.ini and, unfortunately, this is yielding the same result:

INFO: Analysis results folder does not contain any file or injection was disabled.

spender-sandbox commented 7 years ago

Did you ever have it working prior to your changes? Are you able to VNC into the guest to see what's going on? It could be that the guest isn't able to communicate back with the resultserver.

-Brad

Waffles-2 commented 7 years ago

Yeah, so everything works if I roll back the DLL and process.py to C:\\%u.ini, which makes me think that it isn't a problem with the communication and that it is just changing these lines that causes it to fail. Is there anything else you can think of that would need to be changed if the config location is changed? Like anything else referencing that config or that hard-coded location?

spender-sandbox commented 7 years ago

Can you show me the exact changes you made?

-Brad

Waffles-2 commented 7 years ago

Here are the changes I have made so far. I don't have access to the code till the morning so I can ZIP it up and send it to you, but here are the changes.

Agent.py:

Constants.py

The changes up to here work fine, it is once the following two changes are made that analyses stop working.

Process.py

Cuckoomon.dll (config.c):

spender-sandbox commented 7 years ago

Does the user running analyzer.py have the ability to write to the python27 directory? Could perhaps add some exception handling to the 'with open' line.

-Brad

Waffles-2 commented 7 years ago

Yeah they have access to that directory, in fact when I VNC into the guest machine I can see that the .ini file is created and then deleted after being parsed. I guess it would be good if I added some error handling to see how far through it is getting. I'll report back tomorrow with results. Thanks for your help Brad.

Waffles-2 commented 7 years ago

Hi again Brad! So the DLL successfully reads in the config at the new location then closes and deletes it but still:

INFO: Analysis results folder does not contain any file or injection was disabled.

Where in the code (python or DLL) does the BSON log get generated and sent back to the host machine? Maybe I have caused a problem there? Maybe there is something hard coded that needs to be changed? As the host machine isn't receiving the .BSON log file.

Thanks again.

Waffles-2 commented 7 years ago

Problem solved, solution below

Hey @spender-sandbox, thank you for your help earlier on. I took a nice long break from looking at the problem and just jumped back to it. I am an idiot -.- the DLL was being compiled in debug mode, not release mode...

So the following 4 changes enable you to customize the location of the files dropped to C: by cuckoo:

Agent.py: Changed the variable system_drive from os.environ["SYSTEMDRIVE"] + os.sep to os.environ["AppData"] + os.sep

Constants.py: Changed ROOT from os.path.join(os.getenv("SystemDrive"), "\\", random_string(6, 10)) to os.path.join(os.getenv("AppData"), "\\", random_string(6, 10))

Process.py: Changed the variable config_path from "C:\\%s.ini" % self.pid to "C:\\Python27\\%s.ini" % self.pid

Cuckoomon.dll (config.c): This variable should output the same as config_path in process.py above. Change config_fname from "C:\\%u.ini", GetCurrentProcessId() to "C:\\Python27\\%u.ini", GetCurrentProcessId()
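Brad's caveat above (a per-user config path breaks when cuckoomon is injected into a SYSTEM process) and the fixed C:\Python27 path this solution settles on, modelled as an added Python example that is not part of the thread or of cuckoo-modified; the environments, PID and config contents are constructed:

```python
"""Model of the config hand-off between process.py (writer) and cuckoomon
(reader). Added example, not cuckoo-modified code; environments, PID and
config contents below are constructed for illustration."""

# Constructed environments. analyzer.py runs as the logged-in admin user,
# but cuckoomon can be injected into a process running as SYSTEM, whose
# AppData resolves under the system profile instead of the user's.
ADMIN_ENV = {"AppData": r"C:\Users\admin\AppData\Roaming", "SystemDrive": "C:"}
SYSTEM_ENV = {
    "AppData": r"C:\Windows\System32\config\systemprofile\AppData\Roaming",
    "SystemDrive": "C:",
}


def per_user_config_path(env, pid):
    """Path scheme that depends on the caller's environment (per-user)."""
    return "%s\\%d.ini" % (env["AppData"], pid)


def fixed_config_path(env, pid):
    """Path scheme identical for every user, mirroring the thread's fixed
    C:\\Python27\\%s.ini (process.py) / C:\\Python27\\%u.ini (config.c) pair."""
    return "%s\\Python27\\%d.ini" % (env["SystemDrive"], pid)


def handoff_succeeds(path_fn, pid, writer_env, reader_env):
    """Simulate process.py writing the per-PID config under writer_env and
    the injected DLL looking it up under reader_env with the same scheme."""
    fake_fs = {}  # constructed in-memory stand-in for the guest filesystem
    fake_fs[path_fn(writer_env, pid)] = "# constructed config contents\n"
    return path_fn(reader_env, pid) in fake_fs


def main():
    pid = 4321  # constructed PID of the injected process
    # Same user on both sides: either scheme resolves.
    print("per-user, same user:",
          handoff_succeeds(per_user_config_path, pid, ADMIN_ENV, ADMIN_ENV))
    # Injected into a SYSTEM process: only the fixed scheme still resolves.
    print("per-user, SYSTEM reader:",
          handoff_succeeds(per_user_config_path, pid, ADMIN_ENV, SYSTEM_ENV))
    print("fixed, SYSTEM reader:",
          handoff_succeeds(fixed_config_path, pid, ADMIN_ENV, SYSTEM_ENV))


if __name__ == "__main__":
    main()
```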

spender-sandbox commented 7 years ago

I knew it was something like that that wasn't mentioned ;) Glad you got it settled.

-Brad

Waffles-2 commented 7 years ago

Heyyyyy Brad, I hate to open old wounds but I'm running into a bit of a problem!

Getting the error message CRITICAL:Error initializing terminate event thread. It looks like this error message is where the analysis stops. It appears to be terminate_event_init.

I don't really understand what terminate_event_init does and how it does it (I wish I was better at C) so I can't understand why this is happening. Any advice?

spender-sandbox commented 7 years ago

Need more info -- it happens on every analysis? It happens when something is being injected into exactly as analysis stops? Does it prevent analysis from happening completely? It's a bit odd as that's not the first thread that would be created by cuckoomon, the unhook thread would be created first.

-Brad

Waffles-2 commented 7 years ago

It doesn't happen when you submit a PNG file, it does happen with .exe and URLs. Here's what happens from the agent:

I can get a proper log if you need it. Thanks.

spender-sandbox commented 7 years ago

Not sure, what you could do is change the function to add a DWORD lasterror1, lasterror2;

Then do lasterror1 = GetLastError(); after the CreateEventA, and lasterror2 = GetLastError(); after the CreateThread, then modify the pipe to: pipe("CRITICAL: Error initializing terminate event thread %x %x", lasterror1, lasterror2);

and send me the logs from that.

-Brad

Waffles-2 commented 7 years ago

Having some Visual Studio problems atm so it is failing to build the DLL, I'll get back to you tomorrow hopefully!! Thanks for your time again!

Waffles-2 commented 7 years ago

So I have identified the problem as a race condition: I have another program trying to hook into the process, and they are causing the process to crash. Are there any alternative methods for cuckoo's dll injection?

spender-sandbox commented 7 years ago

By "another program trying to hook into the process" do you mean some other hooking app? or the malware itself?

Waffles-2 commented 7 years ago

Sorry, yes I meant another hooking app. Is there another way for cuckoo to inject the dll or load the hooks or something?

After reading some documentation, I think it may be due to two threads calling GetProcAddress and deadlocking.

Waffles-2 commented 7 years ago

Hey @spender-sandbox

I am trying to simulate the launching of an executable using Cuckoo, but manually from within the Windows machine rather than having to go through the process of submitting a sample and running a full analysis every time (just for testing purposes).

What I think I need to find is:

If you could point me in the right direction or give any tips on working towards this simulation that would be great, thank you!

spender-sandbox commented 7 years ago

The cuckoomon loader has some code inside #ifdef DEBUG that should handle much of that, by allowing the loader to act as an analyzer replacement.