
Windows 10 #64

Closed
enzok opened this issue Jul 30, 2018 · 15 comments

Comments

@enzok
Contributor

enzok commented Jul 30, 2018

Any consideration for a Windows 10 capable cuckoomon?

@kevoreilly
Contributor

I haven't tested a full setup, but I have tested capemon and the new loader on Windows 10. It seems to inject into processes no problem, although loading a new process seems not to load a window for something like notepad so there are perhaps issues to iron out there, but still the process runs and the monitor loads.

Definitely something I want to be compatible with so I will need to test it further.

@enzok
Contributor Author

enzok commented Aug 1, 2018

Thanks. I'll build one and see how it goes.

@kevoreilly
Contributor

Great - let me know. Be sure to try the new loader by renaming newloader* to loader* in the bin folder!

@kevoreilly
Contributor

I forgot there is actually a branch for testing the new loader!

@doomedraven
Contributor

I'm gonna also try it :) thanks

@doomedraven
Contributor

Hey, from my previous tests when we added fixes to the dll, and I just tested the new loader again, I'm having the same issue, no behavior on win7

INFO: Successfully executed process from path "C:\Program Files\Microsoft Office\Office12\WINWORD.EXE" with arguments ""C:\Users\X\AppData\Local\Temp\X.doc" /q" with pid 3972
2018-08-02 08:50:00,890 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2018-08-02 08:50:00,937 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 3972, error: -12
2018-08-02 08:50:17,515 [lib.api.process] INFO: Successfully resumed process with pid 3972

It happens with PE and doc, not tested more formats. Example of this one: b573b6c322719046af76b16604d77576a741e2809f52bf78f855f1d1623a3f39, doc

Any idea? I got newloader.exe and placed it instead of loader.exe (renamed obviously)

@Spiralem
Contributor

Spiralem commented Jul 3, 2019

I am curious if Windows 10 x64 is supported now?

enzok pushed a commit to enzok/CAPE that referenced this issue Aug 26, 2019
Add in some bootkit/rootkit drive access anomalies
@hackdefendr

I found that the trick to getting Windows 10 x64 VM working under CAPE is to make sure UAC is fully disabled in the registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  • EnableLUA DWORD
  • Set to 0 and reboot the VM.

Also it is good to disable Windows Defender and Real-time Protection from Group Policy.

Aside from this, I see no issues with using Windows 10 x64 as the guest.
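A small check for the guest prerequisites described in this comment (EnableLUA set to 0 under the Policies\System key, Defender real-time protection off), added here as an example; it is not part of CAPE or of the comment above. The function name, the -Apply switch and the use of Get-MpComputerStatus for the Defender check are my assumptions.

```powershell
# Run inside the Windows 10 x64 analysis VM from an elevated PowerShell prompt.
# Function name and -Apply switch are assumptions for this example, not CAPE's own code.
function Test-CapeGuestPrereqs {
    param([switch]$Apply)

    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $ok = $true

    # UAC: the comment above reports that EnableLUA must be 0 (plus a reboot)
    # before CAPE can work with the Windows 10 x64 guest.
    $enableLua = (Get-ItemProperty -Path $uacKey -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
    if ($enableLua -ne 0) {
        $ok = $false
        Write-Warning "EnableLUA is '$enableLua' (expected 0); UAC is still active."
        if ($Apply) {
            Set-ItemProperty -Path $uacKey -Name EnableLUA -Value 0 -Type DWord
            Write-Warning 'EnableLUA set to 0; reboot the VM for it to take effect.'
        }
    } else {
        Write-Output 'UAC: EnableLUA = 0 (OK)'
    }

    # Defender real-time protection is only reported here; the comment above
    # disables it through Group Policy, which this example does not script.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($null -ne $mp -and $mp.RealTimeProtectionEnabled) {
        $ok = $false
        Write-Warning 'Defender real-time protection is still enabled; disable it via Group Policy.'
    } else {
        Write-Output 'Defender real-time protection: disabled or not present (OK)'
    }

    return $ok
}

# Report only; add -Apply to write EnableLUA = 0 in the guest.
Test-CapeGuestPrereqs
```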

@kevoreilly
Contributor

The issue currently is more around the question: do the samples detonate properly? Is the API hooking stable? I'm not sure about either of these.

For example, try this Trickbot sample, known to run on Win 10:
3f99d1eabc438bd840cab6c7d6443119e8848ec4fd9c8d67c2ffa8dfb4bd5d66

(AnyRun: https://app.any.run/tasks/b0beb3db-1a7c-4e05-9ffd-e3ef278b8877)

I'd be interested to hear if you see this running properly in cape with spawned processes and full behaviour.

@hackdefendr

hackdefendr commented Sep 12, 2019

Not sure if a 59 second analysis can be considered successful or not. But that is how long it took to run. Here is my html report for that trickbot:

7_report.zip

Here is the same trickbot analysis with Timeout Enforced to 10 minutes:

8_report.zip

@kevoreilly
Contributor

Check the process tree in the any run job. It spawns loads. In cape there are no spawned processes.

@hackdefendr

Nope... I definitely see your point. Any ideas of why that is? 64bit vs 32bit?

@kevoreilly
Contributor

Windows 10 largely works now - there will still be issues but they can be created individually when they arise.

@Spiralem
Contributor

Windows 10 largely works now - there will still be issues but they can be created individually when they arise.

Is this with https://github.com/ctxis/capemon this monitor?
