
List:       cuckoo
Subject:    [cuckoo] problem with url analysis
From:       enctype () gmail ! com (enctype enctype)
Date:       2012-01-11 12:54:48
Message-ID: 35BFB91C-2F30-4262-8639-33288FE7A4F4 () gmail ! com

Hi Claudio,

Thanks for the answer.
In the meantime I commented out the cuckoo_monitor call in ie.py as a workaround. At
least I can check what is happening and still capture the network activity.

Unfortunately I can't help with this issue at the moment.

Lorenzo



On Mon, Jan 9, 2012 at 5:16 PM, Claudio <claudio at shadowserver.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi Lorenzo,
> 
> Yes we are aware of that, it's a known issue.
> The problem lies in the injection. We noticed that whatever DLL we
> inject into Internet Explorer (especially if created suspended) will
> make it crash, at least under some circumstances, or it will behave
> unexpectedly.
> Dario could perhaps explain this better as he investigated the issue
> more than I did.
> We are already considering adopting a different injection approach, we
> are sorry for the inconvenience but there's not much we can do about
> it in the short term.
> 
> C.
> 
> On 1/9/12 5:10 PM, Lorenzo wrote:
> > Hi folks,
> > 
> > Since this is my first post, I'd like to thank you for your work and
> > for sharing it with the open-source community.
> > 
> > I just installed Cuckoo 0.3.1 and am trying to familiarize myself with
> > it. Everything seems to work fine except URL submission; there I'm
> > running into some trouble. When I submit the job:
> > 
> > $ python submit.py --package ie --url http://www.google.com
> > 
> > The VM starts correctly but when it's time to execute Internet
> > Explorer, it seems to crash unexpectedly. Analysis log shows:
> > 
> > [2012-01-06 18:15:59,242] [Core.PipeServer] INFO: Starting Pipe Server.
> > [2012-01-06 18:15:59,335] [Core.Analyzer] INFO: Analysis package imported from "packages.ie".
> > [2012-01-09 16:58:16,256] [Core.Analyzer] INFO: Executing analysis package run function.
> > [2012-01-09 16:58:16,256] [Screenshots.Run] INFO: Started taking screenshots.
> > [2012-01-09 16:58:16,536] [Execute.Execute] INFO: Launched process "C:\Program Files\Internet Explorer\iexplore.exe" with arguments ""C:\Program Files\Internet Explorer\iexplore.exe" http://www.google.com/", ID "3008" and thread "0x00000744".
> > [2012-01-09 16:58:17,302] [Monitor.Monitor] INFO: Using default Cuckoo DLL "C:\cuckoo\dll\cmonitor.dll".
> > [2012-01-09 16:58:17,473] [Inject.GrantDebugPrivilege] INFO: Successfully granted debug privileges on Cuckoo process.
> > [2012-01-09 16:58:17,693] [Inject.Inject] DEBUG: Process with PID 3008 successfully injected with DLL at path "C:\cuckoo\dll\FeFdpu.dll".
> > [2012-01-09 16:58:18,020] [Screenshots.Run] DEBUG: Screenshot saved at "C:\cuckoo\shots\shot_1.jpg".
> > [2012-01-09 16:58:18,036] [Monitor.Monitor] INFO: Original process with PID "3008" successfully injected.
> > [2012-01-09 16:58:18,068] [Core.Analyzer] INFO: Analysis package returned following process PID to add to monitor list: 3008.
> > [2012-01-09 16:58:18,084] [Core.Analyzer] INFO: Running for a maximum of 200 seconds.
> > 
> > Apparently the command line is correct, and if I open the Windows
> > virtual machine and try by hand with Python, it works: IE starts
> > and opens google.com:
> > 
> > import os
> > import sys
> > from ctypes import *
> > 
> > # Cuckoo's Win32 definitions, reached through the VirtualBox shared folder
> > sys.path.append("\\\\VBOXSVR\\setup\\lib\\")
> > import cuckoo.defines
> > 
> > startupinfo = cuckoo.defines.STARTUPINFO()
> > process_information = cuckoo.defines.PROCESS_INFORMATION()
> > creation_flags = cuckoo.defines.CREATE_NEW_CONSOLE
> > 
> > target_path = "C:\\Program Files\\Internet Explorer\\iexplore.exe"
> > args = "http://www.google.com"
> > 
> > # Quote the image path as argv[0], then append the URL
> > arguments = "\"" + target_path + "\" " + args
> > cuckoo.defines.KERNEL32.CreateProcessA(target_path, arguments,
> >                                        None, None, None, creation_flags,
> >                                        None, None, byref(startupinfo),
> >                                        byref(process_information))
> > 
> > 
> > I tried the same with Firefox and got the same result. Any idea?
> > 
> > Thank you in advance for any kind of help.
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
> 
> iQEcBAEBAgAGBQJPCxLQAAoJEKLAxXCp+Dw4CFQIAIfFiRiMK13KYeR7VlZc0Ts5
> UFLKjrrbL6/ZB1eGQG0ceQSSbiPWpXa+Be2aSTBQw4M65gH7c53jGx93BshaFmW/
> vTkClOIqcp6yvqR7HYknILLgvVRu2dkUgJoT97SyxXBhT2n59qfQB+ijl0/qI1HJ
> fHhyC2UJiuUC5v2B7THES4phOtdWjxwY5NukGhCHUGO50bCfcXCNJBujWV+swmA2
> VJR5JvNapDIT3g95cXzhfENSwngI6JejEg9y2g7sF4iV4+amTAHFxphn/IJ4lIyw
> n6eC2L+MCaDz9YJqazVdI+WCbkcrWT+/LISSWomIdfux+UtppWQug6h9YoWzSqg=
> =cxz/
> -----END PGP SIGNATURE-----
> _______________________________________________
> Cuckoo mailing list
> Cuckoo at public.honeynet.org
> https://public.honeynet.org/mailman/listinfo/cuckoo



-- 
lorenzo

