CAPEv2
Feature request: More natural mouse movement in automated interactions
One of the few pafish sandbox detections that fire on CAPE is "Sandbox traced by missing mouse movement or supernatural speed". The source code for this detection is https://github.com/a0rtega/pafish/blob/b497899ff355ea7b9ecc1f5cd34a9fd1def02aec/pafish/rtt.c#L72
I just took a look at Pafish, latest 32-bit release 9e7d694ed87ae95f9c25af5f3a5cea76188cd7c1c91ce49c92e25585f232d98e.
My first observation is that the mouse movement function fails for both zero movement and 'supernatural' movement, so it's difficult to differentiate based solely on the tool's output. I considered recompiling with more output, but instead opted for an instruction trace to see exactly what happens during experimentation:
yarascan=0,bp0=0x4F63,bp1=0x5080,action1=stop
The yarascan option is just there to stop the existing bypass yara from interfering. The other options capture the entire execution of the rtt_mouse_speed_limit() function.
Unfortunately, I observed that even with "Disable automated interaction" selected to suppress the auxiliary human.py, this function still fails with 'supernatural' speed:
CAPE Sandbox - Debugger log: Tue Feb 6 14:43:08 2024
Breakpoint 0 hit by instruction at 0x00404F63 (thread 4564) EAX=0x404f63 "U" EBX=0x2000800 ECX=0xffffffff EDX=0x1d ESI=0x2f EDI=0x26911c4 ESP=0x62f93c *ESP=0x402788 EBP=0x62f968
Break at 0x00404F63 in pafish.exe (RVA 0x4f63, thread 4564, ImageBase 0x00400000)
0x00404F63 55 PUSH EBP ESP=0x62f938 "h" *ESP=0x62f968
0x00404F64 89E5 MOV EBP, ESP EBP=0x62f938 "h"
0x00404F66 83EC48 SUB ESP, 0x48 ESP=0x62f8f0 *ESP=0x0
0x00404F69 C745F4B80B0000 MOV DWORD [EBP-0xc], 0xbb8
0x00404F70 C745EC0A000000 MOV DWORD [EBP-0x14], 0xa
0x00404F77 C745F000000000 MOV DWORD [EBP-0x10], 0x0
0x00404F7E C7042410000000 MOV DWORD [ESP], 0x10
0x00404F85 A130854100 MOV EAX, [0x418530] EAX=0x76874d10
0x00404F8A FFD0 CALL GetSystemMetrics EAX=0x500 ECX=0x500 EDX=0x30 ESP=0x62f8f4 *ESP=0x0
0x00404F8C 83EC04 SUB ESP, 0x4 ESP=0x62f8f0 *ESP=0x0
0x00404F8F 89C1 MOV ECX, EAX
0x00404F91 BA67666666 MOV EDX, 0x66666667 EDX=0x66666667
0x00404F96 89C8 MOV EAX, ECX
0x00404F98 F7EA IMUL EDX EAX=0x300 EDX=0x200
0x00404F9A 89D0 MOV EAX, EDX EAX=0x200
0x00404F9C D1F8 SAR EAX, 0x1 EAX=0x100
0x00404F9E C1F91F SAR ECX, 0x1f ECX=0x0
0x00404FA1 89CA MOV EDX, ECX EDX=0x0
0x00404FA3 29D0 SUB EAX, EDX
0x00404FA5 8945E8 MOV [EBP-0x18], EAX
0x00404FA8 C7042411000000 MOV DWORD [ESP], 0x11
0x00404FAF A130854100 MOV EAX, [0x418530] EAX=0x76874d10
0x00404FB4 FFD0 CALL GetSystemMetrics EAX=0x2e1 ECX=0x2e1 EDX=0x2e1 ESP=0x62f8f4 *ESP=0x0
0x00404FB6 83EC04 SUB ESP, 0x4 ESP=0x62f8f0 *ESP=0x0
0x00404FB9 89C1 MOV ECX, EAX
0x00404FBB BA67666666 MOV EDX, 0x66666667 EDX=0x66666667
0x00404FC0 89C8 MOV EAX, ECX
0x00404FC2 F7EA IMUL EDX EAX=0xccccce87 EDX=0x126
0x00404FC4 89D0 MOV EAX, EDX EAX=0x126
0x00404FC6 D1F8 SAR EAX, 0x1 EAX=0x93
0x00404FC8 C1F91F SAR ECX, 0x1f ECX=0x0
0x00404FCB 89CA MOV EDX, ECX EDX=0x0
0x00404FCD 29D0 SUB EAX, EDX
0x00404FCF 8945E4 MOV [EBP-0x1c], EAX
0x00404FD2 8D45D4 LEA EAX, [EBP-0x2c] EAX=0x62f90c
0x00404FD5 890424 MOV [ESP], EAX
0x00404FD8 A120854100 MOV EAX, [0x418520] EAX=0x76865750
0x00404FDD FFD0 CALL GetCursorPos EAX=0x1 ECX=0x2a410001 EDX=0xc0000029 ESP=0x62f8f4 *ESP=0x0
0x00404FDF 83EC04 SUB ESP, 0x4 ESP=0x62f8f0 *ESP=0x0
0x00404FE2 EB7F JMP 0x81
0x00405063 837DF400 CMP DWORD [EBP-0xc], 0x0
0x00405067 0F8577FFFFFF JNZ 0xffffff7d
0x00404FE4 8B45EC MOV EAX, [EBP-0x14] EAX=0xa
0x00404FE7 890424 MOV [ESP], EAX
0x00404FEA A1EC834100 MOV EAX, [0x4183ec] EAX=0x754f0f00
0x00404FEF FFD0 CALL Sleep EAX=0x0 ECX=0x2df3a281 EDX=0x2b8000 "P" ESP=0x62f8f4 *ESP=0x0
0x00404FF1 83EC04 SUB ESP, 0x4 ESP=0x62f8f0 *ESP=0x0
0x00404FF4 8D45CC LEA EAX, [EBP-0x34] EAX=0x62f904
0x00404FF7 890424 MOV [ESP], EAX
0x00404FFA A120854100 MOV EAX, [0x418520] EAX=0x76865750
0x00404FFF FFD0 CALL GetCursorPos EAX=0x1 ECX=0x2a410001 EDX=0xc00002f8 ESP=0x62f8f4 *ESP=0x0
0x00405001 83EC04 SUB ESP, 0x4 ESP=0x62f8f0 *ESP=0x0
0x00405004 8B45D4 MOV EAX, [EBP-0x2c] EAX=0x2de
0x00405007 8B55CC MOV EDX, [EBP-0x34] EDX=0x44f
0x0040500A 29D0 SUB EAX, EDX EAX=0xfffffe8f
0x0040500C 8945E0 MOV [EBP-0x20], EAX
0x0040500F 8B45D8 MOV EAX, [EBP-0x28] EAX=0x8
0x00405012 8B55D0 MOV EDX, [EBP-0x30] EDX=0x2f8
0x00405015 29D0 SUB EAX, EDX EAX=0xfffffd10
0x00405017 8945DC MOV [EBP-0x24], EAX
0x0040501A 837DE000 CMP DWORD [EBP-0x20], 0x0
0x0040501E 7506 JNZ 0x8
0x00405026 8345F001 ADD DWORD [EBP-0x10], 0x1
0x0040502A 8B45E0 MOV EAX, [EBP-0x20] EAX=0xfffffe8f
0x0040502D 99 CDQ EDX=0xffffffff
0x0040502E 89D0 MOV EAX, EDX EAX=0xffffffff
0x00405030 3345E0 XOR EAX, [EBP-0x20] EAX=0x170
0x00405033 29D0 SUB EAX, EDX EAX=0x171
0x00405035 3945E8 CMP [EBP-0x18], EAX
0x00405038 7D17 JGE 0x19
0x0040503A 8B45DC MOV EAX, [EBP-0x24] EAX=0xfffffd10
0x0040503D 99 CDQ
0x0040503E 89D0 MOV EAX, EDX EAX=0xffffffff
0x00405040 3345DC XOR EAX, [EBP-0x24] EAX=0x2ef
0x00405043 29D0 SUB EAX, EDX EAX=0x2f0
0x00405045 3945E4 CMP [EBP-0x1c], EAX
0x00405048 7D07 JGE 0x9
0x0040504A B801000000 MOV EAX, 0x1 EAX=0x1
0x0040504F EB2E JMP 0x30
0x0040507F C9 LEAVE Breakpoint 1 hit by instruction at 0x00405080 (thread 4564) ESP=0x62f93c *ESP=0x402788 EBP=0x62f968
0x00405080 C3 RET
ActionDispatcher: stopping trace.
Here the jge at the end corresponds to the source abs(dy) > my, which shows that the check for excessive movement between subsequent calls to GetCursorPos is failing, despite there being no automated interaction at all!
I am currently stumped as to why this is occurring, which has temporarily scuppered my attempts to fix this with changes to human.py.
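To make the check in the issue and in the trace above concrete, here is an added example (not pafish's code and not part of CAPE or human.py) that re-implements the mouse-speed check as reconstructed from the instruction trace: the per-axis limits are the screen width and height divided by 5 (the 0x66666667 multiply followed by SAR 1 is the compiler's idiom for a division by 5, giving 0x100 and 0x93 for the 0x500 x 0x2e1 screen in the trace), a single sample-to-sample jump larger than either limit fires the check, and so does a run with no movement at all, as noted at the top of the comment. The constructed sample data is the pair of cursor positions read out of the trace, (0x2de, 0x8) followed by (0x44f, 0x2f8). The `interpolate_move` helper is an assumption about how an interaction script could stay under the limit: it splits one move into per-tick steps no larger than the smaller limit, which is the kind of change the feature request is asking for.

```c
#include <stdio.h>
#include <stdlib.h>

/* Mirrors the Win32 POINT that GetCursorPos fills in (constructed for this example). */
typedef struct { int x, y; } point_t;

/* Screen size observed in the trace: GetSystemMetrics(SM_CXSCREEN/SM_CYSCREEN). */
#define TRACE_SCREEN_W 0x500
#define TRACE_SCREEN_H 0x2e1

/* Reconstruction of the pafish check from the trace (assumption, not pafish's
 * source): limits are screen/5 per axis; each pair of successive samples
 * (pafish takes one every Sleep(10) for up to 3000 iterations) is compared,
 * and any jump beyond a limit, or no movement over the whole run, counts as
 * traced. Returns 1 when the check fires, 0 when the samples pass. */
int mouse_speed_check(const point_t *samples, int n, int screen_w, int screen_h) {
    int mx = screen_w / 5;
    int my = screen_h / 5;
    int moved = 0;
    for (int i = 1; i < n; i++) {
        int dx = samples[i - 1].x - samples[i].x;
        int dy = samples[i - 1].y - samples[i].y;
        if (dx != 0 || dy != 0) moved++;
        if (abs(dx) > mx) return 1; /* "supernatural" horizontal speed */
        if (abs(dy) > my) return 1; /* "supernatural" vertical speed */
    }
    return moved == 0; /* no movement at all also fires */
}

/* Hypothetical helper: split one move into steps of at most max_step pixels
 * on either axis, writing the start point and every intermediate position.
 * Returns the number of samples written, or 0 if cap is too small. */
int interpolate_move(point_t from, point_t to, int max_step, point_t *out, int cap) {
    int dx = to.x - from.x, dy = to.y - from.y;
    int span = abs(dx) > abs(dy) ? abs(dx) : abs(dy);
    int steps = (span + max_step - 1) / max_step; /* ceil(span / max_step) */
    if (steps < 1) steps = 1;
    if (steps + 1 > cap) return 0;
    for (int i = 0; i <= steps; i++) {
        out[i].x = from.x + (int)((long)dx * i / steps);
        out[i].y = from.y + (int)((long)dy * i / steps);
    }
    return steps + 1;
}

int main(void) {
    /* The two GetCursorPos results captured in the trace, 10 ms apart. */
    point_t jump[2] = { { 0x2de, 0x8 }, { 0x44f, 0x2f8 } };
    printf("raw jump from trace: traced=%d\n",
           mouse_speed_check(jump, 2, TRACE_SCREEN_W, TRACE_SCREEN_H));

    /* Same move delivered as per-tick steps under the smaller limit. */
    point_t path[64];
    int n = interpolate_move(jump[0], jump[1], TRACE_SCREEN_H / 5, path, 64);
    printf("interpolated in %d samples: traced=%d\n", n,
           mouse_speed_check(path, n, TRACE_SCREEN_W, TRACE_SCREEN_H));
    return 0;
}
```

With the trace's screen size the limits come out as 256 and 147 pixels per tick; the captured jump of 369 by 752 pixels exceeds both, which is exactly the path through the two jge instructions seen in the trace, while the same displacement spread over seven samples passes.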