CAPEv2
Unable to use linux packages
About accounts on capesandbox.com
- Issues aren't the way to ask for account activation. Ping capesandbox on Twitter with your username
This is open source and you are getting free support, so be friendly!
- Free support from doomedraven ended, no whiskey no support. For something he updated the documentation :)
Prerequisites
Please answer the following questions for yourself before submitting an issue.
- [x] I am running the latest version
- [x] I did read the README!
- [x] I checked the documentation and found no answer
- [x] I checked to make sure that this issue has not already been filed
- [x] I'm reporting the issue to the correct repository (for multi-repository projects)
- [x] I have read all configs with all optional parts
Expected Behavior
Can select a package for a linux VM via the web interface or utils/submit.py; the analysis is performed via the correct linux package
Current Behavior
It is impossible to select a linux package via Submit/Analysis package (for example, the bash package exists in analyzer/linux/modules/packages/ but is absent from the web UI menu). Even if the package is specified on the command line for submit.py, cape is not honoring it - the analysis starts without any package, or does not start at all (stuck in pending state). I don't know if this is a misconfiguration / bug, or if absence of support is expected (in that case it's strange why analyzer/linux exists)
Failure Information (for bugs)
Steps to Reproduce
Please provide detailed steps for reproducing the issue.
- take elf or bash script
- submit it via submit.py or web interface
- task stuck at pending state or executed without any package
Context
Please provide any relevant information about your setup. This is important in case the issue is not reproducible except for under certain conditions.
| Question | Answer |
|---|---|
| Git commit | commit c0d553aa38ee57462711655bc2686ae22e4256a8 |
| OS version | Ubuntu 20.04.5 LTS (same for 22.04.1 LTS) |
conf/web.conf
#enable linux fields on webgui
[linux]
#For advanced users only, can be buggy, linux analysis is work in progress for fun
enabled = yes
Failure Logs
cape@cape01:/opt/CAPEv2$ python3 -m poetry run python utils/submit.py --machine cuckoo-ub1804 --platform linux --package bash /tmp/virus.sh
INFO:lib.cuckoo.core.database:Do sandbox packages need an update? Sflock identifies as: False - b'/tmp/cuckoo-tmp/upload_mkpgp6j3/virus.sh'
Success: File "/tmp/virus.sh" added as task with ID 8
2022-09-24 19:13:23,003 [root] DEBUG: Starting analyzer from: /tmppu60lwlo
2022-09-24 19:13:23,003 [root] DEBUG: Storing results at: /tmp/tTpIcbq
2022-09-24 19:13:23,003 [lib.core.packages] INFO: _guess_package_name failed
2022-09-24 19:13:23,004 [lib.core.packages] INFO: ASCII text
2022-09-24 19:13:23,004 [lib.core.packages] INFO: virus.sh
Do you have DYNAMIC_ARCH_DETERMINATION enabled via web_conf.general.dynamic_arch_determination inside of web.conf?
Hello, thank you for your reply.
Yes, dynamic arch and platform determinations are enabled in web config
# Assign architecture to task to fetch correct VM type
dynamic_arch_determination = yes
# Assign platform to task to fetch correct VM type
dynamic_platform_determination = yes
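The thread so far hinges on three web.conf settings: `[linux] enabled` and the two `[general]` determination flags. The following is an added example, not code from CAPEv2, that reads a web.conf and reports which of those settings is missing or disabled, so the check can be repeated before filing a report. The section and key names are the ones quoted in this thread; the two sample configurations embedded below are constructed for the example.

```python
"""Sanity-check the web.conf settings this thread discusses.

Added example (not part of CAPEv2): parses a CAPE-style web.conf and reports
whether the [linux] section is enabled and whether dynamic arch / platform
determination are switched on in [general]. The sample configs below are
constructed for the example; section and key names come from the thread.
"""
import configparser

# Settings the thread says must be on for Linux submissions to be honoured.
REQUIRED = [
    ("linux", "enabled"),
    ("general", "dynamic_arch_determination"),
    ("general", "dynamic_platform_determination"),
]


def load_web_conf(text: str) -> configparser.ConfigParser:
    """Parse "key = value" INI text with "#" comments (inline ones tolerated)."""
    parser = configparser.ConfigParser(inline_comment_prefixes=("#",), interpolation=None)
    parser.read_string(text)
    return parser


def check_linux_submission_config(text: str) -> dict:
    """Return {"section.key": status} with status "ok", "disabled" or "missing"."""
    parser = load_web_conf(text)
    result = {}
    for section, key in REQUIRED:
        name = f"{section}.{key}"
        if not parser.has_option(section, key):
            result[name] = "missing"          # key (or whole section) absent
        elif parser.getboolean(section, key):  # accepts yes/no, true/false, 1/0
            result[name] = "ok"
        else:
            result[name] = "disabled"
    return result


def linux_submission_ready(text: str) -> bool:
    """True only when every required setting is present and enabled."""
    return all(status == "ok" for status in check_linux_submission_config(text).values())


# Constructed sample: the configuration the reporter describes (everything on).
GOOD_CONF = """\
[general]
# Assign architecture to task to fetch correct VM type
dynamic_arch_determination = yes
# Assign platform to task to fetch correct VM type
dynamic_platform_determination = yes

#enable linux fields on webgui
[linux]
#For advanced users only, can be buggy, linux analysis is work in progress for fun
enabled = yes
"""

# Constructed sample: a config where Linux support is left off and one flag is absent.
BAD_CONF = """\
[general]
dynamic_arch_determination = yes

[linux]
enabled = no
"""

if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(label, check_linux_submission_config(conf), "ready:", linux_submission_ready(conf))
```

Point `load_web_conf` at the real `conf/web.conf` with `open(...).read()` to check a live install; a "missing" status for a key usually means the whole section is absent from an older config.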
Then someone broke it 🤣 I don't have time this week to look into this issue
On Tue, 27 Sep 2022 18:41, alx1m1k wrote:
> Hello, thank you for your reply.
> Yes, dynamic arch and platform determinations are enabled in web config
> # Assign architecture to task to fetch correct VM type
> dynamic_arch_determination = yes
> # Assign platform to task to fetch correct VM type
> dynamic_platform_determination = yes
I've got a fair bit of Linux changes in the works that could help here.
@nbargnesi do you have a status update on your aforementioned Linux changes? I'm wondering because I've also hit a wall in terms of Linux detonation.
Not yet, but I've got Ubuntu 20.04/22.04, Oracle, and Fedora linux detonating in CAPE regularly; it just takes a fair bit of work to get there. Part of the problem is how outdated open source Linux malware analysis is everywhere you look.
Here's a sense for the initial bit of what's needed to make CAPE decent at doing Linux malware - no particular order:
- Rewrite extra/systemtap/strace.stp. What's there is pretty basic and doesn't handle things like process creation.
- Rewrite analyzer/linux/modules/auxiliary/filecollector.py. The pyinotify library it uses is dead. The collector can miss a lot, deadlock, etc. Use something like fanotify or kernel instrumentation, possibly via an auxiliary analyzer module.
- Use a better path when doing the analysis in the VM. IIRC determine_system_drive is what's at least partly responsible for where the analysis goes, and uses / which requires write permissions in the VM. We shouldn't need to run in the VM as root. It should work if a VM is configured that way, but it shouldn't be a requirement.
- Rewrite analyzer/linux/lib/api/screenshot.py. With the switch to Wayland, PIL won't work. There are alternatives. I'm using gnome-screenshot, but someone thought it would be a good idea to make the whole screen flash when a screenshot is taken so it's not ideal.
- Parse analysis logs and fit them into CAPE's behavioral analysis report and UI.
- Documentation.
At some point this month, my current plan is to kick off a long-lived branch to start collecting these changes, maybe do something like what @doomedraven did with his big v2 PR some time ago. I don't see a good path to a set of smaller PRs.
Hi. I have seen your branch. Have you tested which files can be correctly analyzed in the ubuntu virtual machine? Thank you. @nbargnesi
With Ubuntu VMs specifically, coverage isn't too good. This is based on how Ubuntu generally fares with SystemTap support, which is to say in general not very well.
Ubuntu 22.04 with the SystemTap rewrite in my branch will work, but you'll need to turn on SystemTap's guru mode when building the kernel module, to help work around the instrumentation overhead.
In the end, you'll be able to analyze files, but CAPE needs a lot more work to make sense of the results.
Okay, I understand. It seems like it takes a lot of effort to debug. It doesn't seem suitable for me now. I can only wish the pioneers in this field no more bugs 😀 @nbargnesi
This should now be fixed, so closing this issue