
Python x64 versions crash the analysis process

Open nbargnesi opened this issue 2 years ago • 3 comments

Both the docs and agent module say an x86 version of Python is required.

Under the covers the analysis process calls a bunch of low-level Windows libraries, unpacking the results of these calls into a series of structures defined in lib.common.defines. The analyzer assumes the structures use 32-bit sizes, and will crash if running under a 64-bit Python.

There are architecture-independent ways of doing most of what the analyzer needs to do, but for now the x86 requirement is there based on how the analyzer is written.

Note, the agent module doesn't need to run under an x86 Python, only the analyzer process. CAPE just happens to use the same sys.executable for both.

nbargnesi avatar Jul 28 '23 16:07 nbargnesi
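
Added illustration, not part of the original issue and not CAPEv2's code: why structure definitions that assume 32-bit sizes fail under a 64-bit interpreter. The Win32 PROCESS_INFORMATION layout is an assumed stand-in for the structures in lib.common.defines, and the class names, helper names and sample buffer are constructed for this example.

```python
import ctypes
import struct

# Layout of Win32 PROCESS_INFORMATION: two HANDLEs followed by two DWORDs.
# HANDLE is pointer-sized, so the structure is 16 bytes on x86 and 24 on x64.
FMT_X86 = "<IIII"   # 4-byte handles
FMT_X64 = "<QQII"   # 8-byte handles
FIELDS = ("hProcess", "hThread", "dwProcessId", "dwThreadId")


class ProcessInformationFixed32(ctypes.Structure):
    """Definition that hard-codes 32-bit handle fields (the fragile form)."""
    _fields_ = [("hProcess", ctypes.c_uint32), ("hThread", ctypes.c_uint32),
                ("dwProcessId", ctypes.c_uint32), ("dwThreadId", ctypes.c_uint32)]


class ProcessInformationPortable(ctypes.Structure):
    """Definition whose handle fields follow the interpreter's pointer size."""
    _fields_ = [("hProcess", ctypes.c_void_p), ("hThread", ctypes.c_void_p),
                ("dwProcessId", ctypes.c_uint32), ("dwThreadId", ctypes.c_uint32)]


def parse(buf, pointer_bits):
    """Unpack a PROCESS_INFORMATION buffer for the stated pointer width."""
    fmt = FMT_X64 if pointer_bits == 64 else FMT_X86
    if len(buf) != struct.calcsize(fmt):
        raise ValueError(f"expected {struct.calcsize(fmt)} bytes, got {len(buf)}")
    return dict(zip(FIELDS, struct.unpack(fmt, buf)))


def misparse_as_x86(buf):
    """Read only the leading 16 bytes with the x86 layout, as 32-bit-only code would."""
    return dict(zip(FIELDS, struct.unpack_from(FMT_X86, buf)))


# Constructed sample: what a 64-bit process would receive from the OS.
SAMPLE_X64 = struct.pack(FMT_X64, 0x1A4, 0x1A8, 4321, 4400)

if __name__ == "__main__":
    print("fixed32 sizeof :", ctypes.sizeof(ProcessInformationFixed32))
    print("portable sizeof:", ctypes.sizeof(ProcessInformationPortable))
    print("correct parse  :", parse(SAMPLE_X64, 64))
    print("x86 misparse   :", misparse_as_x86(SAMPLE_X64))
```

The strict parser rejects the size mismatch outright, while the lenient read returns a plausible but wrong process ID taken from the low half of the thread handle.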

This commit fixes the struct unpacking crash when a 64-bit Python is used.

nbargnesi avatar Jul 28 '23 17:07 nbargnesi

Can you PR this commit?

doomedraven avatar Aug 03 '23 18:08 doomedraven

Done. I think we should keep this issue open for some time - there will be more crashes and issues running under an x64 Python analyzer.

nbargnesi avatar Aug 04 '23 16:08 nbargnesi