duplication when opening application from taskbar

Open Ana06 opened this issue 1 year ago • 2 comments

When starting fakenet, chrome, processExplorer and IDA from the taskbar, I get a duplication which is confusing: image

@emtuls I think this is related to some things you have worked on. Do you have any ideas how to fix it?

Ana06 avatar Jul 01 '24 08:07 Ana06

@Ana06 I am not sure if this can be completely fixed unfortunately.

Unable to be fixed:

  • For the IDA shortcut, because our shortcut is to a launcher, it is technically not the same program that is being run (it launches the correct IDA), so that is why it's creating a whole new icon.
  • For Cyberchef, we are using a shortcut that launches chrome, and because the shortcut itself is not actually chrome, it will create a new icon as well, as it is not the actual program that is being run.
    • Alternatively: I can make a shortcut that just opens a .html page, which gets us closer (once the default application for .html is properly done), but this would NOT allow us to pin a shortcut to the taskbar because Microsoft does not allow pinning of .html pages to a taskbar, but it does work for a desktop icon and in the Tools directory.
    • The best way to make this work would be if we could somehow set the default homepage for chrome (or whatever browser is default) to be cyberchef, but from my research, I don't think this is something that can be programmatically done (Microsoft seems to forbid this).

Fixable:

  • For Procmon and Procexp, I can fix them, since it seems that our shortcuts are to the 32 bit versions and they must detect that they are running on a 64 bit system and then spawn the 64 bit version, which is a separate application and thus creates a new icon. Changing these to just run the 64 bit programs directly mitigates this.

Unsure:

  • For Fakenet, I did not experience this issue on my system, so I would need to investigate further. Would you be able to provide me the Target your fakenet is using for the shortcut?

image

emtuls avatar Jul 27 '24 03:07 emtuls

@emtuls can you please send a PR to fix procmon and procexp now (that seem easy to fix) and we can continue discussing the rest here?

The chrome issue is related to https://github.com/mandiant/VM-Packages/pull/1054, as this would again make it look a bit different.

Have you tested the latest version of fakenet?

Ana06 avatar Aug 29 '24 09:08 Ana06

procmon and procexp should be fixed now.

Ana06 avatar Oct 02 '24 09:10 Ana06

Proposal to fix Chrome/CyberChef

Option 1: Use the CyberChef icon in the taskbar for Chrome

Use the CyberChef icon in the taskbar for Chrome that by default opens CyberChef:

image

  1. In the cyberchef.vm package, change the target of CyberChef.lnk to "C:\Program Files\Google\Chrome\Application\chrome.exe" -home "C:\Tools\CyberChef\CyberChef_v10.19.0.html"

Note that this option makes Chrome always use the CyberChef icon in the taskbar.

Option 2: Use the Chrome icon in the taskbar for Chrome that by default opens CyberChef

image

  1. In the googlechrome.vm package, create a shortcut in %ProgramData%\_VM\chrome.lnk with Chrome as target and icon.
  2. In the cyberchef.vm package, modify %ProgramData%\_VM\chrome.lnk target to "C:\Program Files\Google\Chrome\Application\chrome.exe" -home "C:\Tools\CyberChef\CyberChef_v10.19.0.html" keeping the Chrome icon.
  3. Change LayoutModification.xml in flare-vm to use %ProgramData%\_VM\chrome.lnk instead of the CyberChef shortcut.

Note that both solutions make Google Chrome a hard dependency of CyberChef, not being able to remove the dependency as proposed in https://github.com/mandiant/VM-Packages/issues/1021. I think this is ok and I think we can still fix the .html popup issue as part of https://github.com/mandiant/VM-Packages/issues/1021 that @emtuls has researched.


I understand from the discussion in https://github.com/mandiant/VM-Packages/issues/966 that we prefer option 1. I'll send a PR for it, but I wanted to document both options.

Ana06 avatar Oct 02 '24 10:10 Ana06
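
Steps 1 and 2 of Option 2 sketched in PowerShell, as an added example that is not part of the thread or of the VM-Packages code. It uses the WScript.Shell COM object rather than the project's own helpers, takes the paths and the -home argument from the proposal above, and leaves step 3 (LayoutModification.xml) out.

```powershell
# Added example: build %ProgramData%\_VM\chrome.lnk as described in Option 2.
# Paths are the ones quoted in the proposal; the CyberChef file name depends
# on the installed version.
$chrome    = 'C:\Program Files\Google\Chrome\Application\chrome.exe'
$cyberChef = 'C:\Tools\CyberChef\CyberChef_v10.19.0.html'
$lnkPath   = Join-Path $env:ProgramData '_VM\chrome.lnk'

foreach ($p in $chrome, $cyberChef) {
    if (-not (Test-Path -LiteralPath $p)) { throw "Missing file: $p" }
}

$shell = New-Object -ComObject WScript.Shell

# Step 1 (googlechrome.vm): plain Chrome shortcut, Chrome as target and icon.
New-Item -ItemType Directory -Path (Split-Path $lnkPath) -Force | Out-Null
$lnk = $shell.CreateShortcut($lnkPath)
$lnk.TargetPath       = $chrome
$lnk.Arguments        = ''
$lnk.IconLocation     = "$chrome,0"
$lnk.WorkingDirectory = Split-Path $chrome
$lnk.Save()

# Step 2 (cyberchef.vm): CreateShortcut on an existing .lnk loads it, so only
# the arguments change and the Chrome icon set in step 1 is kept.
# The "Target" box in the shortcut dialog is TargetPath plus Arguments.
$lnk = $shell.CreateShortcut($lnkPath)
$lnk.Arguments = "-home `"$cyberChef`""
$lnk.Save()

# Read the shortcut back and fail loudly if it is not what the taskbar
# layout is expected to point at.
$check = $shell.CreateShortcut($lnkPath)
if ($check.TargetPath -ne $chrome) {
    throw "Unexpected target: $($check.TargetPath)"
}
if ($check.IconLocation -notlike "$chrome*") {
    throw "Icon is no longer Chrome's: $($check.IconLocation)"
}
[pscustomobject]@{
    Shortcut  = $lnkPath
    Target    = $check.TargetPath
    Arguments = $check.Arguments
    Icon      = $check.IconLocation
}
```
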

After doing some more testing on option 1, it seems that Windows does not consistently group Chrome and CyberChef until I reboot the system, but I think this is acceptable.

Ana06 avatar Oct 02 '24 12:10 Ana06

I think we can close this issue.

Ana06 avatar Nov 04 '24 15:11 Ana06