
cuckoosandbox / monitor


The new Cuckoo Monitor.

License: GNU General Public License v3.0

Makefile 0.17% C 18.24% Shell 0.04% Python 1.24% CMake 0.03% C++ 36.24% Java 1.82% OCaml 0.80% Ruby 0.01% Tcl 0.01% PHP 41.30% HTML 0.10%

monitor's Introduction

monitor

The new Cuckoo Monitor. Click here for documentation. If at first it doesn't compile, just try a second time!

Note that you'll need the pyyaml package, which may be installed as follows: pip install pyyaml.

monitor's People

Contributors

davidoren, fernandodoming, jbremer, mars-f, mvdnes, snemes, thorsten-sick, titotix


monitor's Issues

Why hook both native and Win32 APIs?

You have hooked both versions, i.e. the native and the Win32 API. This means that for the registry you hooked APIs from advapi32 as well as from ntdll, but I think the advapi32 calls will go through ntdll and we can catch the events only by hooking ntdll. The same is true for many other hooks, e.g. file hooks, process hooks, etc.
What is the motivation/theme behind hooking both versions? Can we not get all the information by only hooking native APIs? Hooking only native APIs will keep the hook count lower and we will get coverage of both native and Win32 (because Win32 calls native internally).
Thanks!

Instruction-based hooking

Hi,
I just saw the update in the monitor. This new instruction hooking looks interesting. Is there any particular documentation for this type of hooking available on the web? I am wondering how these hooks could be used and what they are used for. Thanks a lot

Missing symbol SIG_vbscript_COleScript_Compile_0

While trying to compile the monitor DLLs, I received the following error:

objects/code/insns.c:414:9: error: ‘SIG_vbscript_COleScript_Compile’ undeclared (first use in this function); did you mean ‘SIG_jscript_COleScript_Compile’?
         SIG_vbscript_COleScript_Compile,
         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         SIG_jscript_COleScript_Compile

Looking at the generated C files, the symbol was in fact missing; however, the signature looked to be correct.

Please see #71 for a pull request that fixes the issue. The duplication check using the variable last does not differentiate between functions in different modules/DLLs. Since the variable last is not used anywhere else, I added the module name to the last string to help differentiate. Afterwards all binaries are correctly generated.

Thanks for writing Cuckoo. It has been a huge help.
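
As an added illustration of the duplicate check described in the report above (example code written for this page, not the monitor's own process.py), here is a toy signature generator that keys its "last seen" check on the bare function name and therefore drops the second COleScript_Compile, so the SIG_vbscript_COleScript_Compile symbol that the generated insns.c references is never declared. Keying the check on (module, function) fixes it, and diffing the referenced symbols against the emitted ones catches the mismatch before gcc does. The hook list, the sorted walk with a last variable and the symbol naming are assumptions modelled on the error message, not the project's real data structures.

```python
"""Toy signature generator with the module-blind duplicate check from the issue.

Added example, not the monitor's process.py. HOOKS is a constructed list
modelled on the symbols in the compiler error; the sorted walk with a
'last' variable is an assumption about why a last-seen check catches
duplicates at all.
"""

HOOKS = [
    ("jscript", "COleScript_Compile"),
    ("jscript", "JsEval"),
    ("vbscript", "COleScript_Compile"),   # same function name, different DLL
    ("vbscript", "CScriptRuntime_Run"),
]


def sig_symbol(module, func):
    """C symbol that the generated insns.c references for one hook."""
    return "SIG_%s_%s" % (module, func)


def emitted_symbols(hooks, key_includes_module):
    """Symbols the generator actually declares.

    The buggy variant compares only the function name with the previous one,
    so two modules exporting the same name collide and the second is skipped.
    """
    declared = []
    last = None
    for module, func in sorted(hooks, key=lambda h: h[1]):
        key = (module, func) if key_includes_module else func
        if key == last:
            continue          # duplicate check: skip a repeated definition
        last = key
        declared.append(sig_symbol(module, func))
    return declared


def referenced_symbols(hooks):
    """Every symbol the generated C code will reference."""
    return {sig_symbol(m, f) for m, f in hooks}


def missing_symbols(hooks, key_includes_module):
    """Referenced but never declared: exactly what gcc reports as 'undeclared'."""
    return referenced_symbols(hooks) - set(emitted_symbols(hooks, key_includes_module))


if __name__ == "__main__":
    print("module-blind check misses:", missing_symbols(HOOKS, False))
    print("module-aware check misses:", missing_symbols(HOOKS, True))
```

The missing_symbols() comparison is the check worth keeping around: run it on the generator's output before invoking make and a dropped definition shows up as a one-line set instead of a compiler error deep in insns.c.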

is32bit.exe -n lsass.exe returns "Error getting access to process: 5!"

Problem

It is about bin/is32bit.c

HANDLE open_process(uint32_t pid)
{
    HANDLE process_handle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
    if(process_handle == NULL) {
        if(GetLastError() == ERROR_ACCESS_DENIED) {
            error("process access denied");
        }
        error("[-] Error getting access to process: %ld!\n", GetLastError());
    }

    return process_handle;
}

OpenProcess a system process - lsass.exe

p = Process(process_name="lsass.exe")

Why is the PROCESS_ALL_ACCESS flag set when calling OpenProcess() on a system process like "lsass.exe"? According to the documentation, it will obviously return ERROR_ACCESS_DENIED.

dwProcessId [in]
The identifier of the local process to be opened.
If the specified process is the System Process (0x00000000), the function fails and the last error code is ERROR_INVALID_PARAMETER. If the specified process is the Idle process or one of the CSRSS processes, this function fails and the last error code is ERROR_ACCESS_DENIED because their access restrictions prevent user-level code from opening them.

References

https://msdn.microsoft.com/en-us/library/windows/desktop/ms684320(v=vs.85).aspx

Unable to start with --dbg path_to/windbg.exe

It seems related to the fact that the debugger is started using start_app and not a regular CreateProcess call.
Why do we need to inject into the debugger process? It didn't work anyway.

Unfortunately I don't have the log available.

insn hook bug

Both iexplorer.yml and jscript.yml have hooks for jscript. The init (jscript_init) method of the ActiveXObjectFncObj_Construct function is lost after process.py parses them.

[image]

AntiVM features?

There was the cuckoomon project, which had some modifications against VM detection. Is it possible to add that functionality to monitor?

Some exploit docs crash with or without monitor injection

VM: Win7SP1 x32, Office 2013 (also occurs in Office 2010 in Win7 and WinXP)

One example: this is actually an RTF file that should be named .doc (I can share more samples privately if needed): https://malwr.com/analysis/OTdkMGNiMjI4NjcxNDVhZjg5NzUzZGFiNjBmOTlmMzY/

These documents exploit CVE-2015-1641, so it is possible that something to do with the way the exploit works is causing this issue. The shellcode has some standard obfuscation and then walks the PEB and loaded DLLs to find what it is looking for.

I have managed to trace the crash issue down to inject-x86.exe. If I manually run inject-x86.exe --free --app and then open the doc, it crashes during the exploitation process. If I manually type in the cmd prompt and open the doc, the exploitation process succeeds. The documents worked when using Cuckoo 1.X's method of CreateProcessA vs. calling inject.exe's shellcode injection to spawn.

Exception seen when injected, possible false flag:

    stacktrace: bson_check_string+0x37 bson_check_field_name-0x2 @ 0x63beb240 bson_append_minkey+0x81 bson_append_string-0x8b @ 0x63bea270 bson_append_string_n+0x2e bson_append_symbol_n-0x2 @ 0x63bea3d1 log_string+0x8f log_wstring-0x5f @ 0x63bc4cc8 log_api+0x264 log_new_process-0xaf2 @ 0x63bc58c8 New_advapi32_RegEnumValueA@32+0x19a New_advapi32_RegEnumValueW@32-0x20 @ 0x63bcffd3 _MsoFDoSmartTagSecurityCheck@8+0x862 _MsoTelemetryLogControl@8-0x575d4 mso+0x66a4fb @ 0x201a4fb _MsoFDoSmartTagSecurityCheck@8+0x11a7 _MsoTelemetryLogControl@8-0x56c8f mso+0x66ae40 @ 0x201ae40 _MsoFDoSmartTagSecurityCheck@8+0x1106 _MsoTelemetryLogControl@8-0x56d30 mso+0x66ad9f @ 0x201ad9f DllGetLCID+0xa09ef ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4aa7a1 wwlib+0x2f2ce5 @ 0x64c82ce5 DllGetLCID+0xa0951 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4aa83f wwlib+0x2f2c47 @ 0x64c82c47 DllGetLCID+0x403e83 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x14730d wwlib+0x656179 @ 0x64fe6179 DllGetLCID+0x403e3f ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x147351 wwlib+0x656135 @ 0x64fe6135 DllGetLCID+0x403d8c ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x147404 wwlib+0x656082 @ 0x64fe6082 DllGetLCID+0x20b518 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x33fc78 wwlib+0x45d80e @ 0x64ded80e _MsoFreeCvsList@4+0x196d7 _MsoPwlfFromFlinfo@8-0x24bd49 mso+0x29a430 @ 0x1c4a430 _MsoDwWhichMessengerRunningEx@0+0x28b49 
_MsoDestroyITFC@4-0x30b82 mso+0x23c1c9 @ 0x1bec1c9 DllRegisterServer+0x432b6 DllSetProperty-0x5b932 msxml6+0x68853 @ 0x719f8853 DllRegisterServer+0x4416a DllSetProperty-0x5aa7e msxml6+0x69707 @ 0x719f9707 DllRegisterServer+0x4416a DllSetProperty-0x5aa7e msxml6+0x69707 @ 0x719f9707 DllRegisterServer+0x4416a DllSetProperty-0x5aa7e msxml6+0x69707 @ 0x719f9707 DllRegisterServer+0x4416a DllSetProperty-0x5aa7e msxml6+0x69707 @ 0x719f9707 DllRegisterServer+0x41f32 DllSetProperty-0x5ccb6 msxml6+0x674cf @ 0x719f74cf DllRegisterServer+0x44b76 DllSetProperty-0x5a072 msxml6+0x6a113 @ 0x719fa113 DllRegisterServer+0x42b1e DllSetProperty-0x5c0ca msxml6+0x680bb @ 0x719f80bb _MsoDwWhichMessengerRunningEx@0+0x1f9a2 _MsoDestroyITFC@4-0x39d29 mso+0x233022 @ 0x1be3022 _MsoFreeCvsList@4+0x17de3 _MsoPwlfFromFlinfo@8-0x24d63d mso+0x298b3c @ 0x1c48b3c DllGetClassObject+0x39e36 DllGetLCID-0x21385d wwlib+0x3ea99 @ 0x649cea99 DllGetClassObject+0x36a0a DllGetLCID-0x216c89 wwlib+0x3b66d @ 0x649cb66d DllGetClassObject+0x3268d DllGetLCID-0x21b006 wwlib+0x372f0 @ 0x649c72f0 DllGetClassObject+0x32318 DllGetLCID-0x21b37b wwlib+0x36f7b @ 0x649c6f7b DllGetClassObject+0x30462 DllGetLCID-0x21d231 wwlib+0x350c5 @ 0x649c50c5 DllGetClassObject+0x2fc15 DllGetLCID-0x21da7e wwlib+0x34878 @ 0x649c4878 DllGetLCID+0xa2634 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4a8b5c wwlib+0x2f492a @ 0x64c8492a DllGetLCID+0x94522 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4b6c6e wwlib+0x2e6818 @ 0x64c76818 DllGetLCID+0x459c6b ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0xf1525 wwlib+0x6abf61 @ 0x6503bf61 DllGetLCID+0x4598d3 
?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0xf18bd wwlib+0x6abbc9 @ 0x6503bbc9 OleSetMenuDescriptor+0xef1 ReadStringStream-0x53e ole32+0x5eb44 @ 0x75a9eb44 OleLoad+0x112 OleDoAutoConvert-0x1d ole32+0x5f2af @ 0x75a9f2af OleLoad+0x37 OleDoAutoConvert-0xf8 ole32+0x5f1d4 @ 0x75a9f1d4 _MsoFPuncWch@4+0x5e641 _MsoGetFidCSSeqChkDll@0-0x1fcd6 mso+0xa3d608 @ 0x23ed608 DllGetLCID+0x459550 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0xf1c40 wwlib+0x6ab846 @ 0x6503b846 DllGetLCID+0x459457 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0xf1d39 wwlib+0x6ab74d @ 0x6503b74d DllGetLCID+0x458f19 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0xf2277 wwlib+0x6ab20f @ 0x6503b20f DllGetLCID+0x458d38 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0xf2458 wwlib+0x6ab02e @ 0x6503b02e DllGetLCID+0x45898d ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0xf2803 wwlib+0x6aac83 @ 0x6503ac83 DllGetLCID+0x45446a ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0xf6d26 wwlib+0x6a6760 @ 0x65036760 DllGetLCID+0x43ff23 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10b26d wwlib+0x692219 @ 0x65022219 DllGetLCID+0x43e5c5 
?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10cbcb wwlib+0x6908bb @ 0x650208bb DllGetLCID+0x43bf9f ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10f1f1 wwlib+0x68e295 @ 0x6501e295 DllGetLCID+0x43b4fa ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10fc96 wwlib+0x68d7f0 @ 0x6501d7f0 DllGetClassObject+0x233e1a DllGetLCID-0x19879 wwlib+0x238a7d @ 0x64bc8a7d DllGetClassObject+0x2fc15 DllGetLCID-0x21da7e wwlib+0x34878 @ 0x649c4878 DllGetLCID+0xa2634 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4a8b5c wwlib+0x2f492a @ 0x64c8492a DllGetLCID+0x94522 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4b6c6e wwlib+0x2e6818 @ 0x64c76818 ?OSFCreateOfficeExtensionsDialogUser@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z+0xfb02f wdCommandDispatch-0x10ee45 wwlib+0x898677 @ 0x65228677 DllGetLCID+0x326892 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x2248fe wwlib+0x578b88 @ 0x64f08b88 DllGetLCID+0x17706f ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x3d4121 wwlib+0x3c9365 @ 0x64d59365 DllGetClassObject+0x2e77 DllGetLCID-0x24a81c wwlib+0x7ada @ 0x64997ada FMain+0x253 DllGetClassObject-0x260 wwlib+0x4a03 @ 0x64994a03 wdCommandDispatch-0x370 winword+0x15c4 @ 0xbd15c4 wdCommandDispatch-0x3dc winword+0x1558 @ 0xbd1558 BaseThreadInitThunk+0x12 
SetUnhandledExceptionFilter-0xbc kernel32+0x53c45 @ 0x76c43c45 RtlInitializeExceptionChain+0xef RtlFreeSid-0x117 ntdll+0x637f5 @ 0x776437f5 
    exception.instruction_r: 0f b6 00 0f b6 c0 0f b6 80 60 6b c2 63 0f be c0 
    exception.instruction: movzx eax, byte ptr [eax] 
    exception.exception_code: 0xc0000005 
    exception.symbol: bson_swap_endian32+0x2ad bson_check_string-0x87 
    exception.address: 0x63beb182 
    registers.esp: 2570528 
    registers.edi: 1 
    registers.eax: 195235840 
    registers.ebp: 2570564 
    registers.edx: 195231752 
    registers.ebx: 259 
    registers.esi: 0 
    registers.ecx: 1 

Cuckoo Monitor integration

Hello, I am trying to add more API hooks to my local Cuckoo installation. Till now, I have done the following:

  1. Added API signatures of GetModuleHandleA and GetModuleFileNameA to the process.rst file.
  2. Made the necessary return value changes to is-success.conf.
  3. Executed the make command. It compiled with 2 warnings.

Now I am wondering how I integrate the compiled monitor into my cuckoo installation. After making the monitor with the above changes, I saw in the CLI log that the output files are monitorx32/64.dll. I found a few hash-named folders in the $CUCKOO_HOME/monitor directory, which contain monitor32/64.dlls as well, but I have no idea in which folder I should replace my modified monitorx32/64.dll. Kindly guide me in this process. How can I push my monitor changes to cuckoo installations, and what is the significance of the hash-named folders?

sig_hook()

sig_hook() is declared by the following code in the hooking.h file: hook_t *sig_hooks(). But I can't find where sig_hook() is implemented.

IWbemServices_ExecMethod API cannot be monitored in Win7

I made a doc that calls powershell.exe to do something.
When I submit it to Windows XP, the IWbemServices_ExecMethod API is monitored like this:

{
    "category": "misc",
    "status": 1,
    "stacktrace": [],
    "pid": 1924,
    "api": "IWbemServices_ExecMethod",
    "return_value": 0,
    "arguments": {
        "inargs": {
            "CurrentDirectory": null,
            "CommandLine": "powershell -w hidden -enco IldvcmxkISIgfCBPdXQtRmlsZSBoZWxsby50eHQ=",
            "ProcessStartupInformation": {
                "YSize": null,
                "FillAttribute": null,
                "CreateFlags": null,
                "Title": null,
                "XCountChars": null,
                "EnvironmentVariables": null,
                "X": null,
                "XSize": null,
                "YCountChars": null,
                "ErrorMode": 0,
                "WinstationDesktop": null,
                "Y": null,
                "ShowWindow": null,
                "PriorityClass": null
            }
        },
        "method": "Create",
        "flags": 0,
        "outargs": {
            "ProcessId": 2004,
            "ReturnValue": 0
        },
        "class": "Win32_Process"
    },
    "time": 1578377503.109427,
    "tid": 1928,
    "flags": {},
    "uniqhash": 0,
    "type": "apicall"
},

But IWbemServices_ExecMethod cannot be monitored in Windows 7.

If you monitor it with API Monitor in Windows 7, it can be monitored, like this:
[image]

Maybe monitor has an error.

Here is the file:
test_vb_powershell.zip

Don't worry, that is just a clean file for testing.
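
As an added example for triaging the record posted above (code written for this page, not part of the monitor or of Cuckoo), the script below picks Win32_Process.Create calls out of IWbemServices_ExecMethod records, finds the abbreviated -EncodedCommand switch (the issue's command line uses -enco) and decodes the payload. powershell.exe expects the base64 of UTF-16LE text, but the blob in this sample is base64 of plain ASCII, so the decoder handles both. SAMPLE_RECORD is a trimmed copy of the record above; the heuristic that an all-printable-ASCII blob was not UTF-16 encoded is the author's assumption.

```python
"""Extract and decode the PowerShell -EncodedCommand from a monitored
Win32_Process.Create call (IWbemServices_ExecMethod record).

Added example, not the monitor's or Cuckoo's code. SAMPLE_RECORD is a trimmed
copy of the apicall record from the issue. The all-printable-ASCII heuristic in
decode_encoded_command() is an assumption: UTF-16LE text of any ASCII character
contains a 0x00 byte, so a blob without one was not UTF-16 encoded.
"""
import base64
import json
import re

SAMPLE_RECORD = json.dumps({
    "category": "misc",
    "api": "IWbemServices_ExecMethod",
    "arguments": {
        "class": "Win32_Process",
        "method": "Create",
        "inargs": {
            "CommandLine": "powershell -w hidden -enco IldvcmxkISIgfCBPdXQtRmlsZSBoZWxsby50eHQ=",
        },
        "outargs": {"ProcessId": 2004, "ReturnValue": 0},
    },
    "type": "apicall",
})

# powershell.exe accepts unambiguous prefixes of -EncodedCommand (-e, -ec, -enc, -enco, ...).
_E_SWITCH = re.compile(r"(?:^|\s)[-/](e[a-z]*)\s+(\S+)", re.IGNORECASE)


def extract_encoded_command(command_line):
    """Base64 blob following an -EncodedCommand style switch, or None."""
    for m in _E_SWITCH.finditer(command_line):
        if "encodedcommand".startswith(m.group(1).lower()):
            return m.group(2)
    return None


def decode_encoded_command(b64):
    """Decode the blob: UTF-16LE as PowerShell expects, or plain ASCII/UTF-8
    when the author (as in this issue's sample) base64-encoded narrow text."""
    raw = base64.b64decode(b64, validate=True)
    if all(0x20 <= b < 0x7F or b in (9, 10, 13) for b in raw):
        return raw.decode("ascii")
    if len(raw) % 2 == 0:
        try:
            return raw.decode("utf-16-le")
        except UnicodeDecodeError:
            pass
    return raw.decode("utf-8", errors="replace")


def powershell_from_record(record_json):
    """(command_line, decoded_command) for a Win32_Process.Create that launches
    PowerShell; decoded_command is None when no encoded switch is present.
    Returns None for any other record."""
    rec = json.loads(record_json)
    if rec.get("api") != "IWbemServices_ExecMethod":
        return None
    args = rec.get("arguments", {})
    if (args.get("class"), args.get("method")) != ("Win32_Process", "Create"):
        return None
    cmdline = args.get("inargs", {}).get("CommandLine") or ""
    if "powershell" not in cmdline.lower():
        return None
    blob = extract_encoded_command(cmdline)
    return cmdline, (decode_encoded_command(blob) if blob else None)


if __name__ == "__main__":
    print(powershell_from_record(SAMPLE_RECORD))
```

On the record above this yields "World!" | Out-File hello.txt, the one-liner the test document's macro runs. Note that PowerShell's real decoder would have rejected or mangled this blob, since it was not UTF-16LE; a sandbox report that only shows the base64 hides that detail.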

Unsupported Anti-VM trick

I noticed an anti-analysis/VM trick which I think is not really new at all. This trick works by computing the interval since the user's last input event. Its pseudocode is as follows:

[image: pseudocode]

To compute the interval since the user's last input event, it subtracts the last input event's tick count from the current tick count. At first, I assumed that cuckoo could defeat this trick just by enabling the simulated human interaction tick count. However, I found out that cuckoo didn't support this, so I decided to take a look at it.

Looking at the GetLastInputInfo API, it is not hooked by cuckoo, which is just fine, and it will only return the time of the last input event. However, GetTickCount has been hooked by cuckoo, and the hook handler returns the current tick count plus the startup time. Based on what I found, the value of the startup time is purposely set to 1 up to 30 times 20 minutes added to the startup time of the process, to defeat anti-VM checks of whether the VM has only been up for < 10 minutes. Here is a snippet of the GetTickCount hook handler:

    DWORD ret = Old_kernel32_GetTickCount();
    get_last_error(&lasterror);

    ret += sleep_skipped() / 10000;

Since GetTickCount is going to return a large tick count value, the interval from the last input event is going to be large as well, thus the anti-VM trick is going to loop until cuckoo hits the timeout.

Right now, my temporary solution is to also hook the GetLastInputInfo API and return a tick count relative to the hook handler of GetTickCount:

GetLastInputInfo

Signature::

* Is success: 1
* Library: user32
* Logging: no
* Return value: BOOLEAN

Parameters::

*  PLASTINPUTINFO plii

Post::

plii->dwTime += sleep_skipped() / 10000;

Do you have any other, more elegant suggestion for how to support this trick?
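
Added simulation (written for this page, not the monitor's code) of the mechanism described in the report above: a guest in which Sleep() is skipped and the skipped time is added to GetTickCount, a sample that loops until the user's last input looks recent, and the proposed GetLastInputInfo post-hook. Without the post-hook the idle interval is inflated by every skipped sleep and the loop runs until the cap; with it the two clocks move together and the simulated click ends the loop. The 2-minute initial uptime, the click every 30 iterations, the 10-second idle threshold and the 2000-iteration cap are assumptions standing in for the real sample and the analysis timeout.

```python
"""Simulation of the GetTickCount / GetLastInputInfo skew described in the issue.

Added example, not the monitor's code. The sandbox skips Sleep() and keeps the
skipped time in 100ns units, adding sleep_skipped() / 10000 milliseconds to
GetTickCount as the hook snippet does. The sample polls until the interval
since the last input event is short. Assumptions: 2 minutes of initial uptime,
a simulated click every 30 iterations, a 10 s idle threshold and a 2000
iteration cap standing in for the analysis timeout.
"""

IDLE_THRESHOLD_MS = 10_000
MAX_ITERATIONS = 2_000


class Sandbox:
    """Constructed guest: real clock, Sleep() skipping and the two hooked APIs."""

    def __init__(self, patch_last_input, skip_sleeps=True):
        self.real_ticks = 120_000        # guest has been up for 2 minutes
        self.skipped_100ns = 0           # time skipped by the Sleep() hook
        self.last_input_real = 0         # real tick of the last simulated input
        self.patch_last_input = patch_last_input
        self.skip_sleeps = skip_sleeps

    def sleep_skipped(self):
        return self.skipped_100ns

    def Sleep(self, ms):
        """Sleep hook: either skip the wait (recording it) or really wait."""
        if self.skip_sleeps:
            self.skipped_100ns += ms * 10_000
            self.real_ticks += 1         # the call itself still costs about 1 ms
        else:
            self.real_ticks += ms

    def GetTickCount(self):
        """GetTickCount hook: real ticks plus everything Sleep() skipped."""
        return self.real_ticks + self.sleep_skipped() // 10_000

    def GetLastInputInfo(self):
        """Unhooked: real tick of the last input. With the proposed post-hook
        the same skew as GetTickCount is added to plii->dwTime."""
        dw_time = self.last_input_real
        if self.patch_last_input:
            dw_time += self.sleep_skipped() // 10_000
        return dw_time

    def human_clicks(self):
        """Simulated human interaction module generating an input event."""
        self.last_input_real = self.real_ticks


def wait_for_user(sandbox, click_every=30):
    """The sample's loop: return the iteration at which the user looked active,
    or None when the cap (the analysis timeout) is hit first."""
    for i in range(1, MAX_ITERATIONS + 1):
        if i % click_every == 0:
            sandbox.human_clicks()
        idle_ms = sandbox.GetTickCount() - sandbox.GetLastInputInfo()
        if idle_ms < IDLE_THRESHOLD_MS:
            return i
        sandbox.Sleep(1000)
    return None


if __name__ == "__main__":
    print("real sleeps, no patch:   ", wait_for_user(Sandbox(False, skip_sleeps=False)))
    print("skipped sleeps, no patch:", wait_for_user(Sandbox(False)))
    print("skipped sleeps, patched: ", wait_for_user(Sandbox(True)))
```

The general point the simulation makes is that sleep skipping is only invisible if every time source the sample can compare is skewed by the same amount; GetLastInputInfo is one such source, timeGetTime, QueryPerformanceCounter and NtQuerySystemTime are others.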

Slow performance on Win7 x64

I inject the cuckoo DLL into notepad, then press CTRL+O in notepad. It should show the open file dialog, but it takes nearly ten minutes for the dialog to appear.

Hook engine bug on Win7 x64

On Win7 x64, winmm.timeGetTime is:

000007FEFAFC1248 | sub rsp,0x28 | timeGetTime
000007FEFAFC124C | cmp dword ptr ds:[0x7FEFAFEE3E0],0x0
000007FEFAFC1253 | jne 0x7FEFAFCD7D0

It seems the trampoline code for cmp dword ptr ds:[0x7FEFAFEE3E0],0x0 just copies the bytes and does not compute the new relative address.
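
Added example (written for this page, not the monitor's hook engine) of the relocation step this report says is missing. The three instructions listed above are reconstructed as bytes from their standard x86-64 encodings, with the disp32 and rel32 fields computed from the listed addresses; copying them to a trampoline keeps the bytes but moves RIP, so each RIP-relative field has to be re-encoded against the new address, and the copy has to fail when a target no longer fits in a signed 32-bit displacement. The trampoline address and the three-entry decoder table are assumptions; the jump back to timeGetTime+17 that a real trampoline appends is left out.

```python
"""Relocating RIP-relative instructions when they are copied into a trampoline.

Added example, not the monitor's hook engine. ORIGINAL is a constructed byte
image of the three timeGetTime instructions from the issue (standard x86-64
encodings; the disp32/rel32 fields are computed from the listed addresses).
FORMS recognises only those three instruction shapes, and TRAMP_ADDR is an
assumed trampoline location; the jump back to the rest of the function that a
real trampoline appends is left out.
"""
import struct

FUNC_ADDR = 0x7FEFAFC1248           # winmm!timeGetTime on the reporter's Win7 x64
TRAMP_ADDR = 0x7FEFB100000          # assumed trampoline page, within +/-2 GiB

ORIGINAL = bytes.fromhex(
    "4883EC28"                      # sub rsp, 0x28
    "833D8DD1020000"                # cmp dword ptr [rip+0x2D18D], 0  -> 0x7FEFAFEE3E0
    "0F8577C50000"                  # jne rel32 +0xC577               -> 0x7FEFAFCD7D0
)

# opcode prefix -> (instruction length, byte offset of its 32-bit RIP-relative field or None)
FORMS = {
    bytes.fromhex("4883EC"): (4, None),   # sub rsp, imm8
    bytes.fromhex("833D"):   (7, 2),      # cmp dword ptr [rip+disp32], imm8
    bytes.fromhex("0F85"):   (6, 2),      # jne rel32
}


def decode(code, addr):
    """Yield (offset, length, field_offset) for each instruction in code."""
    off = 0
    while off < len(code):
        for prefix, (length, field) in FORMS.items():
            if code.startswith(prefix, off):
                yield off, length, field
                off += length
                break
        else:
            raise ValueError("unrecognised instruction at 0x%x" % (addr + off))


def _target(code, addr, off, length, field):
    disp = struct.unpack_from("<i", code, off + field)[0]
    return addr + off + length + disp        # RIP is the address of the next instruction


def targets(code, addr):
    """Absolute targets of every RIP-relative field when code sits at addr."""
    return [_target(code, addr, off, length, field)
            for off, length, field in decode(code, addr) if field is not None]


def relocate(code, old_addr, new_addr):
    """Copy code from old_addr to new_addr, re-encoding each RIP-relative field so
    it still reaches the original absolute target; OverflowError if it cannot."""
    out = bytearray(code)
    for off, length, field in decode(code, old_addr):
        if field is None:
            continue
        target = _target(code, old_addr, off, length, field)
        new_disp = target - (new_addr + off + length)
        if not -2**31 <= new_disp < 2**31:
            raise OverflowError("0x%x not reachable from trampoline at 0x%x" % (target, new_addr))
        struct.pack_into("<i", out, off + field, new_disp)
    return bytes(out)


def reachable(code, old_addr, new_addr):
    """True when every RIP-relative target fits after relocation to new_addr."""
    try:
        relocate(code, old_addr, new_addr)
        return True
    except OverflowError:
        return False


if __name__ == "__main__":
    print("original targets :", [hex(t) for t in targets(ORIGINAL, FUNC_ADDR)])
    print("naive copy reads :", [hex(t) for t in targets(ORIGINAL, TRAMP_ADDR)])
    print("relocated targets:", [hex(t) for t in targets(relocate(ORIGINAL, FUNC_ADDR, TRAMP_ADDR), TRAMP_ADDR)])
```

The "naive copy" line is the bug in the report: the cmp in the trampoline reads a dword at 0x7FEFAFEE3E0 shifted by (TRAMP_ADDR - FUNC_ADDR), and the jne branches into nothing. A hook engine that allocates its trampolines anywhere in the 64-bit address space also needs the OverflowError path, since a page more than 2 GiB away from winmm.dll cannot encode the displacement at all.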

IE9+ fails to run properly with URL analysis

I have the latest and greatest as of a couple of weeks ago, both monitor and cuckoo. I am not able to get URLs to process for anything above IE8. You never see the browser in the screenshots, but the process starts briefly before it's terminated.

Works with:
Win7-SP0-x86 and x64
- IE8

Does not work with:
Win7-SP0-x64
- IE9
- IE10
Win7-SP1-x64
- IE9

The logs mostly look like this. It starts, and then a second later, it's terminating.

2016-09-20 22:05:03,417 [lib.api.process] INFO: Successfully executed process from path 'C:\\Program Files\\Internet Explorer\\iexplore.exe' with arguments ['www.microsoft.com'] and pid 2768
2016-09-20 22:05:03,588 [analyzer] DEBUG: Loaded monitor into process with pid 2768
2016-09-20 22:05:04,243 [analyzer] DEBUG: Received request to inject pid=2768, but we are already injected there.
2016-09-20 22:05:05,507 [analyzer] INFO: Process with pid 2768 has terminated
2016-09-20 22:05:05,507 [analyzer] INFO: Process list is empty, terminating analysis.
2016-09-20 22:05:06,522 [analyzer] INFO: Terminating remaining processes before shutdown.
2016-09-20 22:05:06,522 [analyzer] INFO: Analysis completed.

Occasionally, I've seen it do this:

2016-09-25 13:57:37,526 [lib.api.process] INFO: Successfully executed process from path 'C:\\Program Files\\Internet Explorer\\iexplore.exe' with arguments ['www.msn.com'] and pid 2508
2016-09-25 13:57:37,651 [analyzer] WARNING: Unable to find the correct offsets for functions of: 64-bit kernel32.dll (with timestamp 0x503285c1)
2016-09-25 13:57:37,651 [analyzer] WARNING: Unable to find the correct offsets for functions of: 64-bit kernel32.dll (with timestamp 0x503285c1)
2016-09-25 13:57:37,651 [analyzer] DEBUG: Loaded monitor into process with pid 2508
2016-09-25 13:57:39,009 [analyzer] DEBUG: Received request to inject pid=2508, but we are already injected there.
2016-09-25 13:57:40,365 [analyzer] CRITICAL: Encountered an unknown process while in monitoring mode: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2508 CREDAT:209921 /prefetch:2!
2016-09-25 13:57:40,427 [analyzer] INFO: Injected into process with pid 1820 and name u'\u6410\u020e'
2016-09-25 13:57:40,427 [analyzer] DEBUG: Received request to inject pid=1820, but we are already injected there.
2016-09-25 13:57:40,802 [lib.api.process] INFO: Memory dump of process with pid 1820 completed
2016-09-25 13:57:41,177 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x50327671)
2016-09-25 13:57:41,177 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x50327671)
2016-09-25 13:57:41,223 [analyzer] DEBUG: Loaded monitor into process with pid 1820
2016-09-25 13:57:41,240 [analyzer] INFO: Added new file to list with pid 2508 and path C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{ECF03E79-8351-11E6-9DEA-005056B2687F}.dat
2016-09-25 13:57:41,318 [analyzer] INFO: Added new file to list with pid 2508 and path C:\Users\user\AppData\Local\Temp\~DFEDCBE8621D2F0931.TMP
2016-09-25 13:57:42,706 [analyzer] INFO: Process with pid 2508 has terminated
2016-09-25 13:57:43,720 [analyzer] INFO: Process with pid 1820 has terminated
2016-09-25 13:57:43,720 [analyzer] INFO: Process list is empty, terminating analysis.
2016-09-25 13:57:44,733 [analyzer] INFO: Terminating remaining processes before shutdown.
2016-09-25 13:57:44,733 [analyzer] WARNING: File at path "u'c:\\users\\user\\appdata\\local\\microsoft\\internet explorer\\recovery\\high\\active\\recoverystore.{ecf03e79-8351-11e6-9dea-005056b2687f}.dat'" does not exist, skip.
2016-09-25 13:57:44,733 [analyzer] WARNING: File at path "u'c:\\users\\user\\appdata\\local\\temp\\~dfedcbe8621d2f0931.tmp'" does not exist, skip.
2016-09-25 13:57:44,733 [analyzer] INFO: Analysis completed.

Given that IE8 does not handle HTML5, it would be really good to get a browser that can handle that for URL analysis purposes.

I'm also curious if anyone else is having this issue.

More resilient hooking

Here is some text I picked up from the monitor documentation:

"Now in order to call the original function the stub will look like the
following.

mov edi, edi
push ebp
mov ebp, esp
jmp original_function+5"

This same thing can also be done by the malware to evade analysis, for example:

call $+5
pop eax
add eax, 0xb
push eax
mov ebp, esp
jmp api_to_call+5

Would it not be a better idea to steal a random number of instructions and then patch back with "0xCC" or int 3? A vectored exception handler could be useful to catch the exception if someone tries this kind of circumvention.

COleScript::Compile hook not working

Hi guys, first of all thanks alot for your excellent work.

I'm having issues getting the COleScript::Compile hook defined in insn/vbscript.yml to work properly, and that's confirmed by the "DEBUG: Error resolving function vbscript!COleScript_Compile through our custom callback" log messages I see in the analysis.log file.

I followed the steps described in this article to set up my hook. Since my C:\Windows\System32\vbscript.dll has a different sha256 (9cb3ace7916fbe3876970f58870a6635f32ebeb0ab4aecece7a96be31434b2eb) I had to change both the offset of the PE timestamp and the one of the function inside the DLL, while I wasn't able to figure out what stack: 56 refers to (how should this parameter be set?). Below you can see my definition of the hook:

    COleScript_Compile:
      module: vbscript
      offsets:
        0x512080e8:
          bitmode: 32
          offset: 0x12af0
          register: r8
          stack: 56
          logging:
          - u script r8
          - u type stk0

Despite this, the hook still doesn't seem to work. Is there any useful documentation about these "special" hooks? I can't find anything but that article on the web, and I have no idea what is wrong with the above definition.

I'm working with a Windows 7 Professional x64 (SP1) VM and the sample I'm using for tests is a simple "Hello World" VBS script. My version of vbscript.dll is 5.8.9200.16521.

(I've tried with bitmode: 64 too)

Edit:
I checked the steps I followed to reach the above definition on the same vbscript.dll version used in the article, and they seem to be correct since I can obtain the same offsets used in the production version of this hook. What am I missing?
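
Added example (not the monitor's code) of how a timestamp-keyed insn hook like the one posted above has to be resolved at runtime: the key 0x512080e8 is the IMAGE_FILE_HEADER.TimeDateStamp of the vbscript.dll the offsets were taken from, so a DLL with any other timestamp (or a bitmode mismatch) yields no offsets, which is one way to end up with the "Error resolving function" message. The fake PE header and the resolve function are the author's constructions written for this page; the hook dictionary is a copy of the definition posted above.

```python
"""Resolve a timestamp-keyed insn hook against the DLL actually loaded.

Added example, not the monitor's code. build_fake_pe() constructs just enough
of a PE header for pe_timestamp() to read (not a loadable image), and
COLESCRIPT_COMPILE is a copy of the hook definition posted in the issue.
"""
import hashlib
import struct


def pe_timestamp(image):
    """IMAGE_FILE_HEADER.TimeDateStamp of a PE image given as bytes."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # IMAGE_FILE_HEADER follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    return struct.unpack_from("<I", image, e_lfanew + 8)[0]


def dll_identity(image):
    """(sha256, TimeDateStamp): the two identifiers the issue compares."""
    return hashlib.sha256(image).hexdigest(), pe_timestamp(image)


def build_fake_pe(timestamp, machine=0x14C):
    """Constructed minimal header for the demo; only the fields pe_timestamp() reads are real."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)             # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHI", hdr, 0x44, machine, 1, timestamp)
    return bytes(hdr)


# Copy of the hook definition from the issue (YAML parses 0x512080e8 as an int).
COLESCRIPT_COMPILE = {
    "module": "vbscript",
    "offsets": {
        0x512080e8: {"bitmode": 32, "offset": 0x12af0, "register": "r8", "stack": 56},
    },
}


def resolve_insn_hook(hook, dll_image, bitmode):
    """Return (offset, None) for the matching offsets entry, or (None, reason)."""
    ts = pe_timestamp(dll_image)
    entry = hook["offsets"].get(ts)
    if entry is None:
        return None, "no offsets for %s with timestamp 0x%08x" % (hook["module"], ts)
    if entry["bitmode"] != bitmode:
        return None, "offsets are for %d-bit, process is %d-bit" % (entry["bitmode"], bitmode)
    return entry["offset"], None


if __name__ == "__main__":
    img = build_fake_pe(0x512080e8)
    print(dll_identity(img))
    print(resolve_insn_hook(COLESCRIPT_COMPILE, img, 32))
    print(resolve_insn_hook(COLESCRIPT_COMPILE, build_fake_pe(0x11111111), 32))
```

Running pe_timestamp() over the guest's real C:\Windows\System32\vbscript.dll (and SysWOW64 copy on x64, since a 32-bit host process loads that one) and comparing the result with the YAML key is the quickest way to confirm which of the two things the resolver is rejecting.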

Deadlock in open_handles() of pipe

Hello, I found a suspected deadlock bug in the open_handles() function of monitor.

log_raw() calls write_file() in a loop to transport action messages. After every call to write_file(), log_raw() checks whether the return value of write_file() is STATUS_INVALID_HANDLE.

You wrote a comment there:

It is possible that malware closes our pipe handle. In that case we'll get an invalid handle error. Let's just open a new pipe handle.

Then, if the return value is STATUS_INVALID_HANDLE, log_raw() calls the open_handles() function to open the pipe handle again.

In the open_handles() function, after calling CreateFileW(), if the pipe handle is opened successfully, log_raw() is called to send the current process identifier to the pipe server.

Then there is the problem.

At the beginning of log_raw(), EnterCriticalSection(&g_mutex) is called for thread synchronization. The second time this function is called without a prior call to LeaveCriticalSection(&g_mutex), the critical section has already been 'entered', so the thread will possibly wait forever.
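
Added example (not the monitor's code) modelling the re-entrant path described in the report above: log_raw() takes the lock, the first write fails with STATUS_INVALID_HANDLE, open_handles() reopens the pipe and calls log_raw() again while the lock is still held. Whether that second call blocks depends on the lock type: a non-recursive lock (Python's threading.Lock here) self-deadlocks, a recursive one (threading.RLock) lets the owning thread re-enter. For readers porting this reasoning back to Windows, a CRITICAL_SECTION is recursive for its owning thread, so EnterCriticalSection from the same thread does not block, but every re-entry still has to be balanced by a LeaveCriticalSection. The fake pipe that fails exactly once and the 0.2 s acquire timeout are constructed for the demo.

```python
"""Model of the re-entrant log_raw() -> open_handles() -> log_raw() path.

Added example, not the monitor's code. FakePipe is constructed so that the
first write fails with STATUS_INVALID_HANDLE (as if the sample closed our pipe
handle) and every later write succeeds. LOCK_KINDS lets the same code run with
a non-recursive and a recursive lock.
"""
import threading

STATUS_INVALID_HANDLE = 0xC0000008
LOCK_KINDS = {"Lock": threading.Lock, "RLock": threading.RLock}


class FakePipe:
    def __init__(self):
        self.opened = 0
        self.writes = []
        self._fail_once = True

    def open(self):
        self.opened += 1

    def write(self, data):
        if self._fail_once:
            self._fail_once = False
            return STATUS_INVALID_HANDLE
        self.writes.append(data)
        return 0


class Logger:
    def __init__(self, lock, pipe, pid=1234):
        self.g_mutex = lock
        self.pipe = pipe
        self.pid = pid

    def open_handles(self):
        """Reopen the pipe, then announce our pid through log_raw() (as the
        issue describes), which re-enters the lock held by the caller."""
        self.pipe.open()
        self.log_raw(b"PID:%d" % self.pid)

    def log_raw(self, data, timeout=0.2):
        # Acquire with a timeout so a self-deadlock is reported instead of hanging.
        if not self.g_mutex.acquire(timeout=timeout):
            raise RuntimeError("deadlock: g_mutex is already held by this thread")
        try:
            status = self.pipe.write(data)
            if status == STATUS_INVALID_HANDLE:
                self.open_handles()           # reopen and retry
                status = self.pipe.write(data)
            return status
        finally:
            self.g_mutex.release()


def run(lock_kind):
    """Drive one failing write through a Logger using the named lock type.
    Returns 'ok', 'deadlock' or 'unexpected'."""
    pipe = FakePipe()
    logger = Logger(LOCK_KINDS[lock_kind](), pipe)
    try:
        logger.log_raw(b"hello")
    except RuntimeError:
        return "deadlock"
    return "ok" if pipe.writes == [b"PID:1234", b"hello"] else "unexpected"


if __name__ == "__main__":
    for kind in LOCK_KINDS:
        print(kind, "->", run(kind))
```

The safer structure, independent of lock type, is to perform the reopen outside the locked region or to have open_handles() write the pid announcement directly instead of going back through log_raw(), so the logging path never depends on recursion semantics.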

Install monitor help

I'm not from a Linux background and I'm finding it hard to find a guide or advice on how to make
monitor work with cuckoo.

cuckoo 2.0.6
I've installed the dependencies and then it says make?? I'm lost at the make part.

Can somebody help me with this?

From a basic level:

I install the dependencies,
then I git clone or download the zip.
Where do I clone or download the files to,
and how do I then make, etc.?

Appreciate any help.

Weird output when compiling

Is this supposed to be output when I run the make command?
If not, how do I fix it?
Thank you in advance.

i686-w64-mingw32-gcc -m32 -c -o objects/x86/code/hooks.o objects/code/hooks.c -Wall -Wextra -std=c99 -static -Wno-missing-field-initializers -I inc/ -I objects/code/ -I src/bson/ -I src/sha1/ -mwindows -DDEBUG=0 -O0 -s
x86_64-w64-mingw32-gcc -m64 -c -o objects/x64/code/hooks.o objects/code/hooks.c -Wall -Wextra -std=c99 -static -Wno-missing-field-initializers -I inc/ -I objects/code/ -I src/bson/ -I src/sha1/ -mwindows -DDEBUG=0 -O0 -s
objects/code/hooks.c: In function ‘New_kernel32_GetFileAttributesExW’:
objects/code/hooks.c:10306:13: warning: passing argument 1 of ‘strstr’ from incompatible pointer type [-Wincompatible-pointer-types]
  if (strstr(lpFileName, "VBox") != NULL)
             ^~~~~~~~~~
In file included from /usr/share/mingw-w64/include/guiddef.h:148:0,
                 from /usr/share/mingw-w64/include/winnt.h:628,
                 from /usr/share/mingw-w64/include/minwindef.h:163,
                 from /usr/share/mingw-w64/include/windef.h:8,
                 from /usr/share/mingw-w64/include/windows.h:69,
                 from /usr/share/mingw-w64/include/winsock2.h:23,
                 from objects/code/hooks.h:22,
                 from objects/code/hooks.c:21:
/usr/share/mingw-w64/include/string.h:96:31: note: expected ‘const char *’ but argument is of type ‘LPCWSTR {aka const short unsigned int *}’
   _CONST_RETURN char *__cdecl strstr(const char *_Str,const char *_SubStr);
                               ^~~~~~
objects/code/hooks.c:10342:13: warning: passing argument 1 of ‘strstr’ from incompatible pointer type [-Wincompatible-pointer-types]
  if (strstr(lpFileName, "VBox") != NULL)
             ^~~~~~~~~~
In file included from /usr/share/mingw-w64/include/guiddef.h:148:0,
                 from /usr/share/mingw-w64/include/winnt.h:628,
                 from /usr/share/mingw-w64/include/minwindef.h:163,
                 from /usr/share/mingw-w64/include/windef.h:8,
                 from /usr/share/mingw-w64/include/windows.h:69,
                 from /usr/share/mingw-w64/include/winsock2.h:23,
                 from objects/code/hooks.h:22,
                 from objects/code/hooks.c:21:
/usr/share/mingw-w64/include/string.h:96:31: note: expected ‘const char *’ but argument is of type ‘LPCWSTR {aka const short unsigned int *}’
   _CONST_RETURN char *__cdecl strstr(const char *_Str,const char *_SubStr);
                               ^~~~~~
objects/code/hooks.c: In function ‘New_kernel32_GetFileAttributesW’:
objects/code/hooks.c:10365:13: warning: passing argument 1 of ‘strstr’ from incompatible pointer type [-Wincompatible-pointer-types]
  if (strstr(lpFileName, "VBox") != NULL)
             ^~~~~~~~~~
In file included from /usr/share/mingw-w64/include/guiddef.h:148:0,
                 from /usr/share/mingw-w64/include/winnt.h:628,
                 from /usr/share/mingw-w64/include/minwindef.h:163,
                 from /usr/share/mingw-w64/include/windef.h:8,
                 from /usr/share/mingw-w64/include/windows.h:69,
                 from /usr/share/mingw-w64/include/winsock2.h:23,
                 from objects/code/hooks.h:22,
                 from objects/code/hooks.c:21:
/usr/share/mingw-w64/include/string.h:96:31: note: expected ‘const char *’ but argument is of type ‘LPCWSTR {aka const short unsigned int *}’
   _CONST_RETURN char *__cdecl strstr(const char *_Str,const char *_SubStr);
                               ^~~~~~
objects/code/hooks.c:10399:13: warning: passing argument 1 of ‘strstr’ from incompatible pointer type [-Wincompatible-pointer-types]
  if (strstr(lpFileName, "VBox") != NULL)
             ^~~~~~~~~~
In file included from /usr/share/mingw-w64/include/guiddef.h:148:0,
                 from /usr/share/mingw-w64/include/winnt.h:628,
                 from /usr/share/mingw-w64/include/minwindef.h:163,
                 from /usr/share/mingw-w64/include/windef.h:8,
                 from /usr/share/mingw-w64/include/windows.h:69,
                 from /usr/share/mingw-w64/include/winsock2.h:23,
                 from objects/code/hooks.h:22,
                 from objects/code/hooks.c:21:
/usr/share/mingw-w64/include/string.h:96:31: note: expected ‘const char *’ but argument is of type ‘LPCWSTR {aka const short unsigned int *}’
   _CONST_RETURN char *__cdecl strstr(const char *_Str,const char *_SubStr);
                               ^~~~~~
objects/code/hooks.c: In function ‘New_advapi32_RegQueryValueExA’:
objects/code/hooks.c:6889:1: warning: control reaches end of non-void function [-Wreturn-type]
 }
 ^
objects/code/hooks.c: In function ‘New_kernel32_GetFileAttributesExW’:
objects/code/hooks.c:10306:13: warning: passing argument 1 of ‘strstr’ from incompatible pointer type [-Wincompatible-pointer-types]
  if (strstr(lpFileName, "VBox") != NULL)
             ^~~~~~~~~~
In file included from /usr/share/mingw-w64/include/guiddef.h:148:0,
                 from /usr/share/mingw-w64/include/winnt.h:628,
                 from /usr/share/mingw-w64/include/minwindef.h:163,
                 from /usr/share/mingw-w64/include/windef.h:8,
                 from /usr/share/mingw-w64/include/windows.h:69,
                 from /usr/share/mingw-w64/include/winsock2.h:23,
                 from objects/code/hooks.h:22,
                 from objects/code/hooks.c:21:
/usr/share/mingw-w64/include/string.h:96:31: note: expected ‘const char *’ but argument is of type ‘LPCWSTR {aka const short unsigned int *}’
   _CONST_RETURN char *__cdecl strstr(const char *_Str,const char *_SubStr);
                               ^~~~~~
objects/code/hooks.c:10342:13: warning: passing argument 1 of ‘strstr’ from incompatible pointer type [-Wincompatible-pointer-types]
  if (strstr(lpFileName, "VBox") != NULL)
             ^~~~~~~~~~
In file included from /usr/share/mingw-w64/include/guiddef.h:148:0,
                 from /usr/share/mingw-w64/include/winnt.h:628,
                 from /usr/share/mingw-w64/include/minwindef.h:163,
                 from /usr/share/mingw-w64/include/windef.h:8,
                 from /usr/share/mingw-w64/include/windows.h:69,
                 from /usr/share/mingw-w64/include/winsock2.h:23,
                 from objects/code/hooks.h:22,
                 from objects/code/hooks.c:21:
/usr/share/mingw-w64/include/string.h:96:31: note: expected ‘const char *’ but argument is of type ‘LPCWSTR {aka const short unsigned int *}’
   _CONST_RETURN char *__cdecl strstr(const char *_Str,const char *_SubStr);
                               ^~~~~~
objects/code/hooks.c: In function ‘New_kernel32_GetFileAttributesW’:
objects/code/hooks.c:10365:13: warning: passing argument 1 of ‘strstr’ from incompatible pointer type [-Wincompatible-pointer-types]
  if (strstr(lpFileName, "VBox") != NULL)
             ^~~~~~~~~~
In file included from /usr/share/mingw-w64/include/guiddef.h:148:0,
                 from /usr/share/mingw-w64/include/winnt.h:628,
                 from /usr/share/mingw-w64/include/minwindef.h:163,
                 from /usr/share/mingw-w64/include/windef.h:8,
                 from /usr/share/mingw-w64/include/windows.h:69,
                 from /usr/share/mingw-w64/include/winsock2.h:23,
                 from objects/code/hooks.h:22,
                 from objects/code/hooks.c:21:
/usr/share/mingw-w64/include/string.h:96:31: note: expected ‘const char *’ but argument is of type ‘LPCWSTR {aka const short unsigned int *}’
   _CONST_RETURN char *__cdecl strstr(const char *_Str,const char *_SubStr);
                               ^~~~~~
objects/code/hooks.c:10399:13: warning: passing argument 1 of ‘strstr’ from incompatible pointer type [-Wincompatible-pointer-types]
  if (strstr(lpFileName, "VBox") != NULL)
             ^~~~~~~~~~
In file included from /usr/share/mingw-w64/include/guiddef.h:148:0,
                 from /usr/share/mingw-w64/include/winnt.h:628,
                 from /usr/share/mingw-w64/include/minwindef.h:163,
                 from /usr/share/mingw-w64/include/windef.h:8,
                 from /usr/share/mingw-w64/include/windows.h:69,
                 from /usr/share/mingw-w64/include/winsock2.h:23,
                 from objects/code/hooks.h:22,
                 from objects/code/hooks.c:21:
/usr/share/mingw-w64/include/string.h:96:31: note: expected ‘const char *’ but argument is of type ‘LPCWSTR {aka const short unsigned int *}’
   _CONST_RETURN char *__cdecl strstr(const char *_Str,const char *_SubStr);
                               ^~~~~~
objects/code/hooks.c: In function ‘New_advapi32_RegQueryValueExA’:
objects/code/hooks.c:6889:1: warning: control reaches end of non-void function [-Wreturn-type]
 }
 ^
i686-w64-mingw32-gcc -m32 -shared -o bin/monitor-x86.dll bin/monitor.c objects/x86/src/hooking.o objects/x86/src/config.o objects/x86/src/iexplore.o objects/x86/src/exploit.o objects/x86/src/sleep.o objects/x86/src/log.o objects/x86/src/ignore.o objects/x86/src/copy.o objects/x86/src/native.o objects/x86/src/pipe.o objects/x86/src/office.o objects/x86/src/disguise.o objects/x86/src/flash.o objects/x86/src/memory.o objects/x86/src/utf8.o objects/x86/src/wmi.o objects/x86/src/hashtable.o objects/x86/src/diffing.o objects/x86/src/unhook.o objects/x86/src/assembly.o objects/x86/src/symbol.o objects/x86/src/misc.o objects/x86/code/hooks.o objects/x86/code/flags.o objects/x86/code/insns.o objects/x86/src/bson/bson.o objects/x86/src/bson/encoding.o objects/x86/src/bson/numbers.o src/capstone/capstone-x86.lib objects/x86/src/sha1/sha1.o -Wall -Wextra -std=c99 -static -Wno-missing-field-initializers -I inc/ -I objects/code/ -I src/bson/ -I src/sha1/ -mwindows -DDEBUG=0 -O0 -s -lshlwapi
x86_64-w64-mingw32-gcc -m64 -shared -o bin/monitor-x64.dll bin/monitor.c objects/x64/src/hooking.o objects/x64/src/config.o objects/x64/src/iexplore.o objects/x64/src/exploit.o objects/x64/src/sleep.o objects/x64/src/log.o objects/x64/src/ignore.o objects/x64/src/copy.o objects/x64/src/native.o objects/x64/src/pipe.o objects/x64/src/office.o objects/x64/src/disguise.o objects/x64/src/flash.o objects/x64/src/memory.o objects/x64/src/utf8.o objects/x64/src/wmi.o objects/x64/src/hashtable.o objects/x64/src/diffing.o objects/x64/src/unhook.o objects/x64/src/assembly.o objects/x64/src/symbol.o objects/x64/src/misc.o objects/x64/code/hooks.o objects/x64/code/flags.o objects/x64/code/insns.o objects/x64/src/bson/bson.o objects/x64/src/bson/encoding.o objects/x64/src/bson/numbers.o src/capstone/capstone-x64.lib objects/x64/src/sha1/sha1.o -Wall -Wextra -std=c99 -static -Wno-missing-field-initializers -I inc/ -I objects/code/ -I src/bson/ -I src/sha1/ -mwindows -DDEBUG=0 -O0 -s -lshlwapi
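The -Wincompatible-pointer-types warnings in the build output above (hooks.c lines 10306, 10342, 10365 and 10399, inside New_kernel32_GetFileAttributesExW and New_kernel32_GetFileAttributesW) are worth more than a glance. lpFileName is an LPCWSTR, a UTF-16 string, and strstr() reads it as a NUL-terminated byte string: on an ASCII path it stops at the zero high byte of the very first character, so the "VBox" comparison can never match and the path check silently never fires. The following is an added example, not code from the monitor project; it uses a constructed UTF-16LE path and a hand-written code-unit search (equivalent to wcsstr() on Windows, written out with uint16_t so it behaves the same on a host where wchar_t is 32 bits):

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: a UTF-16LE path as a hooked GetFileAttributesW would
 * receive it in lpFileName. uint16_t stands in for WCHAR so the in-memory
 * layout matches Windows regardless of the host's wchar_t width. */
static const uint16_t kSamplePath[] = {
    'C', ':', '\\', 'W', 'i', 'n', 'd', 'o', 'w', 's', '\\',
    'S', 'y', 's', 't', 'e', 'm', '3', '2', '\\', 'd', 'r', 'i', 'v', 'e', 'r', 's', '\\',
    'V', 'B', 'o', 'x', 'M', 'o', 'u', 's', 'e', '.', 's', 'y', 's', 0
};

/* What the warned-about call effectively does: strstr() treats the buffer as
 * a byte string and stops at the 0x00 high byte of 'C', so it only ever sees
 * a one-character string. Returns 1 if "VBox" was found, 0 otherwise. */
int narrow_search_finds_vbox(const uint16_t *wide_path) {
    return strstr((const char *)wide_path, "VBox") != NULL;
}

/* Correct approach: compare UTF-16 code unit by code unit against an ASCII
 * needle. Returns 1 if needle occurs in haystack, 0 otherwise. */
int wide_contains(const uint16_t *haystack, const char *needle) {
    size_t n = strlen(needle);
    for (size_t i = 0; haystack[i] != 0; i++) {
        size_t j = 0;
        while (j < n && haystack[i + j] != 0 &&
               haystack[i + j] == (uint16_t)(unsigned char)needle[j]) {
            j++;
        }
        if (j == n) {
            return 1;
        }
    }
    return 0;
}

int wide_search_finds_vbox(const uint16_t *wide_path) {
    return wide_contains(wide_path, "VBox");
}

int main(void) {
    printf("strstr on UTF-16 path finds VBox: %d\n", narrow_search_finds_vbox(kSamplePath));
    printf("code-unit search finds VBox:      %d\n", wide_search_finds_vbox(kSamplePath));
    return 0;
}
```

On the constructed path the byte-wise search reports 0 and the code-unit search reports 1, which is exactly the difference between a disguise check that is compiled with a warning and one that actually works. The other warning in the same output, control reaching the end of the non-void New_advapi32_RegQueryValueExA, is a separate defect: the hook returns an indeterminate value on whatever path falls off the end.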

Change behaviour by cuckoo monitor

Hello,
I am trying to understand how, and whether, it is possible to actually hook a function with the monitor and change its arguments at runtime.
I am trying to change the code in hook.c and inject.c, but it doesn't seem really effective.
Thank you

How to hide VM with cuckoomonitor?

I have cloned cuckoomonitor into the monitor directory of Cuckoo Sandbox; after I do make, when I run pafish on Windows 7, nothing has changed.
So, what should I do to hide my virtual environment?

And the hook_reg.c file no longer exists?

Internal Server Error for url: http:/192.168.56.101:800/mkdtemp

When an analysis is almost complete, both file and URL, the server throws a "Failure in AnalysisManager.run" error message.
After the Traceback, the "HTTP Error: 500 Server Error: Internal Server Error for url: http:/192.168.56.101:800/mkdtemp" is reported.

I have reviewed a number of documents and I have tried a number of updates without any success.

Please assist.
cuckoo.log

Windows 8.1 machine dont hook System calls

Hi!

I'm trying to use the latest version of monitor, but I noticed that when I launch a sample against Windows 8.1, Windows 10 or Windows 8.1 x64, it doesn't hook system calls.

On Windows 7 x32 and Windows 7 x64 it works properly, and logs all new processes created...

Any idea? I'm writing the MD5 of the sample to help you test it in your Cuckoo Sandbox.

MD5: e15cb14886edfcb26787202cfae7556c

And here are the analysis logs, from Windows 7 x32 and Windows 8.1 x32.

Windows7x32

2018-06-08 08:54:04,993 [analyzer] DEBUG: Starting analyzer from: C:\tmpnq9b9u
2018-06-08 08:54:05,071 [analyzer] DEBUG: Pipe server name: ??\PIPE\LeOogKWOQPoRognGvENAz
2018-06-08 08:54:05,071 [analyzer] DEBUG: Log pipe server name: ??\PIPE\cITSvdclDbicPhniYcIFBDsTXDGPAAuW
2018-06-08 08:54:05,071 [analyzer] INFO: Searching for installing files
2018-06-08 08:54:05,071 [analyzer] ERROR: No files for autoinstall
2018-06-08 08:54:05,071 [analyzer] DEBUG: No analysis package specified, trying to detect it automagically.
2018-06-08 08:54:05,101 [analyzer] INFO: Automatically selected analysis package "exe"
2018-06-08 08:54:18,868 [analyzer] DEBUG: Started auxiliary module DbgView
2018-06-08 08:54:19,322 [analyzer] DEBUG: Started auxiliary module Disguise
2018-06-08 08:54:21,539 [analyzer] DEBUG: Loaded monitor into process with pid 532
2018-06-08 08:54:21,539 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2018-06-08 08:54:21,539 [analyzer] DEBUG: Started auxiliary module Human
2018-06-08 08:54:21,539 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2018-06-08 08:54:21,539 [analyzer] DEBUG: Started auxiliary module OpenWeb
2018-06-08 08:54:21,539 [analyzer] DEBUG: Started auxiliary module Reboot
2018-06-08 08:54:21,743 [analyzer] DEBUG: Started auxiliary module RecentFiles
2018-06-08 08:54:21,743 [analyzer] DEBUG: Started auxiliary module Screenshots
2018-06-08 08:54:21,743 [modules.auxiliary.sendkeys] INFO: Módulo SendKeys cargado pero inactivo
2018-06-08 08:54:21,743 [analyzer] DEBUG: Started auxiliary module sendkeys
2018-06-08 08:54:21,743 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2018-06-08 08:54:21,757 [lib.api.process] ERROR: Usuario no limitado
2018-06-08 08:54:25,757 [lib.api.process] INFO: Successfully executed process from path u'C:\Users\JUANCI~1\AppData\Local\Temp\ProbaTor_setup.exe' with arguments '' and pid 1536
2018-06-08 08:54:26,023 [analyzer] DEBUG: Loaded monitor into process with pid 1536
2018-06-08 08:54:26,164 [analyzer] ERROR: mode
2018-06-08 08:54:26,180 [analyzer] ERROR: 0
2018-06-08 08:54:26,197 [analyzer] INFO: Injected into process with pid 304 and name u'calc.exe'
2018-06-08 08:54:26,197 [analyzer] DEBUG: Received request to inject pid=1536, but we are already injected there.
2018-06-08 08:54:26,243 [analyzer] DEBUG: Received request to inject pid=304, but we are already injected there.
2018-06-08 08:54:26,555 [lib.api.process] INFO: Memory dump of process with pid 304 completed
2018-06-08 08:54:26,571 [analyzer] INFO: Added new file to list with pid 1536 and path \Device\ConDrv
2018-06-08 08:54:26,789 [analyzer] DEBUG: Loaded monitor into process with pid 304
2018-06-08 08:54:47,382 [analyzer] INFO: Added new file to list with pid 1536 and path C:\Users\JuanCierva\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malguar.exe
2018-06-08 08:54:49,056 [analyzer] INFO: Added new file to list with pid 1536 and path C:\Users\JuanCierva\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malguar2.exe
2018-06-08 08:54:50,523 [analyzer] INFO: Added new file to list with pid 1536 and path C:\calc.exe
2018-06-08 08:54:51,243 [analyzer] INFO: Added new file to list with pid 1536 and path C:\descargao.exe
2018-06-08 08:56:32,993 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2018-06-08 08:56:32,993 [analyzer] WARNING: File at path "u'\device\condrv'" does not exist, skip.
2018-06-08 08:56:33,007 [analyzer] INFO: Analysis completed.
marta@marta:~/.cuckoo/storage/analyses/634$ cat ../635/analysis.log
2018-06-08 08:54:12,000 [analyzer] DEBUG: Starting analyzer from: C:\tmpdkm1gi
2018-06-08 08:54:12,030 [analyzer] DEBUG: Pipe server name: ??\PIPE\lDrcIDKxRQMYDGcCuYAGRr
2018-06-08 08:54:12,030 [analyzer] DEBUG: Log pipe server name: ??\PIPE\kyVpvtTrTSGdrxLGz
2018-06-08 08:54:12,030 [analyzer] INFO: Searching for installing files
2018-06-08 08:54:12,046 [analyzer] ERROR: No files for autoinstall
2018-06-08 08:54:12,046 [analyzer] DEBUG: No analysis package specified, trying to detect it automagically.
2018-06-08 08:54:12,046 [analyzer] INFO: Automatically selected analysis package "exe"
2018-06-08 08:54:17,358 [analyzer] DEBUG: Started auxiliary module DbgView
2018-06-08 08:54:18,015 [analyzer] DEBUG: Started auxiliary module Disguise
2018-06-08 08:54:18,296 [analyzer] DEBUG: Loaded monitor into process with pid 492
2018-06-08 08:54:18,296 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2018-06-08 08:54:18,296 [analyzer] DEBUG: Started auxiliary module Human
2018-06-08 08:54:18,296 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2018-06-08 08:54:18,296 [analyzer] DEBUG: Started auxiliary module OpenWeb
2018-06-08 08:54:18,296 [analyzer] DEBUG: Started auxiliary module Reboot
2018-06-08 08:54:18,453 [analyzer] DEBUG: Started auxiliary module RecentFiles
2018-06-08 08:54:18,453 [analyzer] DEBUG: Started auxiliary module Screenshots
2018-06-08 08:54:18,453 [modules.auxiliary.sendkeys] INFO: Módulo SendKeys cargado pero inactivo
2018-06-08 08:54:18,453 [analyzer] DEBUG: Started auxiliary module sendkeys
2018-06-08 08:54:18,453 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2018-06-08 08:54:23,078 [lib.api.process] ERROR: Usuario no limitado
2018-06-08 08:54:23,203 [lib.api.process] INFO: Successfully executed process from path u'C:\Users\juan\AppData\Local\Temp\ProbaTor_setup.exe' with arguments '' and pid 2364
2018-06-08 08:54:23,437 [analyzer] DEBUG: Loaded monitor into process with pid 2364
2018-06-08 08:54:23,467 [analyzer] ERROR: mode
2018-06-08 08:54:23,467 [analyzer] ERROR: 0
2018-06-08 08:54:23,500 [analyzer] INFO: Injected into process with pid 1260 and name u'calc.exe'
2018-06-08 08:54:23,655 [analyzer] DEBUG: Loaded monitor into process with pid 1260
2018-06-08 08:54:23,717 [analyzer] DEBUG: Received request to inject pid=1260, but we are already injected there.
2018-06-08 08:54:41,790 [analyzer] ERROR: mode
2018-06-08 08:54:41,790 [analyzer] ERROR: 0
2018-06-08 08:54:41,822 [analyzer] INFO: Injected into process with pid 2072 and name u'cmd.exe'
2018-06-08 08:54:41,947 [analyzer] DEBUG: Loaded monitor into process with pid 2072
2018-06-08 08:54:41,961 [analyzer] DEBUG: Received request to inject pid=2072, but we are already injected there.
2018-06-08 08:54:42,009 [analyzer] ERROR: mode
2018-06-08 08:54:42,009 [analyzer] ERROR: 0
2018-06-08 08:54:42,025 [analyzer] INFO: Injected into process with pid 2372 and name u'PING.EXE'
2018-06-08 08:54:42,227 [analyzer] DEBUG: Loaded monitor into process with pid 2372
2018-06-08 08:54:42,509 [analyzer] INFO: Added new file to list with pid 2364 and path C:\Users\juan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malguar.exe
2018-06-08 08:54:42,711 [analyzer] INFO: Added new file to list with pid 2364 and path C:\Users\juan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malguar2.exe
2018-06-08 08:54:42,711 [analyzer] INFO: Error dumping file from path "C:\Users\juan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malguar2.exe": [Errno 13] Permission denied: u'C:\Users\juan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malguar2.exe'
2018-06-08 08:54:42,727 [analyzer] INFO: Added new file to list with pid 2364 and path C:\calc.exe
2018-06-08 08:54:42,822 [analyzer] INFO: Process with pid 2072 has terminated
2018-06-08 08:54:43,430 [analyzer] INFO: Added new file to list with pid 2364 and path C:\descargao.exe
2018-06-08 08:54:43,493 [analyzer] ERROR: mode
2018-06-08 08:54:43,493 [analyzer] ERROR: 0
2018-06-08 08:54:43,540 [analyzer] INFO: Injected into process with pid 2568 and name u'cmd.exe'
2018-06-08 08:54:43,665 [analyzer] DEBUG: Loaded monitor into process with pid 2568
2018-06-08 08:54:43,680 [analyzer] DEBUG: Received request to inject pid=2568, but we are already injected there.
2018-06-08 08:54:43,743 [analyzer] ERROR: mode
2018-06-08 08:54:43,743 [analyzer] ERROR: 0
2018-06-08 08:54:43,775 [analyzer] INFO: Injected into process with pid 1608 and name u'sc.exe'
2018-06-08 08:54:43,822 [analyzer] INFO: Process with pid 2372 has terminated
2018-06-08 08:54:43,915 [analyzer] DEBUG: Loaded monitor into process with pid 1608
2018-06-08 08:54:51,290 [analyzer] DEBUG: Received request to inject pid=1608, but we are already injected there.
2018-06-08 08:54:51,322 [analyzer] ERROR: mode
2018-06-08 08:54:51,336 [analyzer] ERROR: 0
2018-06-08 08:54:51,352 [analyzer] INFO: Injected into process with pid 2756 and name u'cmd.exe'
2018-06-08 08:54:51,509 [analyzer] DEBUG: Loaded monitor into process with pid 2756
2018-06-08 08:54:51,822 [analyzer] INFO: Process with pid 2568 has terminated
2018-06-08 08:54:52,822 [analyzer] INFO: Process with pid 1608 has terminated
2018-06-08 08:56:26,822 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2018-06-08 08:56:26,836 [analyzer] INFO: Analysis completed.

Windows 8.1 x32

2018-06-08 08:54:04,993 [analyzer] DEBUG: Starting analyzer from: C:\tmpnq9b9u
2018-06-08 08:54:05,071 [analyzer] DEBUG: Pipe server name: ??\PIPE\LeOogKWOQPoRognGvENAz
2018-06-08 08:54:05,071 [analyzer] DEBUG: Log pipe server name: ??\PIPE\cITSvdclDbicPhniYcIFBDsTXDGPAAuW
2018-06-08 08:54:05,071 [analyzer] INFO: Searching for installing files
2018-06-08 08:54:05,071 [analyzer] ERROR: No files for autoinstall
2018-06-08 08:54:05,071 [analyzer] DEBUG: No analysis package specified, trying to detect it automagically.
2018-06-08 08:54:05,101 [analyzer] INFO: Automatically selected analysis package "exe"
2018-06-08 08:54:18,868 [analyzer] DEBUG: Started auxiliary module DbgView
2018-06-08 08:54:19,322 [analyzer] DEBUG: Started auxiliary module Disguise
2018-06-08 08:54:21,539 [analyzer] DEBUG: Loaded monitor into process with pid 532
2018-06-08 08:54:21,539 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2018-06-08 08:54:21,539 [analyzer] DEBUG: Started auxiliary module Human
2018-06-08 08:54:21,539 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2018-06-08 08:54:21,539 [analyzer] DEBUG: Started auxiliary module OpenWeb
2018-06-08 08:54:21,539 [analyzer] DEBUG: Started auxiliary module Reboot
2018-06-08 08:54:21,743 [analyzer] DEBUG: Started auxiliary module RecentFiles
2018-06-08 08:54:21,743 [analyzer] DEBUG: Started auxiliary module Screenshots
2018-06-08 08:54:21,743 [modules.auxiliary.sendkeys] INFO: Módulo SendKeys cargado pero inactivo
2018-06-08 08:54:21,743 [analyzer] DEBUG: Started auxiliary module sendkeys
2018-06-08 08:54:21,743 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2018-06-08 08:54:21,757 [lib.api.process] ERROR: Usuario no limitado
2018-06-08 08:54:25,757 [lib.api.process] INFO: Successfully executed process from path u'C:\Users\JUANCI~1\AppData\Local\Temp\ProbaTor_setup.exe' with arguments '' and pid 1536
2018-06-08 08:54:26,023 [analyzer] DEBUG: Loaded monitor into process with pid 1536
2018-06-08 08:54:26,164 [analyzer] ERROR: mode
2018-06-08 08:54:26,180 [analyzer] ERROR: 0
2018-06-08 08:54:26,197 [analyzer] INFO: Injected into process with pid 304 and name u'calc.exe'
2018-06-08 08:54:26,197 [analyzer] DEBUG: Received request to inject pid=1536, but we are already injected there.
2018-06-08 08:54:26,243 [analyzer] DEBUG: Received request to inject pid=304, but we are already injected there.
2018-06-08 08:54:26,555 [lib.api.process] INFO: Memory dump of process with pid 304 completed
2018-06-08 08:54:26,571 [analyzer] INFO: Added new file to list with pid 1536 and path \Device\ConDrv
2018-06-08 08:54:26,789 [analyzer] DEBUG: Loaded monitor into process with pid 304
2018-06-08 08:54:47,382 [analyzer] INFO: Added new file to list with pid 1536 and path C:\Users\JuanCierva\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malguar.exe
2018-06-08 08:54:49,056 [analyzer] INFO: Added new file to list with pid 1536 and path C:\Users\JuanCierva\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malguar2.exe
2018-06-08 08:54:50,523 [analyzer] INFO: Added new file to list with pid 1536 and path C:\calc.exe
2018-06-08 08:54:51,243 [analyzer] INFO: Added new file to list with pid 1536 and path C:\descargao.exe
2018-06-08 08:56:32,993 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2018-06-08 08:56:32,993 [analyzer] WARNING: File at path "u'\device\condrv'" does not exist, skip.
2018-06-08 08:56:33,007 [analyzer] INFO: Analysis completed.

64 Bit analysis issue within IE 8

Hello,
I think the problem with the Monitor dll for the 64-bit analyses still exists within IE8. I compiled the current Monitor branch, and when I start an analysis within Internet Explorer (with the new dll files), especially on an x64 host, Internet Explorer always crashes at the beginning of the analysis. Please see the attached picture:

(attached image: ie864bitproblem)

Best regards,

how to hook?

As a beginner, I don't know where the APIs are hooked in the source code. I need some help, thanks!

Some discussion about anti cuckoo monitor

Currently, monitor hooks a lot of functions in ring3; this can be easily detected by malware. There is a project, zer0m0n, that hooks in ring0, but it seems to cover only a few functions.

I have an idea to avoid anti-cuckoo detection, which is based on qemu. In qemu there are two emulation modes, one is kvm, one is tcg. When running in tcg mode, we can know the running state of the guest VMs, like the EIP of the CPU registers. Then we can compare the value of EIP with the addresses of APIs; if they are equal, we can say that the API has been called, and then we can record the parameters (we must read the stack memory; that's another matter). This doesn't need any hook in the guest VMs; the downside of this approach is that it may lack some of the current features.

There are already some projects based on qemu that did this, but they are not mature, like s2e, DECAF, and MBA.

Hooking additional functions

Hello!

Is there any way to define some additional functions to be hooked? I've found some .rst files, which contain definitions of hooked functions. What is this .rst format? Can I modify these files in order to hook some other functions?

Thanks in advance!

inject not working when not running as administrator

I found this repository when the inject-x64.exe and inject-x86.exe of cuckoo sandbox threw this error:
“[-] Error dropping configuration file: 5”

Taking a look at inject.c, I see that it's trying to move the configuration file directly under C:\ drive, and it's hardcoded.
Makes sense, because error code 5 means Access Denied.

I have 2 ideas for a fix:

  1. Not moving the config file at all... Why does it even need to happen?
  2. If the moving really has to happen, there could at least be an optional argument that specifies the directory.

Avoid escaping the hooks through fresh LoadLibrary or MemoryModule?

I bumped into this article:
http://www.malwaretech.com/2013/09/fighting-hooks-with-hooks-sandbox-escape.html

This guy shows a way (with example code) to escape hooks, by making LoadLibrary load a fresh copy of a specific dll.
He also mentions that there's no available code that replicates LoadLibrary behaviour and that this is very complex - but now there's also https://github.com/fancycode/MemoryModule, so it makes it really easy to load a library without going through LoadLibrary.

This makes the cuckoo monitor unreliable for the next gen malware... Are there other known methods to trace the API calls?

Virtual* function hook bug

cuckoo version 2.0.7
I found that when I open some documents which contain macros, a stack exception happens,
and when I remove the Virtual* functions' hooks from the g_hooks var in the file hooks.c, the problem disappears.

How to modify an existing hook

Is there any documentation, other than cuckoo monitor's documentation, which provides information about creating a new hook or modifying an existing one in the monitor?

For instance, in the monitor we have a hook named DeleteFileW which detects the deletion of any file during the analysis. If we want to modify it to detect the deletion of a particular file, named employee.txt, what changes do we need to make in the DeleteFileW block in file.rst, and why?

vbe6 hooks does not cover later office apps?

Hi,

Looking through this I noticed it covers VBE6 https://github.com/cuckoosandbox/monitor/blob/master/sigs/office.rst. This I was hoping would lead me to be able to dynamically analyze office files better and create signatures for this (something I have wanted for a while in cuckoo given all the office downloaders).

Now I don't really understand the hooking, or think I have the ability to add in the hooks myself, unless there is an easy framework for doing this which doesn't take too much tinkering, but I think other VBE versions need to be covered.

For instance, I have office 2010 on some of my images; from what I understand this utilises vbe7.dll, and instrumentation of this is covered here for windbg: https://hiddencodes.wordpress.com/2015/05/18/instrument-microsoft-office-applications-to-defeat-macro-obfuscations/. So as well as vbe6_StringConcat, things like vbe7_StringConcat would need to be hooked too, as well as other versions of office, to handle this?

If it should be hooking vbe6 in office 2010 onwards, I can see it is not showing these hooked results on mine, so if you let me know what info you need to investigate why, I will provide it. Thank you very much.

Error creating function stub for advapi32!RegOpenKeyExW.

I was trying to analyse a sample with Cuckoo Sandbox 2.0.7 and the analyzer logs show:
2019-11-06 13:14:21,000 [analyzer] CRITICAL: Error creating function stub for advapi32!RegCloseKey.
2019-11-06 13:14:21,015 [analyzer] CRITICAL: Error creating function stub for advapi32!RegOpenKeyExW.
I would like to know what causes such an error and whether there is any way I can attempt to fix it.

File renamed using NtSetInformationFile are not tracked

I recently encountered a sample that used NtSetInformationFile to rename a file. This callback is present in the signatures (under sigs/file_native.rst), but only handles the 'remove' case.
A file renamed this way could not be uploaded, since the agent could not correctly determine the location of the file at the end of the execution.

I tried to implement the signalling of the renaming function, but I could not come up with a clean solution on handling the case where the RootDirectory HANDLE is not NULL.

Additional IE hooks request (And Other API requests)

Hi,

Looking through analysis results would it please be possible to add in the following hooks in the IE hooks (https://github.com/cuckoosandbox/monitor/blob/master/sigs/iexplore.rst)?

  • JsEval
  • COleScript_ParseScriptText
  • JsParseScript
  • JsRunScript

This should hopefully help to cover more exploit kit activity. Below I have included the code from cuckoo-modified for these hooks (https://github.com/spender-sandbox/cuckoomon-modified/blob/MSVC/hook_special.c); it doesn't mean a lot to me as to how to go about it, but I thought it may be useful to someone in the know :-)

HOOKDEF_NOTAIL(WINAPI, JsEval,
    PVOID Arg1,
    PVOID Arg2,
    PVOID Arg3,
    int Index,
    DWORD *scriptobj
) {
#ifndef _WIN64
    PWCHAR jsbuf;
    PUCHAR p;
#endif
    int ret = 0;

    /* TODO: 64-bit support*/
#ifdef _WIN64
    return ret;
#else
    p = (PUCHAR)scriptobj[4 * Index - 2];
    jsbuf = *(PWCHAR *)(p + 8);
    if (jsbuf)
        LOQ_ntstatus("browser", "u", "Javascript", jsbuf);

    return ret;
#endif
}

HOOKDEF_NOTAIL(WINAPI, JsRunScript,
    const wchar_t *script,
    PVOID SourceContext,
    const wchar_t *sourceUrl,
    PVOID *result
) {
    int ret = 0;

    LOQ_zero("browser", "uu", "Script", script, "Source", sourceUrl);
    return ret;
}

HOOKDEF(PVOID, WINAPI, JsParseScript,
    const wchar_t *script,
    PVOID SourceContext,
    const wchar_t *sourceUrl,
    PVOID *result
) {
    PVOID ret = Old_JsParseScript(script, SourceContext, sourceUrl, result);

    LOQ_zero("browser", "uu", "Script", script, "Source", sourceUrl);

    return ret;
}

HOOKDEF(int, WINAPI, COleScript_ParseScriptText,
    PVOID Arg1,
    PWCHAR ScriptBuf,
    PVOID Arg3,
    PVOID Arg4,
    PVOID Arg5,
    PVOID Arg6,
    PVOID Arg7,
    PVOID Arg8,
    PVOID Arg9,
    PVOID Arg10
) {
    int ret = Old_COleScript_ParseScriptText(Arg1, ScriptBuf, Arg3, Arg4, Arg5, Arg6, Arg7, Arg8, Arg9, Arg10);
    LOQ_ntstatus("browser", "u", "Script", ScriptBuf);
    return ret;
}

monitor.dll error

I get an error when I use monitor-x86.dll (guest OS XP SP3) with the cuckoo branch monitor.

Problem about limitation override in log_api function

Hi, jbremer.

I found a problem with the log_api function in cuckoo monitor.

Perhaps the statement argnum--; in the log_api function is faulty.

In the g_explain_paramtypes array, I notice that there are some '!' characters in front of the real type character (such as 'b' or 'B') in the parameter type strings of some APIs; I think it means that the parameter buffer should be recorded without truncation.

But I find that the '!' character is processed differently in the log_explain and log_api functions.

The log_explain function records the information of each called API (such as parameter names, parameter types, flag values and flag bitmasks, etc.) before the real information of the first call of that specific API is recorded.

In the log_explain function, there is a for loop processing the parameter type array and the parameter name array. I find that at first it converts the variable argnum (starting from 2) to the char array argidx, which will be used to mark the parameter index in the bson; then it checks whether the *fmt value is equal to '!'. If so, the variable argnum is decreased by 1, the current frame is skipped and the for loop continues. Each iteration of the loop increases the variables fmt and argnum by 1. This makes sure that the '!' character will not be recorded in the argument type bson array.

void log_explain(uint32_t index)
...
    for (uint32_t argnum = 2; *fmt != 0; argnum++, fmt++) {
        ultostr(argnum, argidx, 10);

        // Handle overrides.
        if(*fmt == '!') {
            argnum--;
            continue;
        }
...

In the log_api function, I find similar processing. In the for loop processing the parameter list, at first argnum is also converted to a char buffer idx, then argnum increases by 1. Then there is a check of *fmt being equal to '!'. Likewise, if it is true, the variable override is assigned 1 and argnum decreases by 1. Then fmt increases by 1, and so on.

void log_api(uint32_t index, int is_success, uintptr_t return_value,
    uint64_t hash, last_error_t *lasterr, ...)
...
    int argnum = 2, override = 0;
    for (const char *fmt = sig_paramtypes(index); *fmt != 0; fmt++) {
        ultostr(argnum++, idx, 10);

        // Limitation override. Instead of displaying this right away in the
        // report we turn it into a buffer (much like the dropped files).
        if(*fmt == '!') {
            override = 1;
            argnum--;
            fmt++;
        }
...

Then there is the problem. In the case of a '!' character in the parameter type string, in the log_explain function, when *fmt == '!', argnum-- runs, then it continues, and the for loop increases both argnum and fmt by 1. So when fmt points to the 'b' or 'B' character after '!', fmt has increased twice and argnum has increased once. But in the log_api function, when *fmt == '!', argnum-- runs and fmt increases by 1 instead of the "continue". It means that when fmt points to the 'b' or 'B' character after '!', fmt has increased twice, and argnum has increased 0 times.

It causes a problem:

If there is another parameter type character after the current 'b' or 'B' in the same parameter type string, its argnum will be a duplicate of the argnum of 'b' or 'B'.

So is the statement argnum--; faulty?

I find that in most cases of type strings with a '!' character in the g_explain_paramtypes array, "!b" or "!B" is at the end of the string; there is no character after "!b" or "!B", so the mistake in the log_api function will not cause any practical problems.

But there are still some exceptions: the parameter type strings of CryptEncrypt, CryptProtectData, CryptProtectMemory and RtlCompressBuffer put the "!b" substring at the beginning of the parameter string, so that it is in front of the other common parameter type characters, and then the problem happens.
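The index bookkeeping described in this issue can be replayed in isolation. The following C model is an added illustration, not code from the monitor project: it keeps only the argnum/fmt handling of the two quoted loops, and the type strings it is fed ("!bi" for a leading "!b", "i!b" for a trailing one) are constructed rather than taken from the sigs tables.

```c
#include <stdio.h>

/* Added model, not the monitor's code: replays only the argnum/fmt
 * bookkeeping of the two loops quoted above and returns the argument
 * index given to the nth (0-based) non-'!' type character, or -1.
 * Type strings below are constructed; as in sigs, '!' precedes 'b'/'B'. */

/* log_explain: '!' undoes the header's argnum++ and skips the body. */
int explain_index(const char *fmt, int nth)
{
    int seen = 0;
    for (unsigned argnum = 2; *fmt != 0; argnum++, fmt++) {
        if (*fmt == '!') { argnum--; continue; }
        if (seen++ == nth) return (int)argnum;
    }
    return -1;
}

/* log_api: idx comes from argnum++ before the '!' check; the '!' branch
 * then undoes that increment and advances fmt by hand, so the character
 * after the 'b'/'B' is rendered with the same idx again. */
int api_index(const char *fmt, int nth)
{
    int seen = 0, argnum = 2;
    for (; *fmt != 0; fmt++) {
        int idx = argnum++;
        if (*fmt == '!' && fmt[1] != 0) { argnum--; fmt++; }
        if (seen++ == nth) return idx;
    }
    return -1;
}

/* 1 if log_api's bookkeeping hands two type characters the same index. */
int api_has_duplicate(const char *fmt)
{
    for (int i = 0; api_index(fmt, i) != -1; i++)
        for (int j = i + 1; api_index(fmt, j) != -1; j++)
            if (api_index(fmt, i) == api_index(fmt, j)) return 1;
    return 0;
}

int main(void)
{
    const char *s[] = { "!bi", "i!b" };   /* leading vs trailing "!b" */
    for (int c = 0; c < 2; c++)
        printf("%-4s explain: %d %d  api: %d %d  duplicate: %d\n", s[c],
               explain_index(s[c], 0), explain_index(s[c], 1),
               api_index(s[c], 0), api_index(s[c], 1), api_has_duplicate(s[c]));
    return 0;
}
```

For "!bi" the log_explain model yields indices 2 and 3 while the log_api model yields 2 and 2, which is the duplicate the issue describes; for "i!b" both models agree, matching the observation that a trailing "!b" is harmless.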

monitor crash. attachment unzip password:virus


Adobe Reader crashes when process injection is selected

I have been unable to analyze PDFs when behavioral analysis is set to run. The only way a PDF will run is with process injection disabled.

My setup is this:

  • Latest version of cuckoo and monitor pulled down last night.
  • guest VMs: win7sp0, both x64 and x86 exhibit same behavior
  • Adobe Reader - have tried multiple versions of 10, 11 and even the latest version
  • I noticed this problem with 2.0RC1 and then went to the latest code last night in hopes it would be fixed.

Here's a similar report of this problem.
https://community.cuckoosandbox.org/t/analysing-pdf-files-problems/167/5

Here's one of the latest logs.

2016-09-17 13:16:53,000 [analyzer] DEBUG: Starting analyzer from: C:\ttyxxqdsfy
2016-09-17 13:16:53,030 [analyzer] DEBUG: Pipe server name: \\.\PIPE\ukqVCXhgyzRUfDFdJpx
2016-09-17 13:16:53,030 [analyzer] DEBUG: Log pipe server name: \\.\PIPE\iwUIJiDwLIovEsnxsunAYgPlfaKqoTYq
2016-09-17 13:16:53,030 [analyzer] DEBUG: No analysis package specified, trying to detect it automagically.
2016-09-17 13:16:53,030 [analyzer] INFO: Automatically selected analysis package "pdf"
2016-09-17 13:16:54,371 [analyzer] DEBUG: Started auxiliary module Disguise
2016-09-17 13:16:54,825 [analyzer] WARNING: Unable to find the correct offsets for functions of: 64-bit kernel32.dll (with timestamp 0x4a5bdfdf)
2016-09-17 13:16:54,825 [analyzer] WARNING: Unable to find the correct offsets for functions of: 64-bit kernel32.dll (with timestamp 0x4a5bdfdf)
2016-09-17 13:16:54,839 [analyzer] DEBUG: Loaded monitor into process with pid 492
2016-09-17 13:16:54,855 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2016-09-17 13:16:54,855 [analyzer] DEBUG: Started auxiliary module Human
2016-09-17 13:16:54,855 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2016-09-17 13:16:54,855 [analyzer] DEBUG: Started auxiliary module Reboot
2016-09-17 13:16:54,964 [analyzer] DEBUG: Started auxiliary module RecentFiles
2016-09-17 13:16:54,964 [analyzer] DEBUG: Started auxiliary module Screenshots
2016-09-17 13:16:55,588 [lib.api.process] INFO: Successfully executed process from path 'C:\\Program Files (x86)\\Adobe\\Reader 11.0\\Reader\\AcroRd32.exe' with arguments [u'C:\\Users\\user\\AppData\\Local\\Temp\\webcast.pdf'] and pid 2688
2016-09-17 13:16:56,276 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4a5bdbde)
2016-09-17 13:16:56,276 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4a5bdbde)
2016-09-17 13:16:56,509 [analyzer] DEBUG: Loaded monitor into process with pid 2688
2016-09-17 13:16:56,775 [analyzer] DEBUG: Received request to inject pid=2688, but we are already injected there.
2016-09-17 13:16:57,414 [analyzer] CRITICAL: Encountered an unknown process while in monitoring mode: "C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AcroRd32.exe" --channel=2688.1.478146051 --type=renderer  "C:\Users\user\AppData\Local\Temp\webcast.pdf"!
2016-09-17 13:16:57,460 [analyzer] INFO: Injected into process with pid 2800 and name u'\u8320\u0235'
2016-09-17 13:16:57,492 [analyzer] DEBUG: Received request to inject pid=2800, but we are already injected there.
2016-09-17 13:16:57,803 [lib.api.process] INFO: Memory dump of process with pid 2800 completed
2016-09-17 13:19:11,109 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2016-09-17 13:19:13,825 [lib.api.process] INFO: Memory dump of process with pid 2688 completed
2016-09-17 13:19:14,198 [lib.api.process] INFO: Memory dump of process with pid 2800 completed
2016-09-17 13:19:14,198 [analyzer] INFO: Terminating remaining processes before shutdown.
2016-09-17 13:19:14,198 [lib.api.process] INFO: Successfully terminated process with pid 2688.
2016-09-17 13:19:14,198 [lib.api.process] INFO: Successfully terminated process with pid 2800.
2016-09-17 13:19:14,198 [analyzer] INFO: Analysis completed.

Any ideas?

Inject issue to malware service process by CreateService API

I found the issue that the cuckoo monitor doesn't inject into the malware service process created by the CreateService API.

The cuckoo monitor tracks the Windows API calls related to Windows services:
https://github.com/cuckoosandbox/monitor/blob/master/sigs/services.rst
However, it didn't add the spawned service PID to the monitored process list.

My Cuckoo environments are the following.
I use Cuckoo v2.0.6 and Cuckoo v2.0.7.
I tested with Cuckoo monitors whose version hashes are "e071e63a66e831163a40abc45109fdf71fee829e" and
"2deb9ccd75d5a7a3fe05b2625b03a8639d6ee36b".

I think that was enabled and succeeded in the old cuckoomon.
For example, these public CAPE analyses could inject into the service process.
https://capesandbox.com/analysis/8790/#
https://cape.contextis.com/analysis/116015/#

They are recent Emotet malware.
SHA256:
0caf8d097eb1865c30dedef5b77dcc7391ab1315ef9c9d3ffb4615f46444853e
0a97eac011861579aede08a858014590e4f814ef3050ba4cba0d90c217723293

Emotet executes the main C2 procedure under the spawned service process when executed with admin privileges.
As you know, Emotet is on the rise.

Please give me any clue for patching the code to solve this issue.
