Signature Errors with latest commits #56
Comments
|
This is my bad - I updated the hook for NtSetInformationProcess and failed to make sure the sigs that depend on it still work. Apologies - should be fixed in latest commit. |
|
Thanks. These errors were fixed. I did get the following error running a Ursnif sample. It decoded the config so not sure if it's a real issue. I'll let you decided. |
|
Good find. thanks for this |
|
Should be fixed now |
|
Damn actually this looks to be because I had a slightly different hook for NtCreateThreadEx for the Ursnif package. I had 'CreationFlags' to be more like the other hook creation functions whereas the current hook has 'CreateFlags' for this argument (it's not easy to find the actual prototype, some even have this as a BOOL CreateSuspended). I have a new version of the Ursnif package in the works which has 'CreateFlags' but I will need to publish this then switch the signature back again... |
|
Good find
…On Tue, Jul 10, 2018 at 2:13 PM, kevoreilly ***@***.***> wrote:
Damn actually this looks to be because I had a slightly different hook for
NtCreateThreadEx for the Ursnif package. I had 'CreationFlags' to be more
like the other hook creation functions whereas the current hook has
'CreateFlags' for this argument (it's not easy to find the actual
prototype, some even have this as a BOOL CreateSuspended). I have a new
version of the Ursnif package in the works which has 'CreateFlags' but I
will need to publish this then switch the signature back again...
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#56 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AAhV894FYBoYRhDqXAc9KfGS_cd4O7t6ks5uFPzbgaJpZM4VIpdS>
.
|
|
Just got back from vacation. I added the CAPE commits since July 10th and am getting the following in my logs: |
|
I've just pushed a fix for this but this will unfortunately mean you will get sig errors with the Ursnif package as it had a different label for the NtCreateThreadEx argument (CreationFlags) - until I push an update to the Ursnif Dlls. I will try and get that done soon, I have an update in the works. |
|
That is the error I received with the latest commits on a non-Ursnif sample. I did check the MD5s to confirm that I have the latest analyzer DLLs. |
|
This should be fixed now (except for Ursnif package which I will update soon). |
|
Is there an updated DLL or just the Cape.py file? |
|
The majority of the DLLs already have the matching argument string 'CreateFlags'. The exception to this is the Ursnif DLLs (CreationFlags) but I have an updated version which I plan to release soon. |
|
OK understood. Thank you. |
|
Still getting this error. |
|
I'm confused - you seem to be getting the errors whether it's "CreateFlags" or "CreationFlags". The hook code for NtCreateThreadEx is in https://github.com/ctxis/capemon/blob/capemon/hook_thread.c and currently has "CreateFlags" which should correlate with the signature. |
|
i verified md5 values for the CAPE DLLs and they match your latest build. Verified I have the latest Cape.py. What else can I do to troubleshoot? |
|
Can you check the behavioural logs - search for the NtCreateThreadEx calls and see whether they are listed with 'CreateFlags' or 'CreationFlags' as argument. |
|
LOL. I was doing that as you were commenting. Looks like the correct call argument. So the hook is working. Maybe something with parsing the value? And... And... |
|
Should the method here be get_argument instead of get_raw_argument? |
|
Ignore my last comment. I changed the base and it seems to have fixed the issue (16 to 0): |
|
Damn this was my fault! Sorry about that, just pushed the fix. Thanks for your help. |
|
Glad to help. I'll close this out unless you want me to wait until you push the Ursnif update. |
|
I'll close this now but will try and get the Ursnif update published soon. |
I added the latest commits and am now getting the following errors. I've run multiple samples and get the same results.
The text was updated successfully, but these errors were encountered: