From 751e8e58477185d22017a595181490f6d35abad2 Mon Sep 17 00:00:00 2001
From: enzok <7831008+enzok@users.noreply.github.com>
Date: Wed, 29 Apr 2026 11:13:52 -0400
Subject: [PATCH 1/5] processing: add dbg_only mode for debugger-focused results

---
 lib/cuckoo/core/plugins.py | 12 +++++++++++-
 utils/process.py | 7 ++++++-
 2 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/lib/cuckoo/core/plugins.py b/lib/cuckoo/core/plugins.py
index 7998a75b027..cb3dcbe5350 100644
--- a/lib/cuckoo/core/plugins.py
+++ b/lib/cuckoo/core/plugins.py
@@ -28,7 +28,7 @@
 from lib.cuckoo.common.mapTTPs import mapTTP
 from lib.cuckoo.common.path_utils import path_exists
 from lib.cuckoo.common.scoring import calc_scoring
-from lib.cuckoo.common.utils import add_family_detection
+from lib.cuckoo.common.utils import add_family_detection, get_options
 from lib.cuckoo.core.database import Database
 from utils.community_blocklist import blocklist
 
@@ -268,6 +268,8 @@ def __init__(self, task, results):
         self.cfg = processing_cfg
         self.cuckoo_cfg = Config()
         self.results = results
+        task_opts = get_options(task.get("options", "") or "")
+        self.dbg_only = str(task_opts.get("dbg_only", "")).strip().lower() in {"1", "true", "yes"}
 
     def process(self, module):
         """Run a processing module.
@@ -346,6 +348,14 @@ def run(self):
         # If no modules are loaded, return an empty dictionary.
         if processing_list:
             processing_list.sort(key=lambda module: module.order)
+            if self.dbg_only:
+                allowed = {"AnalysisInfo", "BehaviorAnalysis", "Debug"}
+                processing_list = [module for module in processing_list if module.__name__ in allowed]
+                log.info(
+                    "dbg_only enabled for task %s: running minimal processing modules: %s",
+                    self.task.get("id"),
+                    ", ".join(module.__name__ for module in processing_list) or "none",
+                )
 
         # Run every loaded processing module.
         for module in processing_list:
diff --git a/utils/process.py b/utils/process.py
index 695c39888ad..c50ebc746a2 100644
--- a/utils/process.py
+++ b/utils/process.py
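Review bot: The `allowed` set inside the `if self.dbg_only:` branch of run() hard-codes three processing class names inline; a module-level constant such as `DBG_ONLY_MODULES = frozenset({"AnalysisInfo", "BehaviorAnalysis", "Debug"})` with a comment explaining why exactly these modules are kept would make the minimal set discoverable and easier to tune. The filter matches on `module.__name__`, so a renamed processing class silently drops out of the set and the log line then reports "none"; that dependency deserves a comment next to the literal. Reporting modules that run later (outside this hunk) may assume result keys that the excluded modules normally populate, so that contract is worth checking or at least noting in the branch. run() starts before the hunk and continues after it.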
@@ -133,6 +133,8 @@ def process(
     setproctitle(f"{original_proctitle} [Task {task_id}]")
     results = {"statistics": {"processing": [], "signatures": [], "reporting": []}}
     try:
+        task_opts = get_options(task_dict.get("options", "") or "")
+        dbg_only = str(task_opts.get("dbg_only", "")).strip().lower() in {"1", "true", "yes"}
         if memory_debugging:
             gc.collect()
             log.info("(1) GC object counts: %d, %d", len(gc.get_objects()), len(gc.garbage))
@@ -145,7 +147,10 @@ def process(
             gc.collect()
             log.info("(3) GC object counts: %d, %d", len(gc.get_objects()), len(gc.garbage))
 
-        RunSignatures(task=task_dict, results=results).run()
+        if not dbg_only:
+            RunSignatures(task=task_dict, results=results).run()
+        else:
+            log.info("dbg_only enabled for task %s: skipping signatures", task_id)
         if memory_debugging:
             gc.collect()
             log.info("(4) GC object counts: %d, %d", len(gc.get_objects()), len(gc.garbage))
From e282e124ad4d4482b4dcc4a0971c933d49980535 Mon Sep 17 00:00:00 2001
From: enzok <7831008+enzok@users.noreply.github.com>
Date: Wed, 29 Apr 2026 15:11:25 -0400
Subject: [PATCH 2/5] web: add dbg_only to submission help tables

---
 web/templates/submission/index.html | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/web/templates/submission/index.html b/web/templates/submission/index.html
index 93d451b45f7..0211701f038 100644
--- a/web/templates/submission/index.html
+++ b/web/templates/submission/index.html
@@ -442,6 +442,10 @@
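Review bot: When `dbg_only` skips `RunSignatures`, nothing in `results` records that signature evaluation was deliberately bypassed, so the stored report is indistinguishable from a run in which no signature matched, and a consumer reading it as a clean verdict would be misled. In the `else:` branch, next to the log line, mark the result explicitly, e.g. `results.setdefault("info", {})["dbg_only"] = True`; the exact key should follow what the reporting modules expect, which is outside this hunk. The same marker would serve the module filtering added to lib/cuckoo/core/plugins.py in this patch, since a report built from the minimal module set is also incomplete by design. process() starts before the hunk and continues after it.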
Advance debug Enable debugging features + + dbg_only + Run minimal processing modules and skip signatures + @@ -860,6 +864,10 @@
Advance debug 1 = Report critical exceptions, 2 = All exceptions + + dbg_only + Run minimal processing modules and skip signatures + bp0...bp3 Hardware breakpoints (Address or Module:Export)
From c7e4e317c636a979cc4a910704cdcb26f518f8a5 Mon Sep 17 00:00:00 2001
From: enzok <7831008+enzok@users.noreply.github.com>
Date: Thu, 30 Apr 2026 08:15:55 -0400
Subject: [PATCH 3/5] processing: parse task options once and reuse dbg_only flag

---
 lib/cuckoo/common/utils.py | 10 ++++++++++
 lib/cuckoo/core/plugins.py | 8 +++++---
 utils/process.py | 11 +++++------
 3 files changed, 20 insertions(+), 9 deletions(-)

diff --git a/lib/cuckoo/common/utils.py b/lib/cuckoo/common/utils.py
index 5c468efddf6..28f52935a9b 100644
--- a/lib/cuckoo/common/utils.py
+++ b/lib/cuckoo/common/utils.py
@@ -827,6 +827,16 @@ def get_options(optstring: str):
     )
 
 
+def option_enabled(optstring: Union[str, None], option_name: str) -> bool:
+    """Return True when an option is set to a truthy value (1/true/yes)."""
+    return option_dict_enabled(get_options(optstring), option_name)
+
+
+def option_dict_enabled(options: dict, option_name: str) -> bool:
+    """Return True when an already-parsed option is set to a truthy value (1/true/yes)."""
+    return str(options.get(option_name, "")).strip().lower() in {"1", "true", "yes"}
+
+
 # get iface ip
 def get_ip_address(ifname):
     s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
diff --git a/lib/cuckoo/core/plugins.py b/lib/cuckoo/core/plugins.py
index cb3dcbe5350..a22d814d11e 100644
--- a/lib/cuckoo/core/plugins.py
+++ b/lib/cuckoo/core/plugins.py
@@ -28,7 +28,7 @@
 from lib.cuckoo.common.mapTTPs import mapTTP
 from lib.cuckoo.common.path_utils import path_exists
 from lib.cuckoo.common.scoring import calc_scoring
-from lib.cuckoo.common.utils import add_family_detection, get_options
+from lib.cuckoo.common.utils import add_family_detection, get_options, option_dict_enabled
 from lib.cuckoo.core.database import Database
 from utils.community_blocklist import blocklist
 
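Review bot: `option_enabled` is annotated to accept `Union[str, None]` but forwards `optstring` unchanged into `get_options(optstring: str)`, whose body is outside the hunk; unless that function already tolerates None, the very input the annotation invites will fail inside it. Normalizing at the boundary, `return option_dict_enabled(get_options(optstring or ""), option_name)`, keeps the helper safe either way, and the callers added in lib/cuckoo/core/plugins.py and utils/process.py in this patch pass `task.get("options")` into `get_options` with the same exposure. `Union` must already be imported from `typing` in this file for the annotation to resolve, which the hunk does not show. As far as this series shows, only `option_dict_enabled` is ever imported, so `option_enabled` appears to be unused.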
@@ -268,8 +268,10 @@ def __init__(self, task, results):
         self.cfg = processing_cfg
         self.cuckoo_cfg = Config()
         self.results = results
-        task_opts = get_options(task.get("options", "") or "")
-        self.dbg_only = str(task_opts.get("dbg_only", "")).strip().lower() in {"1", "true", "yes"}
+        task_opts = task.get("_options_parsed")
+        if not isinstance(task_opts, dict):
+            task_opts = get_options(task.get("options"))
+        self.dbg_only = option_dict_enabled(task_opts, "dbg_only")
 
     def process(self, module):
         """Run a processing module.
diff --git a/utils/process.py b/utils/process.py
index c50ebc746a2..740dcb79de8 100644
--- a/utils/process.py
+++ b/utils/process.py
@@ -39,7 +39,7 @@
 from lib.cuckoo.common.config import Config
 from lib.cuckoo.common.constants import CUCKOO_ROOT
 from lib.cuckoo.common.path_utils import path_delete, path_exists, path_mkdir
-from lib.cuckoo.common.utils import get_options
+from lib.cuckoo.common.utils import get_options, option_dict_enabled
 from lib.cuckoo.core.database import Database, init_database
 from lib.cuckoo.core.data.task import (
     TASK_COMPLETED,
@@ -122,10 +122,10 @@ def process(
     task_dict = task.to_dict() or {}
     task_id = task_dict.get("id") or 0
 
+    task_options = get_options(task_dict.get("options"))
+    task_dict["_options_parsed"] = task_options
     # cluster mode
-    main_task_id = False
-    if "main_task_id" in task_dict.get("options", ""):
-        main_task_id = get_options(task_dict["options"]).get("main_task_id", 0)
+    main_task_id = task_options.get("main_task_id", 0) if "main_task_id" in task_options else False
 
     # ToDo new logger here
     per_analysis_handler = init_per_analysis_logging(tid=str(task_id), debug=debug)
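Review bot: The `_options_parsed` key read from `task` in `__init__` is an undocumented contract with whichever caller populates it (utils/process.py in this patch), and nothing near the line says so; a comment such as `# utils/process.py caches the parsed option dict under "_options_parsed"; re-parse when it is missing` would keep both sides in step. Naming the key once as a shared constant in lib/cuckoo/common/utils.py rather than repeating the string literal in two files would also turn a future rename mismatch into an import error instead of a silent fallback to re-parsing. __init__ starts before the hunk.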
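Review bot: The `main_task_id` assignment in the utils/process.py hunk can be reduced to `main_task_id = task_options.get("main_task_id", False)`: when the key is present `.get` returns its value regardless of the default, and when it is absent it returns False, which is exactly what the conditional expression computes. Writing the parsed dict into `task_dict["_options_parsed"]` mutates the dict that is later handed to other components; if any of them serialize `task_dict` into the report (outside this hunk), the extra key will surface there, which deserves a check or a comment at this line. process() starts before the hunk and continues after it.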
@@ -133,8 +133,7 @@ def process(
     setproctitle(f"{original_proctitle} [Task {task_id}]")
     results = {"statistics": {"processing": [], "signatures": [], "reporting": []}}
     try:
-        task_opts = get_options(task_dict.get("options", "") or "")
-        dbg_only = str(task_opts.get("dbg_only", "")).strip().lower() in {"1", "true", "yes"}
+        dbg_only = option_dict_enabled(task_options, "dbg_only")
         if memory_debugging:
             gc.collect()
             log.info("(1) GC object counts: %d, %d", len(gc.get_objects()), len(gc.garbage))
From 61c33e27abb0c7ecc1dae42a7b9a563180a574f1 Mon Sep 17 00:00:00 2001
From: enzok <7831008+enzok@users.noreply.github.com>
Date: Fri, 8 May 2026 09:17:20 -0400
Subject: [PATCH 4/5] Refactor: change option dbg_only to minproc

---
 lib/cuckoo/core/plugins.py | 6 +++---
 utils/process.py | 6 +++---
 web/templates/submission/index.html | 4 ++--
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/lib/cuckoo/core/plugins.py b/lib/cuckoo/core/plugins.py
index a22d814d11e..ffea9f76540 100644
--- a/lib/cuckoo/core/plugins.py
+++ b/lib/cuckoo/core/plugins.py
@@ -271,7 +271,7 @@ def __init__(self, task, results):
         task_opts = task.get("_options_parsed")
         if not isinstance(task_opts, dict):
             task_opts = get_options(task.get("options"))
-        self.dbg_only = option_dict_enabled(task_opts, "dbg_only")
+        self.minproc = option_dict_enabled(task_opts, "minproc")
 
     def process(self, module):
         """Run a processing module.
@@ -350,11 +350,11 @@ def run(self):
         # If no modules are loaded, return an empty dictionary.
         if processing_list:
             processing_list.sort(key=lambda module: module.order)
-            if self.dbg_only:
+            if self.minproc:
                 allowed = {"AnalysisInfo", "BehaviorAnalysis", "Debug"}
                 processing_list = [module for module in processing_list if module.__name__ in allowed]
                 log.info(
-                    "dbg_only enabled for task %s: running minimal processing modules: %s",
+                    "minproc enabled for task %s: running minimal processing modules: %s",
                     self.task.get("id"),
                     ", ".join(module.__name__ for module in processing_list) or "none",
                 )
diff --git a/utils/process.py b/utils/process.py
index 740dcb79de8..8babe538cce 100644
--- a/utils/process.py
+++ b/utils/process.py
@@ -133,7 +133,7 @@ def process(
     setproctitle(f"{original_proctitle} [Task {task_id}]")
     results = {"statistics": {"processing": [], "signatures": [], "reporting": []}}
     try:
-        dbg_only = option_dict_enabled(task_options, "dbg_only")
+        minproc = option_dict_enabled(task_options, "minproc")
         if memory_debugging:
             gc.collect()
             log.info("(1) GC object counts: %d, %d", len(gc.get_objects()), len(gc.garbage))
@@ -146,10 +146,10 @@ def process(
             gc.collect()
             log.info("(3) GC object counts: %d, %d", len(gc.get_objects()), len(gc.garbage))
 
-        if not dbg_only:
+        if not minproc:
             RunSignatures(task=task_dict, results=results).run()
         else:
-            log.info("dbg_only enabled for task %s: skipping signatures", task_id)
+            log.info("minproc enabled for task %s: skipping signatures", task_id)
         if memory_debugging:
             gc.collect()
             log.info("(4) GC object counts: %d, %d", len(gc.get_objects()), len(gc.garbage))
diff --git a/web/templates/submission/index.html b/web/templates/submission/index.html
index 0211701f038..ed1053e1573 100644
--- a/web/templates/submission/index.html
+++ b/web/templates/submission/index.html
@@ -443,7 +443,7 @@
Advance Enable debugging features - dbg_only + minproc Run minimal processing modules and skip signatures @@ -865,7 +865,7 @@
Advance 1 = Report critical exceptions, 2 = All exceptions - dbg_only + minproc Run minimal processing modules and skip signatures
From 3eaf9b6260ad2edab8766bea72ddf35d80825dab Mon Sep 17 00:00:00 2001
From: Kevin O'Reilly
Date: Fri, 15 May 2026 18:09:32 +0100
Subject: [PATCH 5/5] Tweak Formbook config extractor yara

---
 analyzer/windows/data/yara/Formbook.yar | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/analyzer/windows/data/yara/Formbook.yar b/analyzer/windows/data/yara/Formbook.yar
index e2e94223605..8c65140d05b 100644
--- a/analyzer/windows/data/yara/Formbook.yar
+++ b/analyzer/windows/data/yara/Formbook.yar
@@ -71,5 +71,5 @@ rule FormconfB
         $config = {40 55 53 56 57 41 54 41 55 41 56 41 57 48 8D AC 24 [4] 48 81 EC [2] 00 00 45 33 ?? 33 C0 4C 8B E9 4C 89}
         $sleep = {B9 88 13 00 00 FF D7 44 8B 9B [4] 41 81 FB 00 01 00 00 75 ?? 48 39 B3 [4] 74 ?? 8B 83 [4] 05 00 20 00 00 39 B0}
     condition:
-        3 of them
+        $decoy and any of ($c2_*) and ($config or $sleep)
 }
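Review bot: The new condition `$decoy and any of ($c2_*) and ($config or $sleep)` replaces "any three strings" with one specific combination, and neither the rule nor the commit message ("Tweak") records the sample or false match that motivated it; a one-line comment above `condition:` naming that case would help whoever next tunes this extractor rule. `$decoy` and the `$c2_*` strings are declared above the hunk, so their presence and count cannot be confirmed from here. The rule body of FormconfB starts before the hunk.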