diff --git a/analyzer/windows/lib/api/process.py b/analyzer/windows/lib/api/process.py
index 1a0a541379a..6eb459e1bf0 100644
--- a/analyzer/windows/lib/api/process.py
+++ b/analyzer/windows/lib/api/process.py
@@ -576,11 +576,9 @@ def build_parent_attribute_list(self) -> Tuple[LPVOID, Array[c_char], HANDLE]:
 if not KERNEL32.InitializeProcThreadAttributeList(attr_list, 1, 0, byref(cb_attribute_list_size)):
 log.error("InitializeProcThreadAttributeList(init)")
- log.info("Successfully called InitializeProcThreadAttributeList")
 hwnd = windll.user32.GetShellWindow()
 explorer_pid = DWORD()
 windll.user32.GetWindowThreadProcessId(hwnd, byref(explorer_pid))
- log.info("Explorer PID: %s", explorer_pid.value)
 raw_parent = KERNEL32.OpenProcess(PROCESS_CREATE_PROCESS, False, explorer_pid)
 if not raw_parent:
@@ -601,7 +599,6 @@ def build_parent_attribute_list(self) -> Tuple[LPVOID, Array[c_char], HANDLE]:
 KERNEL32.DeleteProcThreadAttributeList(attr_list)
 log.error("UpdateProcThreadAttribute")
- log.info("build_parent_attribute_list returning")
 return attr_list, attr_buf, h_parent
 def log_process_tree(self, process_name):
diff --git a/analyzer/windows/modules/auxiliary/tlsdump.py b/analyzer/windows/modules/auxiliary/tlsdump.py
index 6a6c7033d47..34bcec7a6a0 100644
--- a/analyzer/windows/modules/auxiliary/tlsdump.py
+++ b/analyzer/windows/modules/auxiliary/tlsdump.py
@@ -3,18 +3,21 @@
 # See the file 'docs/LICENSE' for copying permission.
 import logging
-from ctypes import byref, c_void_p, sizeof
-
+from ctypes import byref, c_bool, c_void_p, sizeof
 from lib.api.process import Process
 from lib.common.abstracts import Auxiliary
 from lib.common.defines import KERNEL32, PROCESSENTRY32, TH32CS_SNAPPROCESS
 from lib.common.exceptions import CuckooError
 log = logging.getLogger(__name__)
+
 INVALID_HANDLE_VALUE_PTR = c_void_p(-1).value
 # Ensure snapshot handle is not truncated on 64-bit.
 KERNEL32.CreateToolhelp32Snapshot.restype = c_void_p
+# Ensure bool return types are not sign-extended on 64-bit.
+KERNEL32.Process32First.restype = c_bool
+KERNEL32.Process32Next.restype = c_bool
 class TLSDumpMasterSecrets(Auxiliary):
@@ -32,22 +35,33 @@ def __init__(self, options, config):
 def start(self):
 proc_info = PROCESSENTRY32()
 proc_info.dwSize = sizeof(PROCESSENTRY32)
+
 snapshot = KERNEL32.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
 if snapshot in (None, INVALID_HANDLE_VALUE_PTR):
 log.warning("Failed to create process snapshot")
+ del self.options["tlsdump"]
 return
+
 flag = KERNEL32.Process32First(snapshot, byref(proc_info))
 pid = 0
+
 while flag:
- if proc_info.sz_exeFile == b"lsass.exe":
+ exename = proc_info.sz_exeFile
+ if isinstance(exename, bytes):
+ exename = exename.decode("utf-8", errors="replace")
+ if exename == "lsass.exe":
 pid = proc_info.th32ProcessID
 log.info("lsass.exe found, pid %d", pid)
- flag = 0
+ break
 flag = KERNEL32.Process32Next(snapshot, byref(proc_info))
+
 KERNEL32.CloseHandle(snapshot)
+
 if not pid:
 log.warning("Unable to find lsass.exe process")
+ del self.options["tlsdump"]
 return
+
 try:
 p = Process(options=self.options, config=self.config, pid=pid)
 filepath = p.get_filepath()
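Review bot: The comment above the two new `restype` assignments gives a rationale that does not match what `c_bool` does: Process32First and Process32Next return a 32-bit BOOL, which the ctypes default `c_int` restype already reads at full width, while `c_bool` maps to the 1-byte C `_Bool`, so as far as I can tell the change is a convenience (a Python bool instead of an int) rather than a sign-extension fix. I would reword it to `# Process32First/Next return BOOL; expose the result as a Python bool.` so the next reader does not look for a 64-bit defect that is not there. The removed blank line between the `ctypes` import and the `lib.*` imports also drops the stdlib/first-party group separation that isort-style layout keeps; restoring it is a one-line change.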
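Review bot: Both new `del self.options["tlsdump"]` statements raise KeyError if the key is not present, which turns a logged warning into an unhandled exception escaping `start()`; `self.options.pop("tlsdump", None)` drops the key without that risk, and the same applies to the third `del` added in the hunk at line 70 of this file. The new comparison `exename == "lsass.exe"` is case-sensitive, as the old bytes comparison was; `exename.lower() == "lsass.exe"` would be more robust if Toolhelp ever reports the image name with different casing, which I cannot confirm from here. The `try:` opened at the end of this hunk has its `except` clause outside the hunk.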
@@ -56,8 +70,6 @@ def start(self):
 if "process access denied" in e.message:
 log.warning("You're not running the Agent as Administrator")
 else:
- log.warning(
- "An unknown error occurred while trying to inject into the lsass.exe process to dump TLS master secrets: %s",
- e,
- )
+ log.warning("An unknown error occurred while trying to inject into the lsass.exe process to dump TLS master secrets: %s", e)
+ del self.options["tlsdump"]
diff --git a/web/analysis/templatetags/analysis_tags.py b/web/analysis/templatetags/analysis_tags.py
index 523af0f35c2..0af931c41df 100644
--- a/web/analysis/templatetags/analysis_tags.py
+++ b/web/analysis/templatetags/analysis_tags.py
@@ -262,6 +262,7 @@ def split_csv(value):
 return [str(v).strip() for v in value if str(v).strip()]
 return [t.strip() for t in str(value).split(",") if t.strip()]
+@register.filter
 def cert_chain_signers(signers):
 return [s for s in (signers or []) if "Certificate Chain" in s.get("name", "")]
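Review bot: From the hunk it is not clear whether the added `del self.options["tlsdump"]` sits under the `else:` branch or at the level of the enclosing `except`; if it is inside `else`, the "process access denied" path keeps the option set while every other failure path in `start()` clears it, so it belongs one level up at the `except` level. As raised on the earlier hunk, `self.options.pop("tlsdump", None)` avoids a KeyError when the key is already gone. Joining the wrapped `log.warning(...)` back into a single statement also yields a line of roughly 140 characters with indentation, which the removed black-style wrapping had avoided; I would keep the wrapped form. The enclosing `start()` begins outside this hunk.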
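Review bot: Registering `cert_chain_signers` as a template filter makes it reachable with whatever the report stores under `signers`, and the comprehension assumes every entry is a dict whose `name` is a string: an entry with `name` set to `None` makes `"Certificate Chain" in None` raise TypeError, and a non-dict entry raises AttributeError, either of which surfaces as a template rendering error. `"Certificate Chain" in (s.get("name") or "")` covers the None case in one line; whether non-dict entries can occur depends on the report schema, which is not visible here. The function also has no docstring; a one-liner such as `"""Return the signer entries whose name mentions 'Certificate Chain'."""` would do.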