From 3566fb52304267815fca18f04b5b5cf5a5b72a58 Mon Sep 17 00:00:00 2001
From: doomedraven
Date: Tue, 19 May 2026 10:47:48 +0000
Subject: [PATCH 1/3] FIX: Add cert_chain_signers filter to analysis_tags
---
 web/analysis/templatetags/analysis_tags.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/web/analysis/templatetags/analysis_tags.py b/web/analysis/templatetags/analysis_tags.py
index 523af0f35c2..0af931c41df 100644
--- a/web/analysis/templatetags/analysis_tags.py
+++ b/web/analysis/templatetags/analysis_tags.py
@@ -262,6 +262,7 @@ def split_csv(value):
         return [str(v).strip() for v in value if str(v).strip()]
     return [t.strip() for t in str(value).split(",") if t.strip()]
+@register.filter
 def cert_chain_signers(signers):
     return [s for s in (signers or []) if "Certificate Chain" in s.get("name", "")]
From 166aed016b84880ec77e7dd8b176bfc749f379a6 Mon Sep 17 00:00:00 2001
From: Kevin O'Reilly
Date: Tue, 19 May 2026 11:51:36 +0100
Subject: [PATCH 2/3] analyzer - build_parent_attribute_list(): remove debug output
---
 analyzer/windows/lib/api/process.py | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/analyzer/windows/lib/api/process.py b/analyzer/windows/lib/api/process.py
index 1a0a541379a..6eb459e1bf0 100644
--- a/analyzer/windows/lib/api/process.py
+++ b/analyzer/windows/lib/api/process.py
@@ -576,11 +576,9 @@ def build_parent_attribute_list(self) -> Tuple[LPVOID, Array[c_char], HANDLE]:
         if not KERNEL32.InitializeProcThreadAttributeList(attr_list, 1, 0, byref(cb_attribute_list_size)):
             log.error("InitializeProcThreadAttributeList(init)")
-        log.info("Successfully called InitializeProcThreadAttributeList")
         hwnd = windll.user32.GetShellWindow()
         explorer_pid = DWORD()
         windll.user32.GetWindowThreadProcessId(hwnd, byref(explorer_pid))
-        log.info("Explorer PID: %s", explorer_pid.value)
         raw_parent = KERNEL32.OpenProcess(PROCESS_CREATE_PROCESS, False, explorer_pid)
         if not raw_parent:
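Review bot: The comprehension in `cert_chain_signers` assumes every entry of `signers` is a dict whose `name` is a string; `s.get("name", "")` only falls back when the key is absent, so an entry with `name: None` makes `"Certificate Chain" in None` raise TypeError while the template renders, taking the whole analysis page down for one odd entry. `if "Certificate Chain" in (s.get("name") or "")` removes that failure mode at no cost. Now that the function is a registered template filter it also deserves a one-line docstring, e.g. `"""Return only the signer entries whose name marks a certificate-chain element."""`. Whether the report schema guarantees dict entries with a string `name` cannot be seen from this hunk.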
@@ -601,7 +599,6 @@ def build_parent_attribute_list(self) -> Tuple[LPVOID, Array[c_char], HANDLE]:
             KERNEL32.DeleteProcThreadAttributeList(attr_list)
             log.error("UpdateProcThreadAttribute")
-        log.info("build_parent_attribute_list returning")
         return attr_list, attr_buf, h_parent
     def log_process_tree(self, process_name):
From f58f8fd71323233fee5cae9710e7364287d896d0 Mon Sep 17 00:00:00 2001
From: Kevin O'Reilly
Date: Tue, 19 May 2026 12:24:10 +0100
Subject: [PATCH 3/3] tlsdump auxiliary module: update to work on 64-bit Python
---
 analyzer/windows/modules/auxiliary/tlsdump.py | 28 +++++++++++++------
 1 file changed, 20 insertions(+), 8 deletions(-)
diff --git a/analyzer/windows/modules/auxiliary/tlsdump.py b/analyzer/windows/modules/auxiliary/tlsdump.py
index 6a6c7033d47..34bcec7a6a0 100644
--- a/analyzer/windows/modules/auxiliary/tlsdump.py
+++ b/analyzer/windows/modules/auxiliary/tlsdump.py
@@ -3,18 +3,21 @@
 # See the file 'docs/LICENSE' for copying permission.
 import logging
-from ctypes import byref, c_void_p, sizeof
-
+from ctypes import byref, c_bool, c_void_p, sizeof
 from lib.api.process import Process
 from lib.common.abstracts import Auxiliary
 from lib.common.defines import KERNEL32, PROCESSENTRY32, TH32CS_SNAPPROCESS
 from lib.common.exceptions import CuckooError
 log = logging.getLogger(__name__)
+
 INVALID_HANDLE_VALUE_PTR = c_void_p(-1).value
 # Ensure snapshot handle is not truncated on 64-bit.
 KERNEL32.CreateToolhelp32Snapshot.restype = c_void_p
+# Ensure bool return types are not sign-extended on 64-bit.
+KERNEL32.Process32First.restype = c_bool
+KERNEL32.Process32Next.restype = c_bool
 class TLSDumpMasterSecrets(Auxiliary):
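Review bot: The restype declarations fix only the return side of the 64-bit problem: `CreateToolhelp32Snapshot` now hands back a Python int, and ctypes passes a Python int to a function with no `argtypes` as a C `int`, so a handle value that does not fit in 32 bits would be truncated again on the way into `Process32First(snapshot, ...)`, `Process32Next(...)` and `CloseHandle(snapshot)` in `start`. Adding `KERNEL32.Process32First.argtypes = [c_void_p, c_void_p]`, the same for `Process32Next`, and `KERNEL32.CloseHandle.argtypes = [c_void_p]` next to the restypes closes that gap (moot only if `lib.common.defines`, not shown here, already sets them on the shared `KERNEL32` object). Separately, `Process32First`/`Process32Next` return a four-byte `BOOL`, which ctypes' default `c_int` restype already reads correctly, so `c_bool` (a one-byte C `_Bool`) is not what prevents sign-extension; `ctypes.wintypes.BOOL` would state the intent accurately, and the comment should say it documents the Win32 return type rather than fixing a 64-bit issue.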
@@ -32,22 +35,33 @@ def __init__(self, options, config):
     def start(self):
         proc_info = PROCESSENTRY32()
         proc_info.dwSize = sizeof(PROCESSENTRY32)
+
         snapshot = KERNEL32.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
         if snapshot in (None, INVALID_HANDLE_VALUE_PTR):
             log.warning("Failed to create process snapshot")
+            del self.options["tlsdump"]
             return
+
         flag = KERNEL32.Process32First(snapshot, byref(proc_info))
         pid = 0
+
         while flag:
-            if proc_info.sz_exeFile == b"lsass.exe":
+            exename = proc_info.sz_exeFile
+            if isinstance(exename, bytes):
+                exename = exename.decode("utf-8", errors="replace")
+            if exename == "lsass.exe":
                 pid = proc_info.th32ProcessID
                 log.info("lsass.exe found, pid %d", pid)
-                flag = 0
+                break
             flag = KERNEL32.Process32Next(snapshot, byref(proc_info))
+
         KERNEL32.CloseHandle(snapshot)
+
         if not pid:
             log.warning("Unable to find lsass.exe process")
+            del self.options["tlsdump"]
             return
+
         try:
             p = Process(options=self.options, config=self.config, pid=pid)
             filepath = p.get_filepath()
@@ -56,8 +70,6 @@ def start(self):
             if "process access denied" in e.message:
                 log.warning("You're not running the Agent as Administrator")
             else:
-                log.warning(
-                    "An unknown error occurred while trying to inject into the lsass.exe process to dump TLS master secrets: %s",
-                    e,
-                )
+                log.warning("An unknown error occurred while trying to inject into the lsass.exe process to dump TLS master secrets: %s", e)
+                del self.options["tlsdump"]
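Review bot: The new `del self.options["tlsdump"]` lines on the snapshot-failure and lsass-not-found paths raise KeyError if the key is already absent, which turns a logged warning into an unhandled exception from the auxiliary module; `self.options.pop("tlsdump", None)` gives the same effect without that failure mode, unless `__init__` (outside the hunk) guarantees the key is present. The name match `if exename == "lsass.exe":` is case-sensitive while Windows image names are not, and the `bytes` branch suggests `PROCESSENTRY32` is the ANSI structure, so the buffer is in the system code page rather than UTF-8; `if exename.lower() == "lsass.exe":` is the robust form, and the `decode` is harmless only because the compared name is ASCII. `start` continues past this hunk.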
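Review bot: In the rewritten `except` branch only the unknown-error path clears the option; the "process access denied" path logs that the Agent is not running as Administrator and falls through with `self.options["tlsdump"]` still set, although every other failure path in `start` (no snapshot, no lsass.exe, unknown injection error) now clears it. If clearing the option is what stops later stages from expecting master secrets, the access-denied branch needs `self.options.pop("tlsdump", None)` after its warning as well; if the asymmetry is deliberate, a comment saying why would stop the next reader from "fixing" it. `e.message` is not a standard attribute of Python 3 exceptions, so this relies on `CuckooError` defining it (not visible here). The enclosing `try`/`except` starts above the hunk.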