[pull] master from kevoreilly:master

analyzer/windows/lib/api/process.py

@@ -576,11 +576,9 @@ def build_parent_attribute_list(self) -> Tuple[LPVOID, Array[c_char], HANDLE]:
         if not KERNEL32.InitializeProcThreadAttributeList(attr_list, 1, 0, byref(cb_attribute_list_size)):
             log.error("InitializeProcThreadAttributeList(init)")
 
-        log.info("Successfully called InitializeProcThreadAttributeList")
         hwnd = windll.user32.GetShellWindow()
         explorer_pid = DWORD()
         windll.user32.GetWindowThreadProcessId(hwnd, byref(explorer_pid))
-        log.info("Explorer PID: %s", explorer_pid.value)
 
         raw_parent = KERNEL32.OpenProcess(PROCESS_CREATE_PROCESS, False, explorer_pid)
         if not raw_parent:
@@ -601,7 +599,6 @@ def build_parent_attribute_list(self) -> Tuple[LPVOID, Array[c_char], HANDLE]:
             KERNEL32.DeleteProcThreadAttributeList(attr_list)
             log.error("UpdateProcThreadAttribute")
 
-        log.info("build_parent_attribute_list returning")
         return attr_list, attr_buf, h_parent
 
     def log_process_tree(self, process_name):

analyzer/windows/modules/auxiliary/tlsdump.py

@@ -3,18 +3,21 @@
 # See the file 'docs/LICENSE' for copying permission.
 
 import logging
-from ctypes import byref, c_void_p, sizeof
-
+from ctypes import byref, c_bool, c_void_p, sizeof
 from lib.api.process import Process
 from lib.common.abstracts import Auxiliary
 from lib.common.defines import KERNEL32, PROCESSENTRY32, TH32CS_SNAPPROCESS
 from lib.common.exceptions import CuckooError
 
 log = logging.getLogger(__name__)
+
 INVALID_HANDLE_VALUE_PTR = c_void_p(-1).value
 
 # Ensure snapshot handle is not truncated on 64-bit.
 KERNEL32.CreateToolhelp32Snapshot.restype = c_void_p
+# Ensure bool return types are not sign-extended on 64-bit.
+KERNEL32.Process32First.restype = c_bool
+KERNEL32.Process32Next.restype = c_bool
 
 
 class TLSDumpMasterSecrets(Auxiliary):
@@ -32,22 +35,33 @@ def __init__(self, options, config):
     def start(self):
         proc_info = PROCESSENTRY32()
         proc_info.dwSize = sizeof(PROCESSENTRY32)
+
         snapshot = KERNEL32.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
         if snapshot in (None, INVALID_HANDLE_VALUE_PTR):
             log.warning("Failed to create process snapshot")
+            del self.options["tlsdump"]
             return
+
         flag = KERNEL32.Process32First(snapshot, byref(proc_info))
         pid = 0
+
         while flag:
-            if proc_info.sz_exeFile == b"lsass.exe":
+            exename = proc_info.sz_exeFile
+            if isinstance(exename, bytes):
+                exename = exename.decode("utf-8", errors="replace")
+            if exename == "lsass.exe":
                 pid = proc_info.th32ProcessID
                 log.info("lsass.exe found, pid %d", pid)
-                flag = 0
+                break
             flag = KERNEL32.Process32Next(snapshot, byref(proc_info))
+
         KERNEL32.CloseHandle(snapshot)
+
         if not pid:
             log.warning("Unable to find lsass.exe process")
+            del self.options["tlsdump"]
             return
+
         try:
             p = Process(options=self.options, config=self.config, pid=pid)
             filepath = p.get_filepath()
@@ -56,8 +70,6 @@ def start(self):
             if "process access denied" in e.message:
                 log.warning("You're not running the Agent as Administrator")
             else:
-                log.warning(
-                    "An unknown error occurred while trying to inject into the lsass.exe process to dump TLS master secrets: %s",
-                    e,
-                )
+                log.warning("An unknown error occurred while trying to inject into the lsass.exe process to dump TLS master secrets: %s", e)
+
         del self.options["tlsdump"]

web/analysis/templatetags/analysis_tags.py

@@ -262,6 +262,7 @@ def split_csv(value):
         return [str(v).strip() for v in value if str(v).strip()]
     return [t.strip() for t in str(value).split(",") if t.strip()]
 
+@register.filter
 def cert_chain_signers(signers):
     return [s for s in (signers or []) if "Certificate Chain" in s.get("name", "")]