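--- a/analyzer/windows/lib/api/process.py
+++ b/analyzer/windows/lib/api/process.py
@@ -890,13 +890,13 @@ def inject(self, interest=None, nosleepskip=False):
 bin_name = LOADER64_NAME
 dll = CAPEMON64_NAME
 bit_str = "64-bit"
-side_dll = SIDELOADER64_NAME
+# side_dll = SIDELOADER64_NAME
 else:
 ttd_name = TTD32_NAME
 bin_name = LOADER32_NAME
 dll = CAPEMON32_NAME
 bit_str = "32-bit"
-side_dll = SIDELOADER32_NAME
+# side_dll = SIDELOADER32_NAME
 
 bin_name = os.path.join(Path.cwd(), bin_name)
 dll = os.path.join(Path.cwd(), dll)
@@ -925,22 +925,6 @@ def inject(self, interest=None, nosleepskip=False):
 self.deploy_version_proxy(path)
 return True
 
-if self.detect_dll_sideloading(path):
-try:
-copy(dll, os.path.join(path, "capemon.dll"))
-copy(side_dll, os.path.join(path, "version.dll"))
-copy(os.path.join(Path.cwd(), "dll", f"{self.pid}.ini"), os.path.join(path, "config.ini"))
-except OSError as e:
-log.error("Failed to copy DLL: %s", e)
-return False
-log.info(
-"%s DLL to sideload is %s, sideloader %s",
-bit_str,
-os.path.join(path, "capemon.dll"),
-os.path.join(path, "version.dll"),
-)
-return True
-
 log.info("%s DLL to inject is %s, loader %s", bit_str, dll, bin_name)
 
 try: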
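Review bot: The two `# side_dll = SIDELOADER64_NAME` / `# side_dll = SIDELOADER32_NAME` lines in the first hunk are commented-out code rather than a removal; since the second hunk deletes the only visible consumer (the `detect_dll_sideloading` branch that copied `side_dll` to `version.dll`), delete the two assignments outright so the dead sideloader path is not silently retained. With that branch gone, `SIDELOADER64_NAME`/`SIDELOADER32_NAME` and `detect_dll_sideloading` presumably have no remaining callers in this file — verify and remove them in the same change, otherwise a later reader cannot tell whether the version.dll sideloading path was disabled deliberately or lost by accident. A one-line comment at the point of removal, e.g. `# DLL sideloading via version.dll is no longer used; injection goes through the loader below`, would record the intent. The `inject` method starts before the first hunk and continues past the second.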
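--- a/lib/cuckoo/common/cape_utils.py
+++ b/lib/cuckoo/common/cape_utils.py
@@ -199,7 +199,7 @@ def static_config_parsers(cape_name: str, file_path: str, file_data: bytes) -> d
 # MalDuck
 # Attempt to import a parser for the hit
 if HAVE_CAPE_EXTRACTORS and cape_name in cape_malware_parsers:
-log.debug("Running CAPE on %s", file_path)
+log.debug("Running CAPE parser for %s on %s", cape_name, file_path)
 try:
 # changed from cape_config to cape_configraw because of avoiding overridden. duplicated value name.
 if hasattr(cape_malware_parsers[cape_name], "extract_config"):
@@ -225,7 +225,7 @@ def static_config_parsers(cape_name: str, file_path: str, file_data: bytes) -> d
 
 # DC3-MWCP
 if HAS_MWCP and not parser_loaded and cape_name and cape_name in mwcp_decoders:
-log.debug("Running MWCP on %s", file_path)
+log.debug("Running MWCP parser for %s on %s", cape_name, file_path)
 try:
 report = mwcp.run(mwcp_decoders[cape_name], data=file_data)
 reportmeta = report.as_dict_legacy()
@@ -260,7 +260,7 @@ def static_config_parsers(cape_name: str, file_path: str, file_data: bytes) -> d
 )
 
 elif HAS_MALWARECONFIGS and not parser_loaded and cape_name in rat_decoders:
-log.debug("Running Malwareconfigs on %s", file_path)
+log.debug("Running Malwareconfig parser for %s on %s", cape_name, file_path)
 try:
 module = False
 file_info = fileparser.FileParser(rawdata=file_data)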