[Win 10] Permission denied error #1376

Closed
RoemIko opened this issue Feb 16, 2023 · 28 comments

Comments

@RoemIko
Contributor

RoemIko commented Feb 16, 2023

About accounts on capesandbox.com

  • Issues aren't the way to ask for account activation. Ping capesandbox on Twitter with your username.

This is open source and you are getting free support so be friendly!

  • Free support from doomedraven ended - no whiskey, no support. For updates check the documentation.

Prerequisites

Please answer the following questions for yourself before submitting an issue.

  • [✔] I am running the latest version
  • [✔] I did read the README!
  • [✔] I checked the documentation and found no answer
  • [✔] I checked to make sure that this issue has not already been filed
  • [✔] I'm reporting the issue to the correct repository (for multi-repository projects)
  • [✔] I have read and checked all configs (with all optional parts)

Expected Behavior

I expect the agent to work correctly with the right permissions.

Current Behavior

Whenever I upload a sample, it fails because of permissions.

Failure Information (for bugs)

Please help provide information about the failure if this is a bug. If it is not a bug, please remove the rest of this template.

Steps to Reproduce

Please provide detailed steps for reproducing the issue.

  1. Upload sample
  2. Choose Win 10
  3. Submit

Context

CAPE is running on Ubuntu 22.04 with KVM machinery, which has a Windows 10 64-bit guest running 32-bit Python 3.10; Python has been added to PATH, the host is isolated, and there is communication. The agent is running with highest privileges from a scheduled task. Whenever I upload a sample, it seems to fail at a certain point. I have tried many ways to get the agent running as admin, which I assume it is. I have set the C:\ drive to be accessible by anyone.
I have connected to the VM and see the directories being made, but it seems to fail the moment it tries to read the PID.ini file in /dll/.
The firewall has been shut off and Windows Defender has also been turned off.

Any tips or ideas would be appreciated

OS version: Ubuntu 22.04

Failure Logs

Logs from the web interface

2023-02-15 15:18:35,104 [root] INFO: Date set to: 20230216T12:49:15, timeout set to: 200
2023-02-16 12:49:17,366 [root] DEBUG: Starting analyzer from: C:\tmpxc7l_qzp
2023-02-16 12:49:17,366 [root] DEBUG: Storing results at: C:\SahBbkKy
2023-02-16 12:49:17,366 [root] DEBUG: Pipe server name: \\.\PIPE\pYQZHPmtE
2023-02-16 12:49:17,366 [root] DEBUG: Python path: C:\Users\ApaTolos\AppData\Local\Programs\Python\Python311-32
2023-02-16 12:49:17,382 [root] INFO: Analysis package "exe" has been specified
2023-02-16 12:49:17,382 [root] DEBUG: Importing analysis package "exe"...
2023-02-16 12:49:17,382 [root] DEBUG: Initializing analysis package "exe"...
2023-02-16 12:49:17,382 [root] DEBUG: New location of moved file: C:\Users\ApaTolos\AppData\Local\Temp\HelloWorld.exe
2023-02-16 12:49:17,382 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2023-02-16 12:49:17,382 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2023-02-16 12:49:17,382 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2023-02-16 12:49:17,382 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2023-02-16 12:49:17,994 [root] DEBUG: Importing auxiliary module "modules.auxiliary.browser"...
2023-02-16 12:49:18,024 [root] DEBUG: Importing auxiliary module "modules.auxiliary.curtain"...
2023-02-16 12:49:18,056 [root] DEBUG: Importing auxiliary module "modules.auxiliary.digisig"...
2023-02-16 12:49:18,151 [root] DEBUG: Importing auxiliary module "modules.auxiliary.disguise"...
2023-02-16 12:49:18,304 [root] DEBUG: Importing auxiliary module "modules.auxiliary.during_script"...
2023-02-16 12:49:18,304 [root] DEBUG: Importing auxiliary module "modules.auxiliary.evtx"...
2023-02-16 12:49:18,335 [root] DEBUG: Importing auxiliary module "modules.auxiliary.filepickup"...
2023-02-16 12:49:18,366 [root] DEBUG: Importing auxiliary module "modules.auxiliary.human"...
2023-02-16 12:49:18,382 [root] DEBUG: Importing auxiliary module "modules.auxiliary.permissions"...
2023-02-16 12:49:18,398 [root] DEBUG: Importing auxiliary module "modules.auxiliary.pre_script"...
2023-02-16 12:49:18,398 [root] DEBUG: Importing auxiliary module "modules.auxiliary.procmon"...
2023-02-16 12:49:18,398 [root] DEBUG: Importing auxiliary module "modules.auxiliary.screenshots"...
2023-02-16 12:49:18,429 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2023-02-16 12:49:18,638 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2023-02-16 12:49:18,638 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2023-02-16 12:49:18,648 [root] DEBUG: Importing auxiliary module "modules.auxiliary.sysmon"...
2023-02-16 12:49:18,663 [root] DEBUG: Importing auxiliary module "modules.auxiliary.tlsdump"...
2023-02-16 12:49:18,663 [root] DEBUG: Importing auxiliary module "modules.auxiliary.usage"...
2023-02-16 12:49:18,663 [root] DEBUG: Initialized auxiliary module "Browser"
2023-02-16 12:49:18,663 [root] DEBUG: Trying to start auxiliary module "Browser"...
2023-02-16 12:49:18,679 [root] DEBUG: Started auxiliary module "Browser"
2023-02-16 12:49:18,679 [root] DEBUG: Started auxiliary module Browser
2023-02-16 12:49:18,679 [root] DEBUG: Initialized auxiliary module "Curtain"
2023-02-16 12:49:18,679 [root] DEBUG: Trying to start auxiliary module "Curtain"...
2023-02-16 12:49:18,679 [root] DEBUG: Started auxiliary module "Curtain"
2023-02-16 12:49:18,679 [root] DEBUG: Started auxiliary module Curtain
2023-02-16 12:49:18,679 [root] DEBUG: Initialized auxiliary module "DigiSig"
2023-02-16 12:49:18,679 [root] DEBUG: Trying to start auxiliary module "DigiSig"...
2023-02-16 12:49:18,679 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2023-02-16 12:49:19,366 [modules.auxiliary.digisig] DEBUG: File is not signed
2023-02-16 12:49:19,366 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2023-02-16 12:49:19,383 [root] DEBUG: Started auxiliary module "DigiSig"
2023-02-16 12:49:19,383 [root] DEBUG: Started auxiliary module DigiSig
2023-02-16 12:49:19,383 [root] DEBUG: Initialized auxiliary module "Disguise"
2023-02-16 12:49:19,383 [root] DEBUG: Trying to start auxiliary module "Disguise"...
2023-02-16 12:49:19,383 [modules.auxiliary.disguise] INFO: Disguising GUID to 25e78f6a-04e3-4faa-b061-6ed0aed275b2
2023-02-16 12:49:19,383 [root] DEBUG: Started auxiliary module "Disguise"
2023-02-16 12:49:19,383 [root] DEBUG: Started auxiliary module Disguise
2023-02-16 12:49:19,383 [root] DEBUG: Initialized auxiliary module "Evtx"
2023-02-16 12:49:19,383 [root] DEBUG: Trying to start auxiliary module "Evtx"...
2023-02-16 12:49:19,383 [root] DEBUG: Started auxiliary module "Evtx"
2023-02-16 12:49:19,383 [root] DEBUG: Started auxiliary module Evtx
2023-02-16 12:49:19,383 [root] DEBUG: Initialized auxiliary module "FilePickup"
2023-02-16 12:49:19,383 [root] DEBUG: Trying to start auxiliary module "FilePickup"...
2023-02-16 12:49:19,383 [root] DEBUG: Started auxiliary module "FilePickup"
2023-02-16 12:49:19,383 [root] DEBUG: Started auxiliary module FilePickup
2023-02-16 12:49:19,383 [root] DEBUG: Initialized auxiliary module "Human"
2023-02-16 12:49:19,383 [root] DEBUG: Trying to start auxiliary module "Human"...
2023-02-16 12:49:19,398 [root] DEBUG: Started auxiliary module "Human"
2023-02-16 12:49:19,398 [root] DEBUG: Started auxiliary module Human
2023-02-16 12:49:19,398 [root] DEBUG: Initialized auxiliary module "Permissions"
2023-02-16 12:49:19,398 [root] DEBUG: Trying to start auxiliary module "Permissions"...
2023-02-16 12:49:19,398 [modules.auxiliary.permissions] DEBUG: Adjusting permissions for [WindowsPath('C:/tmpxc7l_qzp'), 'C:\\tmp*']
2023-02-16 12:49:35,320 [modules.auxiliary.permissions] WARNING: 'Modify admin' call was unable to complete in 15 seconds
2023-02-16 12:49:50,335 [modules.auxiliary.permissions] WARNING: 'Inheritance' call was unable to complete in 15 seconds
2023-02-16 12:49:50,335 [root] DEBUG: Started auxiliary module "Permissions"
2023-02-16 12:49:50,356 [root] DEBUG: Started auxiliary module Permissions
2023-02-16 12:49:50,398 [root] DEBUG: Initialized auxiliary module "Pre_script"
2023-02-16 12:49:50,398 [root] DEBUG: Trying to start auxiliary module "Pre_script"...
2023-02-16 12:49:50,429 [root] DEBUG: Started auxiliary module "Pre_script"
2023-02-16 12:49:50,446 [root] DEBUG: Started auxiliary module Pre_script
2023-02-16 12:49:50,460 [root] DEBUG: Initialized auxiliary module "Procmon"
2023-02-16 12:49:50,460 [root] DEBUG: Trying to start auxiliary module "Procmon"...
2023-02-16 12:49:50,460 [root] DEBUG: Started auxiliary module "Procmon"
2023-02-16 12:49:50,460 [root] DEBUG: Started auxiliary module Procmon
2023-02-16 12:49:50,460 [root] DEBUG: Initialized auxiliary module "Screenshots"
2023-02-16 12:49:50,460 [root] DEBUG: Trying to start auxiliary module "Screenshots"...
2023-02-16 12:49:50,477 [root] DEBUG: Started auxiliary module "Screenshots"
2023-02-16 12:49:50,477 [root] DEBUG: Started auxiliary module Screenshots
2023-02-16 12:49:50,477 [root] DEBUG: Initialized auxiliary module "Sysmon"
2023-02-16 12:49:50,477 [root] DEBUG: Trying to start auxiliary module "Sysmon"...
2023-02-16 12:49:50,477 [root] DEBUG: Started auxiliary module "Sysmon"
2023-02-16 12:49:50,477 [root] DEBUG: Started auxiliary module Sysmon
2023-02-16 12:49:50,477 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2023-02-16 12:49:50,477 [root] DEBUG: Trying to start auxiliary module "TLSDumpMasterSecrets"...
2023-02-16 12:49:50,491 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 688
2023-02-16 12:49:50,757 [lib.api.process] INFO: Monitor config for process 688: C:\tmpxc7l_qzp\dll\688.ini
2023-02-16 12:49:50,789 [root] WARNING: Cannot execute auxiliary module TLSDumpMasterSecrets: [Errno 13] Permission denied: 'C:\\tmpxc7l_qzp\\dll\\688.ini'
2023-02-16 12:49:50,804 [root] DEBUG: Initialized auxiliary module "Usage"
2023-02-16 12:49:50,804 [root] DEBUG: Trying to start auxiliary module "Usage"...
2023-02-16 12:49:50,804 [root] DEBUG: Started auxiliary module "Usage"
2023-02-16 12:49:50,804 [root] DEBUG: Started auxiliary module Usage
2023-02-16 12:49:50,820 [root] DEBUG: Initialized auxiliary module "During_script"
2023-02-16 12:49:50,820 [root] DEBUG: Trying to start auxiliary module "During_script"...
2023-02-16 12:49:50,820 [root] DEBUG: Started auxiliary module "During_script"
2023-02-16 12:49:50,820 [root] DEBUG: Started auxiliary module During_script
2023-02-16 12:49:56,979 [root] INFO: Restarting WMI Service
2023-02-16 12:49:59,443 [lib.core.compound] INFO: C:\Users\ApaTolos\AppData\Local\Temp already exists, skipping creation
2023-02-16 12:49:59,521 [lib.api.process] INFO: Successfully executed process from path "C:\Users\ApaTolos\AppData\Local\Temp\HelloWorld.exe" with arguments "" with pid 772
2023-02-16 12:49:59,521 [lib.api.process] INFO: Monitor config for process 772: C:\tmpxc7l_qzp\dll\772.ini
2023-02-16 12:49:59,536 [root] INFO: You probably submitted the job with wrong package
Traceback (most recent call last):
  File "C:\tmpxc7l_qzp\analyzer.py", line 523, in run
    pids = self.package.start(self.target)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\tmpxc7l_qzp\modules\packages\exe.py", line 37, in start
    return self.execute(path, args, path)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\tmpxc7l_qzp\lib\common\abstracts.py", line 124, in execute
    p.inject(INJECT_QUEUEUSERAPC, interest)
  File "C:\tmpxc7l_qzp\lib\api\process.py", line 633, in inject
    self.write_monitor_config(interest, nosleepskip)
  File "C:\tmpxc7l_qzp\lib\api\process.py", line 551, in write_monitor_config
    with open(config_path, "w", encoding="utf-8") as config:
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
PermissionError: [Errno 13] Permission denied: 'C:\\tmpxc7l_qzp\\dll\\772.ini'

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "C:\tmpxc7l_qzp\analyzer.py", line 1389, in <module>
    success = analyzer.run()
              ^^^^^^^^^^^^^^
  File "C:\tmpxc7l_qzp\analyzer.py", line 529, in run
    raise CuckooError(f'The package "{package_name}" start function encountered an unhandled exception: {e}') from e
lib.common.exceptions.CuckooError: The package "modules.packages.exe" start function encountered an unhandled exception: [Errno 13] Permission denied: 'C:\\tmpxc7l_qzp\\dll\\772.ini'
2023-02-16 12:49:59,599 [root] WARNING: Folder at path "C:\SahBbkKy\debugger" does not exist, skipping
2023-02-16 12:49:59,599 [root] WARNING: Folder at path "C:\SahBbkKy\tlsdump" does not exist, skipping
2023-02-16 12:49:59,599 [root] INFO: Analysis completed
@doomedraven
Collaborator

The answer is here: #1371

@RoemIko
Contributor Author

RoemIko commented Feb 16, 2023

@doomedraven you mean update CAPEv2 again?

@doomedraven
Collaborator

No, it's due to the problem of running agent.py with proper permissions. It looks like the latest Win10 broke something and you have to research how to run it properly, or it could be the case that you didn't properly disable MS Defender.

@C0WB0Y-Ducky

@doomedraven could the problem be not Windows 10 but the agent itself, since both of us have had the same issue running as admin or SYSTEM?

@RoemIko
Contributor Author

RoemIko commented Feb 16, 2023

I'll see if adding the agent to the HKLM registry key changes something

Edit: the agent is now running as a service and from the HKLM registry

@C0WB0Y-Ducky

@RoemIko so when I run just as administrator I get a lot of permission denied errors. However, this last one I ran as SYSTEM; I got a permission denied but also got an error for modules.packages.exe.

@RoemIko
Contributor Author

RoemIko commented Feb 16, 2023

I don't have that problem; I only receive a permission denied in the folder that the CAPE agent creates, where the .ini file is located, even if I run the agent as the SYSTEM account, which is the highest account within Windows.

Both Windows Defender and Windows Firewall are turned off.

@RoemIko
Contributor Author

RoemIko commented Feb 16, 2023

I have done the following on the Windows host:

reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v pizzatime /t REG_SZ /d "C:\tmp\agent.pyw"
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v pizzatime /t REG_SZ /d "C:\tmp\agent.pyw"
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices" /v pizzatime /t REG_SZ /d "C:\tmp\agent.pyw"
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce" /v pizzatime /t REG_SZ /d "C:\tmp\agent.pyw"

@doomedraven
Collaborator

doomedraven commented Feb 16, 2023 via email

@RoemIko
Contributor Author

RoemIko commented Feb 16, 2023

That one is also disabled @doomedraven

@doomedraven
Collaborator

doomedraven commented Feb 16, 2023 via email

@RoemIko
Contributor Author

RoemIko commented Feb 16, 2023

(screenshot) Version 22H2, OS build 19045.2006

@C0WB0Y-Ducky

I'm running
Edition - Windows 10 Home
Version - 1903
OS Build - 18362.356

@doomedraven
Collaborator

doomedraven commented Feb 16, 2023 via email

@C0WB0Y-Ducky

C0WB0Y-Ducky commented Feb 16, 2023

I still haven't found a solution to this. However, quick question for you @RoemIko: how did you set up Sysmon? Did you install it on your Windows snapshot, or do the exe and xml just sit in the bin folder?

EDIT: I got Sysmon working; now back to working on this permission denied.

@C0WB0Y-Ducky

C0WB0Y-Ducky commented Feb 16, 2023

I believe I found where the issue stems from, but I do not know how to fix it.

2023-02-16 12:49:35,320 [modules.auxiliary.permissions] WARNING: 'Modify admin' call was unable to complete in 15 seconds
2023-02-16 12:49:50,335 [modules.auxiliary.permissions] WARNING: 'Inheritance' call was unable to complete in 15 seconds

These errors make me think that the permissions.py is not working correctly.

EDIT: Also, if you look at the properties of the tmp directory that CAPE is creating, SYSTEM does not have full control over the folder. With this in mind, it points me towards permissions.py even more.

Edit 2: permissions.py uses icacls to make it Administrator, not SYSTEM...

@RoemIko
Contributor Author

RoemIko commented Feb 16, 2023

@C0WB0Y-Ducky what happens if you alter the icacls call to SYSTEM?

@C0WB0Y-Ducky

@RoemIko I have not tried yet. I went to auxiliary.conf and turned off permissions; re-running now, so I'll let you know if that was a workaround.

@C0WB0Y-Ducky

@RoemIko I got farther by just turning the permissions auxiliary off than I have yet, so in my book that's a win.

@RoemIko
Contributor Author

RoemIko commented Feb 16, 2023

Ah so there is a bug in permissions.py :)

@C0WB0Y-Ducky

C0WB0Y-Ducky commented Feb 16, 2023

Yeah, I got a couple of access denied errors for disguise, and permission denied for curtain, evtx and sysmon logs, but I am getting somewhere.
I probably need to snapshot and try changing permissions.py so that icacls uses SYSTEM.

Edit: To be honest, I have no idea where to start on the icacls thing to change. I don't write in Python much.

@RoemIko
Contributor Author

RoemIko commented Feb 16, 2023

@doomedraven I have tried it too and can confirm it works now. Setting permissions to no makes the sandbox work properly.

@doomedraven
Collaborator

doomedraven commented Feb 16, 2023 via email

@C0WB0Y-Ducky

If y'all ever fix whatever permissions.py does, please comment in here XD

@doomedraven
Collaborator

@cccs-kevin I see that you are the author of that aux module, any tip for them? https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/modules/auxiliary/permissions.py

@cccs-kevin
Collaborator

Hey all, this auxiliary module was migrated over from a Cuckoo PR cuckoosandbox/cuckoo#3136, and the sole focus of this aux module was to prevent ransomware from having the permissions required to encrypt the Python and Cuckoo+CAPE analysis directory. Looks like the permissions are handled differently for these directories https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/modules/auxiliary/permissions.py#L29 with CAPE, so I'll revise the module. PR coming soon.

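Putting C0WB0Y-Ducky's observation (icacls grants Administrators but not SYSTEM) together with cccs-kevin's description of what the module is for, here is an added example. It is not code from this thread and not CAPE's permissions.py; the exact icacls flags, the principal list and the ACL check are this example's own assumptions, and the two icacls listings are constructed for the demonstration. It builds the two operations the log labels "Inheritance" and "Modify admin", granting full control to both NT AUTHORITY\SYSTEM and BUILTIN\Administrators, and parses an `icacls <path>` listing to report which required principal is missing full control.

```python
"""Added example for this thread (not CAPE's permissions.py): build the icacls
calls that lock down the analyzer directory while keeping SYSTEM able to write
to it, and check an icacls listing for principals that lack full control.
Only current_acl() touches the OS; everything else runs offline."""
import re
import subprocess
import sys
from typing import Dict, List, Set, Tuple

# Accounts the analyzer must keep writing as. An agent started from a scheduled
# task or service, as in this thread, runs as NT AUTHORITY\SYSTEM, so locking
# the directory down to Administrators alone leaves SYSTEM unable to write
# ...\dll\<pid>.ini. (Assumption of this example, not the module's own list.)
REQUIRED_PRINCIPALS: Tuple[str, ...] = ("NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators")


def lockdown_commands(path: str, principals: Tuple[str, ...] = REQUIRED_PRINCIPALS) -> List[List[str]]:
    """Return icacls invocations (argv lists, not executed) that strip inherited
    ACEs from `path` and grant full control, recursively, to exactly `principals`.
    Any account not listed, including the low-privileged user a sample runs as,
    loses its inherited access, which is the ransomware mitigation the module aims at."""
    cmds = [["icacls", path, "/inheritance:r", "/T", "/C", "/Q"]]
    for principal in principals:
        # (OI)(CI): the ACE is inherited by files and subfolders; F: full control.
        # /grant:r replaces any existing explicit ACE for that principal.
        cmds.append(["icacls", path, "/grant:r", f"{principal}:(OI)(CI)F", "/T", "/C", "/Q"])
    return cmds


# One ACE per line: "<principal>:(flag)(flag)...". The first output line also
# carries the path in front of the first ACE, which parse_icacls strips.
_ACE_RE = re.compile(r"^(?P<principal>[^:]+):(?P<rights>(?:\([^()]*\))+)$")


def parse_icacls(output: str, path: str) -> Dict[str, Set[str]]:
    """Parse the text printed by `icacls <path>` into {principal: set of right tokens}."""
    acl: Dict[str, Set[str]] = {}
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue  # blank separator or the trailing summary line
        if line.startswith(path):
            line = line[len(path):].strip()
        match = _ACE_RE.match(line)
        if not match:
            continue  # not an ACE line; ignore rather than guess
        tokens = set(re.findall(r"\(([^()]*)\)", match.group("rights")))
        acl.setdefault(match.group("principal"), set()).update(tokens)
    return acl


def missing_full_control(acl: Dict[str, Set[str]],
                         principals: Tuple[str, ...] = REQUIRED_PRINCIPALS) -> List[str]:
    """Principals without an allow-ACE carrying F; a DENY ACE also counts as missing."""
    missing = []
    for principal in principals:
        rights = acl.get(principal, set())
        if "F" not in rights or "DENY" in rights:
            missing.append(principal)
    return missing


def current_acl(path: str) -> Dict[str, Set[str]]:
    """Query the live ACL of `path`. Windows only: icacls does not exist elsewhere."""
    if sys.platform != "win32":
        raise OSError("icacls is only available on Windows")
    proc = subprocess.run(["icacls", path], capture_output=True, text=True, check=True)
    return parse_icacls(proc.stdout, path)


# Constructed icacls listings (not captured from the thread), modelled on the
# tool's output format. The first reflects the failure mode discussed above:
# only Administrators holds an ACE (and only Modify), SYSTEM is absent.
ANALYZER_DIR = "C:\\tmpxc7l_qzp"
BROKEN_LISTING = (
    "C:\\tmpxc7l_qzp BUILTIN\\Administrators:(OI)(CI)(M)\n"
    "\n"
    "Successfully processed 1 files; Failed processing 0 files\n"
)
FIXED_LISTING = (
    "C:\\tmpxc7l_qzp NT AUTHORITY\\SYSTEM:(OI)(CI)(F)\n"
    "               BUILTIN\\Administrators:(OI)(CI)(F)\n"
    "\n"
    "Successfully processed 1 files; Failed processing 0 files\n"
)

if __name__ == "__main__":
    for name, listing in (("broken", BROKEN_LISTING), ("fixed", FIXED_LISTING)):
        gaps = missing_full_control(parse_icacls(listing, ANALYZER_DIR))
        print(f"{name}: missing full control for {gaps or 'nobody'}")
    for argv in lockdown_commands(ANALYZER_DIR):
        print(" ".join(argv))
```

To use this as a check in a guest, run `icacls C:\<analyzer dir>` there (or call `current_acl`) and look at what `missing_full_control` returns; if NT AUTHORITY\SYSTEM is listed while the agent runs as SYSTEM, the analyzer cannot write its per-process .ini files, which is the Errno 13 shown in the traceback above. Turning the aux module off in auxiliary.conf, as done in this thread, skips the lockdown entirely; granting SYSTEM alongside Administrators keeps the lockdown and the write access.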
@doomedraven
Collaborator

doomedraven commented Feb 16, 2023 via email

@doomedraven
Collaborator

Do a git pull, Kevin pushed a fix for you. I guess we can close the issue now?

@RoemIko RoemIko closed this as completed Feb 17, 2023