Merge branch 'master' into staging

Author: doomedraven

README.md

@@ -228,3 +228,4 @@ If you use CAPEv2 in your work, please cite it as specified in the "Cite this re
 
 ### Docs
 * [ReadTheDocs](https://capev2.readthedocs.io/en/latest/#)
+* [DeepWiki](https://deepwiki.com/kevoreilly/CAPEv2/1-overview) - AI generated, some might be wrong but generally pretty accurate.

agent/agent.py

@@ -9,7 +9,6 @@
 import http.server
 import ipaddress
 import json
-import multiprocessing
 import os
 import platform
 import random
@@ -25,9 +24,8 @@
 import time
 import traceback
 from io import StringIO
-from multiprocessing.synchronize import Event as EventClass
 from threading import Lock
-from typing import Iterable, Optional
+from typing import Iterable
 from zipfile import ZipFile
 
 try:
@@ -45,7 +43,7 @@
 if sys.maxsize > 2**32 and sys.platform == "win32":
     sys.exit("You should install python3 x86! not x64")
 
-AGENT_VERSION = "0.18"
+AGENT_VERSION = "0.19"
 AGENT_FEATURES = [
     "execpy",
     "execute",
@@ -97,7 +95,7 @@ def _missing_(cls, value):
 AGENT_BROWSER_EXT_PATH = ""
 AGENT_BROWSER_LOCK = Lock()
 ANALYZER_FOLDER = ""
-agent_mutexes: dict[str, str] = {}
+agent_mutexes: dict = {}
 """Holds handles of mutexes held by the agent."""
 state = {
     "status": Status.INIT,
@@ -180,7 +178,7 @@ def run(
         self,
         host: ipaddress.IPv4Address = ipaddress.IPv4Address("0.0.0.0"),
         port: int = 8000,
-        event: Optional[EventClass] = None,
+        event = None,
     ):
         socketserver.ThreadingTCPServer.allow_reuse_address = True
         self.s = socketserver.ThreadingTCPServer((str(host), port), self.handler)
@@ -324,8 +322,8 @@ def headers(self, obj):
 
 
 class request:
-    form: dict[str, str] = {}
-    files: dict[str, str] = {}
+    form: dict = {}
+    files: dict = {}
     client_ip = None
     client_port = None
     method = None
@@ -378,7 +376,7 @@ def get_subprocess_status():
     """Return the subprocess status."""
     async_subprocess = state.get("async_subprocess")
     message = "Analysis status"
-    exitcode = async_subprocess.exitcode
+    exitcode = async_subprocess.poll()
     if exitcode is None or (sys.platform == "win32" and exitcode == 259):
         # Process is still running.
         state["status"] = Status.RUNNING
@@ -713,9 +711,7 @@ def background_subprocess(command_args, cwd, base64_encode, shell=False):
 
 def spawn(args, cwd, base64_encode, shell=False):
     """Kick off a subprocess in the background."""
-    run_subprocess_args = [args, cwd, base64_encode, shell]
-    proc = multiprocessing.Process(target=background_subprocess, name=f"child process {args[1]}", args=run_subprocess_args)
-    proc.start()
+    proc = subprocess.Popen(args, cwd=cwd, shell=shell)
     state["status"] = Status.RUNNING
     state["description"] = ""
     state["async_subprocess"] = proc
@@ -799,7 +795,6 @@ def do_kill():
 
 
 if __name__ == "__main__":
-    multiprocessing.set_start_method("spawn")
     parser = argparse.ArgumentParser()
     parser.add_argument("host", nargs="?", default="0.0.0.0")
     parser.add_argument("port", type=int, nargs="?", default=8000)

agent/test_agent.py

@@ -9,6 +9,7 @@
 import pathlib
 import random
 import shutil
+import subprocess
 import sys
 import tempfile
 import time
@@ -39,8 +40,8 @@ class TestAgentFunctions:
     @mock.patch("sys.platform", "win32")
     def test_get_subprocess_259(self):
         mock_process_id = 999998
-        mock_subprocess = mock.Mock(spec=multiprocessing.Process)
-        mock_subprocess.exitcode = 259
+        mock_subprocess = mock.Mock(spec=subprocess.Popen)
+        mock_subprocess.poll = mock.Mock(return_value=259)
         mock_subprocess.pid = mock_process_id
         with mock.patch.dict(agent.state, {"async_subprocess": mock_subprocess}):
             actual = agent.get_subprocess_status()

analyzer/windows/bin/PPLinject.exe

@@ -6,7 +6,7 @@ rule DarkGateLoader
         cape_options = "bp0=$decrypt1+30,bp0=$decrypt2+29,action0=dump:eax::ebx,bp1=$decrypt3+80,action1=dumpsize:eax,bp2=$decrypt3+124,hc2=1,action2=dump:eax,count=0"
         packed = "b15e4b4fcd9f0d23d902d91af9cc4e01417c426e55f6e0b4ad7256f72ac0231a"
     strings:
-        $loader = {6C 6F 61 64 65 72}
+        $loader = "loader"
         $decrypt1 = {B? 01 00 00 00 8B [3] E8 [4] 8B D7 32 54 [4] 88 54 18 FF 4? 4? 75}
         $decrypt2 = {B? 01 00 00 00 8B [2] E8 [4] 8B D7 2B D3 [4] 88 54 18 FF 4? 4? 75}
         $decrypt3 = {89 85 [4] 8B 85 [4] 8B F0 8D BD [4] B? 10 [3] F3 A5 8B 85 [4] 33 D2 [2] 8B 85 [4] 99}

analyzer/windows/bin/PPLinject64.exe

@@ -3,16 +3,17 @@ rule Socks5Systemz
     meta:
         author = "kevoreilly"
         description = "Socks5Systemz config extraction"
-        cape_options = "br0=user32::wsprintfA,action1=string:[esp],count=0,typestring=Socks5Systemz Config"
+        cape_options = "br0=user32::wsprintfA,br1=ntdll::sprintf,action2=string:[esp],action3=string:[esp],count=0,typestring=Socks5Systemz Config"
         packed = "9b997d0de3fe83091726919a0dc653e22f8f8b20b1bb7d0b8485652e88396f29"
     strings:
         $chunk1 = {0F B6 84 8A [4] E9 [3] (00|FF)}
         $chunk2 = {0F B6 04 8D [4] E9 [3] (00|FF)}
-        $chunk3 = {0F B6 04 8D [4] E9 [3] (00|FF)}
-        $chunk4 = {0F B6 04 8D [4] E9 [3] (00|FF)}
-        $chunk5 = {66 0F 6F 05 [4] E9 [3] (00|FF)}
-        $chunk6 = {F0 0F B1 95 [4] E9 [3] (00|FF)}
-        $chunk7 = {83 FA 04 E9 [3] (00|FF)}
+        $chunk3 = {66 0F 6F 05 [4] E9 [3] (00|FF)}
+        $chunk4 = {F0 0F B1 95 [4] E9 [3] (00|FF)}
+        $chunk5 = {83 FA 04 E9 [3] (00|FF)}
+        $chunk6 = {8A 04 8D [4] E9 [3] (00|FF)}
+        $chunk7 = {83 C4 04 83 C4 04 E9}
+        $chunk8 = {83 C2 04 87 14 24 5C E9}
     condition:
-        uint16(0) == 0x5A4D and 6 of them
+        uint16(0) == 0x5A4D and 5 of them
 }