OutOfMemory exception on .NET samples w/ Win 10 #529
Comments
An update on this: I've managed to trace the problem back to this line in the capemon repository: https://github.com/kevoreilly/capemon/blob/capemon/misc.c#L817 If I comment out this line and recompile capemon.dll, I do not get this OutOfMemory exception and the sample runs fine on Windows 10. I would make a PR to the capemon repository, but I'm not sure how to adjust this call to memset. Sorry for making the issue in the CAPEv2 repository; I wasn't sure where the issue would be and figured more people would be watching this repo's issues. Let me know if there's anything I can do to help @kevoreilly.
Any good and valid issue is fine here or there :) The mon part is Kevin's, so he can provide proper support on that.
Hi swthorn, I appreciate you creating this issue, so thanks a lot. I recreated the issue yesterday but hadn't yet replied as I didn't have a clue where to start looking... but now that you have found a line in the monitor, you have possibly done the hard bit! Let me test fixing this, then if all works I'll publish a fix ASAP.
The original code ref for this technique has commented out the memset and marked it optional: http://www.openrce.org/blog/view/844/How_to_hide_dll Also, removing the entry from the linked list is sufficient to achieve the function's goal, so the memset is technically superfluous; that and the fact it causes this issue means it will be gone momentarily :)
That's good news; it seems as though other people had issues with this call to memset as well: kevoreilly/capemon#11 - I didn't know this issue was related initially. Thanks for your hard work on this project!
Hmm, I failed to properly read Michael's last post - it must be true that something is still referencing this entry, but if removing the memset solves the issue and still means the module is removed from the PEB's linked list, that's good enough for me. I'll be sure to respond to that thread too. Cheers.
Ok, this should now be fixed! Please let me know if there are any further issues, and thanks again for the help.
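The two points made in the thread above (unlinking the entry from the PEB loader lists is enough to hide the module, and zeroing the entry afterwards breaks whatever still holds a pointer to it) are easier to see in code. The following is an added example written for this page; it is not capemon's code nor the openrce snippet. It is a portable C model of the three PEB_LDR_DATA lists with the Windows field names kept, so it compiles without Windows headers; the module names, base addresses and the "holder" that keeps a reference to the hidden entry are constructed for the example and are assumptions, not observed behaviour of the .NET loader.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Portable model of the PEB loader lists (InLoadOrder, InMemoryOrder,
 * InInitializationOrder). Field names follow the Windows structures; the
 * real LDR_DATA_TABLE_ENTRY has many more fields, only what the unlink and
 * the walkers below need is modelled. Added example, not capemon code. */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

typedef struct {
    LIST_ENTRY InLoadOrderLinks;
    LIST_ENTRY InMemoryOrderLinks;
    LIST_ENTRY InInitializationOrderLinks;
    void *DllBase;
    const char *BaseDllName;
} LDR_ENTRY;

typedef struct {
    LIST_ENTRY InLoadOrderModuleList;
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
} PEB_LDR_DATA;

/* Recover the LDR_ENTRY from a pointer to one of its embedded LIST_ENTRYs. */
#define CONTAINING_RECORD(ptr, type, field) \
    ((type *)((char *)(ptr) - offsetof(type, field)))

static void list_init(LIST_ENTRY *head) { head->Flink = head->Blink = head; }

static void list_append(LIST_ENTRY *head, LIST_ENTRY *e) {
    e->Flink = head;
    e->Blink = head->Blink;
    head->Blink->Flink = e;
    head->Blink = e;
}

/* RemoveEntryList idiom: the neighbours bypass the entry. The entry's own
 * memory is left untouched; nothing about hiding requires zeroing it. */
static void list_unlink(LIST_ENTRY *e) {
    e->Blink->Flink = e->Flink;
    e->Flink->Blink = e->Blink;
}

/* Hide a module from PEB walkers by unlinking it from all three lists. */
void hide_module(LDR_ENTRY *m) {
    list_unlink(&m->InLoadOrderLinks);
    list_unlink(&m->InMemoryOrderLinks);
    list_unlink(&m->InInitializationOrderLinks);
}

/* What a PEB walker sees: entries reachable from the load-order list. */
int count_in_load_order(const PEB_LDR_DATA *ldr) {
    int n = 0;
    const LIST_ENTRY *head = &ldr->InLoadOrderModuleList;
    for (const LIST_ENTRY *p = head->Flink; p != head; p = p->Flink) n++;
    return n;
}

/* Name lookup via the memory-order list (non-zero offset in LDR_ENTRY, so
 * CONTAINING_RECORD is needed). Returns NULL when hidden or absent. */
LDR_ENTRY *find_in_memory_order(PEB_LDR_DATA *ldr, const char *name) {
    LIST_ENTRY *head = &ldr->InMemoryOrderModuleList;
    for (LIST_ENTRY *p = head->Flink; p != head; p = p->Flink) {
        LDR_ENTRY *m = CONTAINING_RECORD(p, LDR_ENTRY, InMemoryOrderLinks);
        if (strcmp(m->BaseDllName, name) == 0) return m;
    }
    return NULL;
}

/* Constructed process image: three modules, the last being the monitor DLL.
 * Names and base addresses are made up for the example. */
typedef struct {
    PEB_LDR_DATA ldr;
    LDR_ENTRY mods[3];
} PROCESS_IMAGE;

void build_image(PROCESS_IMAGE *img) {
    static const char *names[3] = { "ntdll.dll", "kernel32.dll", "capemon.dll" };
    list_init(&img->ldr.InLoadOrderModuleList);
    list_init(&img->ldr.InMemoryOrderModuleList);
    list_init(&img->ldr.InInitializationOrderModuleList);
    for (int i = 0; i < 3; i++) {
        LDR_ENTRY *m = &img->mods[i];
        m->BaseDllName = names[i];
        m->DllBase = (void *)(uintptr_t)(0x10000000u * (i + 1)); /* fake base */
        list_append(&img->ldr.InLoadOrderModuleList, &m->InLoadOrderLinks);
        list_append(&img->ldr.InMemoryOrderModuleList, &m->InMemoryOrderLinks);
        list_append(&img->ldr.InInitializationOrderModuleList, &m->InInitializationOrderLinks);
    }
}

/* Model of the failure mode: some other code (assumed here) still holds a
 * pointer to the entry after it is unlinked. Returns 1 when that holder can
 * still read a valid DllBase, 0 when the memset has wiped it. */
int holder_still_valid(PROCESS_IMAGE *img, int zero_after_unlink) {
    LDR_ENTRY *held = &img->mods[2];     /* reference kept outside the lists */
    hide_module(held);
    if (zero_after_unlink)
        memset(held, 0, sizeof *held);   /* the superfluous memset */
    return held->DllBase != NULL;
}

int main(void) {
    PROCESS_IMAGE img;
    build_image(&img);
    printf("unlink only:     holder valid = %d, modules visible = %d\n",
           holder_still_valid(&img, 0), count_in_load_order(&img.ldr));
    build_image(&img);
    printf("unlink + memset: holder valid = %d, modules visible = %d\n",
           holder_still_valid(&img, 1), count_in_load_order(&img.ldr));
    return 0;
}
```

In both runs the walker no longer sees capemon.dll, which is the goal of the hide; only the memset variant leaves the retained pointer looking at an all-zero entry (NULL DllBase, NULL Flink/Blink), which is the kind of state a loader or runtime that revisits the entry would trip over.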
Expected Behavior
I expect the .NET sample to run on the sandbox as it does on Windows 7. I understand that CAPE is sort of tailored to Windows 7, but I was wondering what the upgrade path to Windows 10 looks like since Windows 7 has reached EOL.
Current Behavior
When running a simple C# hello world program with .NET framework 4.5.2 (which is installed on the Windows 10 guest):
We get an OutOfMemory exception if we enable CAPE monitoring. If it's disabled, the sample runs as expected, indicating there is something in the monitoring script that causes problems.
With CAPE monitoring enabled:
With CAPE monitoring disabled:
Failure Information (for bugs)
I should have plenty of memory:
Steps to Reproduce
Context
I think this may be an issue with the underlying Cuckoo framework as they have an open issue here about it: cuckoosandbox/cuckoo#2382
This may also be a relevant issue: kevoreilly/capemon#10 - though I'm not sure, as I still get the issue when I enable min_hooks (and zero_hooks) in the capemon config.
The sample I have attached works fine on my Windows 7 CAPE VM and capesandbox.com
Since Cuckoo is not maintained anymore, I was hoping to submit this issue on CAPE to see if you guys may address this. Since Windows 7 has reached EOL, what is the progress on converting CAPE to Windows 10?
Failure Logs
analysis.log
cuckoo.log file was empty.
HelloWorldNET.zip - exe sample
Please let me know if I've filled out this issue incorrectly and I will fix it.