Merge branch 'master' into staging

analyzer/linux/modules/auxiliary/filecollector.py

@@ -37,7 +37,7 @@ def stop(self):
 
         time.sleep(2)  # wait a while to process stuff in the queue
         self.do_run = False
-        self.thread.join()
+        self.thread.join(timeout=5)
 
     def __init__(self, options, config):
         Auxiliary.__init__(self, options, config)

analyzer/windows/analyzer.py

@@ -504,8 +504,6 @@ def run(self):
                 if mod_name in windows_modules:
                     mod_name += "_windows"
                 if hasattr(self.config, mod_name) and getattr(self.config, mod_name, False):
-                    log.debug('Importing auxiliary module "%s"...', name)
-                    __import__(name, globals(), locals(), ["dummy"])
                     # log.debug('Imported auxiliary module "%s"', name)
             except ImportError as e:
                 log.warning('Unable to import the auxiliary module "%s": %s', name, e)
@@ -527,7 +525,7 @@ def run(self):
             else:
                 log.debug("Started auxiliary module %s", module.__module__)
                 AUX_ENABLED.append(aux)
-    
+
         """
         # Inform zer0m0n of the ResultServer address.
         zer0m0n.resultserver(self.config.ip, self.config.port)

analyzer/windows/data/yara/SlowLoader.yar

@@ -0,0 +1,12 @@
+rule SlowLoader
+{
+    meta:
+        author = "kevoreilly"
+        description = "SlowLoader detonation aide for slow cpus (thread race)"
+        cape_options = "break-on-return=CreateProcessA,action0=sleep:1000,count=0"
+        packed = "f6eeb73ffb3e6d6cc48f74344cb590614db7e3116ba00a52aefd7dff468a60a5"
+    strings:
+        $code = {0F B6 44 07 08 0F B6 54 1F 08 03 C2 25 FF 00 00 80 79 07 48 0D 00 FF FF FF 40 89 45 ?? 6A 00}
+    condition:
+        any of them
+}

analyzer/windows/data/yara/Themida.yar

@@ -0,0 +1,12 @@
+rule Themida
+{
+    meta:
+        author = "kevoreilly"
+        description = "Themida detonation shim"
+        cape_options = "unhook-apis=NtSetInformationThread,force-sleepskip=0"
+        packed = "6337ff4cf413f56cc6c9a8e67f24b8d7f94f620eae06ac9f0b113b5ba82ea176"
+    strings:
+        $code = {FC 31 C9 49 89 CA 31 C0 31 DB AC 30 C8 88 E9 88 D5 88 F2 B6 08 66 D1 EB 66 D1 D8 73 09}
+    condition:
+        uint16(0) == 0x5A4D and all of them
+}

analyzer/windows/lib/common/constants.py

@@ -52,6 +52,7 @@
 
 ARCHIVE_OPTIONS = (OPT_FILE, OPT_PASSWORD)
 DLL_OPTIONS = (OPT_ARGUMENTS, OPT_DLLLOADER, OPT_FUNCTION)
+SERVICE_OPTIONS = (OPT_SERVICENAME, OPT_SERVICEDESC, OPT_ARGUMENTS)
 
 
 """ Excel, Word, and Powerpoint won't have macros enabled without interaction for
@@ -65,3 +66,11 @@
 TRUSTED_PATH_TEXT = (
     f"Use MS Office Trusted Path location {MSOFFICE_TRUSTED_PATH} unless the user has provided a '{OPT_CURDIR}' option."
 )
+
+DLL_OPTION_TEXT = f"""\
+Use the '{OPT_DLLLOADER}' option to set the name of the process loading the DLL (defaults to rundll32.exe).
+Use the '{OPT_ARGUMENTS}' option to set the arguments to be passed to the exported function(s).
+Use the '{OPT_FUNCTION}' option to set the name of the exported function/ordinal to execute.
+The default function is '#1'.
+Can be multiple function/ordinals split by colon. Ex: function=#1:#3 or #2-4
+"""

analyzer/windows/lib/common/defines.py

@@ -2,9 +2,9 @@
 # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
 # See the file 'docs/LICENSE' for copying permission.
 
+import sys
 from ctypes import (
     POINTER,
-    WINFUNCTYPE,
     Structure,
     Union,
     c_bool,
@@ -17,16 +17,20 @@
     c_ushort,
     c_void_p,
     c_wchar_p,
-    windll,
 )
 
-NTDLL = windll.ntdll
-KERNEL32 = windll.kernel32
-ADVAPI32 = windll.advapi32
-USER32 = windll.user32
-SHELL32 = windll.shell32
-PDH = windll.pdh
-PSAPI = windll.psapi
+if sys.platform == "win32":
+    from ctypes import WINFUNCTYPE, windll
+
+    NTDLL = windll.ntdll
+    KERNEL32 = windll.kernel32
+    ADVAPI32 = windll.advapi32
+    USER32 = windll.user32
+    SHELL32 = windll.shell32
+    PDH = windll.pdh
+    PSAPI = windll.psapi
+    EnumWindowsProc = WINFUNCTYPE(c_bool, POINTER(c_int), POINTER(c_int))
+    EnumChildProc = WINFUNCTYPE(c_bool, POINTER(c_int), POINTER(c_int))
 
 BYTE = c_ubyte
 USHORT = c_ushort
@@ -96,6 +100,7 @@
 ERROR_BROKEN_PIPE = 0x0000006D
 ERROR_MORE_DATA = 0x000000EA
 ERROR_PIPE_CONNECTED = 0x00000217
+ERROR_INVALID_HANDLE = 0x00000006
 
 WAIT_TIMEOUT = 0x00000102
 
@@ -137,6 +142,17 @@
 
 MAX_PATH = 260
 
+# Button messages
+BM_SETCHECK = 0x000000F1
+BM_GETCHECK = 0x000000F0
+# Button states
+BST_UNCHECKED = 0x0000
+BST_CHECKED = 0x0001
+BST_INDETERMINATE = 0x0002
+
+# Process cannot access the file because it is being used by another process.
+ERROR_SHARING_VIOLATION = 0x00000020
+
 
 class STARTUPINFO(Structure):
     _fields_ = [
@@ -311,7 +327,3 @@ class PDH_FMT_COUNTERVALUE(Structure):
         ("CStatus", DWORD),
         ("doubleValue", DOUBLE),
     ]
-
-
-EnumWindowsProc = WINFUNCTYPE(c_bool, POINTER(c_int), POINTER(c_int))
-EnumChildProc = WINFUNCTYPE(c_bool, POINTER(c_int), POINTER(c_int))

analyzer/windows/lib/core/packages.py

@@ -69,7 +69,7 @@ def choose_package(file_type, file_name, exports, target):
         return "rar"
     elif "Macromedia Flash" in file_type or file_name.endswith((".swf", ".fws")):
         return "swf"
-    elif file_name.endswith((".py", ".pyc")) or "Python script" in file_type:
+    elif file_name.endswith((".py", ".pyc")) or "Python script" in file_type or b"import" in file_content:
         return "python"
     elif file_name.endswith(".ps1"):
         return "ps1"
@@ -145,5 +145,7 @@ def choose_package(file_type, file_name, exports, target):
         return "archive"
     elif file_name.endswith(".a3x"):
         return "autoit"
+    elif file_name.endswith(("cmd", "bat")) or b"@echo off" in file_content:
+        return "batch"
     else:
         return "generic"