
PPLInject64.exe Application Error #2424

Open
6 tasks done
ChrisThibodeaux opened this issue Dec 12, 2024 · 8 comments

Comments


ChrisThibodeaux commented Dec 12, 2024


Prerequisites

Please answer the following questions for yourself before submitting an issue.

  • I am running the latest version
  • I did read the README!
  • I checked the documentation and found no answer
  • I checked to make sure that this issue has not already been filed
  • I'm reporting the issue to the correct repository (for multi-repository projects)
  • I have read and checked all configs (with all optional parts)

Expected Behavior

Please describe the behavior you are expecting. If your x64 samples are stuck in pending, ensure that you set tags=x64 in the hypervisor conf for the x64 VMs.

Current Behavior

PPLInject64.exe error popup on all analysis runs. Same message body each time:

The application was unable to start correctly (0xc00000007b).
Click OK to close the application.

Failure Information (for bugs)

Don't think there is an actual error. In the logs, I am seeing successful injections into 64-bit processes.

Steps to Reproduce

Please provide detailed steps for reproducing the issue.

  1. Start analysis run
  2. View desktop
  3. PPLInject64.exe Application Error popup appears.

Context

  • Ubuntu 22.04 server
  • Windows 10 64-bit guest OS
  • KVM/QEMU/Libvirt
  • 32-bit Python on guest
  • Git commit: 8211cf9
  • OS version: Ubuntu 22.04 host, Windows 10 x64 guest

Failure Logs

[root] DEBUG: 7076: DLL loaded at 0x00007FFCDA7D0000: C:\Windows\SYSTEM32\kernel.appcore (0x12000 bytes).
[root] DEBUG: 7076: DLL loaded at 0x00007FFCDEF70000: C:\Windows\System32\clbcatq (0xa9000 bytes).
[root] DEBUG: 7076: DLL loaded at 0x00007FFCDD030000: C:\Windows\System32\bcryptPrimitives (0x83000 bytes).
[root] DEBUG: 5288: OpenProcessHandler: Injection info created for process 2568, handle 0x2cac: C:\Windows\System32\conhost.exe
[root] INFO: Announced starting service "b'VSS'"
[lib.api.process] INFO: Monitor config for <Process 704 services.exe>: C:\tmp0zaw4afp\dll\704.ini
[lib.api.process] INFO: 64-bit DLL to inject is C:\tmp0zaw4afp\dll\AsPcWgT.dll, loader C:\tmp0zaw4afp\bin\OFtcjPAX.exe
[root] DEBUG: Loader: Injecting process 704 with C:\tmp0zaw4afp\dll\AsPcWgT.dll.
[root] DEBUG: 848: CreateProcessHandler: Injection info set for new process 2352: C:\Windows\System32\slui.exe, ImageBase: 0x00007FF70B380000
[root] INFO: Announced 64-bit process name: slui.exe pid: 2352
[lib.api.process] INFO: Monitor config for <Process 2352 slui.exe>: C:\tmp0zaw4afp\dll\2352.ini
[root] DEBUG: Loader: Copied config file C:\tmp0zaw4afp\dll\704.ini to system path C:\704.ini
[root] DEBUG: Loader: Unable to open process, launched: PPLinject64.exe 704 C:\tmp0zaw4afp\dll\AsPcWgT.dll
[root] DEBUG: Successfully injected DLL C:\tmp0zaw4afp\dll\AsPcWgT.dll.
[lib.api.process] INFO: 64-bit DLL to inject is C:\tmp0zaw4afp\dll\AsPcWgT.dll, loader C:\tmp0zaw4afp\bin\OFtcjPAX.exe
[lib.api.process] INFO: Injected into 64-bit <Process 704 services.exe>
[root] DEBUG: Loader: Injecting process 2352 (thread 4156) with C:\tmp0zaw4afp\dll\AsPcWgT.dll.
[root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
[root] DEBUG: Successfully injected DLL C:\tmp0zaw4afp\dll\AsPcWgT.dll.

[screenshot: snappybee_dll_err_popup]

ChrisThibodeaux (Contributor, Author) commented

Getting this on every run, whether I submit a DLL, archive, or PE. I don't believe this is an actual error, as it looks like the injection succeeds in the logs. I am mainly curious why this error message always shows.

Is this indication that I have incorrectly launched or configured something?

kevoreilly (Owner) commented

Since you are not a new user - has this been happening ever since you started using cape?! Strange that this would crop up now all of a sudden...

But you have omitted a key piece of info.... I trust you are aware of the fact that 21H2 is currently the only version of win10 that pplinject is expected to work with. It is services.exe that is ppl by the way.

ChrisThibodeaux (Contributor, Author) commented

Whoops, sorry about that. Running on 21H2 with UAC disabled.

[screenshot: win_version2]

I'm not seeing this error on my Azure deployment, but that one is running off of a ~5 month old commit and built using the Azure win10 image. Doing a bare metal deployment to take advantage of KVM's features this time around.

kevoreilly (Owner) commented

Well PPLinject hasn't changed for a year or two...

ChrisThibodeaux (Contributor, Author) commented

Gotcha. I'll try to work my way back to the source of this and I'll update here if I find anything. Hoping this is a simple configuration issue on my end.

Thanks!

kevoreilly (Owner) commented

PPLinject is invoked upon access denied when obtaining the target process handle, so it's worth checking that the agent is elevated.

ChrisThibodeaux (Contributor, Author) commented

I am definitely running with the agent elevated; curl returns {"message": "CAPE Agent!", "version": "0.18", "features": ["execpy", "execute", "pinning", "logs", "largefile", "unicodepath", "mutex", "browser_extension"], "is_user_admin": true}.

I've got UAC/Firewall disabled as well.
[screenshot: uac]

I haven't had time to dig into this, but hoping that things calm down middle of next week and I will start throwing in some debugging.

kevoreilly (Owner) commented

It's worth noting that the analysis log provides output from the loader; the snippet(s) relevant to PPLinject would be very helpful in shedding light. As I mentioned, PPLinject is only intended for injection into PPL processes, which basically means services.exe. Although there are occasionally other PPL processes, services injection is the principal reason for its existence in cape.

This means that only a subset of detonations invoke PPLinject and the vast majority only for a single process, services.exe.

So the log(s) as well as the type of sample(s) are highly pertinent.
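The two checks the maintainer asks for in this thread (is the agent elevated, and which loader/PPLinject lines does the analysis log contain for which process) can be scripted. The following is an added example written for this page, not CAPE's own code: it parses the agent's status JSON for `is_user_admin`, filters an analysis log for `Loader:` messages, and for every `PPLinject64.exe <pid> <dll>` invocation records whether `lib.api.process` later confirmed injection into that pid. The log and agent status embedded below are constructed from the lines quoted earlier in this issue; the function names `agent_is_elevated`, `parse_lines` and `triage` are this example's own. For reference, 0xC000007B is the NTSTATUS `STATUS_INVALID_IMAGE_FORMAT`, which Windows raises when an executable image cannot be loaded at all; that reading of the popup's code is mine, not the thread's.

```python
"""Triage helpers for a CAPE analysis log (added example, not CAPE's code):
pull out the loader / PPLinject lines and confirm whether the PPL injection
into each target pid was reported as successful."""
import re
from typing import Dict, List

# Constructed sample: the agent status JSON quoted in the issue, decoded.
SAMPLE_AGENT_STATUS = {
    "message": "CAPE Agent!",
    "version": "0.18",
    "features": ["execpy", "execute", "pinning", "logs", "largefile",
                 "unicodepath", "mutex", "browser_extension"],
    "is_user_admin": True,
}

# Constructed sample: a trimmed copy of the analysis log lines quoted in the issue.
SAMPLE_LOG = r"""
[root] DEBUG: 5288: OpenProcessHandler: Injection info created for process 2568, handle 0x2cac: C:\Windows\System32\conhost.exe
[root] INFO: Announced starting service "b'VSS'"
[lib.api.process] INFO: Monitor config for <Process 704 services.exe>: C:\tmp0zaw4afp\dll\704.ini
[lib.api.process] INFO: 64-bit DLL to inject is C:\tmp0zaw4afp\dll\AsPcWgT.dll, loader C:\tmp0zaw4afp\bin\OFtcjPAX.exe
[root] DEBUG: Loader: Injecting process 704 with C:\tmp0zaw4afp\dll\AsPcWgT.dll.
[root] DEBUG: Loader: Copied config file C:\tmp0zaw4afp\dll\704.ini to system path C:\704.ini
[root] DEBUG: Loader: Unable to open process, launched: PPLinject64.exe 704 C:\tmp0zaw4afp\dll\AsPcWgT.dll
[root] DEBUG: Successfully injected DLL C:\tmp0zaw4afp\dll\AsPcWgT.dll.
[lib.api.process] INFO: Injected into 64-bit <Process 704 services.exe>
[root] DEBUG: Loader: Injecting process 2352 (thread 4156) with C:\tmp0zaw4afp\dll\AsPcWgT.dll.
[root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
[root] DEBUG: Successfully injected DLL C:\tmp0zaw4afp\dll\AsPcWgT.dll.
"""

LINE_RE = re.compile(r"^\[(?P<logger>[^\]]+)\] (?P<level>[A-Z]+): (?P<msg>.*)$")
PROC_RE = re.compile(r"<Process (?P<pid>\d+) (?P<name>[^>]+)>")
PPL_RE = re.compile(r"PPLinject(?:64)?\.exe (?P<pid>\d+) (?P<dll>\S+)", re.IGNORECASE)


def agent_is_elevated(status: dict) -> bool:
    """PPLinject only runs after OpenProcess is denied, so the agent itself must be
    elevated; this is the maintainer's first check, read off the agent's status JSON."""
    return status.get("message") == "CAPE Agent!" and bool(status.get("is_user_admin"))


def parse_lines(log_text: str) -> List[dict]:
    """Split the analysis log into {logger, level, msg} records; lines that do not
    follow the '[logger] LEVEL: message' shape are skipped."""
    records = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            records.append(m.groupdict())
    return records


def triage(log_text: str) -> dict:
    """Return the loader messages and, per PPLinject invocation, the target pid,
    its image name, the DLL handed to PPLinject and whether injection was confirmed."""
    records = parse_lines(log_text)

    # Pass 1: learn pid -> image name from any "<Process PID name>" token.
    names: Dict[int, str] = {}
    for rec in records:
        for pm in PROC_RE.finditer(rec["msg"]):
            names.setdefault(int(pm.group("pid")), pm.group("name"))

    # Pass 2: collect loader output and PPLinject launches.
    loader_lines: List[str] = []
    pplinject: Dict[int, dict] = {}
    for idx, rec in enumerate(records):
        msg = rec["msg"]
        if msg.startswith("Loader:"):
            loader_lines.append(msg)
        ppl = PPL_RE.search(msg)
        if ppl:
            pid = int(ppl.group("pid"))
            # Confirmed only if lib.api.process later reports "Injected into ... <Process PID ...>".
            confirmed = any(
                later["logger"] == "lib.api.process"
                and later["msg"].startswith("Injected into")
                and f"<Process {pid} " in later["msg"]
                for later in records[idx + 1:]
            )
            pplinject[pid] = {
                "name": names.get(pid, "?"),
                "dll": ppl.group("dll"),
                "confirmed": confirmed,
            }
    return {"loader_lines": loader_lines, "pplinject": pplinject}


if __name__ == "__main__":
    print("agent elevated:", agent_is_elevated(SAMPLE_AGENT_STATUS))
    result = triage(SAMPLE_LOG)
    for line in result["loader_lines"]:
        print("loader:", line)
    for pid, info in result["pplinject"].items():
        print(f"PPLinject -> pid {pid} ({info['name']}): confirmed={info['confirmed']}")
```

Run against a full analysis.log, the `pplinject` map is the subset of processes the maintainer is asking about: in the quoted log only pid 704 (services.exe) goes through PPLinject and is confirmed, while pid 2352 is injected via the IAT path and never appears there.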
