Thanks for creating an issue! But first: did you read our community guidelines?
https://cuckoo.sh/docs/introduction/community.html
It seems to use Windows API to analyze Linux memory dump.
Cuckoo version: 2.0.7
2019-07-29 11:07:24,765 [cuckoo.processing.behavior] WARNING: Analysis results folder does not contain any behavior log files.
2019-07-29 10:27:51,506 [cuckoo.core.plugins] ERROR: Failed to run the processing module "Memory" for task #27:
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/cuckoo/core/plugins.py", line 246, in process
data = current.run()
File "/usr/local/lib/python2.7/dist-packages/cuckoo/processing/memory.py", line 1118, in run
return VolatilityManager(self.memory_path, osprofile).run()
File "/usr/local/lib/python2.7/dist-packages/cuckoo/processing/memory.py", line 1039, in run
results[plugin_name] = getattr(self.vol, plugin_name)()
File "/usr/local/lib/python2.7/dist-packages/cuckoo/processing/memory.py", line 172, in pslist
for process in command.calculate():
File "/usr/local/lib/python2.7/dist-packages/volatility-2.6.1-py2.7.egg/volatility/win32/tasks.py", line 88, in pslist
for p in get_kdbg(addr_space).processes():
File "/usr/local/lib/python2.7/dist-packages/volatility-2.6.1-py2.7.egg/volatility/win32/tasks.py", line 50, in get_kdbg
if obj.VolMagic(addr_space).KPCR.value:
File "/usr/local/lib/python2.7/dist-packages/volatility-2.6.1-py2.7.egg/volatility/obj.py", line 751, in __getattr__
return self.m(attr)
File "/usr/local/lib/python2.7/dist-packages/volatility-2.6.1-py2.7.egg/volatility/obj.py", line 733, in m
raise AttributeError("Struct {0} has no member {1}".format(self.obj_name, attr))
AttributeError: Struct VOLATILITY_MAGIC has no member KPCR
Update issue 1, I can't get the behavior analysis result.
In my testing, I always get the warning message "Netlog client requested banned path: logs/all.stap".
And I found in the resultserver.py
RESULT_UPLOADABLE = ("files", "shots", "buffer", "extracted", "memory")
RESULT_DIRECTORIES = RESULT_UPLOADABLE + ("reports", "logs")
def netlog_sanitize_fname(path):
"""Validate agent-provided path for result files"""
path = path.replace("\\", "/")
dir_part, name = os.path.split(path)
if dir_part not in RESULT_UPLOADABLE:
raise CuckooOperationalError("Netlog client requested banned path: %r"
% path)
if any(c in BANNED_PATH_CHARS for c in name):
for c in BANNED_PATH_CHARS:
path = path.replace(c, "X")
return path
In my result, the "dir_part" is "logs", but it is not in RESULT_UPLOADABLE. If I revise "if dir_part not in RESULT_UPLOADABLE:" to "if dir_part not in RESULT_DIRECTORIES:", everything works well.
Is it correct or I misunderstand something?
Can confirm this fixes it....
Thanks for posting an issue. The netlog warning is a bug. The logs path should be open for uploads from the analyzer. This is on my patch list. I am also working on some other bugs.
Sorry for the inconvenience.
Hi!
I had a similar problem using procmon module (which also does upload_to_host(self.procmon_xml, os.path.join("logs", "procmon.xml"))).
I modified the resultserver.py code as @myhsu says, and it has worked for me :)
Now, I regard that the code is correct! If this directory was uploadable, malware could overwrite other logs... Shouldn't modules write in other directories (like, the uploadable path files)?
Most helpful comment
Update issue 1, I can't get the behavior analysis result.
In my testing, I always get the warning message "Netlog client requested banned path: logs/all.stap".
And I found in the resultserver.py
In my result, the "dir_part" is "logs", but it is not in RESULT_UPLOADABLE. If I revise "if dir_part not in RESULT_UPLOADABLE:" to "if dir_part not in RESULT_DIRECTORIES:", everything works well.
Is it correct or I misunderstand something?