capemon/config.h at capemon · reverseame/capemon

History

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

#ifndef __CONFIG_H

#define __CONFIG_H

/*

Cuckoo Sandbox - Automated Malware Analysis

This program is free software: you can redistribute it and/or modify

it under the terms of the GNU General Public License as published by

the Free Software Foundation, either version 3 of the License, or

(at your option) any later version.

This program is distributed in the hope that it will be useful,

but WITHOUT ANY WARRANTY; without even the implied warranty of

MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

GNU General Public License for more details.

You should have received a copy of the GNU General Public License

along with this program. If not, see <http://www.gnu.org/licenses/>.

*/

#define EXCLUSION_MAX 128

#define BREAKPOINT_MAX 0x100

#define SYSBP_MAX 0x400

struct _g_config {

// name of the pipe to communicate with cuckoo

wchar_t pipe_name[MAX_PATH];

char logserver[MAX_PATH];

// results directory, has to be hidden

char results[MAX_PATH];

// results directory, has to be hidden

wchar_t w_results[MAX_PATH];

// analyzer directory, has to be hidden

char analyzer[MAX_PATH];

// analyzer directory, has to be hidden

wchar_t w_analyzer[MAX_PATH];

// python directory, has to be hidden

char pythonpath[MAX_PATH];

// python directory, has to be hidden

wchar_t w_pythonpath[MAX_PATH];

// capemon DLL directory

wchar_t dllpath[MAX_PATH];

// file of interest

wchar_t *file_of_interest;

// URL of interest

wchar_t *url_of_interest;

// Referrer for initial URL request

wchar_t *w_referrer;

char *referrer;

// if this mutex exists then we're shutting down

char shutdown_mutex[MAX_PATH];

// event set by analyzer when our process is potentially going to be terminated

// capemon itself will flush logs at this point, but the analyzer may take additional

// actions, like process dumping

char terminate_event_name[MAX_PATH];

// is this the first process or not?

int first_process;

// do we want to ignore "file of interest" and other forms of log reduction?

int full_logs;

// should we attempt anti-anti-sandbox/VM tricks ?

int no_stealth;

// how many milliseconds since startup

unsigned int startup_time;

// system volume serial number (for reproducing Milicenso)

unsigned int serial_number;

// system32 create time (for reproducing Milicenso)

FILETIME sys32_ctime;

// system volume information create time (for reproducing Milicenso)

FILETIME sysvol_ctime;

// do we force sleep-skipping despite threads?

int force_sleepskip;

// do we force flushing of each log?

int force_flush;

// Debugging level (1 = display exceptions, 2 = display all exceptions)

int debug;

// Default hook type (may be overridden for specific functions)

int hook_type;

// Disable hook content

int disable_hook_content;

// Disable api hooks based on excessive rate

unsigned int api_rate_cap;

// Disable api hooks based on excessive count

unsigned int api_cap;

// server ip and port

//unsigned int host_ip;

//unsigned short host_port;

// ntdll write protection

unsigned int ntdll_protect;

// ntdll remap protection

unsigned int ntdll_remap;

// Dropped files limit

unsigned int dropped_limit;

BOOLEAN suspend_logging;

char *excluded_apinames[EXCLUSION_MAX];

wchar_t *excluded_dllnames[EXCLUSION_MAX];

char *base_on_apiname[EXCLUSION_MAX];

char *dump_on_apinames[EXCLUSION_MAX];

wchar_t *coverage_modules[EXCLUSION_MAX];

int dump_on_api_type;

// exception logging (RtlDispatchException hook)

int log_exceptions;

// behavioural payload extraction options

int unpacker;

int injection;

int caller_regions;

// should we dump each process on exit/analysis timeout?

int procdump;

int procmemdump;

// should we attempt import reconstruction on each process dump? (slow)

int import_reconstruction;

// should we terminate processes after dumping on terminate_event?

int terminate_processes;

// dump regions containing c2

int dump_config_region;

// prevent monitoring child processes

int single_process;

// breakpoint logging to behavior log

int log_breakpoints;

// branch tracing

int branch_trace;

// for monitor testing

int standalone;

// interactive desktop

int interactive;

// for dumping of crypto API buffers

int dump_crypto;

// for dumping of crypto API ImportKey buffers

int dump_keys;

// for PlugX config & payload extraction

int plugx;

// syscall hooks

int syscall;

// Enable debugger

int debugger;

// Fake RDTSC

int fake_rdtsc;

// NOP RDTSCP

int nop_rdtscp;

// Adobe Reader settings

int pdf;

// TLS secret dump mode

int tlsdump;

// Registry API dump mode

int regdump;

// YARA scans

int yarascan;

// AMSI dumps (Win10+)

int amsidump;

// Minimal hook set

int minhook;

// Zero hook set

int zerohook;

// Microsoft Office hook set

int office;

// Mozilla Firefox hook set

int firefox;

// Google Chrome hook set

int chrome;

// Microsoft Edge hook set

int edge;

// Internet Explorer hook set

int iexplore;

// MSI hook set

int msi;

// Allow scans/dumps with loader lock held

int loaderlock_scans;

char *break_on_apiname;

char *break_on_modname;

char break_on_return[MAX_PATH];

BOOLEAN break_on_return_set;

BOOLEAN break_on_apiname_set;

BOOLEAN break_on_jit;

// debugger breakpoints

PVOID bp0, bp1, bp2, bp3;

BOOLEAN zerobp0, zerobp1, zerobp2, zerobp3;

PVOID bp4, bp5, bp6, bp7;

BOOLEAN zerobp4, zerobp5, zerobp6, zerobp7;

// break-on-return: brX

PVOID br0, br1, br2, br3;

// count

unsigned int count0, count1, count2, count3;

// Hit count

unsigned int hc0, hc1, hc2, hc3;

// Dump type

int dumptype0, dumptype1, dumptype2, dumptype3;

// Type strings

char typestring[MAX_PATH], typestring0[MAX_PATH], typestring1[MAX_PATH], typestring2[MAX_PATH], typestring3[MAX_PATH];

PVOID bp[BREAKPOINT_MAX], sysbp[SYSBP_MAX];

char *action[BREAKPOINT_MAX];

BOOLEAN loopskip;

int sysbpmode;

int trace_all;

int step_out;

int file_offsets;

int no_logs;

int disable_logging;

int base_on_alloc;

int base_on_caller;

char *trace_into_api[EXCLUSION_MAX];

};

extern struct _g_config g_config;

int read_config(void);

#endif

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

config.h

config.h

Files

config.h

Latest commit

History

config.h

File metadata and controls