#ifndef __CONFIG_H
#define __CONFIG_H
/*
Cuckoo Sandbox - Automated Malware Analysis
Copyright (C) 2010-2012 Cuckoo Sandbox Developers
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
// Capacity of each EXCLUSION_MAX-sized pointer list in struct _g_config
// (excluded_apinames, excluded_dllnames, base_on_apiname, dump_on_apinames,
// coverage_modules, trace_into_api). Whatever fills those lists must stop at
// this bound; the terminator convention is not fixed in this header.
#define EXCLUSION_MAX 128
// Number of slots in g_config.bp[] and g_config.action[] (debugger breakpoints).
#define BREAKPOINT_MAX 0x100
// Number of slots in g_config.sysbp[] -- presumably syscall-breakpoint
// addresses, going by the name and the sysbpmode field; confirm in the debugger code.
#define SYSBP_MAX 0x400
// Global monitor configuration. The single instance is g_config (declared
// below); read_config() is the declared loader. Nothing in this header shows
// where the values come from, so treat every field as externally supplied:
// the string buffers are fixed at MAX_PATH and must only ever be filled by a
// bounded, NUL-terminating copy, and the pointer fields carry no ownership or
// lifetime rule here. NOTE(review): verify both points in read_config, which
// is not in this file.
struct _g_config {
// name of the pipe to communicate with cuckoo
wchar_t pipe_name[MAX_PATH];
// log server endpoint; the exact format is not fixed here (presumably
// host:port -- confirm against read_config)
char logserver[MAX_PATH];
// results directory, has to be hidden (presumably from the sample under
// analysis); narrow-character copy
char results[MAX_PATH];
// results directory, has to be hidden; wide-character copy of `results`
wchar_t w_results[MAX_PATH];
// analyzer directory, has to be hidden; narrow-character copy
char analyzer[MAX_PATH];
// analyzer directory, has to be hidden; wide-character copy of `analyzer`
wchar_t w_analyzer[MAX_PATH];
// python directory, has to be hidden; narrow-character copy
char pythonpath[MAX_PATH];
// python directory, has to be hidden; wide-character copy of `pythonpath`
wchar_t w_pythonpath[MAX_PATH];
// capemon DLL directory
wchar_t dllpath[MAX_PATH];
// file of interest (heap pointer; who allocates and frees it is not shown here)
wchar_t *file_of_interest;
// URL of interest (same ownership caveat as file_of_interest)
wchar_t *url_of_interest;
// Referrer for initial URL request, wide and narrow forms
wchar_t *w_referrer;
char *referrer;
// if this mutex exists then we're shutting down
char shutdown_mutex[MAX_PATH];
// event set by analyzer when our process is potentially going to be terminated
// capemon itself will flush logs at this point, but the analyzer may take additional
// actions, like process dumping
char terminate_event_name[MAX_PATH];
// is this the first process or not?
int first_process;
// do we want to ignore "file of interest" and other forms of log reduction?
int full_logs;
// should we attempt anti-anti-sandbox/VM tricks ?
int no_stealth;
// how many milliseconds since startup
unsigned int startup_time;
// system volume serial number (for reproducing Milicenso)
unsigned int serial_number;
// system32 create time (for reproducing Milicenso)
FILETIME sys32_ctime;
// system volume information create time (for reproducing Milicenso)
FILETIME sysvol_ctime;
// do we force sleep-skipping despite threads?
int force_sleepskip;
// do we force flushing of each log?
int force_flush;
// Debugging level (1 = display exceptions, 2 = display all exceptions)
int debug;
// Default hook type (may be overridden for specific functions)
int hook_type;
// Disable hook content
int disable_hook_content;
// Disable api hooks based on excessive rate
unsigned int api_rate_cap;
// Disable api hooks based on excessive count
unsigned int api_cap;
// server ip and port -- retained as commented-out history; no field is
// declared for them and the address lives in logserver above
//unsigned int host_ip;
//unsigned short host_port;
// ntdll write protection
unsigned int ntdll_protect;
// ntdll remap protection
unsigned int ntdll_remap;
// Dropped files limit
unsigned int dropped_limit;
BOOLEAN suspend_logging;
// EXCLUSION_MAX-bounded lists. NOTE(review): the terminator convention
// (NULL sentinel vs. separate count) is not visible here -- confirm in
// read_config before iterating past a populated prefix.
char *excluded_apinames[EXCLUSION_MAX];
wchar_t *excluded_dllnames[EXCLUSION_MAX];
char *base_on_apiname[EXCLUSION_MAX];
char *dump_on_apinames[EXCLUSION_MAX];
wchar_t *coverage_modules[EXCLUSION_MAX];
int dump_on_api_type;
// exception logging (RtlDispatchException hook)
int log_exceptions;
// behavioural payload extraction options
int unpacker;
int injection;
int caller_regions;
// should we dump each process on exit/analysis timeout?
int procdump;
int procmemdump;
// should we attempt import reconstruction on each process dump? (slow)
int import_reconstruction;
// should we terminate processes after dumping on terminate_event?
int terminate_processes;
// dump regions containing c2
int dump_config_region;
// prevent monitoring child processes
int single_process;
// breakpoint logging to behavior log
int log_breakpoints;
// branch tracing
int branch_trace;
// for monitor testing
int standalone;
// interactive desktop
int interactive;
// for dumping of crypto API buffers
int dump_crypto;
// for dumping of crypto API ImportKey buffers
int dump_keys;
// for PlugX config & payload extraction
int plugx;
// syscall hooks
int syscall;
// Enable debugger
int debugger;
// Fake RDTSC
int fake_rdtsc;
// NOP RDTSCP
int nop_rdtscp;
// Adobe Reader settings
int pdf;
// TLS secret dump mode
int tlsdump;
// Registry API dump mode
int regdump;
// YARA scans
int yarascan;
// AMSI dumps (Win10+)
int amsidump;
// Minimal hook set
int minhook;
// Zero hook set
int zerohook;
// Microsoft Office hook set
int office;
// Mozilla Firefox hook set
int firefox;
// Google Chrome hook set
int chrome;
// Microsoft Edge hook set
int edge;
// Internet Explorer hook set
int iexplore;
// MSI hook set
int msi;
// Allow scans/dumps with loader lock held
int loaderlock_scans;
// break-on-API / break-on-module names. Note the asymmetry with
// break_on_return below: these two are pointers, that one is a fixed buffer.
char *break_on_apiname;
char *break_on_modname;
char break_on_return[MAX_PATH];
// the *_set flags record whether the corresponding option was supplied
BOOLEAN break_on_return_set;
BOOLEAN break_on_apiname_set;
BOOLEAN break_on_jit;
// debugger breakpoints (bp0..bp7); zerobpN presumably marks slot N as
// cleared/zero -- confirm in the debugger code
PVOID bp0, bp1, bp2, bp3;
BOOLEAN zerobp0, zerobp1, zerobp2, zerobp3;
PVOID bp4, bp5, bp6, bp7;
BOOLEAN zerobp4, zerobp5, zerobp6, zerobp7;
// break-on-return: brX
PVOID br0, br1, br2, br3;
// count
unsigned int count0, count1, count2, count3;
// Hit count
unsigned int hc0, hc1, hc2, hc3;
// Dump type
int dumptype0, dumptype1, dumptype2, dumptype3;
// Type strings (fixed MAX_PATH buffers; same bounded-copy requirement as the
// path buffers at the top of the struct)
char typestring[MAX_PATH], typestring0[MAX_PATH], typestring1[MAX_PATH], typestring2[MAX_PATH], typestring3[MAX_PATH];
// breakpoint address tables, sized by BREAKPOINT_MAX / SYSBP_MAX; action[i]
// pairs with bp[i] by index
PVOID bp[BREAKPOINT_MAX], sysbp[SYSBP_MAX];
char *action[BREAKPOINT_MAX];
BOOLEAN loopskip;
int sysbpmode;
int trace_all;
int step_out;
int file_offsets;
int no_logs;
int disable_logging;
int base_on_alloc;
int base_on_caller;
// EXCLUSION_MAX-bounded list; same terminator caveat as excluded_apinames
char *trace_into_api[EXCLUSION_MAX];
};
// The process-wide configuration instance. Declared here only; the definition
// lives in a translation unit outside this header.
extern struct _g_config g_config;
// Loads g_config. The return contract is not specified in this header --
// NOTE(review): check the definition for what it returns on failure before
// treating a non-zero result as success.
int read_config(void);
#endif