[Win 10] Permssion denied error

[RoemIko]

About accounts on capesandbox.com

• Issues isn't the way to ask for account activation. Ping capesandbox in Twitter with your username

This is open source and you are getting free support so be friendly!

• Free support from doomedraven ended - no whiskey, no support. For updates check the documentation.

Prerequisites

Please answer the following questions for yourself before submitting an issue.

• [✔] I am running the latest version
• [✔ ] I did read the README!
• [✔ ] I checked the documentation and found no answer
• [✔ ] I checked to make sure that this issue has not already been filed
• [✔ ] I'm reporting the issue to the correct repository (for multi-repository projects)
• [✔ ] I have read and checked all configs (with all optional parts)

Expected Behavior

Expect the agent to work correctly with right permissions.

Current Behavior

Whenever i upload a sample it fails, because of permissions

Failure Information (for bugs)

Please help provide information about the failure if this is a bug. If it is not a bug, please remove the rest of this template.

Steps to Reproduce

Please provide detailed steps for reproducing the issue.

1. Upload sample
2. Choose Win 10
3. Submit

Context

Cape is running on Ubuntu 22.04 with KVM machinery which has Windows 10 64 bit device with python 3.10 32 bit running python has been added to path and the host is isolated and there is communication. The agent is running with highest priviliges from a scheduled task. Whenever i upload an sample it seems to fail at a certain point. I have tried many ways to get the agent running as admin which i assume is. I have set the C:/ drive for anyone to be accesible.
I have connected to the VM and see the directories being made, but it seems to fail the moment it tries to read the PID.ini file in /dll/.
The firewall has been shutoff and windows defender has also been turned off.

Any tips or ideas would be appreciated

Question	Answer
OS version	Ubuntu 22.04

Failure Logs

Logs from the web interface

2023-02-15 15:18:35,104 [root] INFO: Date set to: 20230216T12:49:15, timeout set to: 200
2023-02-16 12:49:17,366 [root] DEBUG: Starting analyzer from: C:\tmpxc7l_qzp
2023-02-16 12:49:17,366 [root] DEBUG: Storing results at: C:\SahBbkKy
2023-02-16 12:49:17,366 [root] DEBUG: Pipe server name: \\.\PIPE\pYQZHPmtE
2023-02-16 12:49:17,366 [root] DEBUG: Python path: C:\Users\ApaTolos\AppData\Local\Programs\Python\Python311-32
2023-02-16 12:49:17,382 [root] INFO: Analysis package "exe" has been specified
2023-02-16 12:49:17,382 [root] DEBUG: Importing analysis package "exe"...
2023-02-16 12:49:17,382 [root] DEBUG: Initializing analysis package "exe"...
2023-02-16 12:49:17,382 [root] DEBUG: New location of moved file: C:\Users\ApaTolos\AppData\Local\Temp\HelloWorld.exe
2023-02-16 12:49:17,382 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2023-02-16 12:49:17,382 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2023-02-16 12:49:17,382 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2023-02-16 12:49:17,382 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2023-02-16 12:49:17,994 [root] DEBUG: Importing auxiliary module "modules.auxiliary.browser"...
2023-02-16 12:49:18,024 [root] DEBUG: Importing auxiliary module "modules.auxiliary.curtain"...
2023-02-16 12:49:18,056 [root] DEBUG: Importing auxiliary module "modules.auxiliary.digisig"...
2023-02-16 12:49:18,151 [root] DEBUG: Importing auxiliary module "modules.auxiliary.disguise"...
2023-02-16 12:49:18,304 [root] DEBUG: Importing auxiliary module "modules.auxiliary.during_script"...
2023-02-16 12:49:18,304 [root] DEBUG: Importing auxiliary module "modules.auxiliary.evtx"...
2023-02-16 12:49:18,335 [root] DEBUG: Importing auxiliary module "modules.auxiliary.filepickup"...
2023-02-16 12:49:18,366 [root] DEBUG: Importing auxiliary module "modules.auxiliary.human"...
2023-02-16 12:49:18,382 [root] DEBUG: Importing auxiliary module "modules.auxiliary.permissions"...
2023-02-16 12:49:18,398 [root] DEBUG: Importing auxiliary module "modules.auxiliary.pre_script"...
2023-02-16 12:49:18,398 [root] DEBUG: Importing auxiliary module "modules.auxiliary.procmon"...
2023-02-16 12:49:18,398 [root] DEBUG: Importing auxiliary module "modules.auxiliary.screenshots"...
2023-02-16 12:49:18,429 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2023-02-16 12:49:18,638 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2023-02-16 12:49:18,638 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2023-02-16 12:49:18,648 [root] DEBUG: Importing auxiliary module "modules.auxiliary.sysmon"...
2023-02-16 12:49:18,663 [root] DEBUG: Importing auxiliary module "modules.auxiliary.tlsdump"...
2023-02-16 12:49:18,663 [root] DEBUG: Importing auxiliary module "modules.auxiliary.usage"...
2023-02-16 12:49:18,663 [root] DEBUG: Initialized auxiliary module "Browser"
2023-02-16 12:49:18,663 [root] DEBUG: Trying to start auxiliary module "Browser"...
2023-02-16 12:49:18,679 [root] DEBUG: Started auxiliary module "Browser"
2023-02-16 12:49:18,679 [root] DEBUG: Started auxiliary module Browser
2023-02-16 12:49:18,679 [root] DEBUG: Initialized auxiliary module "Curtain"
2023-02-16 12:49:18,679 [root] DEBUG: Trying to start auxiliary module "Curtain"...
2023-02-16 12:49:18,679 [root] DEBUG: Started auxiliary module "Curtain"
2023-02-16 12:49:18,679 [root] DEBUG: Started auxiliary module Curtain
2023-02-16 12:49:18,679 [root] DEBUG: Initialized auxiliary module "DigiSig"
2023-02-16 12:49:18,679 [root] DEBUG: Trying to start auxiliary module "DigiSig"...
2023-02-16 12:49:18,679 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2023-02-16 12:49:19,366 [modules.auxiliary.digisig] DEBUG: File is not signed
2023-02-16 12:49:19,366 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2023-02-16 12:49:19,383 [root] DEBUG: Started auxiliary module "DigiSig"
2023-02-16 12:49:19,383 [root] DEBUG: Started auxiliary module DigiSig
2023-02-16 12:49:19,383 [root] DEBUG: Initialized auxiliary module "Disguise"
2023-02-16 12:49:19,383 [root] DEBUG: Trying to start auxiliary module "Disguise"...
2023-02-16 12:49:19,383 [modules.auxiliary.disguise] INFO: Disguising GUID to 25e78f6a-04e3-4faa-b061-6ed0aed275b2
2023-02-16 12:49:19,383 [root] DEBUG: Started auxiliary module "Disguise"
2023-02-16 12:49:19,383 [root] DEBUG: Started auxiliary module Disguise
2023-02-16 12:49:19,383 [root] DEBUG: Initialized auxiliary module "Evtx"
2023-02-16 12:49:19,383 [root] DEBUG: Trying to start auxiliary module "Evtx"...
2023-02-16 12:49:19,383 [root] DEBUG: Started auxiliary module "Evtx"
2023-02-16 12:49:19,383 [root] DEBUG: Started auxiliary module Evtx
2023-02-16 12:49:19,383 [root] DEBUG: Initialized auxiliary module "FilePickup"
2023-02-16 12:49:19,383 [root] DEBUG: Trying to start auxiliary module "FilePickup"...
2023-02-16 12:49:19,383 [root] DEBUG: Started auxiliary module "FilePickup"
2023-02-16 12:49:19,383 [root] DEBUG: Started auxiliary module FilePickup
2023-02-16 12:49:19,383 [root] DEBUG: Initialized auxiliary module "Human"
2023-02-16 12:49:19,383 [root] DEBUG: Trying to start auxiliary module "Human"...
2023-02-16 12:49:19,398 [root] DEBUG: Started auxiliary module "Human"
2023-02-16 12:49:19,398 [root] DEBUG: Started auxiliary module Human
2023-02-16 12:49:19,398 [root] DEBUG: Initialized auxiliary module "Permissions"
2023-02-16 12:49:19,398 [root] DEBUG: Trying to start auxiliary module "Permissions"...
2023-02-16 12:49:19,398 [modules.auxiliary.permissions] DEBUG: Adjusting permissions for [WindowsPath('C:/tmpxc7l_qzp'), 'C:\\tmp*']
2023-02-16 12:49:35,320 [modules.auxiliary.permissions] WARNING: 'Modify admin' call was unable to complete in 15 seconds
2023-02-16 12:49:50,335 [modules.auxiliary.permissions] WARNING: 'Inheritance' call was unable to complete in 15 seconds
2023-02-16 12:49:50,335 [root] DEBUG: Started auxiliary module "Permissions"
2023-02-16 12:49:50,356 [root] DEBUG: Started auxiliary module Permissions
2023-02-16 12:49:50,398 [root] DEBUG: Initialized auxiliary module "Pre_script"
2023-02-16 12:49:50,398 [root] DEBUG: Trying to start auxiliary module "Pre_script"...
2023-02-16 12:49:50,429 [root] DEBUG: Started auxiliary module "Pre_script"
2023-02-16 12:49:50,446 [root] DEBUG: Started auxiliary module Pre_script
2023-02-16 12:49:50,460 [root] DEBUG: Initialized auxiliary module "Procmon"
2023-02-16 12:49:50,460 [root] DEBUG: Trying to start auxiliary module "Procmon"...
2023-02-16 12:49:50,460 [root] DEBUG: Started auxiliary module "Procmon"
2023-02-16 12:49:50,460 [root] DEBUG: Started auxiliary module Procmon
2023-02-16 12:49:50,460 [root] DEBUG: Initialized auxiliary module "Screenshots"
2023-02-16 12:49:50,460 [root] DEBUG: Trying to start auxiliary module "Screenshots"...
2023-02-16 12:49:50,477 [root] DEBUG: Started auxiliary module "Screenshots"
2023-02-16 12:49:50,477 [root] DEBUG: Started auxiliary module Screenshots
2023-02-16 12:49:50,477 [root] DEBUG: Initialized auxiliary module "Sysmon"
2023-02-16 12:49:50,477 [root] DEBUG: Trying to start auxiliary module "Sysmon"...
2023-02-16 12:49:50,477 [root] DEBUG: Started auxiliary module "Sysmon"
2023-02-16 12:49:50,477 [root] DEBUG: Started auxiliary module Sysmon
2023-02-16 12:49:50,477 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2023-02-16 12:49:50,477 [root] DEBUG: Trying to start auxiliary module "TLSDumpMasterSecrets"...
2023-02-16 12:49:50,491 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 688
2023-02-16 12:49:50,757 [lib.api.process] INFO: Monitor config for process 688: C:\tmpxc7l_qzp\dll\688.ini
2023-02-16 12:49:50,789 [root] WARNING: Cannot execute auxiliary module TLSDumpMasterSecrets: [Errno 13] Permission denied: 'C:\\tmpxc7l_qzp\\dll\\688.ini'
2023-02-16 12:49:50,804 [root] DEBUG: Initialized auxiliary module "Usage"
2023-02-16 12:49:50,804 [root] DEBUG: Trying to start auxiliary module "Usage"...
2023-02-16 12:49:50,804 [root] DEBUG: Started auxiliary module "Usage"
2023-02-16 12:49:50,804 [root] DEBUG: Started auxiliary module Usage
2023-02-16 12:49:50,820 [root] DEBUG: Initialized auxiliary module "During_script"
2023-02-16 12:49:50,820 [root] DEBUG: Trying to start auxiliary module "During_script"...
2023-02-16 12:49:50,820 [root] DEBUG: Started auxiliary module "During_script"
2023-02-16 12:49:50,820 [root] DEBUG: Started auxiliary module During_script
2023-02-16 12:49:56,979 [root] INFO: Restarting WMI Service
2023-02-16 12:49:59,443 [lib.core.compound] INFO: C:\Users\ApaTolos\AppData\Local\Temp already exists, skipping creation
2023-02-16 12:49:59,521 [lib.api.process] INFO: Successfully executed process from path "C:\Users\ApaTolos\AppData\Local\Temp\HelloWorld.exe" with arguments "" with pid 772
2023-02-16 12:49:59,521 [lib.api.process] INFO: Monitor config for process 772: C:\tmpxc7l_qzp\dll\772.ini
2023-02-16 12:49:59,536 [root] INFO: You probably submitted the job with wrong package
Traceback (most recent call last):
  File "C:\tmpxc7l_qzp\analyzer.py", line 523, in run
    pids = self.package.start(self.target)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\tmpxc7l_qzp\modules\packages\exe.py", line 37, in start
    return self.execute(path, args, path)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\tmpxc7l_qzp\lib\common\abstracts.py", line 124, in execute
    p.inject(INJECT_QUEUEUSERAPC, interest)
  File "C:\tmpxc7l_qzp\lib\api\process.py", line 633, in inject
    self.write_monitor_config(interest, nosleepskip)
  File "C:\tmpxc7l_qzp\lib\api\process.py", line 551, in write_monitor_config
    with open(config_path, "w", encoding="utf-8") as config:
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
PermissionError: [Errno 13] Permission denied: 'C:\\tmpxc7l_qzp\\dll\\772.ini'

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "C:\tmpxc7l_qzp\analyzer.py", line 1389, in <module>
    success = analyzer.run()
              ^^^^^^^^^^^^^^
  File "C:\tmpxc7l_qzp\analyzer.py", line 529, in run
    raise CuckooError(f'The package "{package_name}" start function encountered an unhandled exception: {e}') from e
lib.common.exceptions.CuckooError: The package "modules.packages.exe" start function encountered an unhandled exception: [Errno 13] Permission denied: 'C:\\tmpxc7l_qzp\\dll\\772.ini'
2023-02-16 12:49:59,599 [root] WARNING: Folder at path "C:\SahBbkKy\debugger" does not exist, skipping
2023-02-16 12:49:59,599 [root] WARNING: Folder at path "C:\SahBbkKy\tlsdump" does not exist, skipping
2023-02-16 12:49:59,599 [root] INFO: Analysis completed

[doomedraven]

the answer is here #1371

[RoemIko]

@doomedraven you mean update CAPEv2 again?

[doomedraven]

no, due to the problem to run agent.py with proper permissions, looks like latest win10 broke something and you have to do research how to run it properly, or could be case that you didn't disable properly ms defender.

[C0WB0Y-Ducky]

@doomedraven could the problem not be windows 10 since both of us have had the same issue of running as admin or system but the agent itself?

[RoemIko]

I'll see if adding the agent to the HKLM registry key changes something

Edit: the agent is now running as a service and from the HKLM registry

[C0WB0Y-Ducky]

@RoemIko so when i run just as administrator i get alot of permission denied. However this last one i ran as system i got a permission denied but also got an error for modules.packages.exe

[RoemIko]

I dont have that problem i only receive a permission denied in the folder that the cape agent creates, where the .ini file is located. Even if i run the agent as a system account which is the highest account within Windows.

Both windows defender and windows firewall are turned off.

[RoemIko]

i have done the following on the windows host

reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v pizzatime /t REG_SZ /d "C:\tmp\agent.pyw"
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v pizzatime /t REG_SZ /d "C:\tmp\agent.pyw"
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices" /v pizzatime /t REG_SZ /d "C:\tmp\agent.pyw"
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce" /v pizzatime /t REG_SZ /d "C:\tmp\agent.pyw"

[doomedraven]

What about winfows defender? El jue, 16 feb 2023 16:00, RoemIko ***@***.***> escribió:

…

i have done the following on the windows host reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v pizzatime /t REG_SZ /d "C:\tmp\agent.pyw" reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v pizzatime /t REG_SZ /d "C:\tmp\agent.pyw" reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices" /v pizzatime /t REG_SZ /d "C:\tmp\agent.pyw" reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce" /v pizzatime /t REG_SZ /d "C:\tmp\agent.pyw" — Reply to this email directly, view it on GitHub <#1376 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAOFH34S5KYYJUAJR4JPXXDWXY6JRANCNFSM6AAAAAAU6FJ6SU> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[RoemIko]

That one is also disabled @doomedraven

[doomedraven]

What win10 build? Latest? El jue, 16 feb 2023 16:15, RoemIko ***@***.***> escribió:

…

That one is also disabled @doomedraven <https://github.com/doomedraven> — Reply to this email directly, view it on GitHub <#1376 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAOFH37DS5EAJRPCGX4OIMLWXY77TANCNFSM6AAAAAAU6FJ6SU> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[RoemIko]

version 22h2 OS build 19045.2006

[C0WB0Y-Ducky]

I'm running
Edition - Windows 10 Home
Version - 1903
OS Build - 18362.356

[doomedraven]

This one should be working just fine weird El jue, 16 feb 2023 16:49, RoemIko ***@***.***> escribió:

…

[image: image] <https://user-images.githubusercontent.com/45184251/219416944-6b5cdfb7-2e74-4d02-8377-49b922ef172a.png> version 22h2 OS build 19045.2006 — Reply to this email directly, view it on GitHub <#1376 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAOFH37PYUIUNCFPM3IRFR3WXZD7RANCNFSM6AAAAAAU6FJ6SU> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[C0WB0Y-Ducky]

I still havent found a solution to this. However quick question for you @RoemIko how did you setup sysmon did you install it on your windows snapshot or does the exe and xml just sit in the bin folder.

EDIT: I got sysmon working now back to trying to get this permission denied working