14 changes: 4 additions & 10 deletions analyzer/windows/analyzer.py
Expand Up @@ -1241,6 +1241,7 @@ def _handle_service(self, servname):
def _handle_resume(self, data):
# RESUME:2560,3728'
self.analyzer.LASTINJECT_TIME = timeit.default_timer()
self._handle_process(data)

def _handle_shutdown(self, data):
"""Handle attempted shutdowns/restarts.
Expand Down Expand Up @@ -1334,16 +1335,9 @@ def _handle_process(self, data):
suspended = False
process_id = thread_id = None
# We parse the process ID.
suspended, data = data.split(b":")
if b"," not in data:
if data.isdigit():
process_id = int(data)
elif data.count(b",") == 1:
process_id, param = data.split(b",")
thread_id = None
process_id = int(process_id) if process_id.isdigit() else None
if param.isdigit():
thread_id = int(param)
pid_s, tid_s = data.split(b",", 1)
process_id = int(pid_s)
thread_id = int(tid_s)
if process_id and not ANALYSIS_TIMED_OUT:
if process_id not in (self.analyzer.pid, self.analyzer.ppid):
# We inject the process only if it's not being
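Review bot: The new `pid_s, tid_s = data.split(b",", 1)` / `process_id = int(pid_s)` / `thread_id = int(tid_s)` lines raise ValueError on a PROCESS message with no comma or a non-numeric field, where the removed code left process_id/thread_id as None and fell through to the `if process_id` guard. Unless the dispatcher that calls _handle_process catches ValueError (it is outside this hunk), one malformed pipe message now aborts the handler instead of being skipped, and since the pipe is fed from inside the monitored process the parser is better kept tolerant; a narrow except as below keeps the simplification and the old fail-closed behaviour. _handle_process starts before the hunk and continues past it, and `suspended = False` at the top of the hunk looks like a leftover now that a `suspended` prefix is no longer parsed, so it is worth dropping if nothing else reads it. In the first hunk the comment `# RESUME:2560,3728'` carries a stray trailing quote.
```python
# … unchanged: process_id = thread_id = None …
try:
    pid_s, tid_s = data.split(b",", 1)
    process_id, thread_id = int(pid_s), int(tid_s)
except ValueError:
    # Malformed PROCESS message (missing comma or non-numeric field):
    # leave both as None so the guard below skips injection, as before.
    pass  # NOTE(review): log the raw message here with the module logger
if process_id and not ANALYSIS_TIMED_OUT:
```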
Binary file modified analyzer/windows/dll/capemon.dll
Binary file not shown.
Binary file modified analyzer/windows/dll/capemon_x64.dll
Binary file not shown.
13 changes: 13 additions & 0 deletions changelog.md
@@ -1,3 +1,16 @@
### [22.10.2025]
* Remove obsolete 'suspended' parameter from PROCESS monitor message
* Monitor updates:
* WriteMemoryHandler: prevent analysis log spam for small PE writes
* Cap per-process messages to prevent detonation slow-down & failure in e.g. 9f8333d81c13ea426953b758140836cff2cf7e7f32e36738f118c6257c6efd34
* Experimental debugger action 'guard' to trap on guard violation
* (origin/capemon, origin/HEAD) YaraHarness: write rules canary detection to analysis log
* YaraHarness: simplify 'dump' option
* Deprecate Win7 wow64 breakpoint workaround
* Implement Gemini suggestions from #111
* Merge pull request #111 from StephanTLavavej/unordered_map
* Improve NtContinueHandler debug register stealth/protection to allow detonation of e.g. 8443224de889424012ba57ec075fec219104fffa8c3ae13a2db27b4ba9d71a3b

### [13.10.2025]
* Monitor updates:
* Fix debug output for dump-limit config setting