From 1ce6dfa0643cf9c902c234fe0cf34f28a675f05c Mon Sep 17 00:00:00 2001
From: Nia Catlin <5470374+ncatlin@users.noreply.github.com>
Date: Mon, 26 Jan 2026 15:03:12 +0000
Subject: [PATCH 1/4] convert string type property data to ints where applicable (#2867)
* convert string type property data to ints where applicable
* Apply suggestion from @gemini-code-assist[bot]
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
* Refactor exception handling for data conversion Use contextlib's suppress to handle exceptions when converting formatted data to int.
* Fix syntax error in suppress context manager
---------
Co-authored-by: doomedraven
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
---
 analyzer/windows/modules/auxiliary/amsi.py | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/analyzer/windows/modules/auxiliary/amsi.py b/analyzer/windows/modules/auxiliary/amsi.py
index 05750811be8..9e20572065b 100644
--- a/analyzer/windows/modules/auxiliary/amsi.py
+++ b/analyzer/windows/modules/auxiliary/amsi.py
@@ -31,6 +31,7 @@ import sys
 import threading
 import uuid
+from contextlib import suppress
 logger = logging.getLogger(__name__)
@@ -1001,6 +1002,11 @@ def _unpackSimpleType(self, record, info, event_property):
 data = formatted_data.value
 # Convert the formatted data if necessary
+ if isinstance(data, str):
+ if out_type >= TDH_OUTTYPE_BYTE and out_type <= TDH_OUTTYPE_UNSIGNEDLONG:
+ with suppress(Exception):
+ data = int(data)
+
 if out_type in TDH_CONVERTER_LOOKUP and type(data) is TDH_CONVERTER_LOOKUP[out_type]:
 data = TDH_CONVERTER_LOOKUP[out_type](data)
From ed76773ad37a2efe7a1ffac068a6ae1bb455aae7 Mon Sep 17 00:00:00 2001
From: doomedraven
Date: Mon, 26 Jan 2026 16:03:47 +0100
Subject: [PATCH 2/4] Remove unnecessary blank line in dist.py
---
 utils/dist.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
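Review bot: `with suppress(Exception):` around `data = int(data)` is wider than the failure it guards — `int()` on a `str` raises `ValueError` — and it silently leaves non-numeric strings as `str` for a property the schema declares as an integer, so consumers see mixed types with no trace; narrow it to `with suppress(ValueError):` and consider a debug-level log in the fall-through case. The range test would read more naturally as the chained comparison `if TDH_OUTTYPE_BYTE <= out_type <= TDH_OUTTYPE_UNSIGNEDLONG:`, and a short comment that this relies on the integer out types being contiguous in the TDH_OUTTYPE enum (they are in tdh.h) would save the next reader a lookup. `_unpackSimpleType` begins before this hunk and, as far as can be seen, continues past it.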
diff --git a/utils/dist.py b/utils/dist.py
index 5b9bb0b6fae..7ddf845a8c8 100644
--- a/utils/dist.py
+++ b/utils/dist.py
@@ -1450,7 +1450,7 @@ def submit_tasks(self, node_name, pend_tasks_num, options_like=False, force_push
 """
 # 4. Apply the limit and execute the query.
 to_upload = db.scalars(stmt.limit(pend_tasks_num)).all()
-
+
 if not to_upload:
 db.commit()
 log.info("nothing to upload? How? o_O")
From 01080909748bed725b1e517194189b2f19c29ee8 Mon Sep 17 00:00:00 2001
From: Kevin O'Reilly
Date: Mon, 26 Jan 2026 18:24:17 +0000
Subject: [PATCH 3/4] HijackLoader payload extraction & detection (accompanying config parser in cape-parsers repo)
---
 analyzer/windows/data/yara/HijackLoader.yar | 13 +++++++++++++
 data/yara/CAPE/HijackLoader.yar | 13 +++++++++++++
 2 files changed, 26 insertions(+)
 create mode 100644 analyzer/windows/data/yara/HijackLoader.yar
 create mode 100644 data/yara/CAPE/HijackLoader.yar
diff --git a/analyzer/windows/data/yara/HijackLoader.yar b/analyzer/windows/data/yara/HijackLoader.yar
new file mode 100644
index 00000000000..7e74dc0cdc7
--- /dev/null
+++ b/analyzer/windows/data/yara/HijackLoader.yar
@@ -0,0 +1,13 @@
+rule HijackLoaderStub
+{
+ meta:
+ author = "kevoreilly"
+ description = "HijackLoader Stub Executable"
+ cape_options = "dump-limit=0,dump"
+ strings:
+ $stub1 = {50 83 C0 10 50 56 8D 85 [4] 50 E8 [4] 83 C7 30 8D 85 [4] 3B F8 74 08 8B 35 [4] EB D3}
+ $stub2 = {33 C5 89 45 ?? (C6 45 ?? 00|C7 45 ?? 61 7A 2D 2D) 8D 45 ?? FF 75 ?? C7 45 ?? 30 39 41 5A 50 8D 45 (??|?? C7 45 ?? 61 7A 2D 2D) 50 E8}
+ $app = "\\app-" wide
+ condition:
+ 2 of them
+}
diff --git a/data/yara/CAPE/HijackLoader.yar b/data/yara/CAPE/HijackLoader.yar
new file mode 100644
index 00000000000..01d8cff22ee
--- /dev/null
+++ b/data/yara/CAPE/HijackLoader.yar
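Review bot: The rule body here is duplicated verbatim in `data/yara/CAPE/HijackLoader.yar` (the hunk that follows), differing only in the `cape_options` versus `cape_type` meta, so any later change to `$stub1` or `$stub2` must be made in both places; a short comment in each copy naming its sibling would make that coupling visible. The two hex strings are opaque to a maintainer, so a comment above each stating what they anchor on would help — the immediates `61 7A 2D 2D` and `30 39 41 5A` in `$stub2` decode to ASCII `az--` and `09AZ`, which look like a character-range table being written to the stack, though that reading is inferred. `$app = "\\app-" wide` is a short, generic path fragment, so with `2 of them` the specificity rests on the byte patterns; recording that intent in the meta would discourage a future edit from relaxing the condition to `any of them`.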
@@ -0,0 +1,13 @@
+rule HijackLoaderStub
+{
+ meta:
+ author = "kevoreilly"
+ description = "HijackLoader Stub Executable"
+ cape_type = "HijackLoader Payload"
+ strings:
+ $stub1 = {50 83 C0 10 50 56 8D 85 [4] 50 E8 [4] 83 C7 30 8D 85 [4] 3B F8 74 08 8B 35 [4] EB D3}
+ $stub2 = {33 C5 89 45 ?? (C6 45 ?? 00|C7 45 ?? 61 7A 2D 2D) 8D 45 ?? FF 75 ?? C7 45 ?? 30 39 41 5A 50 8D 45 (??|?? C7 45 ?? 61 7A 2D 2D) 50 E8}
+ $app = "\\app-" wide
+ condition:
+ 2 of them
+}
From ddabbfc7243fda76457580384a484416369cb172 Mon Sep 17 00:00:00 2001
From: doomedraven
Date: Mon, 26 Jan 2026 19:39:31 +0100
Subject: [PATCH 4/4] Improve connection handling in views.py Refactor connection handling and error management for remote sessions.
---
 web/guac/views.py | 82 +++++++++++++++++++++++++++--------------------
 1 file changed, 48 insertions(+), 34 deletions(-)
diff --git a/web/guac/views.py b/web/guac/views.py
index 2223a8c449f..e090e7aa7e0 100644
--- a/web/guac/views.py
+++ b/web/guac/views.py
@@ -35,37 +35,51 @@ def index(request, task_id, session_data):
 state = None
 recording_name = ""
- conn = libvirt.open(machinery_dsn)
- if conn:
- try:
- session_id, label, guest_ip = urlsafe_b64decode(session_data).decode("utf8").split("|")
- recording_name = f"{task_id}_{session_id}"
- dom = conn.lookupByName(label)
- if dom:
- state = dom.state(flags=0)
- except Exception as e:
- return render(
- request,
- "guac/error.html",
- {"error_msg": f"{e}", "error": "remote session", "task_id": task_id},
- )
-
- if state:
- if state[0] == 1:
- vmXml = dom.XMLDesc(0)
- root = ET.fromstring(vmXml)
- graphics = root.find('./devices/graphics[@type="vnc"]')
- vncport = graphics.get("port") if graphics else None
- return render(
- request,
- "guac/index.html",
- {
- "vncport": vncport,
- "session_id": session_id,
- "task_id": task_id,
- "recording_name": recording_name,
- "guest_ip": guest_ip,
- },
- )
- else:
- return render(request, "guac/wait.html", {"task_id": task_id})
+ try:
+ conn = libvirt.open(machinery_dsn)
+ if conn:
+ try:
+ session_id, label, guest_ip = urlsafe_b64decode(session_data).decode("utf8").split("|")
+ recording_name = f"{task_id}_{session_id}"
+ dom = conn.lookupByName(label)
+ if dom:
+ state = dom.state(flags=0)
+ except Exception as e:
+ return render(
+ request,
+ "guac/error.html",
+ {"error_msg": f"{e}", "error": "remote session", "task_id": task_id},
+ )
+
+ if state:
+ if state[0] == 1:
+ vmXml = dom.XMLDesc(0)
+ root = ET.fromstring(vmXml)
+ graphics = root.find('./devices/graphics[@type="vnc"]')
+ vncport = graphics.get("port") if graphics else None
+ return render(
+ request,
+ "guac/index.html",
+ {
+ "vncport": vncport,
+ "session_id": session_id,
+ "task_id": task_id,
+ "recording_name": recording_name,
+ "guest_ip": guest_ip,
+ },
+ )
+ else:
+ return render(request, "guac/wait.html", {"task_id": task_id})
+ finally:
+ if conn:
+ try:
+ conn.close()
+ except Exception:
+ pass
+
+ # Fallback return if something went wrong before rendering
+ return render(
+ request,
+ "guac/error.html",
+ {"error_msg": "Could not connect to hypervisor", "error": "remote session", "task_id": task_id},
+ )
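Review bot: `conn` is first bound inside the `try` (`conn = libvirt.open(machinery_dsn)`), so if that call raises, the `finally` block's `if conn:` fails with UnboundLocalError and masks the original libvirt error; bind `conn = None` before the `try`. As far as I know `libvirt.open()` raises `libvirt.libvirtError` rather than returning None on failure, so the "Could not connect to hypervisor" fallback at the end is effectively unreachable and a connection failure reaches the user as an unhandled exception; an `except libvirt.libvirtError` branch around the open that renders the error page with that fixed message (rather than the raw exception text, which can carry the hypervisor URI) would make the failure path deliberate. Rendering `f"{e}"` for the inner failures predates this change and is left as is. `index()` begins before this hunk; its signature appears only in the hunk header.
```python
    conn = None  # bound up front so the finally below never sees an unbound name
    try:
        conn = libvirt.open(machinery_dsn)
    except libvirt.libvirtError:
        # libvirt.open() raises rather than returning None; render the fixed
        # message instead of the raw error text, which can carry the hypervisor URI
        return render(
            request,
            "guac/error.html",
            {"error_msg": "Could not connect to hypervisor", "error": "remote session", "task_id": task_id},
        )
    try:
        # … unchanged: `if conn:` block with session decode, lookupByName, state checks and renders …
    finally:
        # … unchanged: guarded conn.close() …
```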