[pull] master from kevoreilly:master

analyzer/windows/data/yara/HijackLoader.yar

@@ -0,0 +1,13 @@
+rule HijackLoaderStub
+{
+    meta:
+        author = "kevoreilly"
+        description = "HijackLoader Stub Executable"
+        cape_options = "dump-limit=0,dump"
+    strings:
+        $stub1 = {50 83 C0 10 50 56 8D 85 [4] 50 E8 [4] 83 C7 30 8D 85 [4] 3B F8 74 08 8B 35 [4] EB D3}
+        $stub2 = {33 C5 89 45 ?? (C6 45 ?? 00|C7 45 ?? 61 7A 2D 2D) 8D 45 ?? FF 75 ?? C7 45 ?? 30 39 41 5A 50 8D 45 (??|?? C7 45 ?? 61 7A 2D 2D) 50 E8}
+        $app = "\\app-" wide
+    condition:
+        2 of them
+}  

analyzer/windows/modules/auxiliary/amsi.py

@@ -31,6 +31,7 @@
 import sys
 import threading
 import uuid
+from contextlib import suppress
 
 logger = logging.getLogger(__name__)
 
@@ -1001,6 +1002,11 @@ def _unpackSimpleType(self, record, info, event_property):
 
         data = formatted_data.value
         # Convert the formatted data if necessary
+        if isinstance(data, str):
+            if out_type >= TDH_OUTTYPE_BYTE and out_type <= TDH_OUTTYPE_UNSIGNEDLONG:
+                with suppress(Exception):
+                    data = int(data)
+
         if out_type in TDH_CONVERTER_LOOKUP and type(data) is TDH_CONVERTER_LOOKUP[out_type]:
             data = TDH_CONVERTER_LOOKUP[out_type](data)
 

data/yara/CAPE/HijackLoader.yar

@@ -0,0 +1,13 @@
+rule HijackLoaderStub
+{
+    meta:
+        author = "kevoreilly"
+        description = "HijackLoader Stub Executable"
+        cape_type = "HijackLoader Payload"
+    strings:
+        $stub1 = {50 83 C0 10 50 56 8D 85 [4] 50 E8 [4] 83 C7 30 8D 85 [4] 3B F8 74 08 8B 35 [4] EB D3}
+        $stub2 = {33 C5 89 45 ?? (C6 45 ?? 00|C7 45 ?? 61 7A 2D 2D) 8D 45 ?? FF 75 ?? C7 45 ?? 30 39 41 5A 50 8D 45 (??|?? C7 45 ?? 61 7A 2D 2D) 50 E8}
+        $app = "\\app-" wide
+    condition:
+        2 of them
+}

utils/dist.py

@@ -1450,7 +1450,7 @@ def submit_tasks(self, node_name, pend_tasks_num, options_like=False, force_push
                     """
                     # 4. Apply the limit and execute the query.
                     to_upload = db.scalars(stmt.limit(pend_tasks_num)).all()
-                    
+
                     if not to_upload:
                         db.commit()
                         log.info("nothing to upload? How? o_O")

web/guac/views.py

@@ -35,37 +35,51 @@
     state = None
     recording_name = ""
 
-    conn = libvirt.open(machinery_dsn)
-    if conn:
-        try:
-            session_id, label, guest_ip = urlsafe_b64decode(session_data).decode("utf8").split("|")
-            recording_name = f"{task_id}_{session_id}"
-            dom = conn.lookupByName(label)
-            if dom:
-                state = dom.state(flags=0)
-        except Exception as e:
-            return render(
-                request,
-                "guac/error.html",
-                {"error_msg": f"{e}", "error": "remote session", "task_id": task_id},
-            )
-
-    if state:
-        if state[0] == 1:
-            vmXml = dom.XMLDesc(0)
-            root = ET.fromstring(vmXml)
-            graphics = root.find('./devices/graphics[@type="vnc"]')
-            vncport = graphics.get("port") if graphics else None
-            return render(
-                request,
-                "guac/index.html",
-                {
-                    "vncport": vncport,
-                    "session_id": session_id,
-                    "task_id": task_id,
-                    "recording_name": recording_name,
-                    "guest_ip": guest_ip,
-                },
-            )
-        else:
-            return render(request, "guac/wait.html", {"task_id": task_id})
+    try:
+        conn = libvirt.open(machinery_dsn)
+        if conn:
+            try:
+                session_id, label, guest_ip = urlsafe_b64decode(session_data).decode("utf8").split("|")
+                recording_name = f"{task_id}_{session_id}"
+                dom = conn.lookupByName(label)
+                if dom:
+                    state = dom.state(flags=0)
+            except Exception as e:
+                return render(
+                    request,
+                    "guac/error.html",
+                    {"error_msg": f"{e}", "error": "remote session", "task_id": task_id},
+                )
+
+            if state:
+                if state[0] == 1:
+                    vmXml = dom.XMLDesc(0)
+                    root = ET.fromstring(vmXml)
+                    graphics = root.find('./devices/graphics[@type="vnc"]')
+                    vncport = graphics.get("port") if graphics else None
+                    return render(
+                        request,
+                        "guac/index.html",
+                        {
+                            "vncport": vncport,
+                            "session_id": session_id,
+                            "task_id": task_id,
+                            "recording_name": recording_name,
+                            "guest_ip": guest_ip,
+                        },
+                    )
+                else:
+                    return render(request, "guac/wait.html", {"task_id": task_id})
+    finally:
+        if conn:
+            try:
+                conn.close()
+            except Exception:
+                pass
+
+    # Fallback return if something went wrong before rendering
+    return render(
+        request,
+        "guac/error.html",
+        {"error_msg": "Could not connect to hypervisor", "error": "remote session", "task_id": task_id},
+    )