Fix exit parent and LNK package from cmd to powershell (kevoreilly#2256)

* prevent analysis end with blocking shell * some LNK do not run when detonated by cmd. * Update lnk.py * fix test * fix lint
b34c0n5 · Aug 1, 2024 · 49524be · 49524be
1 parent dc4813f
commit 49524be
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 17 deletions.
diff --git a/analyzer/linux/lib/core/packages.py b/analyzer/linux/lib/core/packages.py
@@ -175,7 +175,7 @@ def strace_analysis(self):
  cmd = f"sudo strace -o /dev/stderr -s 800 -ttf {target_cmd}"
  # If nohuman is set to yes, it's possible to interact with interactive scripts or programs via VNC.
  if self.options.get("nohuman"):
- cmd = f"sudo strace -o /dev/stderr -s 800 -ttf xterm -hold -e {target_cmd} &"
+ cmd = f"sudo strace -o /dev/stderr -s 800 -ttf xterm -hold -e {target_cmd}"
  log.info(cmd)
  self.proc = subprocess.Popen(
  cmd, env={"XAUTHORITY": "/root/.Xauthority", "DISPLAY": ":0"}, stderr=subprocess.PIPE, shell=True

diff --git a/analyzer/windows/modules/packages/lnk.py b/analyzer/windows/modules/packages/lnk.py
@@ -1,4 +1,4 @@
-# Copyright (C) 2010-2015 Cuckoo Foundation, Optiv, Inc. ([email protected])
+# Copyright (C) 2010-2015 Cuckoo Foundation.
 # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
 # See the file 'docs/LICENSE' for copying permission.
 
@@ -7,23 +7,18 @@
 
 
 class LNK(Package):
- """LNK analysis package."""
+ """Windows LNK analysis package via powershell."""
 
  PATHS = [
- ("SystemRoot", "system32", "cmd.exe"),
+ # PS <= 5
+ ("SystemRoot", "sysnative", "WindowsPowerShell", "v*.0", "powershell.exe"),
+ ("SystemRoot", "system32", "WindowsPowerShell", "v*.0", "powershell.exe"),
  ]
- summary = "Executes a .lnk file using cmd.exe."
- description = """Uses cmd.exe with the "/wait" option to run a .lnk file.
- For context behind this command:
- /C Carries out the command specified by string and then terminates
- START Starts a separate window to run a specified program or command.
- /WAIT Start application and wait for it to terminate.
- "" The name of the separate window
- "path" The path of the uploaded sample
- The .lnk extension will be added automatically."""
+ summary = "Executes a sample file with powershell."
+ description = "Uses 'powershell Start-Process -FilePath <sample>' to run a .lnk file." 
 
  def start(self, path):
+ powershell = self.get_path_glob("PowerShell")
  path = check_file_extension(path, ".lnk")
- cmd_path = self.get_path("cmd.exe")
- cmd_args = f'/c start /wait "" "{path}"'
- return self.execute(cmd_path, cmd_args, path)
+ args = f'Start-Process -FilePath "{path}"'
+ return self.execute(powershell, args, path)
diff --git a/analyzer/windows/tests/test_analysis_packages.py b/analyzer/windows/tests/test_analysis_packages.py
@@ -204,7 +204,7 @@ def test_js_antivm(self):
  def test_lnk(self):
  pkg_class = self.class_from_analysis_package("modules.packages.lnk")
  obj = pkg_class()
- self.assertEqual("Executes a .lnk file using cmd.exe.", obj.summary)
+ self.assertEqual("Executes a sample file with powershell.", obj.summary)
 
  def test_mht(self):
  pkg_class = self.class_from_analysis_package("modules.packages.mht")