Worker hangs up and drakrun waits forever for injection to finish #748
Comments
If DHCP fails, then the VM will have no internet. What would be the preferable outcome? Run analysis without internet, risking that the dropper won't download the main payload? Also, please provide drakvuf-sandbox commit hash/version. @psrok1
It should mark the current analysis task as failed when the timeout is reached, or retry. Right now workers are just dying over time, one by one, waiting forever for ipconfig to finish. Drakvuf is installed from .deb package:
Well it seems like it's injector fault:
After these logs we usually see some DHCP logs from
I will come back with more info
Uh it looks like bug in injector?
All workers end their life trying to make a trap on https://github.com/tklengyel/drakvuf/blob/main/src/libinjector/win/win_injector.c#L297 I see this address is assumed to be in user-mode address space (what is expected indeed) and it's part of trapping process in user-mode context to start injection. Drakvuf waits for int3 trap to be executed on
I reopened an issue to track the problem here
Describe the bug
Drakrun worker can't recover from Inject.CreateProc cmd.exe /c ipconfig /release >nul when it takes forever due to temporary DHCP connection issues.
I see that there is timeout=120 set in provisioning part:
drakvuf-sandbox/drakrun/drakrun/main.py
Lines 608 to 615 in 5017f9c
but timeout argument handling is not implemented:
drakvuf-sandbox/drakrun/drakrun/injector.py
Lines 68 to 73 in 5017f9c
Output of the status checking commands
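The behaviour asked for in this issue (a timeout that is actually enforced, after which the task is retried or marked failed) can be sketched as follows. This is an added example, not drakrun's code: `run_with_deadline`, `run_task`, `InjectionTimeout` and the stand-in command are hypothetical names constructed for illustration, and a POSIX host is assumed.

```python
import os
import signal
import subprocess
import sys


class InjectionTimeout(Exception):
    """The wrapped command did not finish within the deadline."""


def run_with_deadline(argv, timeout):
    """Run argv and return its exit code; kill it if it outlives `timeout` seconds."""
    # Own session/process group, so helpers spawned by the command die with it.
    proc = subprocess.Popen(argv, stdout=subprocess.DEVNULL,
                            stderr=subprocess.DEVNULL, start_new_session=True)
    try:
        return proc.wait(timeout=timeout)
    except subprocess.TimeoutExpired:
        os.killpg(proc.pid, signal.SIGKILL)
        proc.wait()  # reap the child so no zombie is left behind
        raise InjectionTimeout(f"{argv[0]} exceeded {timeout}s") from None


def run_task(argv, timeout, retries=1):
    """Return "done" or "failed"; blocks for at most (retries + 1) * timeout."""
    for _ in range(retries + 1):
        try:
            if run_with_deadline(argv, timeout) == 0:
                return "done"
        except InjectionTimeout:
            continue  # deadline hit: retry until attempts run out
    return "failed"


if __name__ == "__main__":
    # Constructed stand-in for a command that never returns.
    hang = [sys.executable, "-c", "import time; time.sleep(3600)"]
    print(run_task(hang, timeout=1, retries=1))
```

The worker then sees a bounded wait and an explicit failed state instead of blocking on a child that never exits.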