capemon: The monitor DLL for CAPE: Config And Payload Extraction (https://github.com/kevoreilly/CAPEv2).
Much of the functionality of CAPE is contained within the monitor; the CAPE debugger, extracted payloads, process dumps and import reconstruction are implemented within capemon. CAPE's loader is also part of this project.
capemon is derived from cuckoomon-modified from spender-sandbox (https://github.com/spender-sandbox/cuckoomon-modified) from which it inherits the API hooking engine. It also includes a PE dumping engine and import reconstruction derived from Scylla (https://github.com/NtQuery/Scylla), WOW64Ext Library from ReWolf (http://blog.rewolf.pl/) and W64oWoW64 from George Nicolaou.
If you need to locally inspect the code of capemon and/or modify it, it is recommended to download Microsoft Visual Studio. The following instructions were performed using the latest version at the time of writing, MSVS2022 Community (64-bit, Version 17.4.2).
First you have to clone this repo. Then, in Visual Studio, select the Open a project or solution option and specify the folder where you cloned it. When asked about updating the configuration files (aka Retarget Project), click OK, allowing Visual Studio to update the 3 configuration files.

You must select the Release configuration before building the solution. Select the target platform (either Win32 or x64), and go to Build -> Build Solution or Build Capemon. If there are no compilation errors, in the `Release` folder of your repo (for Win32) or `x64/Release` (for x64) you will find `capemon.dll` or `capemon_x64.dll`. Build both platforms if you want your changes to apply to both 32-bit and 64-bit analyses. These are the libraries you want to place into your CAPEv2 directory so the modified libraries are used during analysis. The specific path is `CAPEv2/analyzer/windows/dll/`. If required, the loader binaries (`loader.exe` or `loader_x64.exe`) should be copied to `CAPEv2/analyzer/windows/bin/`.
If you want to add more hooks to capemon or change those already existing, you can take a look at past commits that did just that, for example by searching for commits containing "hook for" in their descriptions (or any other keyword combination). For instance, you can look at the commit that added the hook for `GetCommandLineA`.
There are three main files that define the hooks implemented in capemon:

- `hooks.h`. This file contains the definition of the hook (`HOOKDEF`) using Windows SAL notation, that is, `HOOKDEF(ReturnValue, CallingConvention, ApiName, _ParameterAnnotation_ ParameterName)`.
- `hooks.c`. This file defines the hooks that will be employed depending upon the configuration selected when submitting the analysis. Notice there are several `hook_t` arrays, for example `hook_t full_hooks[]`, `hook_t min_hooks[]` or `hook_t office_hooks[]`, among others. Add the hooks you want capemon to perform to the corresponding array. By default, `full_hooks` is used (so you probably want to add your hooks there). Hooks must be added using the naming pattern `HOOK(dllname, ApiName)`.
- `hook_{category}.c` (for example `hook_process.c`). This set of files is where the implementation of each hook is defined. When defining the behavior of a given hook, copy the corresponding definition from `hooks.h` and write the code. Remember you can call the original function with `Old_{ApiName}`; a hook should normally do that and return its result, so that the sample's behavior is preserved while the call is logged.
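The following is an added example, not code from capemon: a stand-alone model of the three pieces a new hook needs (the `hooks.h` declaration, the `hooks.c` table entry and the `hook_{category}.c` implementation), written so it compiles and runs without Windows. It assumes simplified `HOOKDEF`/`HOOK` macros in the cuckoomon-style shape the page describes, a plain-C stand-in for `hook_t`, the hooking engine and the logging macros, and a local function standing in for `kernel32!GetCommandLineA` that returns a constructed command line.

```c
/*
 * Added example (not capemon's own code). Models the three files involved in
 * adding a hook for GetCommandLineA. Assumptions: HOOKDEF/HOOK are simplified
 * stand-ins; hook_t, the inline-hooking engine and the log are modelled in
 * plain C; Real_GetCommandLineA replaces the Windows API so this runs anywhere.
 */
#include <stdio.h>
#include <string.h>

typedef char *LPSTR;          /* minimal stand-ins for <windows.h> types */
#define WINAPI

/* Constructed stand-in for the real kernel32!GetCommandLineA. */
static char g_cmdline[] = "C:\\Windows\\System32\\notepad.exe C:\\Users\\u\\sample.txt";
static LPSTR WINAPI Real_GetCommandLineA(void) { return g_cmdline; }

/* ---- hooks.h: HOOKDEF(ReturnValue, CallingConvention, ApiName, params)
 * declares the Old_<ApiName> pointer to the original and the New_<ApiName> hook. */
#define HOOKDEF(ret, cc, apiname, ...)                       \
    ret (cc *Old_##apiname)(__VA_ARGS__);                    \
    ret cc New_##apiname(__VA_ARGS__)

HOOKDEF(LPSTR, WINAPI, GetCommandLineA, void);

/* ---- hooks.c: one hook_t per entry; HOOK(dllname, ApiName) fills it in. */
typedef struct {
    const char *library;
    const char *funcname;
    void *new_func;      /* address of New_<ApiName> */
    void **old_func;     /* slot the engine fills with the original entry point */
} hook_t;

#define HOOK(library, funcname) \
    { #library, #funcname, (void *)&New_##funcname, (void **)&Old_##funcname }

static hook_t full_hooks[] = {
    HOOK(kernel32, GetCommandLineA),
};

/* ---- hook_process.c: copy the HOOKDEF line from hooks.h and write the body. */
static char g_log[64][128];   /* constructed stand-in for the analysis log */
static int  g_log_count;

HOOKDEF(LPSTR, WINAPI, GetCommandLineA, void)
{
    LPSTR ret = Old_GetCommandLineA();       /* call the original API first */
    if (ret != NULL && g_log_count < 64)     /* then log the result */
        snprintf(g_log[g_log_count++], sizeof g_log[0],
                 "GetCommandLineA CommandLine=%s", ret);
    return ret;                              /* preserve the sample's behavior */
}

/* Stand-in for the hooking engine: resolve library!funcname (from a constructed
 * table instead of LoadLibrary/GetProcAddress) and store the original entry
 * point in Old_<ApiName> so New_<ApiName> can forward to it. */
static void *resolve_export(const char *library, const char *funcname)
{
    if (strcmp(library, "kernel32") == 0 && strcmp(funcname, "GetCommandLineA") == 0)
        return (void *)&Real_GetCommandLineA;
    return NULL;
}

static int install_hooks(hook_t *hooks, size_t count)
{
    int installed = 0;
    for (size_t i = 0; i < count; i++) {
        void *target = resolve_export(hooks[i].library, hooks[i].funcname);
        if (target == NULL)
            continue;                 /* API absent on this system: skip it */
        *hooks[i].old_func = target;  /* capemon would write a trampoline here */
        installed++;
    }
    return installed;
}

/* Runs the hooked call as the sample would see it; *log_line receives the
 * log entry the hook produced (empty string if none). */
static const char *run_demo(const char **log_line)
{
    g_log_count = 0;
    install_hooks(full_hooks, sizeof full_hooks / sizeof full_hooks[0]);
    LPSTR seen = New_GetCommandLineA();
    *log_line = g_log_count ? g_log[0] : "";
    return seen;
}

int main(void)
{
    const char *log;
    const char *cmd = run_demo(&log);
    printf("hooked call returned: %s\nlog: %s\n", cmd, log);
    return 0;
}
```

The hook body shows the shape the page asks for: forward to `Old_GetCommandLineA`, log what came back, and return it unchanged. The `install_hooks` loop stands in for the part of the engine you never touch when adding a hook; in capemon the `Old_` slot receives a trampoline into the patched function rather than the raw export address.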