diff --git a/analyzer/windows/data/yara/UPX.yar b/analyzer/windows/data/yara/UPX.yar
index 3ea137d40e4..7eff5275de2 100644
--- a/analyzer/windows/data/yara/UPX.yar
+++ b/analyzer/windows/data/yara/UPX.yar
@@ -2,8 +2,8 @@ rule UPX
 {
     meta:
         author = "kevoreilly"
-        description = "UPX dump on OEP (original entry point)"
-        cape_options = "bp0=$upx32*,bp0=$upx64*,hc0=1,action0=step2oep"
+        description = "UPX Unpacker: dump on OEP (original entry point)"
+        cape_options = "bp0=$upx32*,bp0=$upx64*,hc0=1,action0=step2oep,imprec=1"
     strings:
         $upx32 = {6A 00 39 C4 75 FA 83 EC ?? E9}
         $upx64 = {6A 00 48 39 C4 75 F9 48 83 EC [1-16] E9}
diff --git a/analyzer/windows/dll/capemon.dll b/analyzer/windows/dll/capemon.dll
index 0fb1e7a838c..33471b91a9c 100755
Binary files a/analyzer/windows/dll/capemon.dll and b/analyzer/windows/dll/capemon.dll differ
diff --git a/analyzer/windows/dll/capemon_x64.dll b/analyzer/windows/dll/capemon_x64.dll
index b8a0186709f..01f8fdb473f 100755
Binary files a/analyzer/windows/dll/capemon_x64.dll and b/analyzer/windows/dll/capemon_x64.dll differ
diff --git a/changelog.md b/changelog.md
index 30169c4f3d7..ad368bcfeb6 100644
--- a/changelog.md
+++ b/changelog.md
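Review bot: The added `imprec=1` in cape_options is the only trace in the rule of what this change enables, and nothing in the meta block records what the option does or why it is now on for UPX dumps. Since the monitor reads these options from the rule and there is no adjacent documentation, a one-line comment above the cape_options line would help the next person tuning it: `// imprec=1: reconstruct imports on the dump taken at OEP (changelog 18.02.2026)`. The description now reads "UPX Unpacker: …" while the rule name stays `UPX`; that is fine, but worth keeping consistent with the naming used by the other unpacker rules in this directory.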
@@ -1,3 +1,16 @@
+### [18.02.2026]
+* UPX Unpacker: enable import reconstruction
+* Monitor updates:
+  * Fix issue with VerifyHeaders() checking EP RVA in file: FileOffsetFromRVA()
+  * Add pids to FILE_NEW, FILE_DEL & FILE_MOVE monitor messages to accompany analyzer fix
+  * New hooks: RtlRemoveVectoredExceptionHandler, UnhandledExceptionFilter, GetPhysicallyInstalledSystemMemory, K32EnumProcesses, WTSEnumerateProcessesW, WTSEnumerateProcessesExW, LdrGetDllHandleEx, WTGetSignatureInfo, RtlWow64SetThreadContext
+  * YaraHarness: add 'coverage' action to remove dll from system 'range'
+  * Trace: improve recognition and handling of distinct code regions during debugging/tracing, expand ProcessOEP() action to allow shellcode dumpingrefine StrTest(W) functions to filter more control characters from debugger log
+  * Add ntdll unhook protection (ntdll-unhook=1) via prevent_module_unhooking() from NtReadFile hook
+  * Add general hook protection (hook-protect=1) to protect hooks other than ntdll (ntdll-protect) - off by default
+  * Hooking: replace (allocating) convert_address_to_dll_name_and_offset() with non-allocating get_module_name()
+  * misc: prevent_module_unhooking() & gettib()
+
 ### [11.02.2026]
 * Guacamole integration:
   * New dependency `channels[daphne]>=4.0.0` added.
diff --git a/lib/cuckoo/core/data/tasking.py b/lib/cuckoo/core/data/tasking.py
index e3716ba4dd6..5e827c21542 100644
--- a/lib/cuckoo/core/data/tasking.py
+++ b/lib/cuckoo/core/data/tasking.py
@@ -777,7 +777,7 @@ def set_status(self, task_id: int, status) -> Optional[Task]:
         @param status: status string
         @return: operation status
         """
-        log.info("setstat task %d status %s",task_id,status)
+        log.info("setstat task %s status %s", task_id, status)
         task = self.session.get(Task, task_id)
         if not task:
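Review bot: Switching the log format from `%d` to `%s` makes the log line tolerate a non-integer task_id, but the signature still annotates it as `int`, so the hunk papers over a type mismatch rather than resolving it; with `%d` a stray string only produced a logging-module formatting error, while the `self.session.get(Task, task_id)` on the next line would still be handed the wrong type. If string ids do reach this method, coerce or validate once before the lookup, e.g. `task_id = int(task_id)` guarded by a `ValueError`/`TypeError` handler that returns `None`, and otherwise leave `%d` so the annotation stays honest. The message text `setstat` is also terse for an info-level line that fires on every status change; `"set_status: task %s -> %s"` reads better in a log search. set_status continues past the end of the hunk, so any coercion placed before `session.get` would need to account for the remainder of the body.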
@@ -1004,7 +1004,7 @@ def list_tasks(
         if tags_tasks_like:
             stmt = stmt.where(Task.tags_tasks.like(f"%{tags_tasks_like}%"))
         if tags_tasks_not_like:
-            stmt = stmt.where(Task.tags_tasks.notlike(f"%{tags_tasks_not_like}%"))
+            stmt = stmt.where(func.coalesce(Task.tags_tasks, "").notlike(f"%{tags_tasks_not_like}%"))
         if task_ids:
             stmt = stmt.where(Task.id.in_(task_ids))
         if user_id is not None:
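Review bot: The caller-supplied `tags_tasks_not_like` is interpolated straight into a LIKE pattern, so a value containing `%` or `_` is treated as a wildcard rather than literal text; the value is still bound as a parameter (no SQL injection), but a filter of `%` excludes every row with a non-NULL tag, which is the kind of widened match an operator would not expect from a tag filter. Escape the metacharacters and tell the database which escape character is in use: `pattern = "%" + tags_tasks_not_like.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_") + "%"` followed by `stmt = stmt.where(func.coalesce(Task.tags_tasks, "").notlike(pattern, escape="\\"))`; the unchanged `like` branch two lines above has the same issue. The `coalesce` itself deserves a why-comment, since the reason is SQL three-valued logic rather than anything visible in the code: `# NULL tags_tasks would make NOT LIKE evaluate to NULL and silently drop the row`. `func` must already be imported from sqlalchemy at the top of tasking.py, which the hunk does not show. list_tasks begins and ends outside the hunk.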