Python x64 versions crash the analysis process #1680
Comments
nbargnesi added a commit to nbargnesi/CAPEv2 that referenced this issue on Jul 28, 2023
This was referenced Jul 28, 2023
nbargnesi added a commit to nbargnesi/CAPEv2 that referenced this issue on Jul 28, 2023
This fixes the crash referenced in kevoreilly#1680 with an architecture-agnostic strategy to process enumeration without NTDLL and struct unpacking.
This commit fixes the struct unpacking crash when a 64-bit Python is used.
doomedraven added a commit that referenced this issue on Jul 30, 2023
improve x86 Python requirements docs; #1680
can you PR this commit?
Done. I think we should keep this issue open for some time - there will be more crashes and issues running under an x64 Python analyzer.
doomedraven added a commit that referenced this issue on Aug 5, 2023
partial fix for #1680, rewrite proc enum
Both the docs and agent module say an x86 version of Python is required.
Under the covers the analysis process calls a bunch of low-level Windows libraries, unpacking the results of these calls into a series of structures defined in lib.common.defines. The analyzer assumes the structures use 32-bit sizes, and will crash if running under a 64-bit Python.
There are architecture independent ways of doing most of what the analyzer needs to do, but for now the x86 requirement is there based on how the analyzer is written.
Note, the agent module doesn't need to run under an x86 Python, only the analyzer process. CAPE just happens to use the same sys.executable for both.
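An added illustration of the failure mode the issue describes, not code from CAPEv2 or its lib.common.defines: a ctypes structure that hardcodes a 32-bit field for a value the OS writes as pointer-sized decodes correctly under an x86 interpreter and misreads (or overruns) under x64, while declaring the field as `c_void_p` lets ctypes pick the native size and alignment. The record layout (`dwSize`, `hProcess`, `dwPid`), the struct names and the `layout_matches` guard are all constructed for this example; the guard is the check a practitioner would want at import time so a mismatched interpreter fails loudly rather than crashing mid-analysis.

```python
import ctypes
import struct
import sys


def is_64bit_python():
    """True when the running interpreter is 64-bit (the case the issue describes)."""
    return sys.maxsize > 2**32


def pointer_size():
    """Size in bytes of a native pointer/handle under this interpreter."""
    return struct.calcsize("P")


# Constructed record for illustration: a size prefix, a handle (pointer-sized
# in the native ABI) and a process id. It is NOT a struct from lib.common.defines.
class ProcessRecordFixed32(ctypes.Structure):
    """The failure mode: the handle is hardcoded as 32 bits, which only
    matches what the OS writes under an x86 interpreter."""
    _fields_ = [
        ("dwSize", ctypes.c_uint32),
        ("hProcess", ctypes.c_uint32),  # wrong on x64: the OS writes 8 bytes here
        ("dwPid", ctypes.c_uint32),
    ]


class ProcessRecordNative(ctypes.Structure):
    """Architecture-agnostic form: the handle is declared pointer-sized, so
    ctypes chooses 4 or 8 bytes and the matching alignment automatically."""
    _fields_ = [
        ("dwSize", ctypes.c_uint32),
        ("hProcess", ctypes.c_void_p),
        ("dwPid", ctypes.c_uint32),
    ]


# Native byte order and alignment, i.e. the layout the OS itself would produce.
NATIVE_FORMAT = "IPI0P"


def native_record_size():
    """Size of the record as the OS would write it under this ABI."""
    return struct.calcsize(NATIVE_FORMAT)


def make_native_record(size, handle, pid):
    """Stand-in (constructed) for the bytes an API call would fill in."""
    return struct.pack(NATIVE_FORMAT, size, handle, pid)


def layout_matches(struct_cls):
    """Guard: does this ctypes declaration have the size the ABI produces?
    Evaluate this at import time so an x64 interpreter is rejected up front."""
    return ctypes.sizeof(struct_cls) == native_record_size()


def decode(struct_cls, raw):
    """Unpack raw bytes into (dwSize, hProcess, dwPid) via struct_cls.
    c_void_p reports a NULL handle as None, hence the 'or 0'."""
    rec = struct_cls.from_buffer_copy(raw)
    return (rec.dwSize, rec.hProcess or 0, rec.dwPid)


if __name__ == "__main__":
    raw = make_native_record(native_record_size(), 0xDEADBEEF, 4242)
    print("64-bit Python:", is_64bit_python(), "pointer size:", pointer_size())
    for cls in (ProcessRecordFixed32, ProcessRecordNative):
        print(cls.__name__, "layout ok:", layout_matches(cls), "->", decode(cls, raw))
```

Run under a 64-bit interpreter, `ProcessRecordFixed32` fails the layout guard and decodes the low half of the handle as the pid, which is the kind of silent misread that precedes the crash; under a 32-bit interpreter both declarations agree, which is why the x86 requirement masks the bug. The same pattern applies to any field that is `HANDLE`, `SIZE_T`, `ULONG_PTR` or a pointer: declare it with a pointer-sized ctypes type rather than a fixed 32-bit one.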