Ticket #185 (assigned bug)

Opened 3 months ago

Last modified 3 days ago

Installation problems with capture

Reported by: achak@cerias.purdue.edu Assigned to: kindlund (accepted)
Priority: normal Milestone:
Component: Capture Version: 1.02
Severity: none Keywords: capture, bat, install
Cc:

Description

After running CaptureBat-Setup.exe and restarting the vm, the captureBAT.exe does not seem to run. It does not give out any output.

Attachments

Change History

09/07/08 21:41:43 changed by kindlund

  • owner changed from xkovah to kindlund.
  • status changed from new to assigned.

Hi,

I assume you have installed the honeyclient code inside the user directory in the Cygwin environment, correct?

If so, could you please tell me the absolute path as to where your CaptureBAT.exe file is located?

For example, is it located here:

/home/Administrator/honeyclient/thirdparty/capture-mod/CaptureBAT.exe

This information should help us troubleshoot it further.

Thanks,

— Darien

09/08/08 22:36:43 changed by achak@cerias.purdue.edu

It is located in the folder as mentioned above. However, while trying to run the script outside of the Cygwin environment, there is an error that FTLLIB.dll is missing.

Thanks for all the help and sorry for the delay.

Ankur

09/08/08 23:09:44 changed by kindlund

Okay, so from the /home/Administrator directory inside a Cygwin bash prompt, can you type:

~/honeyclient/thirdparty/capture-mod/CaptureBAT.exe -c -l "C:\cygwin\tmp\realtime-changes.txt"

Once you execute this command, do you get any sort of output? If so, can you paste the output to this ticket?

Thanks,

— Darien

09/09/08 12:25:31 changed by achak@cerias.purdue.edu

I am not getting any output by running the above.

09/10/08 01:10:57 changed by kindlund

  • keywords set to capture, bat, install.
  • version changed from none to 1.02.

Okay, before you installed the CaptureBAT-Setup.exe file, did you install the Microsoft Visual C++ 2005 Redistributable Package, as per the directions on the wiki? If so, did that installer indicate that the library was successfully installed? (e.g., Can you see the "Microsoft Visual C++ 2005 Redistributable Package" listed in the Add/Remove Programs section of the Control Panel?)

Xeno, any thoughts on if there's anything else that may be the culprit?

— Darien

09/12/08 11:38:58 changed by achak@cerias.purdue.edu

The library had been successfully installed but it did not help.

09/12/08 12:54:50 changed by kindlund

Hi Ankur,

So, to be clear, when you run CaptureBAT.exe, does the process:

1) terminate?

2) or remain running, but just not provide any type of output?

If it's #2, then we can try and give you different switches at the command line to get some sort of additional output. Also, I assume you're running the CaptureBAT.exe from a Cygwin bash shell — and not by double-clicking on the .exe file, correct?

Thanks,

— Darien

11/19/08 05:49:20 changed by synphonica@gmail.com

Hello, I have this problem too. BTW, this problem exists in Capture HPC too.

I have Windows XP build 2600 without any service packs, with successfully installed Microsoft Visual C++ 2005 Redistributable Package.

Such an error appears when we have Windows XP without Service Pack 2 installed. In Capture HPC I've worked around this problem by manually downloading FTLLIB.dll and saving it into C:\WINDOWS\SYSTEM32\

In HoneyClient, such a workaround helps a bit. After manually downloading and installing ftllib.dll, CaptureBAT.exe executes successfully, but gives this error:


Driver already loaded: CaptureProcessMonitor
Driver already loaded: CaptureRegistryMonitor
FileMonitor: WARNING - Filter driver not loaded (error: 80070002) waiting 3 seconds to try again … (try 1 of 5)
FileMonitor: WARNING - Filter driver not loaded (error: 80070002) waiting 3 seconds to try again … (try 2 of 5)

So, we have the Registry and Process monitors started and working, but FileMonitor is stopped.

11/19/08 08:05:35 changed by xkovah

Ah, apparently we haven't documented it on the wiki, but Capture only supports XP SP2 or newer. I am not sure if the Capture authors are working on back-porting it or not. I will make this more explicit.

Xeno
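A small diagnostic for the two failure modes raised in this thread (the CaptureBAT console output quoted by synphonica, and Xeno's note that Capture needs XP SP2 or newer), as an added example that is not part of the ticket or of the HoneyClient project's own code. It assumes the caller has already read the CSDVersion string from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion and passes it in; the sample output below is constructed from the lines quoted above.

```python
import re

# Constructed sample, copied from the CaptureBAT output quoted in this ticket.
SAMPLE_OUTPUT = """\
Driver already loaded: CaptureProcessMonitor
Driver already loaded: CaptureRegistryMonitor
FileMonitor: WARNING - Filter driver not loaded (error: 80070002) waiting 3 seconds to try again ... (try 1 of 5)
FileMonitor: WARNING - Filter driver not loaded (error: 80070002) waiting 3 seconds to try again ... (try 2 of 5)
"""

LOADED_RE = re.compile(r"^Driver already loaded: (\w+)")
NOT_LOADED_RE = re.compile(
    r"^(\w+): WARNING - Filter driver not loaded \(error: ([0-9A-Fa-f]+)\)"
    r"(?: .*\(try (\d+) of (\d+)\))?"
)
# 0x80070002 is HRESULT_FROM_WIN32(ERROR_FILE_NOT_FOUND): the driver file is absent.
KNOWN_ERRORS = {"80070002": "ERROR_FILE_NOT_FOUND (driver file missing)"}


def parse_capture_output(text):
    """Map each Capture monitor named in the output to its load status."""
    status = {}
    for line in text.splitlines():
        m = LOADED_RE.match(line)
        if m:
            status[m.group(1)] = {"loaded": True}
            continue
        m = NOT_LOADED_RE.match(line)
        if m:
            name, err, attempt, total = m.groups()
            entry = status.setdefault(name, {"loaded": False, "error": err,
                                             "attempts": 0, "max_attempts": None})
            entry["attempts"] = max(entry["attempts"], int(attempt) if attempt else 0)
            if total:
                entry["max_attempts"] = int(total)
    return status


def service_pack_level(csd_version):
    """Turn a CSDVersion string such as 'Service Pack 2' into an int; empty means no SP."""
    m = re.search(r"Service Pack (\d+)", csd_version or "")
    return int(m.group(1)) if m else 0


def diagnose(text, csd_version):
    """Return human-readable findings for the OS level and for any monitor that failed."""
    findings = []
    if service_pack_level(csd_version) < 2:
        findings.append("Windows XP before SP2: Capture requires XP SP2 or newer")
    for name, info in parse_capture_output(text).items():
        if not info["loaded"]:
            reason = KNOWN_ERRORS.get(info["error"], "unknown error")
            findings.append(f"{name} filter driver not loaded: {info['error']} {reason}, "
                            f"{info['attempts']} of {info['max_attempts']} retries seen")
    return findings
```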
