Analysis Packages

As explained in Analysis Packages, analysis packages are structured Python classes that describe how CAPE’s analyzer component should conduct the analysis procedure for a given file inside the guest environment.

As you already know, you can create your packages and add them along with the default ones. Designing new packages is very easy and requires just a minimal understanding of programming and the Python language.

Getting started

As an example we’ll take a look at the default package for analyzing generic Windows executables (located at analyzer/windows/packages/

1from lib.common.abstracts import Package
3class Exe(Package):
4    """EXE analysis package."""
6    def start(self, path):
7        args = self.options.get("arguments")
8        return self.execute(path, args)

It seems easy, thanks to all methods inherited by the Package object. Let’s have a look at some of the main methods an analysis package inherits from the Package object:

 1from lib.api.process import Process
 2from lib.common.exceptions import CuckooPackageError
 4class Package:
 5    def start(self):
 6        raise NotImplementedError
 8    def check(self):
 9        return True
11    def execute(self, path, args):
12        dll = self.options.get("dll")
13        free = self.options.get("free")
14        suspended = True
15        if free:
16            suspended = False
18        p = Process()
19        if not p.execute(path=path, args=args, suspended=suspended):
20            raise CuckooPackageError("Unable to execute the initial process, "
21                                     "analysis aborted.")
23        if not free and suspended:
24            p.inject(dll)
25            p.resume()
26            p.close()
27            return
29    def finish(self):
30        if self.options.get("procmemdump"):
31            for pid in self.pids:
32                p = Process(pid=pid)
33                p.dump_memory()
34        return True
Let’s walk through the code:
  • Line 1: import the Process API class, which is used to create and manipulate Windows processes.

  • Line 2: import the CuckooPackageError exception, which is used to notify issues with the execution of the package to the analyzer.

  • Line 4: define the main class, inheriting object.

  • Line 5: define the start() function, which takes as an argument the path to the file to execute. It should be implemented by each analysis package.

  • Line 8: define the check() function.

  • Line 13: acquire the free option, which is used to define whether the process should be monitored or not.

  • Line 18: initialize a Process instance.

  • Line 19: try to execute the malware, if it fails it aborts the execution and notify the analyzer.

  • Line 23: check if the process should be monitored.

  • Line 24: inject the process with our DLL.

  • Line 25: resume the process from the suspended state.

  • Line 27: return the PID of the newly created process to the analyzer.

  • Line 29: define the finish() function.

  • Line 30: check if the procmemdump option was enabled.

  • Line 31: loop through the currently monitored processes.

  • Line 32: open a Process instance.

  • Line 33: take a dump of the process memory.


In this function you have to place all the initialization operations you want to run. This may include running the malware process, launching additional applications, taking memory snapshots, and more.


This function is executed by CAPE every second while the malware is running. You can use this function to perform any kind of recurrent operation.

For example, if in your analysis you are looking for just one specific indicator to be created (e.g. a file) you could place your condition in this function and if it returns False, the analysis will terminate straight away.

Think of it as “should the analysis continue or not?”.

For example:

def check(self):
    if os.path.exists("C:\\config.bin"):
        return False
        return True

This check() function will cause CAPE to immediately terminate the analysis whenever C:\config.bin is created.


Wraps the malware execution and deals with DLL injection.


This function is simply called by CAPE before terminating the analysis and powering off the machine. By default, this function contains an optional feature to dump the process memory of all the monitored processes.


Every package has automatically access to a dictionary containing all user-specified options (see Submit an Analysis).

Such options are made available in the attribute self.options. For example, let’s assume that the user specified the following string at submission:


The analysis package selected will have access to these values:

from lib.common.abstracts import Package

class Example(Package):

    def start(self, path):
        foo = self.options["foo"]
        bar = self.options["bar"]

    def check():
        return True

    def finish():
        return True

These options can be used for anything you might need to configure inside your package.

Package Configuration

Analysis packages can be “configured” before being started. Package configuration comes in two forms:

  1. Public configuration

  2. Private configuration

Public configuration is stored within the analysis package class itself. Private configuration is stored externally, as data added to CAPE at runtime, separate from the CAPE Python code.

Public Package Configuration

Public package configuration is stored directly in the analysis package itself. This form of configuration is useful when configuring the host execution environment before the analysis is started.

For example, here is a alternative PDF package with lowered security settings:

 1from lib.common.abstracts import Package
 2from lib.common.exceptions import CuckooPackageError
 3from lib.common.registry import *
 6class PDFLS(Package):
 7    """PDF analysis package, with lowered security settings."""
 9    PATHS = [
10        ("ProgramFiles", "Adobe", "Acrobat DC", "Acrobat", "Acrobat.exe"),
11    ]
13    def __init__(self, options=None, config=None):
14        """@param options: options dict."""
15        if options is None:
16            options = {}
17        self.config = config
18        self.options = options
19        self.options["pdf"] = "1"
21    def configure(self, target):
22        rootkey, subkey = "HKEY_CURRENT_USER", r"SOFTWARE\Adobe\Adobe Acrobat\DC"
23        set_regkey(rootkey, fr"{subkey}\Privileged", "bProtectedMmode", REG_DWORD, 0)
24        set_regkey(rootkey, fr"{subkey}\JSPrefs", "bEnableJS", REG_DWORD, 1)
25        set_regkey(rootkey, fr"{subkey}\JSPrefs", "bEnableGlobalSecurity", REG_DWORD, 0)
27    def start(self, path):
28        reader = self.get_path_glob("Acrobat.exe")
29        return self.execute(reader, f'"{path}"', path)

Private Package Configuration

Private package configuration is stored outside the analysis package class, in a module under the same name as the analysis package. This is useful when managing configuration of package capabilities separately is desired, for privacy reasons or otherwise.

For example, here is a private package configuration for exe analysis that disables ASLR for the target being analyzed:

 1# data/packages/
 2import lief
 4def configure(package, target):
 5    # here "package" refers to modules.packages.exe.Exe
 6    if package.options.get("disable-aslr"):
 7        pe_binary = lief.parse(target)
 8        old_flags = pe_binary.optional.header.dll_characteristics
 9        # unset DYNAMIC_BASE
10        new_flags = (old_flags & ~lief.PE.OptionalHeader.DLL_CHARACTERISTICS.DYNAMIC_BASE)
11        pe_binary.optional_header.dll_characteristics = new_flags
12        pe_binary.write(target)

Process API

The Process class provides access to different process-related features and functions. You can import it into your analysis packages with:

from lib.api.process import Process

You then initialize an instance with:

p = Process()

In case you want to open an existing process instead of creating a new one, you can specify multiple arguments:

  • pid: PID of the process you want to operate on.

  • h_process: handle of a process you want to operate on.

  • thread_id: thread ID of a process you want to operate on.

  • h_thread: handle of the thread of a process you want to operate on.

This class implements several methods that you can use in your scripts.


Opens an handle to a running process. Returns True or False in case of success or failure of the operation.

Return type:


Example Usage:

1p = Process(pid=1234)
3handle = p.h_process

Returns the exit code of the opened process. If it wasn’t already done before, exit_code() will perform a call to open() to acquire an handle to the process.

Return type:


Example Usage:

1p = Process(pid=1234)
2code = p.exit_code()

Calls exit_code() and verify if the returned code is STILL_ACTIVE, meaning that the given process is still running. Returns True or False.

Return type:


Example Usage:

1p = Process(pid=1234)
2if p.is_alive():
3    print("Still running!")

Returns the PID of the parent process of the opened process. If it wasn’t already done before, get_parent_pid() will perform a call to open() to acquire an handle to the process.

Return type:


Example Usage:

1p = Process(pid=1234)
2ppid = p.get_parent_pid()
Process.execute(path[, args=None[, suspended=False]])

Executes the file at the specified path. Returns True or False in case of success or failure of the operation.

  • path (string) – path to the file to execute

  • args (string) – arguments to pass to the process command line

  • suspended (boolean) – enable or disable suspended mode flag at process creation

Return type:


Example Usage:

1p = Process()
2p.execute(path="C:\\WINDOWS\\system32\\calc.exe", args="Something", suspended=True)

Resumes the opened process from a suspended state. Returns True or False in case of success or failure of the operation.

Return type:


Example Usage:

1p = Process()
2p.execute(path="C:\\WINDOWS\\system32\\calc.exe", args="Something", suspended=True)

Terminates the opened process. Returns True or False in case of success or failure of the operation.

Return type:


Example Usage:

1p = Process(pid=1234)
2if p.terminate():
3    print("Process terminated!")
5    print("Could not terminate the process!")
Process.inject([dll[, apc=False]])

Injects a DLL (by default “dll/capemon.dll”) into the opened process. Returns True or False in case of success or failure of the operation.

  • dll (string) – path to the DLL to inject into the process

  • apc (boolean) – enable to use QueueUserAPC() injection instead of CreateRemoteThread(), beware that if the process is in suspended mode, capemon will always use QueueUserAPC()

Return type:


Example Usage:

1p = Process()
2p.execute(path="C:\\WINDOWS\\system32\\calc.exe", args="Something", suspended=True)

Takes a snapshot of the given process’ memory space. Returns True or False in case of success or failure of the operation.

Return type:


Example Usage:

1p = Process(pid=1234)