Dependency "threemonpatch" incompatibility with Windows 7 SP1 #13

@JBennack23

Description

Environment

Ubuntu 22.04 Desktop x64 on a MacBook Pro (Intel, 4 cores).

Windows Platform Used

  • Version: Windows 7 Ultimate with SP1 Beta (Build 7601.16562).
  • Arch: x64.
  • Release Date: 2010-06-03.

My Goal

Analyze a malware sample in a sandboxed environment (Cuckoo3). This malware is old and can only be studied in Windows environments not updated with the related patches; in particular, the first one was published in August 2010, so I need to use ISOs from before that date.

Issue Description

When creating snapshots, vmcloak detects the machine as compatible with threemonpatch (as it's win7x64), but after installing the patch, the machine is no longer able to boot. The Startup Repair utility starts instead, showing a corrupted system file which prevents Windows from booting:

(screenshot: Threemonpatch Incompatibility)

I tried multiple times to install the patch, also on another Windows 7 ISO (Windows 7 Ultimate Build 7600 RTM x64), but with the same result. The corrupted file has a different name every time; it is probably dynamically generated by the patch executable.

Details on what I've done and how to reproduce this behavior

  1. Perform a full Cuckoo3 and VMCloak installation as specified on the official documentation page.
  2. Download the specified Windows ISO (Windows 7 Ultimate with SP1 Beta Build 7601.16562 or Windows 7 Ultimate Build 7600 RTM x64); I cannot post links here, but copy-pasting the name into Google will bring up archive pages with direct download links.
  3. Create the VM using that ISO with the commands:
# As default user:
sudo mkdir -p /mnt/win7x64
sudo mount -o loop,ro ~/Downloads/<iso_name>.iso /mnt/win7x64
# As cuckoo user (sudo su --login cuckoo):
source vmcloak/venv/bin/activate
vmcloak --debug init \
    --win7x64 \
    --hddsize 128 --cpus 2 --ramsize 4096 \
    --network 192.168.30.0/24 \
    --vm qemu \
    --ip 192.168.30.3 \
    --iso-mount /mnt/win7x64 \
    w7sp1naked br0
  4. Clone the machine (the creation process is long, so it's better to have a cloned machine before breaking the system with threemonpatch for further investigations):
vmcloak --debug clone w7sp1naked w7sp1
  5. Install the recommended dependencies:
vmcloak --debug install w7sp1 --recommended
# Some dependencies will fail to download or to install (dotnet4.7, vcredist2019, java7u80, wallpaper, ...)
# I've manually installed dotnet4.0, vcredist2008 and vcredist2010...
# ...this was done by creating an ISO (with genisoimage), inserting it into the CD-ROM device and booting the machine with qemu manually after the vmcloak install command finishes
  6. At last, the snapshots are created, using the command:
vmcloak --debug snapshot --count 3 w7sp1 w7sp1-vm_ 192.168.30.100

This command fails to create the snapshots, because it first installs the finalize and threemonpatch dependencies. After applying the latter, the VM is rebooted in order to create the snapshots, but it never boots correctly again; using a simple VNC client like Remmina, it is easy to connect to the VM on port 9289 and check that the System Startup Repair utility (shown in the screenshot above) is launched instead.

What I've already tried

Since the patch breaks the system, the most obvious solution was to add the --nopatch option when creating the snapshot with vmcloak. It works (the system boots and the snapshots are created), but this causes problems later when using the snapshot in Cuckoo3 with a submitted file, which responds with the following:

2025-09-09 11:28:31 ERROR [cuckoo.node.taskrunner]: Error during task run. error=Failed to execute payload on guest: Payload execution failed: Failed to load driver. Missing .sys or unpatched Windows?. Failed to load driver. Missing .sys or unpatched Windows?

The full portion of this log is attached to this message as cuckoo_submit_fail.log.

The full command is vmcloak --debug snapshot --nopatch --count 3 w7sp1 w7sp1-vm_ 192.168.30.100. To get the errors shown in the log, I imported the machines into cuckoo using cuckoo machine import qemu /home/cuckoo/.vmcloak/vms/qemu && cuckoo machine delete qemu example1, and later started cuckoo (cuckoo -d) and submitted a file (cuckoo submit ~/my.exe).

Other Investigations

I searched for threemonpatch on Google, trying to better understand what this module is for. I found no information about it; I suppose, also from reading the cuckoo log, that it's a module which cuckoo uses to analyze system events like API calls and similar. But I couldn't find what exactly the exe does to the system. In fact, the Python module responsible for threemon (vmcloak/dependencies/threemonpatch.py) only downloads and runs the binary:

# Copyright (C) 2021 Hatching B.V.
# This file is part of VMCloak - http://www.vmcloak.org/.
# See the file 'docs/LICENSE.txt' for copying permission.

from vmcloak.abstract import Dependency


class ThreemonPatch(Dependency):
    name = "threemonpatch"
    tags = ["threemonpatch"]

    exes = [
        {
            "arch": "amd64",
            "urls": [
                "https://hatching.dev/hatchvm/patchandgo_amd64_vmcloak.exe",
            ],
            "sha1": "a8f8ed626b9fc9f66938ac034db4e8750664a6ac",
        }
    ]

    def run(self):
        self.upload_dependency("C:\\patchandgo.exe")
        self.a.execute("C:\\patchandgo.exe")
        self.a.remove("C:\\patchandgo.exe")

Attachments

cuckoo_submit_fail.log
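The threemonpatch module quoted above carries an expected SHA-1 for the patchandgo binary it downloads and then executes inside the guest. The following is an added example, not vmcloak's code or part of the original issue: it shows the integrity check a practitioner would want to sit between "download" and "execute" for any dependency binary of this kind, so that a tampered or swapped download is rejected before it is ever uploaded to the VM. The names DependencyEntry, select_exe, verify_sha1 and stage_dependency are hypothetical, the fetch/execute callables stand in for vmcloak's download and agent-execute steps, and the payload bytes are constructed for the demonstration.

```python
"""Verify a dependency binary's SHA-1 before executing it in the guest.

Added example (hypothetical helper, not vmcloak's own implementation).
The `exes` structure mirrors the one in threemonpatch.py: a list of
per-architecture entries, each with candidate URLs and an expected SHA-1.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


class IntegrityError(Exception):
    """Raised when no candidate download matches the expected digest."""


@dataclass
class DependencyEntry:
    arch: str
    urls: List[str]
    sha1: str  # lowercase hex digest


def select_exe(exes: List[Dict], arch: str) -> Optional[DependencyEntry]:
    """Pick the entry for the guest architecture (e.g. 'amd64'); None if absent."""
    for entry in exes:
        if entry.get("arch") == arch:
            return DependencyEntry(entry["arch"], list(entry["urls"]),
                                   entry["sha1"].lower())
    return None


def verify_sha1(data: bytes, expected_sha1: str) -> bool:
    """Constant-time comparison of the payload's SHA-1 with the pinned digest."""
    actual = hashlib.sha1(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha1.lower())


def stage_dependency(exes: List[Dict], arch: str,
                     fetch: Callable[[str], bytes],
                     execute: Callable[[bytes], int]) -> int:
    """Download, verify, then execute. Returns execute()'s exit code.

    Every candidate URL is tried in order; execute() is only ever called
    with bytes whose SHA-1 matched, so a mismatch on all URLs raises
    IntegrityError instead of running an unverified binary in the guest.
    """
    entry = select_exe(exes, arch)
    if entry is None:
        raise ValueError(f"no dependency binary for arch {arch!r}")
    rejected = []
    for url in entry.urls:
        data = fetch(url)
        if verify_sha1(data, entry.sha1):
            return execute(data)
        rejected.append(url)
    raise IntegrityError(
        f"SHA-1 mismatch for all candidates (expected {entry.sha1}): {rejected}")


# --- constructed demonstration inputs (not the real patchandgo.exe) --------
GOOD_PAYLOAD = b"MZ-constructed-payload-for-demo"
TAMPERED_PAYLOAD = b"MZ-constructed-payload-for-demo-with-extra-bytes"
DEMO_EXES = [{
    "arch": "amd64",
    "urls": ["https://example.invalid/patchandgo_amd64_demo.exe"],  # hypothetical URL
    "sha1": hashlib.sha1(GOOD_PAYLOAD).hexdigest(),
}]


def demo_good() -> int:
    """Download returns the pinned bytes: the binary is executed (exit code 0)."""
    return stage_dependency(DEMO_EXES, "amd64",
                            fetch=lambda url: GOOD_PAYLOAD,
                            execute=lambda data: 0)


def demo_tampered() -> bool:
    """Download returns altered bytes: execute() must never run; True if blocked."""
    executed = []
    try:
        stage_dependency(DEMO_EXES, "amd64",
                         fetch=lambda url: TAMPERED_PAYLOAD,
                         execute=lambda data: executed.append(data) or 0)
    except IntegrityError:
        return not executed
    return False


if __name__ == "__main__":
    print("good download executed, exit code:", demo_good())
    print("tampered download blocked:", demo_tampered())
```

The same check applies to the --nopatch workaround discussed above: skipping the patch avoids the boot failure, but the driver that cuckoo's agent later fails to load is precisely what the verified binary would have installed, so the integrity gate belongs on the patch step itself rather than on whether the step runs.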
