Add TLS pcap decryption via GoGoRoboCap with SSLproxy MITM support

Adds per-analysis TLS interception and PCAP decryption pipeline:

SSLproxy auxiliary module (modules/auxiliary/SSLProxy.py):
- Per-analysis SSLproxy instance using autossl mode (detects TLS
  ClientHello on any port + STARTTLS upgrades, passthrough for non-TLS)
- NAT REDIRECT via rooter for VM traffic interception
- Cgroup-based VPN routing for SSLproxy upstream connections
- Single PCAP output (-X) with master key logging (-M)
- Activated per-task via sslproxy=1 option

GoGoRoboCap decryption processor (modules/processing/decryptpcap.py):
- Auto-detects best decryption method:
  - SSLproxy synthetic PCAPs: strips prepended TLS ClientHello via
    --sslproxy-clean so Suricata can do protocol identification, then
    merges cleaned output with original PCAP via mergecap
  - TLS keylog: collects keys from tlsdump, sslkeylogfile, and
    sslproxy master_keys.log for GoGoRoboCap decryption
- Configurable via pcapsrc option (auto/pcap_with_keylog/sslproxy_synth_pcap)
- Produces dump_decrypted.pcap and dump_mixed.pcap

Network and Suricata integration:
- Both modules auto-use dump_mixed.pcap when available
- Suricata HTTP/2 header parsing (pseudo-headers, control frame filtering)
- HTTP/2 passlist filtering via :authority header

UI changes:
- pcapzip download bundles all available PCAPs (original, decrypted,
  mixed, sslproxy raw, sslproxy clean)
- Download buttons for decrypted and mixed PCAPs on network page
- Fix _suricata_http.html method field name

Java package (jar.py):
- Prefer javaw.exe, fall back to java.exe
- JAVA_TOOL_OPTIONS trust store override when sslproxy active
  (-Djavax.net.ssl.trustStoreType=Windows-ROOT)

sslkeylogfile.py:
- Document that Schannel KeyLogging registry key must be set in VM
  snapshot (requires reboot, cannot be enabled at runtime)

Author: wmetcalf

analyzer/windows/modules/auxiliary/sslkeylogfile.py

@@ -11,7 +11,14 @@
 
 
 class SslKeyLogFile(Auxiliary):
-    """Collect SSLKEYLOGFILE logs from guests."""
+    """Collect SSLKEYLOGFILE logs from guests.
+
+    For Schannel (Windows native TLS) key capture, the registry key
+    HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\KeyLogging
+    must have Enable=1 (REG_DWORD). This requires a reboot to take effect, so
+    it should be baked into the VM snapshot — not set at runtime.
+    This module handles setting the SSLKEYLOGFILE path at analysis start.
+    """
 
     def __init__(self, options, config):
         Auxiliary.__init__(self, options, config)

analyzer/windows/modules/packages/jar.py

@@ -2,14 +2,28 @@
 # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
 # See the file 'docs/LICENSE' for copying permission.
 
+import logging
+import os
+
 from lib.common.abstracts import Package
 from lib.common.constants import OPT_CLASS
 
+log = logging.getLogger(__name__)
+
 
 class Jar(Package):
     """Java analysis package."""
 
     PATHS = [
+        # javaw.exe preferred (no console window)
+        ("ProgramFiles", "Java", "jre*", "bin", "javaw.exe"),
+        ("ProgramFiles", "Java", "jdk*", "bin", "javaw.exe"),
+        ("ProgramFiles", "Java", "jdk-*", "bin", "javaw.exe"),
+        ("ProgramFiles", "Microsoft", "jdk-*", "bin", "javaw.exe"),
+        ("ProgramFiles", "Eclipse Adoptium", "jdk-*", "bin", "javaw.exe"),
+        ("ProgramFiles", "Eclipse Adoptium", "jre-*", "bin", "javaw.exe"),
+        ("ProgramFiles", "OpenJDK", "jdk-*", "bin", "javaw.exe"),
+        # java.exe fallback
         ("ProgramFiles", "Java", "jre*", "bin", "java.exe"),
         ("ProgramFiles", "Java", "jdk*", "bin", "java.exe"),
         ("ProgramFiles", "Java", "jdk-*", "bin", "java.exe"),
@@ -18,15 +32,31 @@ class Jar(Package):
         ("ProgramFiles", "Eclipse Adoptium", "jre-*", "bin", "java.exe"),
         ("ProgramFiles", "OpenJDK", "jdk-*", "bin", "java.exe"),
     ]
-    summary = "Executes a java class using java.exe."
-    description = f"""Uses 'java.exe -jar [path]' to run the given sample.
-    However, if the '{OPT_CLASS}' option is specified, use
-    'java.exe -cp [path] [class]' to run the named java class."""
+    summary = "Executes a .jar file using javaw.exe (or java.exe)."
+    description = f"""Uses 'javaw.exe -jar [path]' to run the given sample.
+    Falls back to java.exe if javaw.exe is not available.
+    If the '{OPT_CLASS}' option is specified, uses '-cp [path] [class]'
+    to run the named java class instead."""
     option_names = (OPT_CLASS,)
 
     def start(self, path):
         java = self.get_path_glob("Java")
         class_path = self.options.get("class")
 
+        java_opts = []
+        # When SSLproxy MITM is active, tell Java to use the Windows
+        # certificate store so it trusts the MITM CA without needing
+        # to import it into Java's cacerts keystore.
+        if self.options.get("sslproxy"):
+            java_opts.extend([
+                "-Djavax.net.ssl.trustStoreType=Windows-ROOT",
+                "-Djavax.net.ssl.trustStore=NUL",
+            ])
+
+        if java_opts:
+            os.environ["JAVA_TOOL_OPTIONS"] = " ".join(java_opts)
+            log.info("Set JAVA_TOOL_OPTIONS=%s", os.environ["JAVA_TOOL_OPTIONS"])
+
         args = f'-cp "{path}" {class_path}' if class_path else f'-jar "{path}"'
+        log.info("Executing: %s %s", java, args)
         return self.execute(java, args, path)

conf/default/processing.conf.default

@@ -122,6 +122,14 @@ country_lookup = no
 # For ipinfo use: Free IP to Country + IP to ASN
 maxmind_database = data/GeoLite2-Country.mmdb
 
+[decryptpcap]
+enabled = yes
+# Path to GoGoRoboCap binary (relative to CUCKOO_ROOT or absolute)
+gogorobocap = data/gogorobocap/gogorobocap-linux-amd64
+# Decryption source: auto (default), pcap_with_keylog, or sslproxy_synth_pcap
+# auto: uses sslproxy synthetic pcap when available, falls back to keylog decryption
+pcapsrc = auto
+
 [pcapng]
 enabled = no
 

conf/default/sslproxy.conf.default

@@ -0,0 +1,14 @@
+[cfg]
+# Path to sslproxy binary
+bin = /usr/local/bin/sslproxy
+
+# CA certificate and key for MITM signing.
+# The CA must be trusted by guest VMs (imported into the Windows certificate store).
+# Generate with:
+#   openssl req -new -x509 -days 3650 -keyout ca.key -out ca.crt -nodes \
+#     -subj "/CN=My MITM CA" -addext "basicConstraints=critical,CA:TRUE"
+ca_cert = data/sslproxy/ca.crt
+ca_key = data/sslproxy/ca.key
+
+# Interface where VMs connect (must match your hypervisor network interface)
+interface = virbr0

data/gogorobocap/gogorobocap-linux-amd64

@@ -494,6 +494,20 @@ def init_rooter():
     except Exception as e:
         log.debug("An unexpected error occurred while checking UFW status: %s", e)
 
+    # SSLproxy shared NFQUEUE infrastructure (DIVERT chain + TPROXY routing)
+    try:
+        sslproxy_conf = Config("sslproxy")
+        log.info("SSLproxy config loaded: %s", bool(sslproxy_conf))
+        if sslproxy_conf:
+            nfqueue_mark = str(sslproxy_conf.cfg.get("nfqueue_mark", 100))
+            log.info("SSLproxy calling sslproxy_nfqueue_enable with mark=%s", nfqueue_mark)
+            rooter("sslproxy_nfqueue_enable", nfqueue_mark)
+            log.info("SSLproxy NFQUEUE shared infrastructure enabled (mark=%s)", nfqueue_mark)
+        else:
+            log.info("SSLproxy config not found, skipping NFQUEUE init")
+    except Exception as e:
+        log.warning("SSLproxy NFQUEUE init failed: %s", e, exc_info=True)
+
 
 def init_routing():
     """Initialize and check whether the routing information is correct."""

lib/cuckoo/core/startup.py

@@ -0,0 +1,205 @@
+import logging
+import os
+import shlex
+import signal
+import socket
+import subprocess
+
+from contextlib import closing
+from threading import Thread
+
+from lib.cuckoo.common.abstracts import Auxiliary
+from lib.cuckoo.common.config import Config
+from lib.cuckoo.common.constants import CUCKOO_ROOT
+from lib.cuckoo.core.rooter import rooter
+
+log = logging.getLogger(__name__)
+
+sslproxy_cfg = Config("sslproxy")
+
+
+class SSLProxy(Auxiliary):
+    """Per-analysis SSLproxy TLS interception with STARTTLS support.
+
+    Uses a single SSLproxy autossl listener per analysis. All VM TCP traffic is
+    NAT REDIRECT'd to it. SSLproxy detects TLS ClientHello on any port and
+    STARTTLS upgrades, intercepts them with MITM, and passes non-TLS through.
+
+    Enabled per-task via the ``sslproxy=1`` task option.
+    """
+
+    def __init__(self):
+        Auxiliary.__init__(self)
+        Thread.__init__(self)
+        self.sslproxy_thread = None
+
+    def start(self):
+        self.sslproxy_thread = SSLProxyThread(self.task, self.machine)
+        self.sslproxy_thread.start()
+        return True
+
+    def stop(self):
+        if self.sslproxy_thread:
+            self.sslproxy_thread.stop()
+
+
+class SSLProxyThread(Thread):
+    """Thread controlling per-analysis SSLproxy instance."""
+
+    def __init__(self, task, machine):
+        Thread.__init__(self)
+        self.task = task
+        self.machine = machine
+        self.storage_dir = os.path.join(CUCKOO_ROOT, "storage", "analyses",
+                                        str(self.task.id), "sslproxy")
+        self.proc = None
+        self.log_file = None
+        self.do_run = True
+        self._rooter_enabled = False
+
+        # Config
+        self.sslproxy_bin = sslproxy_cfg.cfg.get("bin")
+        self.ca_cert = sslproxy_cfg.cfg.get("ca_cert")
+        self.ca_key = sslproxy_cfg.cfg.get("ca_key")
+        self.interface = sslproxy_cfg.cfg.get("interface")
+
+        # Single autossl port handles everything
+        self.proxy_port = self._get_unused_port()
+        self.resultserver_port = str(getattr(self.machine, 'resultserver_port', 2042))
+
+        # Determine routing table for upstream VPN routing
+        routing_conf = Config("routing")
+        self.route = self.task.route or routing_conf.routing.route
+        self.rt_table = ""
+        if self.route and self.route not in ("none", "None", "drop", "false", "inetsim", "tor"):
+            if hasattr(routing_conf, self.route):
+                entry = routing_conf.get(self.route)
+                self.rt_table = str(getattr(entry, 'rt_table', ''))
+            elif self.route.startswith("tun"):
+                self.rt_table = self.route
+            elif self.route == "internet":
+                self.rt_table = str(routing_conf.routing.rt_table) if routing_conf.routing.rt_table else ""
+
+    def _get_unused_port(self):
+        with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
+            s.bind(("", 0))
+            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+            return str(s.getsockname()[1])
+
+    def _is_sslproxy_requested(self):
+        """Check if sslproxy=1 is set in task options."""
+        for opt in (self.task.options or "").split(","):
+            opt = opt.strip()
+            if "=" in opt:
+                key, val = opt.split("=", 1)
+                if key.strip() == "sslproxy":
+                    return val.strip() not in ("0", "no", "false", "")
+        return False
+
+    def run(self):
+        log.info("SSLProxy thread running for task %s", self.task.id)
+        if not self._is_sslproxy_requested():
+            log.info("SSLProxy not requested for task %s, skipping", self.task.id)
+            return
+
+        if not self.do_run:
+            return
+
+        if not self.proxy_port:
+            log.error("SSLProxy failed to allocate port")
+            return
+
+        # Set up NAT REDIRECT: all VM TCP (except ResultServer) → SSLproxy autossl listener
+        try:
+            rooter("sslproxy_enable", self.interface, self.machine.ip,
+                   self.proxy_port, self.resultserver_port, self.rt_table)
+            self._rooter_enabled = True
+        except Exception as e:
+            log.exception("Failed to enable SSLproxy iptables rules: %s", e)
+            return
+
+        try:
+            self._start_sslproxy()
+        except Exception as e:
+            log.error("Failed to start SSLproxy for task %s: %s", self.task.id, e)
+            self._disable_rooter()
+
+    def _start_sslproxy(self):
+        """Build command and launch SSLproxy process."""
+        os.makedirs(self.storage_dir, exist_ok=True)
+
+        conn_log = os.path.join(self.storage_dir, "connections.log")
+        master_keys = os.path.join(self.storage_dir, "master_keys.log")
+        pcap_file = os.path.join(self.storage_dir, "sslproxy.pcap")
+
+        # Build command as a list to avoid shell injection
+        sslproxy_cmd = [
+            self.sslproxy_bin, "-D",
+            "-k", self.ca_key, "-c", self.ca_cert,
+            "-l", conn_log, "-X", pcap_file, "-M", master_keys,
+            "-u", "root", "-o", "VerifyPeer=no", "-P",
+            "autossl", "0.0.0.0", self.proxy_port, "up:80",
+        ]
+
+        # Launch in per-VM cgroup so iptables cgroup match can route upstream through VPN.
+        # We need bash to write $$ to cgroup.procs before exec'ing sslproxy.
+        cgroup_procs = f"/sys/fs/cgroup/sslproxy/{self.machine.ip}/cgroup.procs"
+        shell_cmd = "echo $$ > {} 2>/dev/null; exec {}".format(
+            shlex.quote(cgroup_procs),
+            " ".join(shlex.quote(arg) for arg in sslproxy_cmd),
+        )
+        popen_args = ["sudo", "bash", "-c", shell_cmd]
+
+        self.log_file = open(os.path.join(self.storage_dir, "sslproxy.log"), "w")
+        self.log_file.write(" ".join(sslproxy_cmd) + "\n")
+        self.log_file.flush()
+
+        try:
+            self.proc = subprocess.Popen(popen_args, stdout=self.log_file,
+                                         stderr=self.log_file, shell=False,
+                                         start_new_session=True)
+        except (OSError, subprocess.SubprocessError):
+            self.log_file.close()
+            self.log_file = None
+            raise
+
+        log.info("Started SSLproxy PID %d for task %s (autossl port=%s, VM=%s)",
+                 self.proc.pid, self.task.id, self.proxy_port, self.machine.ip)
+
+    def _disable_rooter(self):
+        """Remove per-VM iptables rules."""
+        if not self._rooter_enabled:
+            return
+        try:
+            rooter("sslproxy_disable", self.interface, self.machine.ip,
+                   self.proxy_port, self.resultserver_port, self.rt_table)
+            self._rooter_enabled = False
+        except Exception as e:
+            log.error("Failed to disable SSLproxy iptables rules: %s", e)
+
+    def stop(self):
+        self.do_run = False
+
+        try:
+            if self.proc and self.proc.poll() is None:
+                log.info("Stopping SSLproxy for task %s", self.task.id)
+                try:
+                    os.killpg(os.getpgid(self.proc.pid), signal.SIGTERM)
+                    self.proc.wait(timeout=10)
+                except subprocess.TimeoutExpired:
+                    log.warning("SSLproxy did not exit gracefully, killing")
+                    try:
+                        os.killpg(os.getpgid(self.proc.pid), signal.SIGKILL)
+                        self.proc.wait(timeout=5)
+                    except OSError:
+                        pass
+                except OSError:
+                    pass  # Process already exited
+        except Exception as e:
+            log.error("Failed to stop SSLproxy: %s", e)
+        finally:
+            self.proc = None
+            if self.log_file:
+                self.log_file.close()
+                self.log_file = None
+            self._disable_rooter()