Environment
- CAPEv2: v2.5
- capemon: latest (2.5)
- Guest OS: Windows 10
- Analysis package: ps1
Description
When analyzing PowerShell scripts (.ps1) using the ps1 package,
the PowerShell process crashes immediately after loading propsys.dll,
before CLR (clr.dll) can initialize.
Symptoms
- PowerShell process terminates within 3-6 seconds
- clr.dll never loads
- curtain.log is always 36 bytes (empty)
- No behavioral logs captured
Stack Trace (from debug=2,force-flush=2)
Exception Code: c0000374 (STATUS_HEAP_CORRUPTION)
Fault Address: 7ffca9efb86b
ntdll.dll+0x78a3c
ntdll.dll+0x51276
capemon_x64.dll+0xc13a1 <-- heap corruption occurs here
ntdll.dll+0x511a5
ntdll.dll+0xff199
ntdll.dll+0xff163
ntdll.dll+0x107ee2
ntdll.dll+0x1081ca
ntdll.dll+0x10de51
Analysis
capemon hooks ntdll heap functions during CLR initialization.
The .NET CLR has strict heap integrity validation and detects
the corruption caused by capemon hooks, triggering
STATUS_HEAP_CORRUPTION and terminating the process.
Workarounds tested
| Option | Result |
| --- | --- |
| free=1 | Works (no monitoring) |
| disable_hook_content=1 | Works (limited monitoring) |
| unhook-apis=RtlAllocateHeap:RtlFreeHeap:... | Partial improvement |
| exclude-dlls=ntdll | Partial improvement (2 more DLLs load) |
| pwsh=1 (PS 7) | Not tested |
Expected Behavior
PowerShell should execute normally with full API hook monitoring.
Actual Behavior
PowerShell crashes before CLR initializes.
Only disable_hook_content=1 allows execution but with reduced monitoring.
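The report attributes the STATUS_HEAP_CORRUPTION to capemon's hooks on the ntdll heap functions, but does not say how a hook corrupts the heap. One mechanism that produces exactly this pattern in heap-function hooks is reentrancy: the hook's own bookkeeping (formatting a log line, growing a buffer) allocates from the heap it is hooking, so the hook re-enters itself and interleaves with the allocator's internal state. The C program below is an added illustration of that hazard and of the usual per-thread guard. It is portable C with a malloc stand-in for RtlAllocateHeap, it is not capemon's code, and whether reentrancy is capemon's actual defect here is an assumption the issue does not confirm.

```c
#include <stdio.h>
#include <stdlib.h>

/* Portable stand-in for the hooked heap API (RtlAllocateHeap / RtlFreeHeap).
 * Illustration code written for this issue, not capemon's hook. */
static size_t g_real_alloc_calls;

static void *real_alloc(size_t n) { g_real_alloc_calls++; return malloc(n); }
static void real_free(void *p) { free(p); }

/* Hook bookkeeping. In a real monitor g_in_hook must be thread-local. */
static int g_in_hook;       /* reentrancy guard */
static int g_depth;         /* current hook nesting depth */
static int g_max_depth;     /* deepest nesting observed during a scenario */
static size_t g_events;     /* log lines successfully emitted */
#define DEPTH_LIMIT 8       /* demo cut-off; unguarded real code would overflow the stack */

/* The allocation entry point the logger hits: whichever hook is installed. */
static void *(*g_alloc_entry)(size_t);

/* Logger that formats its line into a buffer taken from the hooked heap.
 * That allocation goes back through the hook, which is the reentrancy trap. */
static int log_event(const char *api, size_t n) {
    char *line = g_alloc_entry(64);
    if (line == NULL) return 0;
    snprintf(line, 64, "%s(%zu)", api, n);
    g_events++;
    real_free(line);
    return 1;
}

/* Unguarded hook: the logger's own allocation is logged too, recursively. */
static void *hooked_alloc_unguarded(size_t n) {
    if (g_depth >= DEPTH_LIMIT) return NULL;   /* stop the demo instead of crashing */
    if (++g_depth > g_max_depth) g_max_depth = g_depth;
    log_event("RtlAllocateHeap", n);
    void *p = real_alloc(n);
    g_depth--;
    return p;
}

/* Guarded hook: while a hook frame is already active on this thread, any
 * allocation the hook makes bypasses logging and goes to the real API. */
static void *hooked_alloc_guarded(size_t n) {
    if (g_in_hook) return real_alloc(n);
    g_in_hook = 1;
    if (++g_depth > g_max_depth) g_max_depth = g_depth;
    log_event("RtlAllocateHeap", n);
    g_depth--;
    g_in_hook = 0;
    return real_alloc(n);
}

static void reset_state(void) {
    g_in_hook = 0; g_depth = 0; g_max_depth = 0; g_events = 0; g_real_alloc_calls = 0;
}

/* Push one 128-byte allocation through the selected hook. Returns the deepest
 * nesting reached (1 means the hook never re-entered), or -1 on failure. */
int run_scenario(int guarded, size_t *events_out, size_t *real_calls_out) {
    reset_state();
    g_alloc_entry = guarded ? hooked_alloc_guarded : hooked_alloc_unguarded;
    void *p = g_alloc_entry(128);
    if (events_out) *events_out = g_events;
    if (real_calls_out) *real_calls_out = g_real_alloc_calls;
    if (p == NULL) return -1;
    real_free(p);
    return g_max_depth;
}

int main(void) {
    size_t ev, rc;
    int d = run_scenario(0, &ev, &rc);
    printf("unguarded: max depth %d (capped at %d), %zu events, %zu real allocs\n",
           d, DEPTH_LIMIT, ev, rc);
    d = run_scenario(1, &ev, &rc);
    printf("guarded:   max depth %d, %zu events, %zu real allocs\n", d, ev, rc);
    return 0;
}
```

The unguarded path nests until the demo cut-off (a real hook would keep going until the stack or the heap's internal structures give out), while the guarded path logs the caller's allocation exactly once and lets the logger's own allocation through untouched. The same guard is what lets a monitor hook heap functions while the CLR is still bringing up its own heaps.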