David-Reguera-Garcia-Dreg / Anticuckoo

Licence: MIT
A tool to detect and crash Cuckoo Sandbox

Programming Languages

c


anticuckoo

A tool to detect and crash Cuckoo Sandbox. Tested against the official Cuckoo Sandbox and Accuvant's Cuckoo fork.

Anticuckoo can also detect other sandboxes, such as FireEye (using -c2):

ScreenShot

Reddit / netsec discussion about anticuckoo.

Features

  • Detection:
    • Cuckoo hook detection (all kinds of Cuckoo hooks).
    • Suspicious data in the process's own memory (scanned page by page, without calling any API).
  • Crash (run with one of these arguments; outside a sandbox they do not crash the program):
    • -c1: Patches the RET N instruction of a hooked API with a larger N, then calls the API pushing correspondingly more arguments, so the tool's own call stays balanced. When the hooked API is called from Cuckoo's HookHandler, which pushes only the real API arguments, the modified RET N pops too many bytes, corrupts the HookHandler's stack and the program crashes.
    • -c2: Cuckoomon runs threads of its own inside the analysed process; when the tool detects such new threads, it crashes.
    • -c3: Crashes when it detects traces of hook handler activity in the old stack area.
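The hook detection and -c1 items above, as an added example that is not Anticuckoo's own code: it classifies the first bytes of an API entry as one of the common x86 inline-hook shapes, treats a redirect as a hook only when the target falls outside the modules the process expects (kernel32 legitimately forwards some exports to ntdll with a plain jmp, so a flat "any jmp is a hook" test misfires there), and then locates and re-writes the API's RET N the way -c1 does. The module ranges, the API address and the stub bytes are constructed for the demonstration; on Windows the bytes would be read from the address GetProcAddress() returns.

```c
/* Added example, not Anticuckoo's code. Recognises the x86 inline-hook shapes
 * a monitor DLL like cuckoomon leaves at an API entry point and locates the
 * RET N that the README's -c1 method re-writes. Works on byte buffers so it
 * compiles anywhere; on Windows the bytes would be read from the address
 * GetProcAddress() returns. All addresses and stubs below are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef enum {
    HOOK_NONE = 0,
    HOOK_JMP_REL32,     /* E9 rel32        */
    HOOK_JMP_INDIRECT,  /* FF 25 disp32    */
    HOOK_PUSH_RET,      /* 68 imm32 C3     */
    HOOK_MOV_EAX_JMP,   /* B8 imm32 FF E0  */
    HOOK_INT3           /* CC              */
} hook_kind;

typedef struct { uint32_t base, end; } module_range;   /* [base, end) */

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static int in_ranges(uint32_t v, const module_range *r, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (v >= r[i].base && v < r[i].end) return 1;
    return 0;
}

/* Classify the bytes at `entry` (the VA of p[0], needed to resolve E9).
 * *target receives where control goes: the jump/push target, or for FF 25
 * the pointer slot itself, which is wherever the hook placed it. */
hook_kind classify_entry(uint32_t entry, const uint8_t *p, size_t n, uint32_t *target) {
    *target = 0;
    if (n >= 5 && p[0] == 0xE9) { *target = entry + 5 + rd32(p + 1); return HOOK_JMP_REL32; }
    if (n >= 6 && p[0] == 0xFF && p[1] == 0x25) { *target = rd32(p + 2); return HOOK_JMP_INDIRECT; }
    if (n >= 6 && p[0] == 0x68 && p[5] == 0xC3) { *target = rd32(p + 1); return HOOK_PUSH_RET; }
    if (n >= 7 && p[0] == 0xB8 && p[5] == 0xFF && p[6] == 0xE0) { *target = rd32(p + 1); return HOOK_MOV_EAX_JMP; }
    if (n >= 1 && p[0] == 0xCC) return HOOK_INT3;
    return HOOK_NONE;
}

/* A redirect is a hook only if it leaves the modules the process expects:
 * kernel32 legitimately forwards some exports to ntdll with a plain jmp, so
 * "any jmp at the entry" would be a false positive there. */
int is_hooked(uint32_t entry, const uint8_t *p, size_t n, const module_range *trusted, size_t ntrusted) {
    uint32_t target;
    hook_kind k = classify_entry(entry, p, n, &target);
    if (k == HOOK_NONE) return 0;
    if (k == HOOK_INT3) return 1;           /* breakpoint-style hook, no target */
    return !in_ranges(target, trusted, ntrusted);
}

/* Find RET imm16 (C2 iw). A linear byte scan is enough for the short, known
 * stdcall stubs a tool like this targets; anything longer needs a real
 * instruction walk so a C2 inside an immediate is not taken for a RET. */
long find_ret_n(const uint8_t *p, size_t len, uint16_t *n) {
    for (size_t i = 0; i + 3 <= len; i++)
        if (p[i] == 0xC2) { *n = (uint16_t)(p[i + 1] | p[i + 2] << 8); return (long)i; }
    return -1;
}

/* The -c1 patch: raise N by extra_args dwords. The tool's own call to the API
 * pushes those extra dwords, so its stack stays balanced; Cuckoo's hook
 * handler pushes only the real arguments, so when the real API returns it
 * pops 4*extra_args bytes out of the handler's frame and the process dies. */
int plan_retn_patch(uint8_t *stub, size_t len, unsigned extra_args, uint16_t *old_n, uint16_t *new_n) {
    long off = find_ret_n(stub, len, old_n);
    if (off < 0) return 0;
    *new_n = (uint16_t)(*old_n + 4u * extra_args);
    stub[off + 1] = (uint8_t)(*new_n & 0xFF);
    stub[off + 2] = (uint8_t)(*new_n >> 8);
    return 1;
}

/* Constructed data: an API at API_ENTRY inside a fake kernel32, a fake ntdll,
 * and a 3-argument stdcall stub (mov edi,edi; push ebp; mov ebp,esp; pop ebp;
 * ret 0Ch). The 5-byte hotpatch prologue is what hooks usually overwrite. */
#define API_ENTRY 0x77011000u
static const module_range TRUSTED[] = { {0x77000000u, 0x77100000u},   /* kernel32 */
                                        {0x77800000u, 0x77900000u} }; /* ntdll    */
static const uint8_t CLEAN_STUB[]   = { 0x8B,0xFF,0x55,0x8B,0xEC, 0x5D,0xC2,0x0C,0x00 };
static const uint8_t HOOKED_STUB[]  = { 0xE9,0xFB,0x1F,0xFF,0x98, 0x5D,0xC2,0x0C,0x00 }; /* jmp 10003000h: outside every trusted module */
static const uint8_t FORWARD_STUB[] = { 0xE9,0xFB,0xEF,0x7F,0x00, 0x5D,0xC2,0x0C,0x00 }; /* jmp 77810000h: into ntdll, legitimate forwarder */

int main(void) {
    const uint8_t *stubs[] = { CLEAN_STUB, HOOKED_STUB, FORWARD_STUB };
    const char *names[] = { "clean", "hooked", "forwarder" };
    for (int i = 0; i < 3; i++) {
        uint8_t s[sizeof CLEAN_STUB];
        uint16_t old_n, new_n;
        memcpy(s, stubs[i], sizeof s);
        printf("%-9s hooked=%d", names[i], is_hooked(API_ENTRY, s, sizeof s, TRUSTED, 2));
        if (plan_retn_patch(s, sizeof s, 3, &old_n, &new_n))
            printf("  ret %Xh -> ret %Xh", (unsigned)old_n, (unsigned)new_n);
        printf("\n");
    }
    return 0;
}
```

The patch raises the stub's `ret 0Ch` to `ret 18h` for three extra dwords. Note that `find_ret_n` is a byte scan: it is fine for the short stubs shown, but on a real API body a `C2` byte can occur inside an immediate or displacement, so a production tool walks instructions with a disassembler before patching.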

The crash ("overkill") methods can be useful beyond the crash itself: they give two features in one, detection/crash and "a kind of Sleep", since Cuckoomon bypasses long Sleep calls while the time spent in the detection loop is real.

The crash PoCs are only a demonstration. Real malware could use the same code to detect Cuckoo without crashing it, e.g. by only checking for the exception, the ESP value, etc., and then running useless code.
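The "suspicious data in own memory" and -c3 items, together with the point that detection does not need a crash, as an added example (not the project's code): a case-insensitive indicator-string scan over a raw page that reads the bytes directly rather than through an API a monitor could hook, and a -c3-style walk over a snapshot of the dead stack area below ESP looking for return addresses into executable memory the program never loaded. The page bytes, stack words and address ranges are constructed; on Windows they would come from the process's own address space (VirtualQuery() for the executable map, the PEB loader list for the expected modules, and the bytes below ESP right after a hooked API call returns).

```c
/* Added example, not Anticuckoo's code. Two passive checks from the README's
 * feature list: (1) scan a raw memory page for sandbox indicator strings,
 * reading the bytes directly rather than through an API a monitor could hook;
 * (2) the -c3 idea: after a hooked API returns, the bytes just below ESP still
 * hold the hook handler's frames, so look there for return addresses into
 * executable memory the program never loaded. Everything operates on
 * constructed buffers; on Windows the executable map would come from
 * VirtualQuery(), the expected modules from the PEB loader list, and the
 * stack snapshot from reading below ESP right after a hooked call. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <ctype.h>
#include <stdio.h>

typedef struct { uint32_t base, end; } module_range;   /* [base, end) */

static int in_ranges(uint32_t v, const module_range *r, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (v >= r[i].base && v < r[i].end) return 1;
    return 0;
}

/* Case-insensitive search for `needle` in raw bytes; embedded NULs do not stop
 * it, unlike strstr(). Returns the offset of the first match or -1. */
long find_indicator(const uint8_t *page, size_t len, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= len; i++) {
        size_t j = 0;
        while (j < m && tolower(page[i + j]) == tolower((unsigned char)needle[j])) j++;
        if (j == m) return (long)i;
    }
    return -1;
}

/* Walk a snapshot of the dead stack area (lowest address first). A word counts
 * as a foreign return address when it points into executable memory that is
 * not one of the modules the program expects to have loaded. Stack and heap
 * addresses never fall inside exec_map, so no extra heuristic is needed.
 * Returns the hit count; *first_foreign gets the first offending pointer. */
size_t scan_dead_stack(const uint32_t *words, size_t n,
                       const module_range *exec_map, size_t nexec,
                       const module_range *expected, size_t nexp,
                       uint32_t *first_foreign) {
    size_t hits = 0;
    *first_foreign = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t v = words[i];
        if (!in_ranges(v, exec_map, nexec)) continue;   /* data, not code    */
        if (in_ranges(v, expected, nexp)) continue;     /* our own or system */
        if (hits++ == 0) *first_foreign = v;
    }
    return hits;
}

/* Constructed data. EXEC_MAP is what a VirtualQuery() walk would report;
 * EXPECTED is the program's own image plus the system DLLs it imports. The
 * 0x10000000 region is executable but belongs to nothing the program loaded. */
static const module_range EXEC_MAP[] = {
    {0x00400000u, 0x00410000u},   /* this program's image              */
    {0x10000000u, 0x10020000u},   /* injected monitor DLL (unexpected) */
    {0x77000000u, 0x77100000u},   /* kernel32                          */
    {0x77800000u, 0x77900000u},   /* ntdll                             */
};
static const module_range EXPECTED[] = {
    {0x00400000u, 0x00410000u}, {0x77000000u, 0x77100000u}, {0x77800000u, 0x77900000u},
};
/* Words left below ESP after a hooked call: a small integer, a stack address,
 * a kernel32 return address, two return addresses into the injected DLL,
 * one return address into our own image, a zero. */
static const uint32_t DEAD_STACK[]  = { 0x00000003u, 0x0019FF70u, 0x77012345u, 0x1000A2C0u,
                                        0x00401234u, 0x1000A3F8u, 0x00000000u };
static const uint32_t CLEAN_STACK[] = { 0x77012345u, 0x00401234u, 0x0019FF70u };
/* A page holding a path string the monitor left behind, in mixed case. */
static const uint8_t PAGE[] = "\x00\x10\x40\x00" "some data" "\x00"
                              "C:\\cuckoo\\dll\\" "CuCkOoMoN" ".dll" "\x00\x00";

/* Report only: real code would take a decoy path here instead of crashing. */
int sandbox_suspected(void) {
    uint32_t first;
    return find_indicator(PAGE, sizeof PAGE, "cuckoomon") >= 0
        || scan_dead_stack(DEAD_STACK, sizeof DEAD_STACK / sizeof DEAD_STACK[0],
                           EXEC_MAP, 4, EXPECTED, 3, &first) > 0;
}

int main(void) {
    uint32_t first;
    size_t hits = scan_dead_stack(DEAD_STACK, 7, EXEC_MAP, 4, EXPECTED, 3, &first);
    printf("indicator at offset %ld\n", find_indicator(PAGE, sizeof PAGE, "cuckoomon"));
    printf("%zu foreign return address(es), first 0x%08X\n", hits, (unsigned)first);
    printf("sandbox suspected: %d\n", sandbox_suspected());
    return 0;
}
```

Both checks are silent: they return a verdict and nothing else, which is the "detect without crashing" variant the paragraph above describes. The string scan deliberately avoids the C library's `strstr()` so a page full of NUL bytes is searched to the end, and the stack walk needs no guess about what "looks like a pointer" because the executable map decides that.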

Cuckoo Detection

Submit Release/anticuckoo.exe for analysis in Cuckoo Sandbox. Check the screenshots (console output). You can also check Accessed Files in the Summary:

ScreenShot

Accessed Files in the Summary (Django web interface):

ScreenShot

Cuckoo Crash

Specify the crash argument in the submit options, e.g. -c1 (via the Django web interface):

ScreenShot

Then check the screenshots, or connect via RDP/whatson, to verify the crash. Example: -c1 via RDP:

Screenshot

TODO

  • Python process and agent.py detection - 70% done
  • Improve hook detection by checking for the correct bytes in well-known places (e.g. native API stubs always have the same signature).
  • Cuckoo's TLS entry detection.

New ideas and PRs are welcome.
