Project Slot 2 - Pwnypot management integration with Cuckoo

Student: Tobias Jarmuzek (DE)
Primary mentor: Georg Wicherski (DE)
Backup mentor: Claudio Guarnieri (IT), Mark Schloesser (DE), supported by Shahriyar Jalayeri and Adel Karimi

Google Melange: https://www.google-melange.com/gsoc/proposal/review/google/gsoc2013/jamu/1

Project Overview:
The Pwnypot client currently has no interface for receiving tasks for automated analyses or for sending back results. All results are currently saved to files inside the VM and must be processed manually.

The project's goal is to extend Pwnypot and Cuckoo so that they cooperate: Cuckoo should act as the managing application that sends tasks to Pwnypot agents and also receives, processes and stores the results to generate reports automatically.

Deliverables:

  • Analysis Package for Cuckoo
    Like Cuckoo, Pwnypot monitors applications through DLL injection. To use Pwnypot with Cuckoo, an Analysis Package for Cuckoo must be implemented that injects the right DLL into the applications.
  • Data/Log-files-Transmissions
    The data generated by Pwnypot needs to be transferred to the processing host via some network protocol.
  • Cuckoo Processing Module
    The data that is generated by Pwnypot needs to be processed to be used for reports and further analysis inside Cuckoo.
  • Cuckoo Reporting Module
    The Reporting module uses the processed data from the Processing Module to create useful reports on the collected shellcode and malware samples.

Optional: It would be nice to have a better configuration for the analysis time, which is currently defined in Cuckoo. If there is still time left in the end, I would also like to extend the shellcode/ROP detection methods and work on the bypass circumvention issues.

Project Plan:

  • May 27th - June 17th: Community Bonding Period
    Get more familiar with the source code of PwnyPot and Cuckoo
    Set up an environment to build PwnyPot
  • June 17th : GSoC 2013 coding officially starts
  • June 17th - June 21st:
    Enable the dll submission parameter for all analyzer packages useful with Pwnypot
  • June 21st - June 28th:
    Start implementing preprocessor definitions to use Pwnypot output with Cuckoo (mainly output and logging)
    Stream files via netlogfile (analyzer/windows/lib/common/results.py)
    Save PwnyPot output on the guest in the same place where Cuckoo saves its own
  • June 28th - July 9th:
    Add new processing modules: rop, shellcode
    Adapt the log file output syntax to Cuckoo's so that more of the existing processing modules can run on the output
  • July 9th - July 16th:
    Reports: extend the template and results with Pwnypot-specific outputs (ROP, shellcode)
  • July 16th - July 26th:
    Create BSON output on the guest and transmit this structured output instead of raw files
  • July 29th: Midterm evaluation
  • July 30th - August 31st: Testing
    Injection submission: test APC and remote-thread injection with PwnyPot.dll and the new dll submission option
    Processing: test processing of PwnyPot output with the new modules rop and shellcode, and with existing modules where PwnyPot output can be made compatible with them
    Reporting: test correct output of results in different reporting modules: html, jsondump, etc.
    Use samples from Contagiodump to
  • August 31st - September 9th:
    Code documentation: what functionality has been changed and added?
    How to use the new features?
  • September 16th: Pencils down

Project Source Code Repository:
https://github.com/jamu/cuckoo
https://github.com/jamu/pwnypot

Student Weekly Blog: http://gsoc2013.honeynet.org/author/tobiasjarmuzek/

Project Useful Links:
[1] http://cuckoosandbox.org/
[2] https://github.com/shjalayeri/MCEDP