Primary mentor: Claudio Guarnieri
Student: Dario Fernandes
Cuckoo Sandbox is a dynamic malware analysis system able to trace activities performed by a binary during its execution, including: relevant API calls, network traffic and screenshot.
With this data is possible to get a general understanding of the malware’s behavior.
At current stage, Cuckoo uses Microsoft Detours as Windows API hooking engine. However the approach adopted in Detours can be easily detected and subverted. Furthermore, certain traces left by Cuckoo and the Virtualization product being used (generally VirtualBox) can be identified by the malware, which would terminate its execution or triggering random actions to fool the system and the analyst.
The project aims to improve Cuckoo, implementing several anti-detection measures that will improve sensibly the sandbox stability.
The two big goals for this to be accomplished are:
Implement a brand new custom hooking engine designed to be as much detection-proof as possible, which will also allow us to get rid of Microsoft Detours and have a completely independent product.
Implement both usermode and kernelmode anti-detection measures to hide all components that could lead to sandbox fingerprintinting and detection.
1 - May 30th - Research through the various techniques used to hide process, files of the system and system drivers. Also get information on techniques used to detect userland hooking.
2 – June 20th – Implement the custom hooking engine that will be responsible for the modifications in the APIs used by the malware.
3 – July 4th – Finish custom hooking engine.
4 - July12th – Finish mid-term evaluation.
5 - July 25th – Release the first version of the componen that will hide cuckoo's presence (hideCuckoo) with kernel and usermode program.
6 – August 2nd – Release the final version of hideCuckoo.
7 – August 12th – Release the first version of the component which protect hideCuckoo from eventual detections and disable.
8 – August 18th – Release the final version of hideCuckoo protector.
9 – August 21th – Fix eventual problems and do the final tests.
10 – August 25th – Finish final evaluation.
1. Talk with mentor.
2. Get information about filter drivers.
3. Get information about custom hooking engines.
4. Work on a development plan.
Done in May 23rd - May 29th
1 - Deployed the development environment.
2 - Learn how to work with distorm, a disassembly library.
3 - Implement a program that disassembly a Windows API.
4 - Implement inline hooking in the beginning of a Windows API.
Done in May 30th - June 5th
1 - Implement inline hooking in the end of a Windows API.
2 - Port the inline hooking to work in a DLL. (Start)
Done in June 5th - June 13th
1 - Implement inline hooking to work with MOV EAX, JMP EAX.
2 - Implement a generic way to work with the API parameters.
3 - Implement a generic way to work with inline hooking methods.
Done in June 13th - June 20th
1 - Implement a generic way to work with the API parameters.
Done in June 20th - June 27th
1 - Rearrange the code to work as a DLL.
2 - Implement function that unhook APIs.
Done in June 27th - July4th
1 - Test with malware sample.
2 - Release the first version of the DLL.
3 - Fix some bugs.
Done in July 4th - July 11th
1 - Finish mid-term evaluation.
2 - Expand the DLL to deal with CALL instructions that use relative jump.
3 - Fix some bugs on the DLL.
4 - Release the first version of the DLL, integrated with Cuckoo.
Done in July 11th - July 18th
1 - Start planning hideCuckoo component.
2 - Improve the random selection of the customHooking.
3 - Fix some minor bugs.
Done in July 18th - July 25th
1 - Research how to hide a DLL used by some program.
Done in July 25th - August 1st
1 - Develop the hideCuckoo driver.
Done to August 1st - August 8th
1 - Develop the hideCuckoo driver.
2 - Develop the interface between the driver and userland applications.
Planned to August 8th - August 15th
1 - Finish the hideCuckoo driver.