C C++
Switch branches/tags
Nothing to show
Clone or download
Permalink
Failed to load latest commit information.
Release -c3 crash added, crashing when detects hk activity in the old stack area Aug 23, 2015
capstone added capstone Jun 22, 2015
.gitignore improved unhook detector Aug 17, 2015
LICENSE Initial commit Jun 14, 2015
README.md Update README.md Mar 26, 2018
anticuckoo.cpp -c3 crash added, crashing when detects hk activity in the old stack area Aug 23, 2015
anticuckoo.h
anticuckoo.sln
anticuckoo.vcxproj new crash poc added, detecting unhook thread Aug 15, 2015
anticuckoo.vcxproj.filters
main.cpp first beta version, cuckoo hooks detection & suspicius data in own me… Jun 14, 2015
misc.cpp
misc.h first beta version, cuckoo hooks detection & suspicius data in own me… Jun 14, 2015
poc_exe.h new crash poc added, detecting unhook thread Aug 15, 2015
stdafx.cpp Visual Studio Project Creation and basic project configuration added. Jun 14, 2015
stdafx.h
targetver.h Visual Studio Project Creation and basic project configuration added. Jun 14, 2015

README.md

anticuckoo

A tool to detect and crash Cuckoo Sandbox. Tested in Cuckoo Sandbox Official and Accuvant's Cuckoo version.

Anticuckoo can also detect other sandbox like FireEye (-c2):

ScreenShot

Reddit / netsec discussion about anticuckoo.

Features

  • Detection:
    • Cuckoo hooks detection (all kind of cuckoo hooks).
    • Suspicius data in own memory (without APIs, page per page scanning).
  • Crash (Execute with arguments) (out of a sandbox these args dont crash the program):
    • -c1: Modify the RET N instruction of a hooked API with a higher value. Next call to API pushing more args into stack. If the hooked API is called from the Cuckoo's HookHandler the program crash because it only pushes the real API args then the modified RET N instruction corrupt the HookHandler's stack.
    • -c2: Cuckoomon run threads inside the process, when the tool detects new threads crash!.
    • -c3: Crashing when detects hook handler activity in the old stack area.

The overkill methods can be useful. For example using the overkill methods you have two features in one: detection/crash and "a kind of Sleep" (Cuckoomon bypass long Sleeps calls).

Crash POCs is only a demostration. A real malware can be use this code to detect cuckoo without crashing it, ex only check the exception, esp etc and after make useless code.

TODO list

Cuckoo Detection

Submit Release/anticuckoo.exe to analysis in Cuckoo Sandbox. Check the screenshots (console output). Also you can check Accesed Files in Sumary:

ScreenShot

Accesed Files in Sumary (django web):

ScreenShot

Cuckoo Crash

Specify in submit options the crash argument, ex -c1 (via django web):

ScreenShot

And check Screenshots/connect via RDP/whatson connection to verify the crash. Ex -c1 via RDP:

Screenshot

TODO

  • Python process & agent.py detection - 70% DONE
  • Improve hook detection checking correct bytes in well known places (Ex Native APIs always have the same signatures etc.).
  • Cuckoo's TLS entry detection.

New ideas & PRs are wellcome.

Referenced by