Comments (8)
Hi,
Sorry, can I request some other APIs? I am just going to make this a generic request including the above ones:
Shellcode/Interesting:
UrlDownloadToCacheFile: Shellcode alternative to UrlDownloadToCacheFile (would be good to have stack pivot/exploit mode stuff on it too)
ShellExecuteA/W: Stackpivot/exploit mode added if possible. I tried this myself but it failed to work as I hoped although I will have another go as it is a good starting point for me given it is modifying an already existing hooked API.
WinExec: For shellcodes and things. Again with exploit mode stuff. This is used more with shellcode as an all-in-one simple execution.
DEP Bypass
SetProcessDEPPolicy: DEP Disable
NtSetInformationProcess: DEP Disable
Some of these have already been covered elsewhere. E.g., ShellExecuteA as part of ShellExecuteExW, but I'll work on adding some of these. Could you share some samples where adding these hooks improves the analysis (i.e., these functions are being used)?
Thanks for looking at this :-) Mostly shellcode/exploit behaviour rather than specific samples, but I will have a look. The ShellExecute I was meaning not for it to be added as a hook, as I know it already is, but to mark it for stackpivot like createprocess etc. is. This is to try and mark shellcode execution following ROP, as generally we will see behaviours like the following after an exploit, so trying to cover as much as possible for post-exploit detection:
process creation: covered by martians sigs
network activity: Documents initiating network traffic etc. But with the URLDownloadToFile/CacheFile markings following stack pivot extends it to other files that aren't safe just to mark network activity with whitelisting.
code injection: Generic techniques. Really should just be covering all injection for malware like the CreateRemoteThread sig which covers this kind of thing.
dropped files: dropping file and executing it sig, writing exe on docs etc. covered already too.
I am thinking too, given WinExec is a legacy API, it might even be the case of just marking it too for its use in non-executable documents as being very suspicious, given it is one of these all-in-one kind of things for shellcode like UrlDownloadToFile is.
Also as mentioned here Atom hooks (NtAddAtom, NtAddAtomEx, NtFindAtom, NtDeleteAtom) could be useful too. http://volatility-labs.blogspot.co.uk/2012/09/movp-21-atoms-new-mutex-classes-and-dll.html:
spender-sandbox/cuckoomon-modified@ac11e57
On another thought, a tangent about exploit analysis/detection. A stack pivot is where the original stack of the program is replaced with the new stack provided by the exploit. Would it be worth, if a stack pivot has occurred, providing a stack trace like on a program crash, potentially showing the ROP gadgets, shellcode and things and allowing for more analysis? Obviously there are ROP-less exploits about (hence other layers).
Another idea I was thinking of but don't have the skillset necessary to implement this. Also interesting generic exploit detection ideas here if you are interested https://www.defcon.org/images/defcon-21/dc-21-presentations/Thabet/DEFCON-21-Thabet-EDS-Exploitation-Detection-System-WP-Updated.pdf. Interesting ones are use-after-free and SEH corruption/overflow as well as others.
On some testing btw the exploit test tool can be handy (although with whitelisting in the sigs it may not trigger, it is useful to do safe executions without playing with the exploits themselves, although I will try and locate some examples). There are tests in it (if you look at the manual for descriptions, but the tool is self-explanatory) for WinExec and UrlDownloadToFile, ROP etc.
http://www.surfright.nl/en/downloads/
Hi,
Looking over some stuff I realised VirtualProtectEx does not appear to be hooked when I was doing some analysis. NtProtectVirtualMemory is fine and is hooked but could this please be added and also NtWow64WriteVirtualMemory64 (NtWriteVirtualMemory is also covered).
Thanks :-D
Hi,
Some more found during conversion. I am converting this signature while analysing a few samples: https://raw.githubusercontent.com/spender-sandbox/community-modified/master/modules/signatures/injection_explorer.py
I have found some APIs needed but not hooked (in the attached file if you want to look at the list, although many are done):
"SetWindowLongA", "SetWindowLongW", "SetWindowLongPtrA", "SetWindowLongPtrW"
On some of the samples I am looking at the cuckoo-modified signature is too specific and explorer is being injected without triggering the signature anyway, so I am intending to simplify it while marking the relevant calls. The other thing I mean to ask is, given a PID, can the process name be determined? i.e.
API argument: process_id = 2100
get.pname_from_pid(process_id)
This I am hoping to use in the injection sigs to report the process being injected into and in this case only mark APIs where the process is explorer.exe :)
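One way to do the PID-to-name lookup and the "only mark calls into explorer.exe" rule the comment above asks for, as an added example that is not part of this thread, of the Cuckoo monitor or of the cuckoo-modified signature linked above. It resolves the target PID of each injection-related call against the sandbox's process list and flags only calls whose target resolves to explorer.exe, reporting unknown PIDs separately so they are not silently dropped. The process records, call records and their field names (process_id, process_name, api, arguments, process_identifier) are constructed for this example and are assumptions about the report layout; pname_from_pid is the hypothetical helper name from the comment.

```python
"""Added example: PID -> process name lookup for an injection signature.

Not code from the issue thread or the Cuckoo monitor project. All records
below are constructed and the field names are assumptions.
"""

# Constructed process list as a sandbox behaviour report might carry it.
# Field names are assumptions for this example.
PROCESSES = [
    {"process_id": 1080, "process_name": "explorer.exe", "parent_id": 820},
    {"process_id": 2100, "process_name": "notepad.exe", "parent_id": 1080},
    {"process_id": 2468, "process_name": "sample.exe", "parent_id": 1080},
]

# APIs the signature treats as injection-related. The SetWindowLong* family is
# the set the comment found unhooked; the others are commonly logged with a
# process_identifier argument.
INJECTION_APIS = {
    "OpenProcess", "NtWriteVirtualMemory", "WriteProcessMemory",
    "CreateRemoteThread", "NtCreateThreadEx",
    "SetWindowLongA", "SetWindowLongW", "SetWindowLongPtrA", "SetWindowLongPtrW",
}

# Only calls whose target process has one of these names are marked.
TARGET_NAMES = {"explorer.exe"}

# Constructed API-call records from the injecting process (sample.exe, PID 2468).
# Addresses and PIDs are made-up values. For the SetWindowLong* calls this
# example assumes the hook also recorded the window owner's PID as
# process_identifier; the real API only receives a window handle.
CALLS = [
    {"api": "OpenProcess",
     "arguments": {"process_identifier": 1080, "desired_access": "0x1fffff"}},
    {"api": "NtWriteVirtualMemory",
     "arguments": {"process_identifier": 1080, "base_address": "0x00a40000"}},
    {"api": "SetWindowLongPtrA",
     "arguments": {"process_identifier": 1080, "index": -4}},
    {"api": "NtWriteVirtualMemory",
     "arguments": {"process_identifier": 2100, "base_address": "0x00340000"}},
    {"api": "CreateRemoteThread",
     "arguments": {"process_identifier": 2468, "start_address": "0x00401000"}},
    {"api": "OpenProcess",
     "arguments": {"process_identifier": 9999, "desired_access": "0x0400"}},
    {"api": "GetCommandLineA", "arguments": {}},
]


def pname_from_pid(pid, processes=PROCESSES):
    """Return the lower-cased process name for pid, or None if unknown."""
    for proc in processes:
        if proc["process_id"] == pid:
            return proc["process_name"].lower()
    return None


def flag_injection_calls(calls, processes=PROCESSES, targets=TARGET_NAMES):
    """Return [(api, pid, name)] for injection APIs whose target is in targets.

    Calls without a process_identifier, non-injection APIs and unresolvable
    PIDs are skipped here; see unresolved_pids() for the latter.
    """
    hits = []
    for call in calls:
        if call["api"] not in INJECTION_APIS:
            continue
        pid = call["arguments"].get("process_identifier")
        if pid is None:
            continue
        name = pname_from_pid(pid, processes)
        if name in targets:
            hits.append((call["api"], pid, name))
    return hits


def unresolved_pids(calls, processes=PROCESSES):
    """PIDs targeted by injection APIs that are absent from the process list.

    A PID that cannot be resolved (process exited, or missed by the monitor)
    should be surfaced rather than dropped, since it may still be a target.
    """
    missing = set()
    for call in calls:
        if call["api"] not in INJECTION_APIS:
            continue
        pid = call["arguments"].get("process_identifier")
        if pid is not None and pname_from_pid(pid, processes) is None:
            missing.add(pid)
    return missing


def summarize(hits):
    """One line per target process, naming the APIs used against it."""
    by_target = {}
    for api, pid, name in hits:
        by_target.setdefault((pid, name), []).append(api)
    return "\n".join(
        "injection into %s (pid %d) via %s" % (name, pid, ", ".join(apis))
        for (pid, name), apis in sorted(by_target.items())
    )


if __name__ == "__main__":
    found = flag_injection_calls(CALLS)
    print(summarize(found))
    print("unresolved target pids:", sorted(unresolved_pids(CALLS)))
```

Run stand-alone it reports the three calls aimed at explorer.exe and lists 9999 as a target PID the process list cannot explain; the write into notepad.exe and the thread created in the sample's own process are ignored because the rule, as the comment proposes, only marks injection into explorer.exe.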
Can these be added to the to-do list please (seen in Locky):
- GetCommandLineA/W
- GetDriveTypeA/W
Thanks