Anti cuckoo and SIEM detect #142

Open
chigosec opened this issue Jul 24, 2018 · 7 comments

@chigosec

Anti-cuckoo, like this: https://github.com/David-Reguera-Garcia-Dreg/anticuckoo

@ayoubfaouzi (Owner)

Hey @chigosec ,

Indeed, this is a good feature to add, I had it on my to-do list.

I will try to detect inline hooks in a global manner.

@ayoubfaouzi ayoubfaouzi self-assigned this Jul 24, 2018
@chigosec (Author)

Thanks for your reply.
Great project!!!

@ayoubfaouzi (Owner)

ayoubfaouzi commented Jul 24, 2018

@gsuberland what do you think of:

  1. reading the DLL (like kernel32.dll) from disk.
  2. checking if it is signed and verified (in case the sandbox provides a tampered DLL).
  3. parsing the exports and looking for interesting API functions:
  • CreateProcessInternalW
  • ShellExecuteExW
  • WriteProcessMemory
  • CreateDirectoryW
  • NtCreateFile
  • NtDeleteFile
  • NtAllocateVirtualMemory
  • NtMapViewOfSection
  • NtCreateKey
  • ...

Then we can just read X number of bytes and do a memcmp.

@gsuberland (Collaborator)

@LordNoteworthy I think we're already covering this in #139.

Checking if the DLL is signed and verified isn't much use because they can just hook the verification APIs. It may be useful as a separate check, although to be honest I'd just call GetModuleFileName on handles to a bunch of DLL modules and fail if the resultant path is not inside %sysdir% (query this via GetSystemDirectory). Checking the signed status seems irrelevant at that point.

The problem with memcmp'ing code in mem vs disk is that there are relocation fixups applied so the data won't match. You also run into the problem where the function EP is actually a jump to the implementation (E9 XX XX XX XX) so you'd have to heuristically detect that and resolve the jump address. I'm working on this for enhanced generic hook detection and the main module integrity check (#139) but it is non-trivial and involves parsing most of the structures for PE32 and PE64 files. But, once it's done, we'll have a generic PE parser API that we can use in any check.
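As an added illustration of the two points raised in this thread (the proposal above to compare exported functions against the on-disk DLL, and the reply that the module's backing path relative to the system directory is the simpler signal, while a legitimate export may itself begin with an `E9` relative jump that has to be resolved before any byte comparison), here is a small C example. It is not al-khaser's code; the function names `path_inside_dir`, `decode_rel32_jmp` and `count_modules_outside_sysdir` are mine. The Win32 calls `GetSystemDirectoryA`, `GetModuleHandleA` and `GetModuleFileNameA` are real APIs; the portable parts (path boundary check, rel32 decoding) compile anywhere and run against constructed sample values. A sandbox maintainer can run the Windows branch inside the sandbox to confirm that instrumentation DLLs loaded into analysed processes do not show up as modules backed by files outside `%sysdir%`.

```c
#include <ctype.h>
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive check that module_path names a file underneath sys_dir.
 * Windows paths compare case-insensitively; sys_dir may or may not carry a
 * trailing backslash (GetSystemDirectory returns it without one). */
bool path_inside_dir(const char *module_path, const char *sys_dir)
{
    size_t n = strlen(sys_dir);
    if (n == 0) return false;
    if (sys_dir[n - 1] == '\\') n--;            /* normalise away a trailing separator */
    for (size_t i = 0; i < n; i++) {
        if (module_path[i] == '\0') return false;
        if (tolower((unsigned char)module_path[i]) !=
            tolower((unsigned char)sys_dir[i])) return false;
    }
    /* Require a directory boundary and a non-empty remainder, so that
     * C:\Windows\System32Evil\x.dll does not pass for C:\Windows\System32. */
    return module_path[n] == '\\' && module_path[n + 1] != '\0';
}

/* Decode a 5-byte relative jump (E9 rel32) whose first byte sits at virtual
 * address va. Returns true and writes the jump target when the bytes are such
 * a jump; a byte-comparison check would then look at *target rather than at va. */
bool decode_rel32_jmp(const uint8_t *code, size_t len, uint64_t va, uint64_t *target)
{
    if (len < 5 || code[0] != 0xE9) return false;
    uint32_t raw = (uint32_t)code[1] | ((uint32_t)code[2] << 8) |
                   ((uint32_t)code[3] << 16) | ((uint32_t)code[4] << 24);
    int32_t rel = (int32_t)raw;                  /* rel32 is a signed displacement */
    *target = va + 5 + (uint64_t)(int64_t)rel;   /* relative to the next instruction */
    return true;
}

#ifdef _WIN32
#include <windows.h>
/* Count loaded modules whose backing file lies outside the system directory.
 * Returns -1 if the system directory could not be queried. */
int count_modules_outside_sysdir(const char *const *names, size_t count)
{
    char sysdir[MAX_PATH];
    if (GetSystemDirectoryA(sysdir, MAX_PATH) == 0) return -1;
    int outside = 0;
    for (size_t i = 0; i < count; i++) {
        HMODULE h = GetModuleHandleA(names[i]);
        if (h == NULL) continue;                 /* not loaded in this process */
        char path[MAX_PATH];
        if (GetModuleFileNameA(h, path, MAX_PATH) == 0) continue;
        if (!path_inside_dir(path, sysdir)) {
            printf("%s is backed by %s, outside %s\n", names[i], path, sysdir);
            outside++;
        }
    }
    return outside;
}
#endif

int main(void)
{
    /* Constructed sample paths exercising the boundary handling. */
    printf("inside:  %d\n", path_inside_dir("C:\\Windows\\System32\\kernel32.dll", "C:\\Windows\\System32"));
    printf("outside: %d\n", path_inside_dir("C:\\sandbox\\hooks\\kernel32.dll", "C:\\Windows\\System32"));

    /* Constructed bytes: jmp +0x10 placed at 0x1000 resolves to 0x1015. */
    const uint8_t stub[5] = {0xE9, 0x10, 0x00, 0x00, 0x00};
    uint64_t target = 0;
    if (decode_rel32_jmp(stub, sizeof stub, 0x1000, &target))
        printf("jump target: 0x%" PRIx64 "\n", target);

#ifdef _WIN32
    const char *const mods[] = {"kernel32.dll", "ntdll.dll", "advapi32.dll"};
    printf("%d module(s) outside the system directory\n",
           count_modules_outside_sysdir(mods, sizeof mods / sizeof mods[0]));
#endif
    return 0;
}
```

The path check deliberately compares a normalised prefix plus a separator rather than using `strstr` or `strncmp`, because NTFS paths are case-insensitive and a naive prefix test accepts sibling directories such as `System32Evil`. The decoder only handles the plain `E9` form mentioned in the thread; a full integrity check also has to account for relocation fixups and other trampoline shapes, which is the PE parsing work described above.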

@gsuberland (Collaborator)

I've opened #144 to cover the GetModuleFileName approach.

@ayoubfaouzi (Owner)

Hey @gsuberland I totally agree about the two points you made, let's go with your approach then.

@chigosec (Author)

Hey.
Sysmon and SIEM (security information and event management) have become mainstream and trendy, such as Graylog, LogRhythm etc. These systems have their own log collection agents; we can detect them. I am sorry that I have not seen the real environment and cannot provide more useful information.

@chigosec chigosec changed the title Anti cuckoo Anti cuckoo And SIEM detect Jul 27, 2018
@chigosec chigosec changed the title Anti cuckoo And SIEM detect Anti cuckoo and SIEM detect Jul 27, 2018