dario.fernandes's blog

cuckooHide - Hiding CuckooBox from trivial detection mechanism

The last part of Google Summer of Code 2011 was used to implement
a Windows kernel driver responsible for hiding files and folders.
This new component will be used to conceal the Cuckoo Box components
present in the analysis environment. With this measure it is possible to
prevent malware from detecting CuckooBox through environment checks
that look for specific files or folders.

The driver was implemented as a filter driver to keep it independent
of the Windows version used in the environment, not using any kind

cHook - The new CuckooBox Hooking Engine

Cuckoo Sandbox is a malware analysis system capable of outlining the
behavior of a malware sample during its execution.
In order to generate such results, Cuckoo hooks a number of
selected Windows functions, intercepts their calls and, after storing
the relevant information and possibly performing additional actions,
returns execution to the original code.
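To make the intercept-log-forward cycle described above concrete, here is an added example (not code from cHook or the Cuckoo project). It stands in for a Windows API hook with a plain C function-pointer slot instead of Detours-style inline code patching: the monitored function, its dispatch slot, the call log and all sample values (such as the path strings) are constructed for illustration. The hook records each call and its result, forwards to the saved original, and can be removed again, which is the behaviour a sandbox hooking engine has to preserve so the sample being analyzed runs unchanged.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a monitored "Windows API" (hypothetical function):
 * in the real sandbox the target would be a file, registry or process API. */
typedef int (*api_fn)(const char *path, int flags);

static int original_open_file(const char *path, int flags) {
    /* Pretend to open something and return a handle-like value. */
    return (int)strlen(path) + flags;
}

/* Dispatch slot standing in for the entry point the engine would patch. */
static api_fn open_file_slot = original_open_file;
/* Saved original so the hook can forward to it (the trampoline, in Detours terms). */
static api_fn open_file_original = NULL;

#define LOG_CAPACITY 16
struct call_record { char path[64]; int flags; int result; };
static struct call_record call_log[LOG_CAPACITY];
static int call_log_len = 0;

/* The hook: let the original run, record arguments and result, return the result
 * unchanged so the caller cannot tell it was intercepted. */
static int hooked_open_file(const char *path, int flags) {
    int rc = open_file_original(path, flags);
    if (call_log_len < LOG_CAPACITY) {
        struct call_record *r = &call_log[call_log_len++];
        strncpy(r->path, path, sizeof r->path - 1);
        r->path[sizeof r->path - 1] = '\0';
        r->flags = flags;
        r->result = rc;
    }
    return rc;
}

/* Install: remember the original, point the slot at the hook. Returns 0 if already hooked. */
int install_hook(void) {
    if (open_file_original != NULL) return 0;
    open_file_original = open_file_slot;
    open_file_slot = hooked_open_file;
    return 1;
}

/* Remove: restore the original entry. Returns 0 if no hook was installed. */
int remove_hook(void) {
    if (open_file_original == NULL) return 0;
    open_file_slot = open_file_original;
    open_file_original = NULL;
    return 1;
}

/* What the analyzed sample would call: it only sees the slot, never the hook. */
int sample_calls_open_file(const char *path, int flags) {
    return open_file_slot(path, flags);
}

int logged_call_count(void) { return call_log_len; }

const struct call_record *logged_call(int i) {
    return (i >= 0 && i < call_log_len) ? &call_log[i] : NULL;
}

int main(void) {
    install_hook();
    sample_calls_open_file("C:\\constructed\\sample.txt", 1); /* constructed path */
    sample_calls_open_file("C:\\constructed\\other.dll", 0);  /* constructed path */
    remove_hook();
    for (int i = 0; i < call_log_len; i++)
        printf("open_file(\"%s\", %d) -> %d\n",
               call_log[i].path, call_log[i].flags, call_log[i].result);
    return 0;
}
```

The point to check in any real engine is the same as in this toy: the forwarded result must be bit-identical to what the original returns, and uninstalling must leave the slot exactly as it was found, otherwise the instrumentation itself becomes detectable.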

Until now it made use of the latest Microsoft Detours Express. Part of the
work of this Google Summer of Code was to implement a custom hooking
engine to completely replace the old one.
