Some discussion about anti cuckoo monitor #49

Open
lynnux opened this issue Jun 14, 2017 · 1 comment

Comments

@lynnux

lynnux commented Jun 14, 2017

Currently, the monitor hooks a lot of functions in ring3; this can be easily detected by malware. There is a project, zer0m0n, that hooks in ring0, but it seems to cover only a few functions.

I have an idea to avoid anti-cuckoo detection, which is based on qemu. In qemu, there are two emulation modes: one is kvm, the other is tcg. When running in tcg mode, we can know the running state of the guest VMs, like the EIP of the CPU registers. Then we can compare the value of EIP with the addresses of APIs; if they are equal, we can say that the API has been called, and then we can record the parameters (this requires reading the stack memory, which is another thing). This doesn't need any hook in the guest VMs; the downside of this approach is that it may lack some of the current features.

There are already some projects based on qemu that do this, but they are not mature, like s2e, DECAF, and MBA.
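A small model of the EIP-comparison idea described above, added here as an illustration; it is not code from the issue's authors or from the cuckoo monitor project. It stands in for what a QEMU TCG per-block callback would deliver (the guest's EIP and ESP), compares EIP against a table of API entry addresses and, on a hit, reads the return address and the arguments from a flat guest-memory model, then attributes the call to the module containing the return address so that calls made internally between system DLLs can be told apart from the sample's own calls. Everything in it is constructed: the API table, module map, base addresses, stack contents and block trace; in a real sandbox these come from the guest's loaded-module list at analysis time, since ASLR moves them between boots. The calling convention assumed is 32-bit stdcall (return address at [ESP], first argument at [ESP+4]).

```python
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class ApiSpec:
    name: str
    arg_count: int          # number of 32-bit stack arguments (stdcall assumed)


@dataclass(frozen=True)
class Call:
    api: str
    return_addr: int
    caller_module: str
    args: tuple


class GuestMemory:
    """Flat guest-memory model: byte regions keyed by base address.
    A real monitor would read guest memory through the hypervisor instead."""

    def __init__(self):
        self._regions = {}

    def map(self, base, size):
        self._regions[base] = bytearray(size)

    def _locate(self, addr):
        for base, buf in self._regions.items():
            if base <= addr and addr + 4 <= base + len(buf):
                return buf, addr - base
        raise ValueError(f"unmapped guest address {addr:#010x}")

    def write_u32(self, addr, value):
        buf, off = self._locate(addr)
        struct.pack_into("<I", buf, off, value)

    def read_u32(self, addr):
        buf, off = self._locate(addr)
        return struct.unpack_from("<I", buf, off)[0]


class ApiMonitor:
    """Compares each executed block's EIP with known API entry points and,
    on a hit, reads the return address and arguments from the guest stack."""

    def __init__(self, api_table, modules, memory):
        self.api_table = api_table   # {entry address: ApiSpec}
        self.modules = modules       # {module name: (base, size)}
        self.memory = memory
        self.calls = []

    def module_for(self, addr):
        for name, (base, size) in self.modules.items():
            if base <= addr < base + size:
                return name
        return "<unknown>"

    def on_block(self, eip, esp):
        """Invoked once per translated block with the guest's EIP and ESP."""
        spec = self.api_table.get(eip)
        if spec is None:
            return None              # not an API entry point; nothing to record
        # stdcall on x86: [ESP] holds the return address, arguments follow upward
        ret = self.memory.read_u32(esp)
        args = tuple(self.memory.read_u32(esp + 4 * (i + 1)) for i in range(spec.arg_count))
        call = Call(spec.name, ret, self.module_for(ret), args)
        self.calls.append(call)
        return call

    def direct_calls(self, sample_module):
        """Calls whose return address lies inside the analysed sample, as opposed
        to calls that system DLLs make to one another internally."""
        return [c for c in self.calls if c.caller_module == sample_module]


def run_demo():
    # Constructed addresses, modules and values for the example (hypothetical).
    mem = GuestMemory()
    mem.map(0x0019FF00, 0x40)                               # small guest stack
    modules = {"sample.exe": (0x00400000, 0x10000),
               "kernel32.dll": (0x75C00000, 0x100000)}
    api_table = {0x75C14200: ApiSpec("Sleep", 1),
                 0x75C31E40: ApiSpec("CreateFileW", 7)}

    # frame for Sleep(5000) called from sample.exe, ESP = 0x0019FF38
    mem.write_u32(0x0019FF38, 0x00401010)
    mem.write_u32(0x0019FF3C, 5000)
    # frame for CreateFileW(...) called from sample.exe, ESP = 0x0019FF10
    for i, v in enumerate([0x00401020, 0x00403000, 0x40000000, 0, 0, 2, 0x80, 0]):
        mem.write_u32(0x0019FF10 + 4 * i, v)
    # frame for Sleep(10) called from inside kernel32, ESP = 0x0019FF00
    mem.write_u32(0x0019FF00, 0x75C50000)
    mem.write_u32(0x0019FF04, 10)

    trace = [(0x00401000, 0x0019FF40),   # sample code, no API hit
             (0x75C14200, 0x0019FF38),   # Sleep entry, caller is the sample
             (0x75C14205, 0x0019FF38),   # block inside Sleep, not an entry
             (0x75C31E40, 0x0019FF10),   # CreateFileW entry
             (0x75C14200, 0x0019FF00)]   # Sleep entry, internal kernel32 caller

    mon = ApiMonitor(api_table, modules, mem)
    for eip, esp in trace:
        mon.on_block(eip, esp)
    return mon


if __name__ == "__main__":
    for c in run_demo().direct_calls("sample.exe"):
        arglist = ", ".join(f"{a:#x}" for a in c.args)
        print(f"{c.api}({arglist}) from {c.caller_module} ret={c.return_addr:#010x}")
```

Only the entry address matches, so blocks inside the function body (the 0x75C14205 entry in the trace) are ignored; the internal Sleep call is still recorded but filtered out by `direct_calls`, which is the kind of caller check an in-guest monitor performs by walking the stack.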

@doomedraven

There is work in progress on zer0mon integration ;)
About qemu, nice, but the problem is that a lot of users prefer to use different hypervisors.
