Anti Dbg/VM Checks and Malicious API File Behavior Checks #53
Conversation
…s and removes ssh defunct from remote sniffer.
Thanks for these - much appreciated. I'll look at adding the missing hook for NtSetInformationThread when I'm back from travels next week. There are already hooks for NtCreateThreadEx and NtSetContextThread which are in hook_thread.c, but I'll check that they all tie up when I get back. Also will look at adding the ThemeInitApiHook technique to the Injection package. The anti-debug signatures are useful but worth pointing out most of these checks don't apply to CAPE's debugger. Exceptions are of course adding a vectored handler and messing with debug registers with NtSetContextThread, but there is some protection against these in the hook code for that function and RtlAddVectoredExceptionHandler (hook_misc.c).
Awesome! I hadn’t thought about protecting capemon yet. The focus was more about increasing accuracy of malware detection by behavior analysis.
There are a few more hooks I need too, such as LocalAlloc and LocalFree, in order to detect FlsAlloc calls for indirect code execution.
Same with the atom calls, but maybe I missed support for those.
Tim
(Reply sent by email to kevoreilly's comment above, dated Jun 30, 2018, 10:40 AM.)
This is awesome stuff. I have some suggestions: @snemes and I started hunting anti-cuckoo/monitor bugs, and he pushed some fixes here, spender-sandbox/cuckoomon-modified#34. Would be great to get them into the monitor, no? Plus we have found much more. I would like to speak with you @kevoreilly in PM about some related stuff if that is possible.
+1 on the hardening of capemon with this patch.
Tim
(Reply sent by email to doomedraven's comment above, dated Jul 1, 2018, 8:16 AM.)
Thanks @doomedraven and @snemes - I have patched capemon with these fixes, much appreciated. I submitted the sample mentioned in the pull request to public cape which works fine (https://cape.contextis.com/analysis/11883). I noticed that this sample is detected as CyberGate (via process dump) in the main task, and triggers an Injection task (#11885) which gets the config and the injected payloads. Happy days - this is what cape is all about! I am very keen to hear about any other fixes you might have, please feel free to email me at [email protected]. I really appreciate any contributions and I have a lot of things on my to-do list so any help would be great. I have been contacted by VirusTotal about the possibility of integrating results from the public instance with them, and am considering submitting to blackhat EU - both really exciting opportunities!
Kev
cool :)
I've spoken at BH before and would be happy to review slides and content for critique before submission. I'm an old school hacker, so if ya get stuck anywhere with anything (people, topics), lemme know. Happy to help.
Also, is VirusTotal giving the project something in return? It's a business for them, so look for the hidden reasons why. Again, happy to help in any capacity.
Tim
On Jul 2, 2018, at 5:31 AM, doomedraven wrote:
> cool :)
> sound pretty cool. I will ping you today, and we can discuss some stuff in private
I forgot to ask, are there hooks on NtQueryInformationProcess, GetTickCount, SetLastError/GetLastError, MoveFileWithProgressTransactedA/W? They are needed as well.
It's funny you ask as I have literally just finished adding a hook for NtQueryInformationProcess as well as NtSetInformationThread and NtQueryInformationThread. I will push these as soon as I have tested them! There are already hooks for MoveFileWithProgressTransactedW and GetLastError, but not for SetLastError. There is a hook for GetTickCount but it's not logged currently (so not visible to signatures for example) but this can of course be changed.
As far as the BH submission goes I would really appreciate a review - not quite sure yet what to base the presentation around but I'll be putting thought into it over the next few days and will let you know what I come up with. The VT integration probably would only provide a bit of publicity but that is definitely something I would value at this stage - I still think it's not a project that's too well known yet. I would love to get more users and contributors and see the project really take off.
Or more complainers saying everything is broken/doesn't work for them, which is why I removed the fork of cuckoo-mod after it died; I was starting to see very stupid issues.
Right, I've just pushed the new capemon with new hooks for NtSetInformationThread, NtQueryInformationThread, and NtQueryInformationProcess, as well as expanding slightly the existing hook for NtSetInformationProcess.
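As an added illustration of the kind of behaviour signature these new hooks make possible (example code written for this page, not CAPE's own signature module; the call-record layout, the function names and the sample log are all assumptions), the following scans hooked API call records for the anti-debug techniques mentioned in this thread: ThreadHideFromDebugger via NtSetInformationThread, debug-port/flags queries via NtQueryInformationProcess, debug registers written via NtSetContextThread, and vectored exception handler registration.

```python
# Added example, not code from the CAPE project: a CAPE-style behaviour signature
# that scans hooked API call records for the anti-debug techniques discussed in
# this thread. The record layout (dicts with "api" and "arguments") is an
# assumption; CAPE's own signature base class and call format are different.
from typing import Dict, Iterable, List, Tuple

# Information-class constants (documented Windows values, not CAPE-specific).
THREAD_HIDE_FROM_DEBUGGER = 0x11       # NtSetInformationThread
PROCESS_DEBUG_PORT = 0x07              # NtQueryInformationProcess
PROCESS_DEBUG_OBJECT_HANDLE = 0x1E
PROCESS_DEBUG_FLAGS = 0x1F
CONTEXT_DEBUG_REGISTERS_BIT = 0x10     # set in ContextFlags when Dr0-Dr7 are written (x86 and x64)

DEBUG_QUERY_CLASSES = {PROCESS_DEBUG_PORT, PROCESS_DEBUG_OBJECT_HANDLE, PROCESS_DEBUG_FLAGS}


def _arg(args: Dict[str, object], name: str, default: int = 0) -> int:
    """Parse an argument the log may carry as an int, a decimal string or a 0x-hex string."""
    value = args.get(name, default)
    return value if isinstance(value, int) else int(str(value), 0)


def anti_debug_hits(calls: Iterable[Dict]) -> List[Tuple[str, str]]:
    """Return (technique, api) pairs for every call that matches an anti-debug pattern."""
    hits = []
    for call in calls:
        api, args = call.get("api", ""), call.get("arguments", {})
        if api == "NtSetInformationThread" and _arg(args, "ThreadInformationClass") == THREAD_HIDE_FROM_DEBUGGER:
            hits.append(("thread_hide_from_debugger", api))
        elif api == "NtQueryInformationProcess" and _arg(args, "ProcessInformationClass") in DEBUG_QUERY_CLASSES:
            hits.append(("debug_port_or_flags_query", api))
        elif api == "NtSetContextThread" and _arg(args, "ContextFlags") & CONTEXT_DEBUG_REGISTERS_BIT:
            hits.append(("debug_registers_via_set_context", api))
        elif api == "RtlAddVectoredExceptionHandler":
            hits.append(("vectored_exception_handler", api))
    return hits


# Constructed sample log: three anti-debug calls mixed with benign ones.
SAMPLE_CALLS = [
    {"api": "NtQueryInformationProcess", "arguments": {"ProcessInformationClass": "0x07"}},
    {"api": "GetTickCount", "arguments": {}},
    {"api": "NtSetInformationThread", "arguments": {"ThreadInformationClass": 17}},
    {"api": "NtSetContextThread", "arguments": {"ContextFlags": "0x00010007"}},  # no debug registers
    {"api": "RtlAddVectoredExceptionHandler", "arguments": {"First": 1}},
    {"api": "NtQueryInformationProcess", "arguments": {"ProcessInformationClass": 0}},  # basic info
]

if __name__ == "__main__":
    for technique, api in anti_debug_hits(SAMPLE_CALLS):
        print(f"{technique:<32} {api}")
```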
add ability to remove sample if it exists --unique
Adds some anti-debug/VM checks along with a few malicious API behavior checks.