Higher level functions?
Shawn-Shan opened this issue
Hey,
Before anything, this is awesome work and I'm really glad people are working on this. In particular, anti-VM tools are more and more popular with newer malware.
I wonder whether we can have some higher-level functions that create some dummy files, cookies, etc. Also, add some techniques to defeat anti-VM tools.
Also, how would we interact with malware run from a Cuckoo sandbox?
- Shawn
Hi, usually you should prepare your VM to bypass anti-VM techniques first.
Initially, this library was built to run as a Cuckoo machinery, so there was no intention to add interaction capabilities. But it's something a library user can try to implement by using functions like take_screenshot_to_bytes, put_mouse_events and send_character_string.
Thanks for the quick reply.
Do you know any automated packages that patch a VM to bypass anti-VM detection? I tried VMcloak, but it seems to be outdated.
Honestly, I haven't done deep malware analysis for the last couple of years, so I'm not the best person to give advice :) If I were you, I'd try to look at the most recent forks of VMcloak and probably try something agentless like Drakvuf, or even try host-based analysis with the OS running in RAM using Intel AMT.