ilyaglow / remote-virtualbox

:cake: Python library for managing VirtualBox remotely using its SOAP API


Higher level functions?

Shawn-Shan opened this issue · comments

Hey,

Before anything, this is awesome work and I'm really glad people are working on this, especially since anti-VM tools are more and more popular with newer malware.

I wonder whether we can have some higher-level functions that create some dummy files, cookies, etc. Also, add some techniques to counter anti-VM tools.

Also, how would we interact with malware run from a Cuckoo sandbox?

commented

Hi, usually you should prepare your VM to bypass anti-VM techniques first.
Initially, this library was built to run as a Cuckoo machinery, so there was no intention to add interaction capabilities. But it's something a library user can try to implement using functions like take_screenshot_to_bytes, put_mouse_events and send_character_string.

Thanks for the quick reply.

Do you know any automated packages that patch a VM to bypass anti-VM detection? I tried VMcloak but it seems to be outdated.

commented

Honestly, I haven't done deep malware analysis for the last couple of years, so I'm not the best person to give advice :) If I were you, I'd try to look at the most recent forks of vmcloak and probably try something agentless like Drakvuf, or even try host-based analysis with the OS running in RAM using Intel AMT.