spender-sandbox / cuckoo-modified

Modified edition of cuckoo


Using signature helpers in original cuckoo sandbox

Jon045 opened this issue · comments

Hello,

I have deployed the base cuckoo sandbox from [https://github.com/cuckoosandbox/cuckoo].

My goal is to create self-defined signatures that detect API calls along with their arguments. I tried event signatures (using the on_call method), but for some reason the on_call API is not triggered even though the functions are being called by an executable. So I had no luck with the event signatures.

As per my knowledge, the base cuckoo sandbox does not implement the check_api and check_argument helpers given at . I was wondering if I could use the definitions given here. Is there any way I can simply replace the abstracts.py defined here with the base cuckoo abstracts.py without major changes and use the helpers to achieve my goal?

Let me know. Thanks.

this repo is dead, you can't simply replace abstracts, but you can adapt from one to another

Oh I see. Can you guide me about the current practice which uses the on_call method?

Below is my scenario:

I wrote a C++ program which finds open windows using FindWindowA function and then matches a substring "agent.py" to check if cuckoo agent is running.

The above executable works fine and finds the appropriate window.

Then I wrote the signature as given below:

```python
from lib.cuckoo.common.abstracts import Signature

class AgentWindowCheck(Signature):
    name = "agent_window_check"
    description = "Looks for the cuckoo agent window via FindWindowA"
    severity = 3
    categories = ["anti-sandbox"]
    minimum = "2.0"

    # only FindWindowA calls are delivered to on_call
    filter_apinames = set(["FindWindowA"])

    def on_call(self, call, process):
        if call["api"] == "FindWindowA":
            print call["arguments"]["window_name"]
            # raw string: "\U", "\g", "\D" and "\a" would otherwise be read as escapes
            if call["arguments"]["window_name"] == r"C:\Users\guestwindows\Desktop\agent.py":
                self.mark_call()
                return True
```

On printing a string in the on_call function, I found out it is not being called, although cuckoo detects the function "FindWindowA" in static analysis. Moreover, on_call was previously being triggered and now for some reason it is not.

I also created a file extension detection signature just to see if it is working properly and that signature worked fine.

I am having a very hard time figuring this out so any help is highly appreciated. Thanks

at least care about formatting, as that is so dirty to read, but looks good theoretically

my suggestion: read the abstracts + already existing signatures, they should help. In mod/cape there is no self.mark_call, you can't use v2 abstracts on mod/cape, so go for the abstracts and port it, or use something you need that is equivalent
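As an added illustration of the porting advice above (this is example code, not code from this repository, CAPE, or upstream cuckoo): the FindWindowA signature rewritten in the cuckoo-modified style, where a hit is recorded by appending to `self.data` and returning True instead of calling `self.mark_call()`. The `Signature` base class in the block is a stand-in written for this example so that it runs offline; it only mimics the helpers the signature touches (`filter_apinames`, `get_argument`, `data`), and the real one lives in `lib/cuckoo/common/abstracts.py`. The argument name `WindowName`, the class attributes (`evented`, `minimum`) and the behavior-log records are assumptions made here, so check them against the monitor hook definitions and existing signatures in the tree you port to. It also generalizes the match to the file name of the window title rather than one fixed path, since the agent's window title depends on where agent.py was started in the guest.

```python
# Example port of the FindWindowA signature to cuckoo-modified conventions.
# The Signature class below is a stand-in for this example, NOT the real
# lib.cuckoo.common.abstracts.Signature; it reproduces only the helpers used.
# Assumed (not verified against a monitor build): argument name "WindowName",
# and the list-of-{"name","value"} argument layout in the behavior log.

import ntpath


class Signature(object):
    """Stand-in base class mimicking the helpers the signature relies on."""
    filter_apinames = set()

    def __init__(self):
        self.data = []

    def get_argument(self, call, name):
        # Arguments are assumed to be a list of {"name": ..., "value": ...} dicts.
        for arg in call["arguments"]:
            if arg["name"] == name:
                return arg["value"]
        return None


class AgentWindowCheck(Signature):
    name = "agent_window_check"
    description = "Looks up the cuckoo agent window with FindWindowA"
    severity = 3
    categories = ["anti-sandbox"]
    minimum = "1.3"
    evented = True

    # Only FindWindowA calls are delivered to on_call; everything else is dropped.
    filter_apinames = set(["FindWindowA"])

    def on_call(self, call, process):
        window_name = self.get_argument(call, "WindowName")
        if not window_name:
            return None
        # Compare the file name only: the full path varies between guests.
        if ntpath.basename(window_name).lower() == "agent.py":
            # cuckoo-modified style: record the evidence in self.data, no mark_call()
            self.data.append({"window": window_name})
            return True
        return None


def run_signature(calls, process=None):
    """Replay constructed behavior-log calls through the signature.

    Applies the same filter_apinames gate the framework applies, then returns
    (matched, data) so the result can be inspected programmatically.
    """
    sig = AgentWindowCheck()
    matched = False
    for call in calls:
        if call["api"] not in sig.filter_apinames:
            continue
        if sig.on_call(call, process):
            matched = True
    return matched, sig.data


# Constructed sample calls in the assumed behavior-log shape (not real log data).
SAMPLE_CALLS = [
    {"api": "FindWindowA", "arguments": [
        {"name": "ClassName", "value": ""},
        {"name": "WindowName", "value": r"C:\Users\guestwindows\Desktop\agent.py"}]},
    {"api": "FindWindowA", "arguments": [
        {"name": "ClassName", "value": "Notepad"},
        {"name": "WindowName", "value": "Untitled - Notepad"}]},
    {"api": "CreateFileW", "arguments": [
        {"name": "FileName", "value": r"C:\Windows\Temp\x.tmp"}]},
]

if __name__ == "__main__":
    hit, evidence = run_signature(SAMPLE_CALLS)
    print("matched: %s evidence: %r" % (hit, evidence))
```

The raw string for the sample path matters in the original code too: in a plain Python string literal `\a` is a bell character, so an equality test against a non-raw `"...\Desktop\agent.py"` can never match what the monitor logged.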

Apologies for bad formatting. New to posting issues on github.

What do you mean by mod/cape and v1/ v2 abstracts?

cuckoo-modified is this repo, https://github.com/kevoreilly/CAPE/ is continued work on this

mod/cape is based on cuckoo v1.3 with tons of improvements, go read the readme for more details; v2 is upstream https://github.com/cuckoosandbox/cuckoo