spender-sandbox / cuckoomon-modified

Modified edition of cuckoomon

Dumping SSL/TLS master secrets

jgajek opened this issue

Any interest in porting this feature over from the new Cuckoo 2.0 monitor? Based on a cursory review of the code, only two additional APIs in ncrypt.dll would need to be hooked: PRF and Ssl3GenerateKeyMaterial.

That's the simple part -- the part that will take more work is having a selective logger within lsass which can become a full cuckoomon if lsass is otherwise injected into during an analysis. Also need to merge in the rest of the infrastructure.

-Brad

To simplify things, how about just having a checkbox on the Submit page to enable injection of the full cuckoomon into lsass.exe?

Which feature in Cuckoo 2.0 are you referring to? Thanks