cuckoosandbox / community

Repository of modules and signatures contributed by the community

Not an issue, but a question. Is there any way to modify return values of hooked API? #460

Closed d0mnik closed 4 years ago

d0mnik commented 4 years ago

I am trying to configure Cuckoo to counter common anti-analysis tricks. Is there any way to modify the return values of hooked API calls that might allow me to bypass some of those anti-analysis tricks?

doomedraven commented 4 years ago

yep, you can do it in monitor https://github.com/cuckoosandbox/monitor

d0mnik commented 4 years ago

@doomedraven I can't find anything in the monitor docs that mentions anything about modifying return values. Am I missing something?

doomedraven commented 4 years ago

check return value https://cuckoo-monitor.readthedocs.io/en/latest/hooks.html#available-blocks but the best is to go with C hooks so you can do whatever you want

d0mnik commented 4 years ago

@doomedraven isn't the return just a declaration of its type? or am I misunderstanding it?

doomedraven commented 4 years ago

yes, that is how the default hook declaration works, which is why the best is to go with C hooks https://cuckoo-monitor.readthedocs.io/en/latest/components.html#c-framework

d0mnik commented 4 years ago

@doomedraven so I would have to write custom C code for the APIs whose return values I want to modify?

doomedraven commented 4 years ago

yes

d0mnik commented 4 years ago

ok thank you for your help!!

doomedraven commented 4 years ago

you are welcome

d0mnik commented 4 years ago

@doomedraven which source file do I have to modify? I am quite lost in the layout. Or do I have to create a new src file? If so, how do I integrate it into the existing source? Many thanks!

doomedraven commented 4 years ago

well, if you could for a start say which hook you want to modify

d0mnik commented 4 years ago

@doomedraven can't think of one right off my head, but let's say it's IsDebuggerPresent. How can I go about modifying its return value?
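To make the "C hook" idea from the thread concrete, here is an added, portable sketch of the pattern such a hook implements: call the original API, record the genuine result for the analysis log, then hand the sample a policy-controlled value. This is illustration code written for this thread, not code from Cuckoo Monitor; the `Old_`/`New_` naming, the `hook_record` log and the `g_spoof_debugger_checks` switch are constructed, and the "original" IsDebuggerPresent is a stand-in that pretends a debugger is attached.

```c
#include <stdio.h>

/* Constructed example: portable stand-ins for the Windows API and for the
 * in-guest monitor's hook/log machinery. Not the Cuckoo Monitor C framework. */
typedef int BOOL;

/* Stand-in for the unhooked API (in a real guest this is the trampoline to
 * the original code). Returns 1 to simulate "a debugger is attached". */
static BOOL Old_IsDebuggerPresent(void) { return 1; }

/* One analysis-log entry: the genuine result and the value the sample saw.
 * Keeping both lets the report show that the sample probed for a debugger. */
struct hook_record {
    const char *api;
    BOOL real_ret;
    BOOL spoofed_ret;
};

static struct hook_record g_log[16];
static int g_log_count = 0;

/* Override policy: when non-zero, IsDebuggerPresent always reports
 * "no debugger", whatever the real answer was. */
static int g_spoof_debugger_checks = 1;

/* Replacement the hook installer would point IsDebuggerPresent at.
 * It calls the original, logs the real value, then applies the policy. */
static BOOL New_IsDebuggerPresent(void) {
    BOOL real = Old_IsDebuggerPresent();
    BOOL ret = g_spoof_debugger_checks ? 0 : real;
    if (g_log_count < 16) {
        g_log[g_log_count].api = "IsDebuggerPresent";
        g_log[g_log_count].real_ret = real;
        g_log[g_log_count].spoofed_ret = ret;
        g_log_count++;
    }
    return ret;
}

/* Simulates the sample's anti-analysis check going through the hook:
 * returns 1 if the sample concludes it is being debugged. */
static int sample_thinks_debugged(void) {
    BOOL (*hooked)(void) = New_IsDebuggerPresent;  /* hook installed */
    return hooked() != 0;
}

int main(void) {
    int flagged = sample_thinks_debugged();
    printf("sample saw debugger: %d, log real=%d spoofed=%d\n",
           flagged, g_log[0].real_ret, g_log[0].spoofed_ret);
    return 0;
}
```

The point worth keeping from the sketch is the split between what is logged and what is returned: the spoofed value defeats the check, while the recorded real value is what tells the analyst the sample looked for a debugger.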