cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

API : __anomaly__ #1030

Open nadamnr opened 8 years ago

nadamnr commented 8 years ago

This is not an issue, I just want to ask about this API, as I couldn't find it on the Windows API website, and I saw it in some samples. Below is an example:

                {
                    "category": "__notification__", 
                    "status": 1, 
                    "stacktrace": [], 
                    "api": "__anomaly__", 
                    "return_value": 0, 
                    "arguments": {
                        "subcategory": "exception", 
                        "tid": 1084, 
                        "message": "Encountered 1025 exceptions, quitting.", 
                        "function_name": ""
                    }, 
                    "time": 1463475488.0, 
                    "tid": 1084, 
                    "flags": {}
                }

Is Anomaly a real API, or is it just something named by the Cuckoo developers? If it has a page on the Windows website, can someone please refer me to it?

jbremer commented 8 years ago

The reason for this __anomaly__ to pop up is the fact that the monitor is throwing too many exceptions. Could you please share the entire analysis and/or some more information on what you're analyzing?

jbremer commented 8 years ago

Any update here @nadamnr ?

nadamnr commented 8 years ago

So just to confirm: the category "category": "__notification__" has four APIs, which are "api": "__anomaly__", "api": "__exception__", __missing__ and __process__; an example of some of them is in the report. These are not really Windows APIs that the sample called like the others, right? As they are not documented! I was confused by this page

and I think if I monitor the API calls with another tool I will not find these APIs mentioned above.

leeqwind commented 8 years ago

__anomaly__, __exception__, __missing__ and __process__ are really not APIs in any system modules of Windows OS. But they are in the monitor API list just because these events should be notified in some way "like an API". The macro MONITOR_FIRSTHOOKIDX defines where the REAL API hook index starts.
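The distinction leeqwind draws (monitor notifications versus hooked Windows calls) matters when you triage a report: an __anomaly__ saying the monitor quit means the trace is incomplete, so an "unremarkable" behavior section may just be truncated. The following Python helper is an added example, not code from the Cuckoo project; it splits a list of `calls` entries into real API calls and monitor events, and flags the bailout. The sample entries are constructed here, modelled on the record quoted in the issue, and the `report["behavior"]["processes"][i]["calls"]` path used by `triage_report()` is an assumption about the report layout.

```python
import json
import re

# Constructed sample of behavior "calls" entries, modelled on the __anomaly__
# record quoted above. Not taken from a real report.
SAMPLE_CALLS = [
    {"category": "system", "api": "NtCreateFile", "status": 1, "return_value": 0,
     "arguments": {"filepath": "C:\\Windows\\Temp\\x.tmp"},
     "time": 1463475480.0, "tid": 1084, "flags": {}},
    {"category": "__notification__", "api": "__process__", "status": 1, "return_value": 0,
     "arguments": {"subcategory": "", "tid": 1084, "message": "", "function_name": ""},
     "time": 1463475481.0, "tid": 1084, "flags": {}},
    {"category": "network", "api": "InternetOpenUrlA", "status": 1, "return_value": 0,
     "arguments": {"url": "http://example.invalid/"},
     "time": 1463475485.0, "tid": 1084, "flags": {}},
    {"category": "__notification__", "api": "__anomaly__", "status": 1, "return_value": 0,
     "arguments": {"subcategory": "exception", "tid": 1084,
                   "message": "Encountered 1025 exceptions, quitting.",
                   "function_name": ""},
     "time": 1463475488.0, "tid": 1084, "flags": {}},
]

# Pseudo-APIs the monitor emits as events rather than as hooked Windows calls
# (the four names listed in this thread; none is a real Windows export).
MONITOR_PSEUDO_APIS = {"__anomaly__", "__exception__", "__missing__", "__process__"}

# Message format of the bailout anomaly seen in the issue.
QUIT_RE = re.compile(r"Encountered (\d+) exceptions, quitting\.")


def is_monitor_event(call):
    """True for entries produced by the monitor itself, not by the sample."""
    return call.get("category") == "__notification__" or call.get("api") in MONITOR_PSEUDO_APIS


def split_calls(calls):
    """Separate hooked API calls from monitor-generated events."""
    real = [c for c in calls if not is_monitor_event(c)]
    events = [c for c in calls if is_monitor_event(c)]
    return real, events


def find_monitor_bailout(events):
    """Return (tid, exception_count, time) of the first __anomaly__ that says
    the monitor quit, or None if no such event is present."""
    for c in events:
        if c.get("api") != "__anomaly__":
            continue
        args = c.get("arguments", {})
        if args.get("subcategory") != "exception":
            continue
        m = QUIT_RE.match(args.get("message", ""))
        if m:
            return (c.get("tid"), int(m.group(1)), c.get("time"))
    return None


def triage(calls):
    """Summarise one process's call list and flag a truncated trace."""
    real, events = split_calls(calls)
    bailout = find_monitor_bailout(events)
    after = 0
    if bailout is not None:
        # Hooked calls logged after the monitor quit would be unexpected;
        # counting them is a sanity check on the trace ordering.
        after = sum(1 for c in real if c.get("time", 0) > bailout[2])
    return {
        "real_api_calls": len(real),
        "monitor_events": len(events),
        "event_kinds": sorted({e["api"] for e in events}),
        "trace_truncated": bailout is not None,
        "bailout": bailout,
        "real_calls_after_bailout": after,
    }


def triage_report(path):
    """Triage every process in a report.json (assumed layout:
    report["behavior"]["processes"][i]["calls"]); returns one summary per pid."""
    with open(path, "r", encoding="utf-8") as fh:
        report = json.load(fh)
    results = {}
    for proc in report.get("behavior", {}).get("processes", []):
        results[proc.get("pid")] = triage(proc.get("calls", []))
    return results


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_CALLS), indent=2))
```

A report whose summary says `trace_truncated: true` should be re-run (or run with the newer monitor mentioned later in this thread) before its behavior section is treated as a complete picture of the sample.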

doomedraven commented 8 years ago
[screenshot attached, 2016-09-02]

md5: b1da99b281905036a6baf330c1f19a33

PS: with the latest monitor from GitHub, I don't [see] this issue.

Nwinternights commented 7 years ago

The latest monitor seems prone to exceptions/evasion. For example, I came across this last ransom but the analysis was not accurate (message: Encountered 1025 exceptions, quitting. subcategory: exception ....). Using @jbremer's test monitor https://cuckoo.sh/8fd5b7ccebf2969d/san2san.tgz the analysis went smoothly!! MD5 of the sample: 15f3c821f74ee1d594da5d38191bdf7e

jbremer commented 7 years ago

Good to hear @Nwinternights, we'll be pushing out the latest version in the upcoming release (most likely).