search

cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org
Other
5.56k stars 1.7k forks source link

Bug moving the mouse #345

Closed 0ca closed 10 years ago

0ca commented 10 years ago

Hi, The problem is in this module: https://github.com/cuckoobox/cuckoo/blob/master/analyzer/windows/modules/auxiliary/human.py

        while self.do_run:
            move_mouse()
            click_mouse()
            USER32.EnumWindows(EnumWindowsProc(foreach_window), 0)
            KERNEL32.Sleep(1000)

After moving randomly the mouse in the function move_mouse(), the mouse position is set to a fix position to do a click in the function click_mouse():

def click_mouse():
    # Move mouse to top-middle position.
    USER32.SetCursorPos(RESOLUTION["x"] / 2, 0)

And then the module makes a sleep of a second KERNEL32.Sleep(1000).

The problem is that the mouse position during ~999 milliseconds is in the top-middle so a program monitoring the mouse thinks that the mouse isn't moving :(

An easy way to fix this is invert the order of the instructions, so first we make a fix mouse click and immediately after we randomly move the mouse and wait one second.

        while self.do_run:
            click_mouse()            
            move_mouse()
            USER32.EnumWindows(EnumWindowsProc(foreach_window), 0)
            KERNEL32.Sleep(1000)

Best regards!

botherder commented 10 years ago

I'm not sure how inverting it would make a difference. Can you elaborate?

0ca commented 10 years ago

Sure.

In the original order:

        while self.do_run:
            move_mouse()
            click_mouse()
            USER32.EnumWindows(EnumWindowsProc(foreach_window), 0)
            KERNEL32.Sleep(1000)

First the mouse position is set randomly in the function move_mouse() with this code:

def move_mouse():
    x = random.randint(0, RESOLUTION["x"])
    y = random.randint(0, RESOLUTION["y"])

But inmediatily after is called the function click_mouse() where the mouse position is fixed to the top-middle of screen:

def click_mouse():
    # Move mouse to top-middle position.
    USER32.SetCursorPos(RESOLUTION["x"] / 2, 0)

After call move_mouse() and click_mouse() is call a function to autoclick forms and in the end is execute a sleep of 1 second is executed.

So the time that the cursor is in a random position is very very small. Only the time that the programs takes to execute one instruction. The rest of the time, the entire second of the sleep. the mouse is always in the top-middle of screen.

So a program that invoke GetCursorPos in two differents moments is VERY probably that the two positions are the same, the top-middle.

But this changes when you invert the order because during the second of the sleep the mouse is in a random position.

To test this you can analize pafish, an exe that detect VirtualMachines/Sandbox. It has a detection based in the mouse movement. https://github.com/a0rtega/pafish

PD: Sorry about my english :P

botherder commented 10 years ago

Ok, I understand what you mean and I guess it makes sense.