Open Tigzy opened 9 years ago
Hi,
Yes, thanks for the reminder, it has been on my todo list for quite a while, but I have to find the time for it to properly integrate it upstream ;)
Jurriaan
Good to hear :+1: Keep up the good work!
There are several reasons why monitoring was kept in userland. Kernelmode monitoring doesn't give as much granularity and flexibility in what we can do, besides being an incredible hassle to maintain for multiple platforms in the long run.
For what it's worth, we won't replace usermode hooking with kernelmode. Perhaps make them complementary at most.
"Kernelmode monitoring doesn't give as much granularity and flexibility in what we can do". Well, all NtXxxx APIs hooked in userland have their kernelmode equivalents, ZwXxxx.
I agree that hooking the SSDT isn't an easy task on multiple platforms, but the researcher can help a little bit on modern OSs by disabling PatchGuard. Not asking to replace the userland hooking, but to provide an option to choose a preferred way.
How is the development going for this feature? Any release dates yet?
Hello. There's a fact: malware can easily detect Cuckoo hooks, even with the DLL hidden. Why not go deeper and do the analysis from kernel mode?
This is what zer0m0n does, so why not integrate its development into the official Cuckoo repo? https://github.com/conix-security/zer0m0n