cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

Feature request: Full process path names #881

Closed frisk7 closed 8 years ago

frisk7 commented 8 years ago

Consider the following Json output:

"behavior": {
    "generic": [
        ... {
            "process_name": "svchost.exe",
            "ppid": 2504,
            "pid": 3140,
            "first_seen": 1461058106.375,
            "summary": { ... ...

Everything looks fine, right? Well, actually not. In this particular case, svchost.exe is not C:\Windows\system32\svchost.exe (which would be "normal" behavior), but C:\Users\[removed]\AppData\Roaming\svchost.exe (which is absolutely not normal behavior), but determining this is a bit problematic without the full path name.

This is therefore a feature request to add a new field with the full path name - something like "process_name_r": "C:\Users\[removed]\AppData\Roaming\svchost.exe",

jbremer commented 8 years ago

The process_path is already available in some other behavior entries, but I've added it just in case. Will push the commit later, thanks.

frisk7 commented 8 years ago

Yes, I know process_path is available elsewhere - however, in that location I do not have the ppid field, for example. Having this added in behavior/generic would just put all the information in one location, which makes things a bit easier.

Off topic: I am currently running an array of cuckooboxes as well as an array of...ehm...one of the best (and most expensive) regular commercial sandboxes. I wanted to congratulate you guys, as with 2.0, Cuckoobox has matched the performance of the other sandbox - with version 1.1, it was around 70% (performance measured as the ability to extract assorted features that allow us to determine the maliciousness of the sample in question)

So, great job.

jbremer commented 8 years ago

Thanks, that's always nice to hear. If you need any other help (as in, more than a couple of line changes) do let us know ;-)

jbremer commented 8 years ago

Did you verify this added functionality, @frisk7?

frisk7 commented 8 years ago

Is there an updated binary available for download? This actually became a low priority issue for me, as I realized I could simply process behavior/processes instead of behavior/generic, so I had simply changed my code to avoid this, but I can check.
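The check frisk7 describes in the opening post (a system binary name such as svchost.exe running from a user-writable directory) and the workaround of reading behavior/processes instead of behavior/generic, as an added example that is not part of the issue or of Cuckoo itself. The report fragment is constructed; the field names pid, ppid, process_name, first_seen and process_path come from the thread, while the exact layout of behavior/processes and the list of system binaries are assumptions.

```python
import json
import ntpath

# Constructed sample in the shape of a Cuckoo 2.0 report.json (assumed layout;
# field names follow the issue thread). Paths use doubled backslashes for JSON.
SAMPLE_REPORT = json.loads(r'''{
  "behavior": {
    "processes": [
      {"pid": 2504, "ppid": 1234, "process_name": "explorer.exe",
       "process_path": "C:\\Windows\\explorer.exe", "first_seen": 1461058100.0},
      {"pid": 3140, "ppid": 2504, "process_name": "svchost.exe",
       "process_path": "C:\\Users\\victim\\AppData\\Roaming\\svchost.exe",
       "first_seen": 1461058106.375},
      {"pid": 900, "ppid": 600, "process_name": "svchost.exe",
       "process_path": "C:\\Windows\\System32\\svchost.exe",
       "first_seen": 1461058000.0}
    ]
  }
}''')

# Binaries that legitimately live only under the Windows system directories
# (assumed list; extend to taste). Comparison is case-insensitive.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe",
                   "services.exe", "winlogon.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def masquerading_processes(report):
    """Return (pid, ppid, parent_name, process_path) for every process whose
    name matches a system binary but whose full path is outside the system
    directories. Entries without a process_path cannot be judged and are
    skipped, which is exactly the gap the issue complains about."""
    procs = report.get("behavior", {}).get("processes", [])
    by_pid = {p["pid"]: p for p in procs}
    hits = []
    for p in procs:
        path = p.get("process_path") or ""
        if not path:
            continue
        name = (p.get("process_name") or ntpath.basename(path)).lower()
        if name not in SYSTEM_BINARIES:
            continue
        if not path.lower().startswith(SYSTEM_DIRS):
            parent = by_pid.get(p.get("ppid"), {}).get("process_name", "<unknown>")
            hits.append((p["pid"], p.get("ppid"), parent, path))
    return hits


if __name__ == "__main__":
    for pid, ppid, parent, path in masquerading_processes(SAMPLE_REPORT):
        print(f"pid {pid} (parent {ppid} {parent}) runs from unexpected path: {path}")
```

Pointing the script at a real report.json (json.load on the file, then masquerading_processes on the result) gives the same pid/ppid correlation frisk7 wanted from behavior/generic, using the path that behavior/processes already carries.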

jbremer commented 8 years ago

Eh, no, it was just the following commit https://github.com/cuckoosandbox/cuckoo/commit/ea3ae5ea21fa068687d704339fc891e140274f93.

jbremer commented 8 years ago

Going to close this as resolved :) Thanks!