cuckoosandbox / cuckoomon

DEPRECATED - replaced with "monitor"

detect strings from memory #17

Closed AmihaiN closed 11 years ago

AmihaiN commented 11 years ago

Print all of the strings from the running process memory. This could help analyze some malware with packers.

jbremer commented 11 years ago

This is not an issue related to cuckoomon. However, you can do this now by dumping the entire VM and using volatility (it should be somewhere in the docs).

If you have more questions, feel free to go to the community or mailing list ;-)

AmihaiN commented 11 years ago

Thanks for the fast response :). I do think it could be a part of cuckoomon; I find it very helpful to check out raw memory dumps of malware when I analyze it. And I guess that if it is integrated in cuckoomon it will be much better than using VM dumps, Moonsols, etc. and then using volatility. I don't mind sending you parts of my code from work that does this thing (I'll just have to check with them first :) ).

jbremer commented 11 years ago

Okay. My main concern is that this will probably trigger a lot of false positives, and the fact that you have to run an additional thread just to scan the memory. Tell me what kind of strings you're looking for, and why and when you would do this from cuckoomon.

Feel free to send me some code, although I'm guessing it's rather trivial ;)

AmihaiN commented 11 years ago

Mmm, not all of it is trivial ;) but people over there like this project, so I guess they won't mind sharing some of our code :]

But the trivial part is the one I was actually talking about: the string recognition inside the raw memory dump. I can't see how it can raise false positives. The idea is to add the strings to the final report so the researcher could find strings he couldn't see before when performing static analysis (like running strings over the exe), strings that you could only see after an unpacker was used.

And for the thread concern part, true, it might be a problem. But I find it usually works to just put a breakpoint/hook on ExitProcess, closeThread, ... and when called, take the memory dump.
This thing saved my life (I might be exaggerating ;) ) more than once. And sometimes the memory dump at this stage can be really useful for reversing.
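As an added illustration of the string-recognition step discussed in this thread (not code from cuckoomon or from either commenter), a small Python extractor that pulls printable ASCII and UTF-16LE runs out of a raw process memory dump and reports which ones were absent from the on-disk file; both byte strings below are constructed samples, not real binaries.

```python
import re
from typing import List, Set, Tuple

# Constructed samples (not real binaries): what `strings` sees on disk versus
# what the process memory holds once the packer stub has unpacked the payload.
PACKED_ON_DISK = (
    b"MZ\x90\x00\x03\x00"
    + b"This program cannot be run in DOS mode"
    + b"\x00\x00UPX0\x00\x00"
    + bytes(range(0x80, 0xa0))  # opaque packed body
)
PROCESS_MEMORY_DUMP = (
    PACKED_ON_DISK
    + b"\x00\x00"
    + b"http://example.invalid/gate.php"          # ASCII config string, only present after unpacking
    + b"\x00\xcc\xcc"
    + "CreateRemoteThread".encode("utf-16-le")   # wide string, invisible to a plain ASCII `strings`
    + b"\xff\xfe\x41\x00ab"                       # fragments below the minimum length (noise)
)


def extract_strings(data: bytes, min_len: int = 6) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every printable run of at least
    min_len characters, covering both ASCII and UTF-16LE (the encoding most
    Windows API names and paths use in memory)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    hits = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    hits += [(m.start(), "utf16", m.group().decode("utf-16-le")) for m in wide_re.finditer(data)]
    return sorted(hits)  # by offset, so the report follows memory layout


def strings_only_in_memory(disk: bytes, dump: bytes, min_len: int = 6) -> Set[str]:
    """Strings present in the memory dump but absent from the on-disk file:
    the ones static analysis could not see before the unpacker ran."""
    on_disk = {text for _, _, text in extract_strings(disk, min_len)}
    return {text for _, _, text in extract_strings(dump, min_len)} - on_disk


if __name__ == "__main__":
    for off, enc, text in extract_strings(PROCESS_MEMORY_DUMP):
        print(f"{off:#08x} {enc:5} {text}")
    print("new after unpacking:", sorted(strings_only_in_memory(PACKED_ON_DISK, PROCESS_MEMORY_DUMP)))
```

The `min_len` threshold is the lever against the false-positive concern raised above: short runs of bytes that happen to be printable are dropped before they reach the report.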