spender-sandbox / cuckoo-modified

Modified edition of cuckoo

Using signature helpers in original cuckoo sandbox #513

Closed AsimSattar96 closed 4 years ago

AsimSattar96 commented 5 years ago

Hello,

I have deployed the base cuckoo sandbox from [https://github.com/cuckoosandbox/cuckoo].

My goal is to create self-defined signatures that detect API calls along with their arguments. I tried event signatures (using the on_call method), but for some reason the on_call API is not triggered even though the functions are being called by an executable. So I had no luck with the event signatures.

As per my knowledge, the base cuckoo sandbox does not implement the check_api and check_argument helpers given at . I was wondering if I could use the definitions given here. Is there any way I can simply replace the abstracts.py defined here with the base cuckoo abstract.py without major changes and use the helpers to achieve my goal?

Let me know. Thanks.

doomedraven commented 5 years ago

this repo is dead, you can't simply replace abstracts, but you can adapt from one to another

AsimSattar96 commented 5 years ago

Oh I see. Can you guide me about the current practice which uses the on_call method?

Below is my scenario:

I wrote a C++ program which finds open windows using FindWindowA function and then matches a substring "agent.py" to check if cuckoo agent is running.

The above executable works fine and finds the appropriate window.

Then I wrote the signature as given below:

```python
from cuckoo.common.abstracts import Signature  # import path of the upstream Cuckoo 2.x Signature base


class AgentWindowCheck(Signature):  # class name is a placeholder; the usual name/description/severity fields are omitted here
    # Only FindWindowA calls are dispatched to on_call.
    filter_apinames = [
        "FindWindowA",
    ]

    def on_call(self, call, process):
        if call["api"] == "FindWindowA":
            print(call["arguments"]["window_name"])
            # Raw string: in a plain literal the "\a" in "\agent.py" is the BEL
            # character, so the original comparison could never match.
            if call["arguments"]["window_name"] == r"C:\Users\guestwindows\Desktop\agent.py":
                self.mark_call()
                return True
```

On printing a string in the on_call function, I found out it is not being called, although cuckoo detects the function "FindWindowA" in static analysis. Moreover, on_call was previously being triggered and now for some reason it is not.

I also created a file extension detection signature just to see if it is working properly and that signature worked fine.

I am having a very hard time figuring this out so any help is highly appreciated. Thanks
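An added example, not code from the thread or from either Cuckoo project: a stand-alone harness that replays constructed behaviour-log records through a signature written in the on_call style above, so the match logic can be checked offline without a running sandbox. The Signature stub, the `{"api": ..., "arguments": {...}}` record shape and the sample path are assumptions made for this example.

```python
AGENT_PATH = r"C:\Users\guestwindows\Desktop\agent.py"  # constructed sample path

class Signature(object):
    """Stub of the sandbox's abstract Signature with only the pieces used here."""
    filter_apinames = set()

    def __init__(self):
        self.marks = []
        self._current = None

    def mark_call(self):
        self.marks.append(self._current)

    def run(self, calls):
        # Dispatch calls to on_call, honouring filter_apinames like the sandbox does.
        hit = False
        for call in calls:
            if self.filter_apinames and call["api"] not in self.filter_apinames:
                continue
            self._current = call
            if self.on_call(call, process=None):
                hit = True
        return hit

class AgentWindowLookup(Signature):
    """Flags a FindWindowA lookup for the agent window (a sandbox-evasion probe)."""
    filter_apinames = set(["FindWindowA"])

    def on_call(self, call, process):
        # Raw string: in a plain literal "\a" in "\agent.py" is BEL, so the comparison fails.
        if call["arguments"]["window_name"] == AGENT_PATH:
            self.mark_call()
            return True
        return False

def build_calls():
    """Constructed behaviour log: a benign lookup, an unrelated API, then the probe."""
    return [
        {"api": "FindWindowA", "arguments": {"window_name": "Notepad"}},
        {"api": "CreateFileA", "arguments": {"filepath": AGENT_PATH}},
        {"api": "FindWindowA", "arguments": {"window_name": AGENT_PATH}},
    ]

def evaluate(calls):
    sig = AgentWindowLookup()
    return sig.run(calls), len(sig.marks)

def escaped_literal_differs():
    """The non-raw spelling from the thread does not equal the raw path."""
    return "C:\\Users\\guestwindows\\Desktop\agent.py" != AGENT_PATH
```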

doomedraven commented 5 years ago

At least care about formatting, as that is so dirty to read, but it looks good theoretically.

My suggestion: read the abstracts and the already existing signatures; they should help. In mod/cape there is no self.mark_call, and you can't use v2 abstracts on mod/cape, so go for the abstracts and port it, or use something equivalent that does what you need.

AsimSattar96 commented 5 years ago

Apologies for the bad formatting. New to posting issues on GitHub.

What do you mean by mod/cape and v1/v2 abstracts?

doomedraven commented 5 years ago

cuckoo-modified is this repo; https://github.com/kevoreilly/CAPE/ is continued work on this.

mod/cape is based on cuckoo v1.3 with tons of improvements; read the readme for more details. v2 is upstream https://github.com/cuckoosandbox/cuckoo