trou / cuckoo2mist

A fork of cuckoo2mist. The Malware Instruction Set (MIST) is a representation for the monitored behavior of malicious software.
GNU General Public License v2.0

MIST level #4

Open Navein opened 6 years ago

Navein commented 6 years ago

Hi, should all the API functions be at level 2? For example, for these 2 API calls:

<HttpOpenRequestA mist="01">
    <Path type="type_string"/>
    <Flags type="type_integer"/>
    <InternetHandle type="type_hex"/>
</HttpOpenRequestA>

<CreateRemoteThread mist="01">
    <StartRoutine type="type_hex"/>
    <Parameter type="type_hex"/>
    <ProcessHandle type="type_hex"/>
    <CreationFlags type="type_integer"/>
    <ThreadId type="type_integer"/>
</CreateRemoteThread>

<NtWriteVirtualMemory mist="01">
    <Buffer type="type_hex"/>
    <BaseAddress type="type_hex"/>
    <ProcessHandle type="type_hex"/>
</NtWriteVirtualMemory>

Should InternetHandle, ThreadId, and ProcessHandle be at level 2, since the values vary from sample to sample?
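To make the level question concrete, the following is an added example and not code from cuckoo2mist or from either participant. It parses a config fragment in the same shape as the XML quoted above, but with two hypothetical attributes that the real config does not have: a `category` code on each API element and a `level` on each argument (block 1 for stable operands, block 2 for run-specific details, matching the numbering used in the question). The encodings of `type_hex`, `type_integer` and `type_string` are this example's own choices. Two CreateRemoteThread calls that differ only in handle and thread-id values then produce identical instructions when truncated at level 1 and different ones at level 2, which is exactly the sample-to-sample variance the question is about.

```python
"""Added example: MIST-style encoding of monitored API calls with per-argument
levels. Not cuckoo2mist code; the `category`/`level` attributes and the value
encodings are assumptions made for this illustration."""
import hashlib
import xml.etree.ElementTree as ET

# Constructed config fragment (assumption: `category` and `level` attributes
# are hypothetical additions, not part of the cuckoo2mist config format).
CONFIG_XML = """
<apis>
  <HttpOpenRequestA mist="01" category="05">
    <Path type="type_string" level="1"/>
    <Flags type="type_integer" level="1"/>
    <InternetHandle type="type_hex" level="2"/>
  </HttpOpenRequestA>
  <CreateRemoteThread mist="01" category="03">
    <StartRoutine type="type_hex" level="1"/>
    <Parameter type="type_hex" level="2"/>
    <ProcessHandle type="type_hex" level="2"/>
    <CreationFlags type="type_integer" level="1"/>
    <ThreadId type="type_integer" level="2"/>
  </CreateRemoteThread>
</apis>
"""


def encode_value(vtype, value):
    """Encode one argument value (this example's own scheme, not MIST's)."""
    if vtype == "type_hex":          # pointers/handles: 8 hex digits
        return f"{int(value, 16):08x}"
    if vtype == "type_integer":      # integers: also 8 hex digits
        return f"{int(value):08x}"
    if vtype == "type_string":       # strings: short stable hash
        return hashlib.sha1(value.encode()).hexdigest()[:8]
    raise ValueError(f"unknown type {vtype}")


def load_config(xml_text):
    """Map API name -> (category, operation, [(arg, type, level), ...])."""
    cfg = {}
    for api in ET.fromstring(xml_text):
        args = [(a.tag, a.get("type"), int(a.get("level"))) for a in api]
        cfg[api.tag] = (api.get("category"), api.get("mist"), args)
    return cfg


def to_mist(cfg, api_name, arguments, max_level=None):
    """Build 'CAT OP | level-1 block | level-2 block ...', optionally truncated."""
    category, op, args = cfg[api_name]
    levels = {}
    for name, vtype, level in args:
        levels.setdefault(level, []).append(encode_value(vtype, arguments[name]))
    blocks = [f"{category} {op}"]
    for level in sorted(levels):
        if max_level is not None and level > max_level:
            break
        blocks.append(" ".join(levels[level]))
    return " | ".join(blocks)


def varying_fields(cfg, api_name, calls):
    """List (arg, level) pairs whose encoded value is not identical across calls."""
    _, _, args = cfg[api_name]
    out = []
    for name, vtype, level in args:
        encoded = {encode_value(vtype, c[name]) for c in calls}
        if len(encoded) > 1:
            out.append((name, level))
    return out


CFG = load_config(CONFIG_XML)

# Constructed call records: same injection, different handle/thread values.
CALL_A = {"StartRoutine": "0x7c801d7b", "Parameter": "0x00000000",
          "ProcessHandle": "0x000000a4", "CreationFlags": "0", "ThreadId": "1234"}
CALL_B = {"StartRoutine": "0x7c801d7b", "Parameter": "0x00000000",
          "ProcessHandle": "0x000000f8", "CreationFlags": "0", "ThreadId": "2200"}

if __name__ == "__main__":
    for call in (CALL_A, CALL_B):
        print("level 1:", to_mist(CFG, "CreateRemoteThread", call, max_level=1))
        print("full   :", to_mist(CFG, "CreateRemoteThread", call))
    print("varies :", varying_fields(CFG, "CreateRemoteThread", [CALL_A, CALL_B]))
```

Run as a script it prints the level-1 and full instruction for both calls and the list of arguments that differ. Keeping handles and thread ids in the level-2 block means a level-1 comparison (category, operation, entry point, flags) still matches across runs, while the full instruction keeps the per-run detail for anyone who wants it.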

trou commented 6 years ago

Since I haven't used the tool in years, I wouldn't be able to make any meaningful comment.

I do not maintain it anymore, but I'd accept pull requests.