process_list. 4. The inject application loads and initializes the Cuckoo Monitor DLL inside Process #2 using the
process list. So what if the main suspended thread is never resumed? The answer is straightforward: the Cuckoo DLL will not be initialized inside the process. Thus, if we can execute code inside the created process without resuming the thread, the Cuckoo environment will be evaded.
CreateRemoteThread routine. As the Analyzer already contains the PID of the process we interact with in the
process_list, these operations are ignored.
process_list for tracking the monitored processes. As PIDs are added to that list, they should be removed somewhere as well:
STILL_ACTIVE, then Analyzer removes the PID.
pid_check variable. If it is not set (it may be simply enforced by enabling the Cuckoo
enforce_timeout option), then we just spawn processes until we encounter one with a repeated PID. As that PID is already present in the
process_list, no injection operations are performed, and Cuckoo is evaded. But let's consider a more interesting case:
pid_check is set. It means that terminated processes are removed from the
process_list. Let's take a look at the inject application's code that is responsible for dropping the configuration for the Cuckoo Monitor on the disk.
"C:\\cuckoo_%d.ini" % pid file.
MoveFile second parameter description.
"C:\\cuckoo_%d.ini" % pid must be absent from the disk. But if it is present, the
FALSE and the injection process is terminated. The configuration file is removed only after DLL initialization, so we can create processes with the
CREATE_SUSPENDED state in an infinite loop, until we encounter a repeated PID.
666), the inject application tries to drop the
"C:\\cuckoo_666.ini" file on the disk. However, such a file is already present, so the executable that is responsible for injections is terminated. This process can perform any actions, because it is not monitored by Cuckoo.
PipeHandler that is responsible for handling commands coming from the Cuckoo Monitor module. When a command is queued to the pipe, the Analyzer fetches it and performs the corresponding actions. Furthermore, this architecture is responsible for managing injections. So what happens if the Analyzer is dead? It turns out that we can perform any malicious activities in the system, because injections are not monitored and managed at all.
python applications, we can look for parent/child pairs in the process tree where both parent and child are
python executables. After finding such a pair, the child process is terminated. There is thus a fairly high probability that the terminated process was the Analyzer in a Cuckoo environment.
is_ignored_process call. If the returned value is not equal to 0, the initialization procedure is not executed, and thus the process is not monitored.
is_ignored_process returns a value of 1.
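From the defender's side, both behaviours described above (a process spawning suspended children in a loop until a PID repeats, and an unrelated process terminating a python child of a python parent) leave a recognisable footprint in process telemetry. The following is an added example, not code from the original post or from Cuckoo: it runs two simple heuristics over a constructed, hypothetical event format (creation events carrying the Win32 creation flags, termination events carrying the PID that issued the kill) and returns the suspicious parents and kills.

```python
from collections import defaultdict

CREATE_SUSPENDED = 0x00000004  # Win32 dwCreationFlags bit for a suspended start

# Constructed sample telemetry in a hypothetical format (not real Cuckoo or
# EDR logs): "create" events carry the creation flags, "terminate" events
# carry the PID of the process that issued the kill.
SAMPLE_EVENTS = [
    {"t": 0.0, "kind": "create", "pid": 2000, "ppid": 1000, "image": "python.exe", "flags": 0},
    {"t": 0.1, "kind": "create", "pid": 2100, "ppid": 2000, "image": "python.exe", "flags": 0},
    {"t": 0.2, "kind": "create", "pid": 3000, "ppid": 2100, "image": "sample.exe", "flags": 0},
]
# A burst of suspended children that are torn down without ever being resumed.
for i in range(8):
    SAMPLE_EVENTS.append({"t": 1.0 + i * 0.05, "kind": "create", "pid": 4000 + i,
                          "ppid": 3000, "image": "sample.exe", "flags": CREATE_SUSPENDED})
    SAMPLE_EVENTS.append({"t": 1.0 + i * 0.05 + 0.01, "kind": "terminate",
                          "pid": 4000 + i, "by": 3000})
# A process that is not the parent kills the python child of a python parent.
SAMPLE_EVENTS.append({"t": 2.0, "kind": "terminate", "pid": 2100, "by": 3000})


def suspended_spawn_bursts(events, window=1.0, threshold=5):
    """Return {ppid: max_count} for parents that created at least `threshold`
    CREATE_SUSPENDED children inside some `window`-second interval."""
    times = defaultdict(list)
    for ev in events:
        if ev["kind"] == "create" and ev.get("flags", 0) & CREATE_SUSPENDED:
            times[ev["ppid"]].append(ev["t"])
    hits = {}
    for ppid, ts in times.items():
        ts.sort()
        best, lo = 0, 0
        for hi, t in enumerate(ts):          # sliding window over sorted times
            while t - ts[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            hits[ppid] = best
    return hits


def foreign_kill_of_python_child(events):
    """Return [(killer_pid, victim_pid)] where the victim is python.exe,
    its parent is also python.exe, and the killer is neither of them."""
    image, parent = {}, {}
    hits = []
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["kind"] == "create":
            image[ev["pid"]] = ev["image"].lower()
            parent[ev["pid"]] = ev["ppid"]
        elif ev["kind"] == "terminate":
            victim, killer = ev["pid"], ev["by"]
            ppid = parent.get(victim)
            if (image.get(victim) == "python.exe"
                    and image.get(ppid) == "python.exe"
                    and killer not in (victim, ppid)):
                hits.append((killer, victim))
    return hits


if __name__ == "__main__":
    print("suspended spawn bursts:", suspended_spawn_bursts(SAMPLE_EVENTS))
    print("python child killed by outsider:", foreign_kill_of_python_child(SAMPLE_EVENTS))
```

The window and threshold values are assumptions to be tuned against benign baselines; installers and debuggers also start suspended processes, so the burst check is a triage signal rather than a verdict, while a non-parent terminating the Analyzer's python child is rare enough in a sandbox to be treated as a strong indicator.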