From 0d7d8fb43ea1897b19739f7ca6d04e63d1140913 Mon Sep 17 00:00:00 2001
From: Duarte Silva
Date: Fri, 10 Jul 2015 20:21:55 +0100
Subject: [PATCH] Added HackingTeam anti-Cuckoo function as a check
---
 pafish/Makefile.linux | 5 +++-
 pafish/Makefile.win | 5 +++-
 pafish/cuckoo.c | 64 +++++++++++++++++++++++++++++++++++++++++++
 pafish/cuckoo.h | 8 ++++++
 pafish/main.c | 11 ++++++++
 5 files changed, 91 insertions(+), 2 deletions(-)
 create mode 100644 pafish/cuckoo.c
 create mode 100644 pafish/cuckoo.h
diff --git a/pafish/Makefile.linux b/pafish/Makefile.linux
index 9178461..8172a83 100644
--- a/pafish/Makefile.linux
+++ b/pafish/Makefile.linux
@@ -4,7 +4,7 @@ LINK = i686-w64-mingw32-gcc
 WINDRES = i686-w64-mingw32-windres
 OBJ = Objects/MingW/main.o Objects/MingW/common.o Objects/MingW/utils.o Objects/MingW/debuggers.o Objects/MingW/sandboxie.o \
 Objects/MingW/vbox.o Objects/MingW/gensandbox.o Objects/MingW/wine.o Objects/MingW/vmware.o \
- Objects/MingW/qemu.o Objects/MingW/hooks.o Objects/MingW/cpu.o Objects/MingW/pafish_private.res
+ Objects/MingW/qemu.o Objects/MingW/hooks.o Objects/MingW/cpu.o Objects/MingW/cuckoo.o Objects/MingW/pafish_private.res
 LINKOBJ = $(OBJ)
 LIBS = -lwsock32 -liphlpapi -lsetupapi -lmpr -lole32 -lwbemuuid -loleaut32 -s
 INCS =
@@ -57,5 +57,8 @@ Objects/MingW/hooks.o: $(GLOBALDEPS) hooks.c
 Objects/MingW/cpu.o: $(GLOBALDEPS) cpu.c
 $(CC) -c cpu.c -o Objects/MingW/cpu.o $(CFLAGS)
+Objects/MingW/cuckoo.o: $(GLOBALDEPS) cuckoo.c
+ $(CC) -c cuckoo.c -o Objects/MingW/cuckoo.o $(CFLAGS)
+
 Objects/MingW/pafish_private.res: Objects/MingW/pafish_private.rc
 $(WINDRES) Objects/MingW/pafish_private.rc --input-format=rc -o Objects/MingW/pafish_private.res -O coff
diff --git a/pafish/Makefile.win b/pafish/Makefile.win
index d1aed09..965b9bb 100644
--- a/pafish/Makefile.win
+++ b/pafish/Makefile.win
@@ -4,7 +4,7 @@ LINK = gcc.exe
 WINDRES = windres.exe
 OBJ = Objects/MingW/main.o Objects/MingW/common.o Objects/MingW/utils.o Objects/MingW/debuggers.o Objects/MingW/sandboxie.o \
 Objects/MingW/vbox.o Objects/MingW/gensandbox.o Objects/MingW/wine.o Objects/MingW/vmware.o \
- Objects/MingW/qemu.o Objects/MingW/hooks.o Objects/MingW/cpu.o Objects/MingW/pafish_private.res
+ Objects/MingW/qemu.o Objects/MingW/hooks.o Objects/MingW/cpu.o Objects/MingW/cuckoo.o Objects/MingW/pafish_private.res
 LINKOBJ = $(OBJ)
 LIBS = -lwsock32 -liphlpapi -lsetupapi -lmpr -lole32 -lwbemuuid -loleaut32 -s
 INCS =
@@ -57,5 +57,8 @@ Objects/MingW/hooks.o: $(GLOBALDEPS) hooks.c
 Objects/MingW/cpu.o: $(GLOBALDEPS) cpu.c
 $(CC) -c cpu.c -o Objects/MingW/cpu.o $(CFLAGS)
+Objects/MingW/cuckoo.o: $(GLOBALDEPS) cuckoo.c
+ $(CC) -c cuckoo.c -o Objects/MingW/cuckoo.o $(CFLAGS)
+
 Objects/MingW/pafish_private.res: Objects/MingW/pafish_private.rc
 $(WINDRES) Objects/MingW/pafish_private.rc --input-format=rc -o Objects/MingW/pafish_private.res -O coff
diff --git a/pafish/cuckoo.c b/pafish/cuckoo.c
new file mode 100644
index 0000000..d0ac6f6
--- /dev/null
+++ b/pafish/cuckoo.c
@@ -0,0 +1,64 @@
+
+#include
+#include
+
+#include "types.h"
+#include "cuckoo.h"
+
+/**
+ * Cuckoo Sandbox definitions.
+ */
+/**
+ * Extra space allocated with the hooks information structure.
+ */
+#define TLS_HOOK_INFO_RETADDR_SPACE 0x100
+
+/**
+ * Hook informnation stored by Cuckoo at FS:[TLS_HOOK_INFO].
+ */
+struct hook_info {
+ unsigned int depth_count;
+ unsigned int hook_count;
+ unsigned int retaddr_esp;
+ unsigned int last_error;
+ unsigned int ret_last_error;
+ unsigned int eax;
+ unsigned int ecx;
+ unsigned int edx;
+ unsigned int ebx;
+ unsigned int esp;
+ unsigned int ebp;
+ unsigned int esi;
+ unsigned int edi;
+};
+
+/**
+ * Read the address of the hooks information in the TLS.
+ */
+struct hook_info *read_hook_info() {
+ void *result = NULL;
+
+ __asm__ volatile ("mov %%fs:0x44,%%eax" : "=a" (result));
+
+ return result;
+}
+
+/**
+ * Cuckoo stores the return addresses in a extra space allocated in conjunction
+ * with the hook information function. The only way to check if the structure
+ * is valid is to calculate what is the minimum and maximum value for the
+ * return address value location.
+ */
+int cuckoo_check_tls() {
+ struct hook_info *info = read_hook_info();
+
+ if (info == NULL) {
+ return FALSE;
+ }
+
+ unsigned int minimum = ((unsigned int) info + sizeof(struct hook_info));
+ unsigned int maximum = minimum + TLS_HOOK_INFO_RETADDR_SPACE;
+
+ return (info != NULL) && (info->retaddr_esp >= minimum && info->retaddr_esp <= maximum) ?
+ TRUE : FALSE;
+}
diff --git a/pafish/cuckoo.h b/pafish/cuckoo.h
new file mode 100644
index 0000000..f21bd72
--- /dev/null
+++ b/pafish/cuckoo.h
@@ -0,0 +1,8 @@
+
+#ifndef CUCKOO_H
+#define CUCKOO_H
+
+int cuckoo_check_tls();
+
+#endif
+
diff --git a/pafish/main.c b/pafish/main.c
index 40fee64..3120e5d 100644
--- a/pafish/main.c
+++ b/pafish/main.c
@@ -17,6 +17,7 @@
 #include "vmware.h"
 #include "qemu.h"
 #include "cpu.h"
+#include "cuckoo.h"
 /* Pafish (Paranoid fish)
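Review bot: `read_hook_info` hard-codes the TEB slot as `0x44` inside the inline asm while the comment on `struct hook_info` tells the reader to look for `FS:[TLS_HOOK_INFO]`, a name that never appears in the code; define it once, `#define TLS_HOOK_INFO 0x44 /* FS-relative slot Cuckoo uses for its hook_info pointer */`, and splice that macro into the asm (stringized, or passed as an `"i"` operand) so comment and code cannot drift apart. The read is 32-bit only by construction (`%%eax`, an `fs:` segment load, and `(unsigned int) info` in `cuckoo_check_tls` would truncate a pointer on a 64-bit build), which matches the i686 mingw Makefiles in this commit but deserves a `#if defined(__i386__)` guard or at least a comment so a future x64 target fails to compile rather than misreads the TEB. The pointer pulled out of that slot is dereferenced (`info->retaddr_esp`) after only a NULL check, so if anything other than Cuckoo ever populates the slot this becomes a read through an unvalidated pointer; presumably acceptable for a detection probe, but say so in the function comment. On the return line `(info != NULL) &&` is dead after the early `return FALSE`, and whether the inclusive `<= maximum` (one past the `TLS_HOOK_INFO_RETADDR_SPACE` region) is intended, e.g. for an empty return-address stack pointing at the end of the area, should be stated, since the rest of the check reads as a half-open range. Both definitions here and the declaration in the cuckoo.h hunk use empty parameter lists (`int cuckoo_check_tls();`); prefer `(void)` so calls are type-checked, and `read_hook_info` should be `static` since the header does not export it.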
@@ -452,6 +453,16 @@ int main(void)
 }
 else print_not_traced();
+ /* Cuckoo detection tricks */
+ printf("\n[-] Cuckoo detection\n");
+ printf("[*] Looking in the TLS for the hooks information structure ... ");
+ if (cuckoo_check_tls() == TRUE) {
+ write_log("Cuckoo hooks information structure traced in the TLS");
+ print_traced();
+ write_trace("hi_cuckoo");
+ }
+ else print_not_traced();
+
 printf("\n\n");
 printf("[-] Feel free to RE me, check log file for more information.");