Added HackingTeam anti-Cuckoo function as a check

This commit is contained in:
Duarte Silva 2015-07-10 20:21:55 +01:00
parent 229e1eb751
commit 0d7d8fb43e
5 changed files with 91 additions and 2 deletions


@ -4,7 +4,7 @@ LINK = i686-w64-mingw32-gcc
WINDRES = i686-w64-mingw32-windres WINDRES = i686-w64-mingw32-windres
OBJ = Objects/MingW/main.o Objects/MingW/common.o Objects/MingW/utils.o Objects/MingW/debuggers.o Objects/MingW/sandboxie.o \ OBJ = Objects/MingW/main.o Objects/MingW/common.o Objects/MingW/utils.o Objects/MingW/debuggers.o Objects/MingW/sandboxie.o \
Objects/MingW/vbox.o Objects/MingW/gensandbox.o Objects/MingW/wine.o Objects/MingW/vmware.o \ Objects/MingW/vbox.o Objects/MingW/gensandbox.o Objects/MingW/wine.o Objects/MingW/vmware.o \
Objects/MingW/qemu.o Objects/MingW/hooks.o Objects/MingW/cpu.o Objects/MingW/pafish_private.res Objects/MingW/qemu.o Objects/MingW/hooks.o Objects/MingW/cpu.o Objects/MingW/cuckoo.o Objects/MingW/pafish_private.res
LINKOBJ = $(OBJ) LINKOBJ = $(OBJ)
LIBS = -lwsock32 -liphlpapi -lsetupapi -lmpr -lole32 -lwbemuuid -loleaut32 -s LIBS = -lwsock32 -liphlpapi -lsetupapi -lmpr -lole32 -lwbemuuid -loleaut32 -s
INCS = INCS =
@ -57,5 +57,8 @@ Objects/MingW/hooks.o: $(GLOBALDEPS) hooks.c
Objects/MingW/cpu.o: $(GLOBALDEPS) cpu.c Objects/MingW/cpu.o: $(GLOBALDEPS) cpu.c
$(CC) -c cpu.c -o Objects/MingW/cpu.o $(CFLAGS) $(CC) -c cpu.c -o Objects/MingW/cpu.o $(CFLAGS)
Objects/MingW/cuckoo.o: $(GLOBALDEPS) cuckoo.c
$(CC) -c cuckoo.c -o Objects/MingW/cuckoo.o $(CFLAGS)
Objects/MingW/pafish_private.res: Objects/MingW/pafish_private.rc Objects/MingW/pafish_private.res: Objects/MingW/pafish_private.rc
$(WINDRES) Objects/MingW/pafish_private.rc --input-format=rc -o Objects/MingW/pafish_private.res -O coff $(WINDRES) Objects/MingW/pafish_private.rc --input-format=rc -o Objects/MingW/pafish_private.res -O coff
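Review bot: The new `Objects/MingW/cuckoo.o` rule lists only `$(GLOBALDEPS)` and `cuckoo.c` as prerequisites, so an edit to `cuckoo.h` or `types.h` will not trigger a rebuild unless `$(GLOBALDEPS)` (defined outside this hunk) already names every header; the same applies to the identical rule in the second Makefile below. This mirrors the existing `cpu.o` rule, so it may simply be the project's convention, but `Objects/MingW/cuckoo.o: $(GLOBALDEPS) cuckoo.c cuckoo.h` would make the dependency explicit. The `main.o` rule, whose source now includes `cuckoo.h`, is outside this hunk and may need the same treatment.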


@ -4,7 +4,7 @@ LINK = gcc.exe
WINDRES = windres.exe WINDRES = windres.exe
OBJ = Objects/MingW/main.o Objects/MingW/common.o Objects/MingW/utils.o Objects/MingW/debuggers.o Objects/MingW/sandboxie.o \ OBJ = Objects/MingW/main.o Objects/MingW/common.o Objects/MingW/utils.o Objects/MingW/debuggers.o Objects/MingW/sandboxie.o \
Objects/MingW/vbox.o Objects/MingW/gensandbox.o Objects/MingW/wine.o Objects/MingW/vmware.o \ Objects/MingW/vbox.o Objects/MingW/gensandbox.o Objects/MingW/wine.o Objects/MingW/vmware.o \
Objects/MingW/qemu.o Objects/MingW/hooks.o Objects/MingW/cpu.o Objects/MingW/pafish_private.res Objects/MingW/qemu.o Objects/MingW/hooks.o Objects/MingW/cpu.o Objects/MingW/cuckoo.o Objects/MingW/pafish_private.res
LINKOBJ = $(OBJ) LINKOBJ = $(OBJ)
LIBS = -lwsock32 -liphlpapi -lsetupapi -lmpr -lole32 -lwbemuuid -loleaut32 -s LIBS = -lwsock32 -liphlpapi -lsetupapi -lmpr -lole32 -lwbemuuid -loleaut32 -s
INCS = INCS =
@ -57,5 +57,8 @@ Objects/MingW/hooks.o: $(GLOBALDEPS) hooks.c
Objects/MingW/cpu.o: $(GLOBALDEPS) cpu.c Objects/MingW/cpu.o: $(GLOBALDEPS) cpu.c
$(CC) -c cpu.c -o Objects/MingW/cpu.o $(CFLAGS) $(CC) -c cpu.c -o Objects/MingW/cpu.o $(CFLAGS)
Objects/MingW/cuckoo.o: $(GLOBALDEPS) cuckoo.c
$(CC) -c cuckoo.c -o Objects/MingW/cuckoo.o $(CFLAGS)
Objects/MingW/pafish_private.res: Objects/MingW/pafish_private.rc Objects/MingW/pafish_private.res: Objects/MingW/pafish_private.rc
$(WINDRES) Objects/MingW/pafish_private.rc --input-format=rc -o Objects/MingW/pafish_private.res -O coff $(WINDRES) Objects/MingW/pafish_private.rc --input-format=rc -o Objects/MingW/pafish_private.res -O coff

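--- a/pafish/cuckoo.c
+++ b/pafish/cuckoo.c
@@ -0,0 +1,64 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include "types.h"
+#include "cuckoo.h"
+/**
+* Cuckoo Sandbox definitions.
+*/
+/**
+* Extra space allocated with the hooks information structure.
+*/
+#define TLS_HOOK_INFO_RETADDR_SPACE 0x100
+/**
+* Hook informnation stored by Cuckoo at FS:[TLS_HOOK_INFO].
+*/
+struct hook_info {
+unsigned int depth_count;
+unsigned int hook_count;
+unsigned int retaddr_esp;
+unsigned int last_error;
+unsigned int ret_last_error;
+unsigned int eax;
+unsigned int ecx;
+unsigned int edx;
+unsigned int ebx;
+unsigned int esp;
+unsigned int ebp;
+unsigned int esi;
+unsigned int edi;
+};
+/**
+* Read the address of the hooks information in the TLS.
+*/
+struct hook_info *read_hook_info() {
+void *result = NULL;
+__asm__ volatile ("mov %%fs:0x44,%%eax" : "=a" (result));
+return result;
+}
+/**
+* Cuckoo stores the return addresses in a extra space allocated in conjunction
+* with the hook information function. The only way to check if the structure
+* is valid is to calculate what is the minimum and maximum value for the
+* return address value location.
+*/
+int cuckoo_check_tls() {
+struct hook_info *info = read_hook_info();
+if (info == NULL) {
+return FALSE;
+}
+unsigned int minimum = ((unsigned int) info + sizeof(struct hook_info));
+unsigned int maximum = minimum + TLS_HOOK_INFO_RETADDR_SPACE;
+return (info != NULL) && (info->retaddr_esp >= minimum && info->retaddr_esp <= maximum) ?
+TRUE : FALSE;
+}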
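Review bot: The `(info != NULL)` term on the return line of `cuckoo_check_tls` is dead, because the function already returned FALSE for a NULL `info` a few lines earlier, and the `? TRUE : FALSE` wraps an expression that is already 0 or 1; `return (info->retaddr_esp >= minimum && info->retaddr_esp <= maximum) ? TRUE : FALSE;` keeps the TRUE/FALSE convention from types.h without the redundant check. `read_hook_info` is not declared in cuckoo.h, so it should be `static struct hook_info *read_hook_info(void)`, and `cuckoo_check_tls()` here and in cuckoo.h should take `(void)` rather than an old-style unspecified parameter list. The inline asm hard-codes `0x44` while the comment above `struct hook_info` refers to `FS:[TLS_HOOK_INFO]`, which is never defined; a `#define TLS_HOOK_INFO 0x44` beside `TLS_HOOK_INFO_RETADDR_SPACE`, used in the asm string, would make the comment, the constant and the code agree (the same comment also misspells "information"). The `%%fs`/`%%eax` asm and the `(unsigned int) info` cast make this file i686-only, which matches the `i686-w64-mingw32-gcc` toolchain in the Makefile, but the file header comment should say so and the cast is better written as `(uintptr_t)` so the arithmetic width follows the pointer width instead of silently truncating.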

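--- a/pafish/cuckoo.h
+++ b/pafish/cuckoo.h
@@ -0,0 +1,8 @@
+#ifndef CUCKOO_H
+#define CUCKOO_H
+int cuckoo_check_tls();
+#endif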
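Review bot: The header exports `cuckoo_check_tls` without any documentation, and since this prototype is the only thing callers see, and main.c compares the result against `TRUE`, the return contract belongs here. A Doxygen comment above the prototype such as `/** Check whether Cuckoo's hook information structure is present in the TLS. Returns TRUE when it is found, FALSE otherwise (values from types.h). */` would cover it. Stating in the same comment that the check is only meaningful on 32-bit x86 builds would spare the next reader a trip into the inline asm in cuckoo.c.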


@ -17,6 +17,7 @@
#include "vmware.h" #include "vmware.h"
#include "qemu.h" #include "qemu.h"
#include "cpu.h" #include "cpu.h"
#include "cuckoo.h"
/* /*
Pafish (Paranoid fish) Pafish (Paranoid fish)
@ -452,6 +453,16 @@ int main(void)
} }
else print_not_traced(); else print_not_traced();
/* Cuckoo detection tricks */
printf("\n[-] Cuckoo detection\n");
printf("[*] Looking in the TLS for the hooks information structure ... ");
if (cuckoo_check_tls() == TRUE) {
write_log("Cuckoo hooks information structure traced in the TLS");
print_traced();
write_trace("hi_cuckoo");
}
else print_not_traced();
printf("\n\n"); printf("\n\n");
printf("[-] Feel free to RE me, check log file for more information."); printf("[-] Feel free to RE me, check log file for more information.");