The official pencils-down date passed yesterday. With this last blog post I want to give an overview of what I have achieved during the last three months, give a short introduction to using PwnyPot with Cuckoo, and reflect on my experiences with GSoC and the Honeynet Project.
As the title of my project already makes clear, the original plan was to make use of the well-known malware analysis tool Cuckoo to manage automatic analysis with the high-interaction client-side honeypot PwnyPot.
Before I started my project, PwnyPot consisted of a DLL that was injected into processes chosen through a GUI on the guest (analysis) system. The same GUI was used to set the options for the analysis and prevention techniques.
All analysis information was logged on the guest system into simple log files and one XML document. Instead of writing completely new management software for the automated execution and analysis of malware, I decided to modify PwnyPot slightly so that it works with Cuckoo. Cuckoo has been under continuous development for several years and is easy to adapt to your needs. The following main changes were necessary:
- File transmission from PwnyPot.dll to the Cuckoo result server to deliver the analysis information
- Cuckoo named pipe inside PwnyPot.dll to notify Cuckoo of new (child) processes of the malware
- Cuckoo processing module to parse the analysis information
- Cuckoo reporting module to display the results, for example as HTML
- Modify Cuckoo to read PwnyPot-specific configuration
- Allow Cuckoo to inject a DLL other than cuckoomon.dll
Cuckoo's modular architecture made it possible to add all of this functionality by adding new modules, without touching much of the core. In the core I only changed the analyzer and the analysis packages, so that a DLL other than cuckoomon.dll can be injected. As Mark (one of the co-developers of Cuckoo) told me later, this feature may also be interesting for others. Therefore I created this pull request.
The modifications to the PwnyPot code were also quite easy, because the protocols (ResultServer, NamedPipe) that Cuckoo uses to retrieve analysis information from the guest are pretty simple. The changes to PwnyPot that are only needed for Cuckoo support are wrapped in preprocessor conditionals. A new build configuration named "CuckooRelease" builds PwnyPot.dll with Cuckoo support; the old "Release" configuration still builds the DLL with the original configuration and analysis output.
Against my expectations, I managed to implement all these changes, including tests and documentation, around the mid-term evaluation. My plan was to use the rest of the time to improve PwnyPot itself. At that time, my knowledge of concrete exploitation and exploit mitigation techniques was quite limited, so I chose only a few features that I expected to be reasonably easy to implement. After some research I decided to work on the following features:
- Detect direct DEP disabling: SetProcessDEPPolicy, NtSetInformationProcess
- Detect LdrHotPatchRoutine (cf. TechNet blog)
- Prevent overwrites via WriteProcessMemory
- Structured Exception Handler Overwrite Protection (enable the OS option on Windows Vista and later, own implementation for earlier versions)
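To make the SEHOP item concrete, the following is an added example (not PwnyPot's code) of the chain walk that SEHOP performs before an exception is dispatched: every _EXCEPTION_REGISTRATION_RECORD reachable from FS:[0] must lie inside the thread's stack, be 4-byte aligned and not form a loop, and the chain must end in the record whose handler is the known final handler (ntdll!FinalExceptionHandler on Windows). A classic SEH overwrite replaces the Next pointer and the handler of one record with attacker data, which breaks this invariant. The code is portable C: the stack, the records, the handler names and the attacker values are all constructed inline so it runs outside Windows, and none of the addresses refer to real modules.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the 32-bit _EXCEPTION_REGISTRATION_RECORD: Next pointer first,
 * then Handler. FS:[0] points at the first record of the chain. */
typedef void (*seh_handler_t)(void);
typedef struct exc_reg {
    struct exc_reg *next;
    seh_handler_t   handler;
} exc_reg_t;

#define EXCEPTION_CHAIN_END ((exc_reg_t *)(uintptr_t)-1)
#define MAX_CHAIN_DEPTH     64

/* Stand-ins (assumed names) for ntdll!FinalExceptionHandler and for a
 * handler the program registered itself. Only their addresses matter. */
static void final_exception_handler(void) {}
static void program_handler(void) {}

enum seh_check {
    SEH_OK = 0,
    SEH_RECORD_OUTSIDE_STACK,   /* Next points outside the thread stack */
    SEH_RECORD_MISALIGNED,      /* record is not 4-byte aligned */
    SEH_CHAIN_LOOP,             /* Next points back to an earlier record */
    SEH_CHAIN_TOO_LONG,         /* more records than any sane program registers */
    SEH_BAD_FINAL_HANDLER       /* chain does not end in the final handler */
};

/* Walk the chain from head the way SEHOP does: every record must lie inside
 * [stack_lo, stack_hi) and be aligned, and the last record (Next == END)
 * must be the one carrying final_handler. */
static enum seh_check sehop_validate(const exc_reg_t *head, const void *stack_lo,
                                     const void *stack_hi, seh_handler_t final_handler)
{
    const exc_reg_t *seen[MAX_CHAIN_DEPTH];
    const exc_reg_t *cur = head;
    int depth = 0;

    while (cur != EXCEPTION_CHAIN_END) {
        const char *p = (const char *)cur;
        if (p < (const char *)stack_lo || p + sizeof *cur > (const char *)stack_hi)
            return SEH_RECORD_OUTSIDE_STACK;
        if (((uintptr_t)p & 3u) != 0)
            return SEH_RECORD_MISALIGNED;
        if (depth >= MAX_CHAIN_DEPTH)
            return SEH_CHAIN_TOO_LONG;
        for (int i = 0; i < depth; i++)
            if (seen[i] == cur)
                return SEH_CHAIN_LOOP;
        seen[depth++] = cur;
        if (cur->next == EXCEPTION_CHAIN_END && cur->handler != final_handler)
            return SEH_BAD_FINAL_HANDLER;
        cur = cur->next;
    }
    return depth > 0 ? SEH_OK : SEH_BAD_FINAL_HANDLER;
}

/* Constructed thread stack (32 record slots) plus one record living
 * elsewhere, e.g. on the heap, to play the attacker-controlled target. */
#define STACK_SLOTS 32
static exc_reg_t g_stack[STACK_SLOTS];
static exc_reg_t g_heap_record;

static enum seh_check check(const exc_reg_t *head)
{
    return sehop_validate(head, g_stack, g_stack + STACK_SLOTS, final_exception_handler);
}

/* Intact chain: FS:[0] -> slot 2 -> slot 9 -> slot 30 (final handler) -> END. */
static exc_reg_t *build_valid_chain(void)
{
    memset(g_stack, 0, sizeof g_stack);
    g_stack[30].next = EXCEPTION_CHAIN_END; g_stack[30].handler = final_exception_handler;
    g_stack[9].next  = &g_stack[30];        g_stack[9].handler  = program_handler;
    g_stack[2].next  = &g_stack[9];         g_stack[2].handler  = program_handler;
    return &g_stack[2];
}

enum seh_check scenario_intact(void) { return check(build_valid_chain()); }

/* Classic SEH overwrite: an overflow in the frame owning slot 9 replaced Next
 * with a short-jump opcode pair and Handler with a gadget address (values constructed). */
enum seh_check scenario_seh_overwrite(void)
{
    exc_reg_t *head = build_valid_chain();
    g_stack[9].next    = (exc_reg_t *)(uintptr_t)0x909006EBu;    /* bytes "EB 06 90 90" */
    g_stack[9].handler = (seh_handler_t)(uintptr_t)0x41414141u;  /* POP POP RET stand-in */
    return check(head);
}

/* Attacker points Next at a well-formed record they control outside the stack. */
enum seh_check scenario_record_off_stack(void)
{
    exc_reg_t *head = build_valid_chain();
    g_heap_record.next = EXCEPTION_CHAIN_END;
    g_heap_record.handler = final_exception_handler;
    g_stack[9].next = &g_heap_record;
    return check(head);
}

/* Chain cut short so the final-handler record is never reached. */
enum seh_check scenario_truncated(void)
{
    exc_reg_t *head = build_valid_chain();
    g_stack[9].next = EXCEPTION_CHAIN_END;
    return check(head);
}

/* Next pointed back at an earlier record: an unguarded walk would never end. */
enum seh_check scenario_loop(void)
{
    exc_reg_t *head = build_valid_chain();
    g_stack[9].next = &g_stack[2];
    return check(head);
}

int main(void)
{
    printf("intact=%d overwrite=%d off_stack=%d truncated=%d loop=%d\n",
           scenario_intact(), scenario_seh_overwrite(), scenario_record_off_stack(),
           scenario_truncated(), scenario_loop());
    return 0;
}
```

The off-stack case is the reason SEHOP checks the stack bounds and not just the final handler: an attacker who can place a complete record elsewhere could otherwise forge a chain that terminates correctly. An in-process implementation for Windows versions without the OS option would run this walk from a vectored exception handler, which is invoked before the frame-based SEH dispatcher reaches the tampered record, taking the stack limits from the thread's TIB (StackBase and StackLimit).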
How to use PwnyPot with Cuckoo
Both code repositories are hosted on GitHub: Pwnypot – Cuckoo. In the Pwnypot repository I used the branch "cuckoo_integration" and in the Cuckoo repository the branch "pwnypot_integration". If you just want to use Cuckoo with PwnyPot, there is no need to check out the Pwnypot repository: the pwnypot_integration branch already contains PwnyPot.dll with Cuckoo support.
Note: For a more detailed documentation of usage, features and configuration parameters please read the HTML documentation in cuckoo/docs/book/src or build it inside this directory with `make html`. The documentation to setup Cuckoo, the host and the guest can be found on this website.
Configuration of PwnyPot is done in conf/pwnypot.conf. To analyze a file or URL you can use the web interface or the submit.py script inside the utils folder. Example usage with submit.py:
./submit.py --package ie --options dll=PwnyPot.dll --url http://example.com
The web interface can be started by changing directory to web/ and by executing
python manage.py runserver
For the web interface of Cuckoo 1.0 you need to have MongoDB enabled in conf/reporting.conf. After the analysis you should see your results by following the "Recent" link in the top navigation of the web interface.
If you allow malware execution in the PwnyPot configuration, cuckoomon.dll is injected into the malware process, so the behavior of the malware after exploitation is analyzed by Cuckoomon. If such a behavior analysis has been performed, you will find this information in the PwnyPot tab under "Malware Execution".
I do not regret participating in this year's Google Summer of Code. It was a huge amount of work, but I have also learned a lot. Special thanks to my mentors Georg Wicherski, Mark Schlösser and Shahriyar Jalayeri, who were always available for questions. I will try to continue contributing to both projects in the future.