{"id":16714032,"url":"https://github.com/therealdreg/anticuckoo","last_synced_at":"2025-09-04T13:49:07.117Z","repository":{"id":33752773,"uuid":"37407995","full_name":"therealdreg/anticuckoo","owner":"therealdreg","description":"A tool to detect and crash Cuckoo Sandbox ","archived":false,"fork":false,"pushed_at":"2024-07-22T22:45:13.000Z","size":4245,"stargazers_count":295,"open_issues_count":2,"forks_count":61,"subscribers_count":36,"default_branch":"master","last_synced_at":"2025-06-02T11:09:16.137Z","etag":null,"topics":["anti-sandbox","cuckoo-crash","cuckoo-detection","cuckoo-hooks","cuckoo-sandbox","hooking","windows","x86"],"latest_commit_sha":null,"homepage":"https://rootkit.es/","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/therealdreg.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":["therealdreg"],"patreon":"dreg","custom":["https://www.paypal.me/therealdreg","https://www.paypal.me/therealdreg"]}},"created_at":"2015-06-14T10:17:12.000Z","updated_at":"2025-05-30T14:33:29.000Z","dependencies_parsed_at":"2024-07-23T02:14:33.915Z","dependency_job_id":"d280f7ed-041e-4425-ac45-cf2ae579dc24","html_url":"https://github.com/therealdreg/anticuckoo","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/therealdreg/anticuckoo","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/therealdreg%2Fanticuckoo","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/therealdreg%2Fanticuckoo/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/therealdreg%2Fanticuckoo/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/therealdreg%2Fanticuckoo/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/therealdreg","download_url":"https://codeload.github.com/therealdreg/anticuckoo/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/therealdreg%2Fanticuckoo/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":273619600,"owners_count":25138238,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-04T02:00:08.968Z","response_time":61,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["anti-sandbox","cuckoo-crash","cuckoo-detection","cuckoo-hooks","cuckoo-sandbox","hooking","windows","x86"],"created_at":"2024-10-12T20:48:55.569Z","updated_at":"2025-09-04T13:49:02.068Z","avatar_url":"https://github.com/therealdreg.png","language":"C","funding_links":["https://github.com/sponsors/therealdreg","https://patreon.com/dreg","https://www.paypal.me/therealdreg"],"categories":[],"sub_categories":[],"readme":"# anticuckoo\nA tool to detect and crash Cuckoo Sandbox. Tested in [Cuckoo Sandbox Official](http://www.cuckoosandbox.org/) and [Accuvant's Cuckoo version](https://github.com/brad-accuvant/cuckoo-modified). \n\nPlease, consider make a donation: https://github.com/sponsors/therealdreg\n\nAnticuckoo can also detect other sandbox like FireEye (-c2):\n\n![ScreenShot](https://github.com/David-Reguera-Garcia-Dreg/anticuckoo/blob/images/fireyee.png)\n\n[Reddit / netsec discussion about anticuckoo.](https://www.reddit.com/r/netsec/comments/3atvmb/anticuckoo_a_tool_to_detect_and_crash_cuckoo/)\n\n## Features \n\n* [Detection](#cuckoo-detection):\n  * Cuckoo hooks detection (all kind of cuckoo hooks).\n  * Suspicius data in own memory (without APIs, page per page scanning).\n* [Crash (Execute with arguments)](#cuckoo-crash) (out of a sandbox these args dont crash the program):\n  * -c1: Modify the RET N instruction of a hooked API with a higher value. Next call to API pushing more args into stack. If the hooked API is called from the Cuckoo's HookHandler the program crash because it only pushes the real API args then the modified RET N instruction corrupt the HookHandler's stack.\n  * -c2: Cuckoomon run threads inside the process, when the tool detects new threads crash!.\n  * -c3: Crashing when detects hook handler activity in the old stack area.\n\nThe overkill methods can be useful. For example using the overkill methods you have two features in one: detection/crash and \"a kind of Sleep\" (Cuckoomon bypass long Sleeps calls).\n\nCrash POCs is only a demostration. A real malware can be use this code to detect cuckoo without crashing it, ex only check the exception, esp etc and after make useless code.\n\n[TODO list](#todo)\n\n### Cuckoo Detection\n\nSubmit Release/anticuckoo.exe to analysis in Cuckoo Sandbox. Check the screenshots (console output). Also you can check Accesed Files in Sumary:\n\n![ScreenShot](https://github.com/David-Reguera-Garcia-Dreg/anticuckoo/blob/images/anticuckoo.png)\n\nAccesed Files in Sumary (django web):\n\n![ScreenShot](https://github.com/David-Reguera-Garcia-Dreg/anticuckoo/blob/images/Sumary.png)\n\n### Cuckoo Crash\n\nSpecify in submit options the crash argument, ex **-c1** (via django web):\n\n![ScreenShot](https://github.com/David-Reguera-Garcia-Dreg/anticuckoo/blob/images/cuckooarguments.png)\n\nAnd check **Screenshots/connect via RDP/whatson connection** to verify the crash. Ex **-c1** via RDP:\n\n![Screenshot](https://github.com/David-Reguera-Garcia-Dreg/anticuckoo/blob/images/cuckoocrash.png)\n\n## TODO\n* Python process \u0026 agent.py detection - 70% DONE\n* Improve hook detection checking correct bytes in well known places (Ex Native APIs always have the same signatures etc.).\n* Cuckoo's TLS entry detection.\n\nNew ideas \u0026 PRs are wellcome.\n\n## Referenced by\n\n* Evasive Malware Understanding Deceptive and Self-Defending Threats by Kyle Cucci https://nostarch.com/evasive-malware\n* Stealthy, Hypervisor-based Malware Analysis - Tamas K Lengyel: https://www.slideshare.net/tklengyel/stealthy-hypervisorbased-malware-analysis\n* Brad Spengler (grsecurity) nice words: https://github.com/brad-sp/community-modified/commit/29587d691242a9ba890877f623fdf2447fe4336f\n* Reddit / netsec discussion about anticuckoo: https://www.reddit.com/r/netsec/comments/3atvmb/anticuckoo_a_tool_to_detect_and_crash_cuckoo/\n* Multiple Instance Learning for Malware Classification - Jan Stiborek, Tomáš Pevný, Martin Rehák: https://arxiv.org/pdf/1705.02268.pdf\n* To Catch a Ratter: Monitoring the Behavior of Amateur DarkComet RAT Operators in the Wild - Brown Farinholt, Mohammad Rezaeirad, Paul Pearce, Hitesh Dharmdasani, Haikuo Yin, Stevens Le Blondk, Damon McCoy, Kirill Levchenko: http://damonmccoy.com/papers/rat-sp17.pdf\n* Hack\u0026Beers Cadiz Análisis de Malware Cuckoo Sandbox - Mario Alberto Parra Alonso: https://www.slideshare.net/MarioAlbertoParraAlo/hackbeers-cadiz-anlisis-de-malware-cuckoo-sandbox\n* Defense in Depth: Detonation Technologies: http://blog.inquest.net/blog/2018/03/12/defense-in-depth-detonation-technologies/\n* Dynamic Reconfiguration of Intrusion Detection Systems - Jan Stiborek: https://dspace.cvut.cz/bitstream/handle/10467/73562/Disertace_Stiborek_2017.pdf\n* New Dynamic Bypass Technique Working in Certain Environments Only: https://asec.ahnlab.com/en/16540/\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftherealdreg%2Fanticuckoo","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftherealdreg%2Fanticuckoo","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftherealdreg%2Fanticuckoo/lists"}