This is the Cuckoo Sandbox Monitor, one of the core elements of Cuckoo Sandbox. CuckooMon provides Cuckoo Sandbox the ability to intercept the execution flow of a potential malicious sample.
Through Cuckoo Sandbox it is able to monitor all kinds of samples, such as executables, office files (Microsoft Word, Microsoft Excel), PDF files, and much more; virtually anything that can be ran on windows (in usermode.)
Compilation of CuckooMon is easiest on a Linux distribution. In particular, when running on a recent Ubuntu machine, the gcc-mingw-w64-i686 package is required.
Running make will compile cuckoomon.dll. To replace ("install") Cuckoo's
DLL by a custom cuckoomon.dll one can run the ./install.sh script. E.g.,
running ./install.sh
will make cuckoomon.dll and copy it to the correct
directory in the Cuckoo directory (which by default is assumed to be at
../cuckoo
.)
Because we switched from diStorm3's disassembler to Capstone disassembler we no longer support the i586-mingw32msvc-cc compiler, which was present in the mingw32 package. It may be possible to get it to work, but at this point I don't see a need for that. Furthermore, compilation under Windows using cygwin will not work right now. However, this may be 'fixed' with some tweaking.
- Jurriaan Bremer
- Mark Schloesser
- Claudio Guarnieri