forked from CheckPointSW/InviZzzible
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathCHANGELOG.txt
167 lines (140 loc) · 8.25 KB
/
CHANGELOG.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
November 14th, 2019:
[+] Generic: AudioDeviceAbsence has been added - checks if an audio device is attached to the PC
July 9th, 2019:
[+] Config: added scoring attribute to evasion techniques based on their prevalence and severity
January 31st, 2019:
[+] VEDetection: added user names to be checked as means of detection
[+] VEDetection: added computer names to be checked as means of detection
[+] VEDetection: added host names to be checked as means of detection
[+] VEDetection: added specific files to be checked for their presence as means of detection
December 19th, 2018:
[+] KVM: CPU Hypervisor and Vendor IDs check has been implemented
[+] Generic: BigRamAlloc has been added - tries to allocate big amount of RAM
[+] Generic: UserInputActivity has been added - evasion which utilizes `GetLastInputInfo` API function
[+] Generic: DiskEnum Registry Key chech has been added - checks `System\CurrentControlSet\Services\Disk\Enum` reg key for value `0`=`*virtual`
[+] Generic: Sandbox-like filename check has been added - checks if current file has any of the following patterns in its path: `C:\SELF.EXE`, `.*self\.*`, `.*sample.*`, `.*sandbox.*`, `.*virus.*`, `.*malware.*`
[+] Generic: Processes of AV and research tools check has been added - checks if any of the following processes are running: `avgui.exe`, `avastsvc.exe`, `avastui.exe`, `procmon.exe`, `procmon64.exe`, `procexp.exe`, `procexp64.exe`, `ollydbg.exe`, `windbg.exe`, `avp.exe`, `bdagent.exe`, `bdwtxag.exe`, `dwengine.exe`
[+] Generic: Max Processes number check has been added (disabled)
[+] Generic: Process with a long name check has been added
[+] Hyper-V: CPU HypervisorID check has been added
[+] Parallels: CPU HypervisorID check has been added
[+] QEMU: QEMU DiskEnum Registry Key has been added
[+] Sandboxie: Injected sbiedll module check has been added
[+] VMware: VMWare DiskEnum Registry Key check has been added
[+] Xen: CPU VendorID check has been added
[+] Xen: CPU HypervisorID check has been added
[+] Xen: DiskEnum Registry Key check has been added
[-] Some build warnings have been fixed
April 10th, 2018:
[+] Cuckoo: ResultserverConnection detection technique implemented
April 9th, 2018:
[+] Vbox: added virtual devices to be checked as means of detection
[+] Vbox: added MAC address to be checked as means of detection
[+] VMware: added file names to be checked as means of detection
[+] VMware: added registry paths and values to be checked as means of detection
[+] VMware: added running processes to be checked as means of detection
[+] BOCHS: implementation of detection techniques using VEDetection interface
[+] Hyper-V: implementation of detection techniques using VEDetection interface
[+] JoeBox: implementation of detection techniques using VEDetection interface
[+] Parallels: implementation of detection techniques using VEDetection interface
[+] QEMU: implementation of detection techniques using VEDetection interface
[+] Sandboxie: implementation of detection techniques using VEDetection interface
[+] VirtualPC: implementation of detection techniques using VEDetection interface
[+] Wine: implementation of detection techniques using VEDetection interface
[+] Xen: implementation of detection techniques using VEDetection interface
[+] Miscellaneous sandboxes: implementation of detection techniques using VEDetection interface
[+] Added config for BOCHS evasions: checking registry
[+] Added config for Hyper-V evasions: checking registry, global objects in OS
[+] Added config for JoeBox evasions: checking registry, running processes
[+] Added config for Parallels evasions: checking filesystem, registry, firmware tables, running processes, global objects in OS
[+] Added config for QEMU evasions: checking registry, disk name
[+] Added config for Sandboxie evasions: checking registry, global objects in OS
[+] Added config for VirtualPC evasions: checking registry, firmware tables, disk name, running processes, global devices in OS
[+] Added config for Wine evasions: checking registry
[+] Added config for Xen evasions: checking registry, running processes
[+] Added config for miscellaneous VM and sandboxes evasions
[*] Generic: fixed bug in raw mouse activity check
[*] gitignore: updated
August 4th, 2017:
[+] Generic: raw mouse activity check implemented
August 3rd, 2017:
[*] Generic: DNS response check servers changed
[+] Generic: PerformanceCounter detection technique implemented
[+] Cuckoo: SocketTimeout detection technique implemented
[*] VEDetection: generic interface for drive model vendor added
January 19th, 2017:
[+] Cuckoo: TickCount integrity check implemented
[+] Cuckoo: DelayInterval detection technique implemented
January 9th, 2017:
[+] Cuckoo: SuspendedThread evasion technique implemented
[+] VEDetection: generic interface for drive model implemented
January 6th, 2017:
[+] Cuckoo: Dead Analyzer evasion technique implemented
[+] Cuckoo: differentiation between real and sandbox machines implemented while performing evasions (function hooks are used). If hooks are fixed. then another method should be used.
October 25th, 2016:
[+] VEDetection: DNS module is used now for user notification about detection technique result
September 29th, 2016:
[+] Config: detection/evasion techniques description added
September 28th, 2016:
[*] Cuckoo: detection by configuration file technique reimplemented
[*] Cuckoo: delays accumulation detection technique reimplemented
September 20th, 2016:
[*] Main: default mode (without parameters) executes Cuckoo Sandbox environment checks
[*] Main: report is generated in case of configuration files absence during execution
September 19th, 2016:
[+] VEDetection: File module is used now for user notification about detection technique result
September 1st, 2016:
[+] Config: value_name now support arrays
[+] Config: recursive field added
[+] VEDetection: generic interface for the windows, shared folders, disks checks implemented
August 31st, 2016:
[+] Cuckoo: time tampering sandbox detection method implemented
[+] Report: dummy module that is responsible for HTML report generation implemented
[*] VEDetection: Report module is used now for the report generation
[+] Generic: implementation of detection techniques using VEDetection interface
[+] Generic: DNS response check implemented
[+] VEDetection: generic interface for cpuid vendor check implemented
August 30th, 2016:
[+] VBOX: implementation of detection techniques using VEDetection interface
[+] VEDetection: generic interface for different firmware types, directory objects checks implemented
[+] VMWare: custom checks implemented (port, NDIS_WanIP)
[+] Config: enabled field added
[+] Logger: colored console implemented
[+] Main: banner added
August 29th, 2016:
[+] VEDetection: generic interface for the registries, files, devices, processes, macs, adapters checks implemented
[+] VMWare: implementation of detection techniques using VEDetection interface
[+] Config: new fields added
[+] Config: support for arrays added
August 26th, 2016:
[+] Config: initial configuration implemented
[+] JSON: tiny json implemented
[+] VEDetection: generic interface for reports grabbing and sandbox/virtual environments implemented
[+] Logger: simple logger implemented
[*] Cuckoo: implementation according to VEDetection interface
[+] Main: generic working modes parsing implemented
August 24th, 2016:
[+] Cuckoo: Task Scheduler escape implemented (Windows Vista and upper)
August 22nd, 2016:
[+] Cuckoo: raised exceptions detection implemented
[+] Cuckoo: WMI escape implemented
August 19th, 2016:
[+] Cuckoo: detection by agent.py implemented
[+] Cuckoo: detection based on specific event presence implemented
August 15th, 2016:
[+] Cuckoo: whitelisted process detection implemented
July 28th, 2016:
[+] Cuckoo: reused pid detection implemented
[*] Unicode strings are mostly used now
July 27th, 2016:
[+] Cuckoo: configuration artifacts detection implemented
[*] Helpers: UNICODE drives enumeration
July 25th, 2016
[+] Cuckoo: unbalanced stack detection implemented
[+] Cuckoo: INFINITE delay skip detection implemented
[+] Cuckoo: delays accumulation detection implemented
[+] Cuckoo: functions hooking detection implemented
[+] Cuckoo: agent.py artifacts detection implemented
[+] JSON: skeleton added
[+] 3rd party: boost headers added
[+] gitignore: added