Integrate Zer0m0n project or develop kernel monitoring #490
Comments
|
Hi, Yes, thanks for the reminder, it has been on my todo list for quite a while, but I have to find the time for it to properly integrate it upstream ;) Jurriaan |
|
Good to hear 👍 |
|
There are several reasons why monitoring was kept in userland. Kernelmode monitoring doesn't give as much granularity and flexibility in what we can do. Besides being an incredible hassle to maintain for multiple platforms in the long run. For what it's worth, we won't replace usermode hooking with kernelmode. Perhaps make them complementary at most. |
|
"Kernelmode monitoring doesn't give as much granularity and flexibility in what we can do". I agree with the fact hooking SSDT isn't an easy task on multiple platforms, but the researcher can help a little bit on modern OSs with disabling patchguard. Not asking to replace the userland hooking but provide an option to choose a preferred way. |
botherder
changed the title
|
How is the development going on for this feature ? Any release dates yet ? |
Hello
There's a fact, malware can easily detect cuckoo hooks, even with the DLL hidden.
Why not go deeper and do the analysis from kernel mode?
This is what zer0m0n does, why not integrate its development into cuckoo official repo?
https://github.com/conix-security/zer0m0n
The text was updated successfully, but these errors were encountered: