anticuckoo fails to... #1

@jnferguson

Description

I'm actually submitting a feature request for your own benefit, as I will never get around to doing this myself.

  1. You should look at the processor errata and similar and look for places where the native processor behaves differently (I've not looked at cuckoo internals, so I'm not positive how it virtualizes precisely; although system hooks implies a totally different model).
  2. Hypercalls.
  3. Timing issues that are inherent in any sandbox.
  4. There was a decent write-up about the use of uninitialized memory and its semi-predictability when surrounded by certain Windows API calls; I would imagine that in some cases hooks would tamper with that.

Then!
Screw crashing the sandbox; once it's detected, unpack a totally different malware sample. For instance, if you have supersecretbadassmalware.exe and it is packed, then have your unpacking code branch on virtualization detection and unpack wellknownmalwaresample.exe. This will cause it to be flagged as benign by the analyst in some instances, and your supersecretbadassmalware.exe will go ignored because the analyst thought they were looking at something totally different.

Manual analysis where possible FTW.