Re: [Capture-HPC] Virtualisation and Emulation Detection

Fri, 04 Apr 2008 13:19:39 -0700 

> If you have a AI which reads captchas please tell me :). Personally I
> think its not possible to implement a such system, or how you deal with
> non windows forms components (there exists a lot of installer packer
> which do not use standard windows forms) so you can't read any form fields? 


Yeah thats true :) Reading captches however in some cases is fairly 
easy, i've seen some interesting solutions but they were extremely 
difficult and I don't think I have the brains or skills to do something 
like that. Do you have any system implemented which automates clicking 
on windows?


Joe wrote:

Hi guys

Thanks for your answers.

Capture at the moment doesn't hide itself from any malware, I don't
think its well known enough yet to need to :) I'm not a big fan of
hiding that we are virtualised as its becoming more common to run
applications in a virtualised environment (commercially) but for home
purposes its definatly a problem as the average user won't be running
in a virtualised environment. Beats me how to do it.


Do you have any experiences with this in Joebox? 

Its definitely a fact that some crypter have features to detect
virtualisation and emulation environments to prevent analysis. I have
some samples which crashes on vmware, virtualpc and qemu. So anubis and
cwsandbox detect only a strange return error :).

We use an event system, which are kernel drivers that use common
exposed API functions in the kernel to monitor, we don't use any hooking.

Ok thats a good idea, since hooking is very challenging and sometimes
really difficult.

Thats an interesting feature which I have got planned for the next
major version. If shouldn't be too difficult to create ... basically
some monitor which detects when windows are open, and uses some AI to
determine how to interact with it ... simple ... I wish!

If you have a AI which reads captchas please tell me :). Personally I
think its not possible to implement a such system, or how you deal with
non windows forms components (there exists a lot of installer packer
which do not use standard windows forms) so you can't read any form fields?

Any news on Joebox? I haven't looked at your website in a while sorry. 

I will release some news during the next week.

Kind Regards

Joe
Joe Security
www.joebox.org
_______________________________________________
Capture-HPC mailing list
Capture-HPC@public.honeynet.org
https://public.honeynet.org/mailman/listinfo/capture-hpc

_______________________________________________
Capture-HPC mailing list
Capture-HPC@public.honeynet.org
https://public.honeynet.org/mailman/listinfo/capture-hpc























					Reply via email to