This repository has been archived by the owner on Apr 26, 2021. It is now read-only.
Thanks for contributing! But first: did you read our community guidelines?
https://cuckoo.sh/docs/introduction/community.html
What I have added/changed is:
Configuration option and ability to limit the number of calls a process makes included in the `report.json`.

The goal of my change is:
There are certain samples that use an unusually high amount of native API calls, which can be indicative of an anti-sandbox technique called API Hammering (ex. 9d4997249a633b7488270a550eafe4576362f7a9128eb20901669283f4746958). This causes the `report.json` to get very large, >1 GB for some samples, all because a sample used `FindResourceExW` 500,000 times. I think it's fair to say that there should be an option to limit the number of calls included in the `report.json`; albeit lossy, at least it allows for the configuration option to exist. Depending on the setup that consumes Cuckoo output, `report.json` is required to be loaded into memory in order to be parsed, and by setting a limit on the number of high-volume calls being made, this consumption is easier/possible for samples that use this technique and allows for most calls that we care about to be included in the `report.json` as well. There were older issues and PRs created to address this: #1942, #365, #366.
I wrote a Cuckoo signature that hits on API Hammering as well: cuckoosandbox/community#484
What I have tested about my change is:
Manual testing using a variety of samples.
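The per-API cap the PR describes, shown as an added example that is not Cuckoo's own code or this PR's diff. It assumes a per-process call list shaped like the `calls` array in `report.json` (a list of dicts with an `api` key), a hypothetical option name `max_calls_per_api`, and a small constructed sample in place of a real hammering trace. Rather than silently truncating, it records how many records of each API were dropped, so a consumer of the report can still see that a process hammered an API even after the bulk of the records are gone.

```python
"""Cap the number of repeated API calls kept per process in a Cuckoo-style
behavior log.

Added example, not Cuckoo's code: the option name `max_calls_per_api`, the
call-record shape and the sample data below are all assumptions."""

from collections import Counter

# Constructed sample standing in for one process's "calls" list. A real
# API-hammering sample would repeat a single call hundreds of thousands of
# times; eight repeats are enough to show the behaviour.
SAMPLE_CALLS = (
    [{"api": "FindResourceExW", "status": 1} for _ in range(7)]
    + [{"api": "CreateFileW", "status": 1}]
    + [{"api": "FindResourceExW", "status": 0}]
    + [{"api": "WriteFile", "status": 1}]
)


def cap_calls(calls, max_calls_per_api=None):
    """Return (kept_calls, dropped_counts).

    Keeps at most `max_calls_per_api` records per API name, preserving the
    original order, and counts the records dropped for each API so the
    reduction is visible in the report. None means no limit (current
    Cuckoo behaviour, everything is kept).
    """
    if max_calls_per_api is None:
        return list(calls), {}
    seen = Counter()
    dropped = Counter()
    kept = []
    for call in calls:
        api = call["api"]
        if seen[api] < max_calls_per_api:
            seen[api] += 1
            kept.append(call)
        else:
            dropped[api] += 1
    return kept, dict(dropped)


def summarize(calls, max_calls_per_api=None):
    """Build a compact per-process summary: the capped call list, the true
    total, and which APIs were capped (a cheap hammering indicator)."""
    kept, dropped = cap_calls(calls, max_calls_per_api)
    return {
        "calls": kept,
        "total_calls": len(calls),
        "dropped": dropped,
        "capped_apis": sorted(dropped),
    }


if __name__ == "__main__":
    import json

    print(json.dumps(summarize(SAMPLE_CALLS, max_calls_per_api=3), indent=2))
```

Keeping `total_calls` and `dropped` alongside the truncated list is the important design choice: the size problem is solved by the cap, while the fact that an API was called an unusual number of times survives for signatures such as the API Hammering one mentioned above.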