Checking Pipe

Created the Monday 11 March 2019. Updated 6 months, 3 weeks ago.

Cuckoo is a malware analysis system that uses a named pipe, called \.\pipe\cuckoo, for communication between the host system (where the malware is being analyzed) and the guest system (where the malware is running).

A malware that is running on the guest system can detect the presence of a virtual environment by attempting to access the \.\pipe\cuckoo named pipe. If the named pipe exists, it indicates that the malware is running on a virtual machine being monitored by Cuckoo. This information can be used by the malware to adjust its behavior in order to evade detection or to avoid performing certain actions.

Technique Identifier

U1329

Technique Tags

Sandbox Cuckoo Host system Guest system Communication Named pipe Virtual environment

Code Snippets

Description

In this code, we use the open function to attempt to open the \.\pipe\cuckoo named pipe for reading. If the named pipe exists and can be opened, the open function will return a file descriptor greater than or equal to zero. In this case, we conclude that we are running on a virtual machine, and we print a message indicating this. If the named pipe does not exist, the open function will return a negative value, and we conclude that we are running on a physical machine. In both cases, we print a message indicating the type of machine we are running on.

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>

int main()
{
    // Attempt to open the Cuckoo named pipe
    int fd = open("\\\\.\\pipe\\cuckoo", O_RDONLY);
    if (fd >= 0) {
        // The named pipe exists, so we are running on a virtual machine
        printf("We are running on a virtual machine.\n");
        close(fd);
    } else {
        // The named pipe does not exist, so we are running on a physical machine
        printf("We are running on a physical machine.\n");
    }

    return 0;
}

Additional Resources

External Links

The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.

Sandbox Evasion Cheat Sheet