We are proud to announce that today we are releasing Tycho 1.2. This release features Process Listing, Cuckoo Sandbox Integration and the Autostart Semantic Breakpoint.
With Tycho 1.2 you can now get a list of running processes, and information about them, directly from the Python API. This lets you react to processes being started or terminated, and it makes it easier to connect to processes automatically.
In our next release we will make this even better with the ability to connect to processes with their ID instead of their name. This will allow for completely automatic tracking of new processes via the Python API.
Cuckoo Sandbox Integration
Many users are interested in using Tycho’s advanced sensors in a fully automated sandbox setup. To a malware sample that tries to hide itself, Tycho looks just like a bare-metal machine, so the sandbox is completely invisible to the sample.
On top of that invisibility, Tycho now offers memory dumps and all of its other sophisticated analysis features from within Cuckoo Sandbox.
We will release a special version of Cuckoo Sandbox that works with Tycho soon.
Autostart Semantic Breakpoint
We now have a Semantic Breakpoint that triggers whenever an application adds itself to the Windows Autostart. This is very helpful when reversing droppers. The Autostart Breakpoint can be set via the Python API or from IDA Pro when manually examining a sample.
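To illustrate what such a breakpoint has to recognise, here is an added Python example written for this post (it is not Tycho's API and not code from the tycho-recipes repository): it classifies registry-write events against common Windows autostart locations and flags the ones where a process registers its own image. The event format, the key list and the sample events are assumptions constructed for the example.

```python
# Added example: recognise "process adds itself to Windows Autostart" in
# registry-write events. Not Tycho's API; event shape and key list are assumed.
from dataclasses import dataclass

# Well-known autostart locations, hive-relative and lower-cased.
# Assumption: illustrative, not an exhaustive list of persistence keys.
AUTOSTART_KEYS = (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runonce",
    r"software\microsoft\windows\currentversion\policies\explorer\run",
)
WINLOGON_KEY = r"software\microsoft\windows nt\currentversion\winlogon"
WINLOGON_VALUES = ("shell", "userinit")  # the Winlogon values that autostart

@dataclass(frozen=True)
class RegistryWrite:
    process: str   # image name of the writing process
    key: str       # full key path, e.g. HKCU\Software\...\Run
    value: str     # value name being set
    data: str      # data written (string values only in this example)

def normalize_key(key: str) -> str:
    """Strip the hive prefix and lower-case the remainder."""
    key = key.replace("/", "\\").lower()
    for hive in ("hkey_local_machine\\", "hklm\\", "hkey_current_user\\", "hkcu\\"):
        if key.startswith(hive):
            return key[len(hive):]
    return key

def is_autostart_write(ev: RegistryWrite) -> bool:
    """True when the write lands in an autostart location."""
    key = normalize_key(ev.key)
    if key == WINLOGON_KEY:
        return ev.value.lower() in WINLOGON_VALUES
    return key in AUTOSTART_KEYS

def self_registering(ev: RegistryWrite) -> bool:
    """The 'adds itself' condition: written data names the writer's own image."""
    return is_autostart_write(ev) and ev.process.lower() in ev.data.lower()

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    RegistryWrite("dropper.exe", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater", r"C:\Users\x\AppData\dropper.exe"),
    RegistryWrite("installer.exe", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Vendor", r"C:\Program Files\Vendor\app.exe"),
    RegistryWrite("explorer.exe", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "Hidden", "1"),
    RegistryWrite("dropper.exe", r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", r"explorer.exe,C:\tmp\dropper.exe"),
]

def triggered_events(events=SAMPLE_EVENTS):
    """Events on which an autostart breakpoint of this kind would fire."""
    return [e for e in events if self_registering(e)]
```

The installer event shows the distinction the breakpoint relies on: it writes an autostart key, but registers a different binary, so it is not a process adding itself.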
Take a look at our new tycho-recipes repository that contains examples on how to use Tycho effectively.
Our underlying Secure Virtualization Platform now supports hardware-accelerated APIC virtualization, which considerably improves performance on hardware that provides this feature.
Future versions of Tycho will introduce further high-level Semantic Breakpoints, to allow for easy tracking of Execute-after-Write events or network activity.