Checking Pipe

Created the Monday 11 March 2019. Updated 1 month ago.

Cuckoo is an open-source automated malware analysis system that performs dynamic analysis by running suspicious files in isolated virtual environments.

To facilitate communication between the host system (analysis environment) and the guest system (execution environment), Cuckoo uses a named pipe: \.\pipe\cuckoo

Detection Technique

Malware running inside the guest can check for the existence of this named pipe. If the pipe is present, it indicates that the sample is being executed within a Cuckoo-monitored virtual machine.

Based on this detection, the malware may alter its behavior to evade analysis, such as avoiding malicious actions or delaying execution.

Technique Identifier

U1329

Technique Tags

Sandbox Cuckoo Host system Guest system Communication Named pipe Virtual environment

Code Snippets

Description

In this code, we use the open function to attempt to open the \.\pipe\cuckoo named pipe for reading. If the named pipe exists and can be opened, the open function will return a file descriptor greater than or equal to zero. In this case, we conclude that we are running on a virtual machine, and we print a message indicating this. If the named pipe does not exist, the open function will return a negative value, and we conclude that we are running on a physical machine. In both cases, we print a message indicating the type of machine we are running on.

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>

int main()
{
    // Attempt to open the Cuckoo named pipe
    int fd = open("\\\\.\\pipe\\cuckoo", O_RDONLY);
    if (fd >= 0) {
        // The named pipe exists, so we are running on a virtual machine
        printf("We are running on a virtual machine.\n");
        close(fd);
    } else {
        // The named pipe does not exist, so we are running on a physical machine
        printf("We are running on a physical machine.\n");
    }

    return 0;
}

About Author Open Snippet

Author: Thomas Roccia (fr0gger) / Target Platform: Windows

#include <stdio.h>
#include <Windows.h>

int main() {
    const char *pipeName = "\\\\.\\pipe\\cuckoo";

    BOOL pipeExists = WaitNamedPipeA(pipeName, 10000);

    if (pipeExists) {
        printf("Cuckoo Sandbox detected via named pipe.\n");
        return 1;
    } else {
        printf("No Cuckoo pipe found. Proceeding..\n");
    }

    return 0;
}

About Author Open Snippet

Author: HoIIovv / Target Platform: Windows

Detection Rules

rule detect_cuckoo_named_pipe
{
    meta:
        description = "Detect executables that check for Cuckoo Sandbox via \\\\.\\pipe\\cuckoo using WaitNamedPipeA/W"
        author = "Nicola Bottura"
        date = "2025-07-23"
        reference  = "User‐provided C code snippet (techniques/DetectCuckooNamedPipe/detect_cuckoo.c)"

    strings:
        $pipe_ascii = "\\\\.\\pipe\\cuckoo"
        $pipe_wide = { 5C 00 5C 00 2E 00 5C 00 70 00 69 00 70 00 65 00 5C 00 63 00 75 00 63 00 6B 00 6F 00 6F 00 }
        $api_A = "WaitNamedPipeA"
        $api_W = "WaitNamedPipeW"

    condition:
        $pipe_ascii and $api_A or $pipe_wide and $api_W
}

Contributor

HoIIovv

Additional Resources

External Links

The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.

Sandbox Evasion Cheat Sheet