Sanctum is a proof-of-concept EDR-like tool, designed to detect modern malware techniques above and beyond the capabilities of antivirus. Built in Rust.
Intercept syscalls and inspect the parameters being passed: is anything suspicious going on? Some key syscalls of interest:
Creating remote threads
Allocating memory in foreign processes
Notes
This may be required more from the injected DLL, but research whether this can also be done in the kernel. If so, this feature / issue should handle overwriting syscalls with jumps to the Sanctum DLL for inspection. This telemetry should then be sent back to the engine for processing, in tandem with any kernel messages.
Additional features:
[ ] If the driver can intercept syscalls once they reach the kernel, then it would be good to check that the injected DLL was also privy to the call; if it wasn't, it could indicate Hell's Gate / Heaven's Gate style evasion etc.
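The following is an added illustration of the two ideas above (parameter inspection of the key syscalls, and cross-checking kernel observations against the injected DLL's hook); it is not code from the Sanctum project. It assumes hypothetical telemetry records carrying a per-thread sequence number so that a kernel-side observation can be matched to the corresponding user-mode hook observation; a kernel record with no user-mode counterpart is flagged as a bypassed hook, and remote thread creation or remote RWX allocation is flagged from the parameters. The sample events are constructed inline.

```rust
use std::collections::HashSet;

/// Where an observation of a syscall came from. Constructed for this example;
/// Sanctum's real telemetry types are not shown on the page.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
enum Source {
    /// Hook placed by the injected user-mode DLL.
    UserDll,
    /// Kernel-side observation by the driver.
    Kernel,
}

/// A single observed syscall with the parameters a detector cares about.
#[derive(Debug, Clone, PartialEq, Eq)]
struct SyscallEvent {
    source: Source,
    pid: u32,
    tid: u32,
    /// Hypothetical monotonic per-thread counter so the two sources can be matched 1:1.
    seq: u64,
    name: &'static str,
    /// Target process of the syscall (equal to `pid` for self-directed calls).
    target_pid: u32,
    /// Page protection requested, as the PAGE_* constant value (0 if not applicable).
    protect: u32,
}

const PAGE_EXECUTE_READWRITE: u32 = 0x40;

#[derive(Debug, PartialEq, Eq)]
enum Finding {
    /// Kernel saw the syscall but the user-mode hook did not: consistent with
    /// a direct syscall (Hell's Gate / Heaven's Gate style evasion).
    HookBypassed { tid: u32, seq: u64, name: &'static str },
    /// Thread created in a process other than the caller.
    RemoteThread { pid: u32, target_pid: u32 },
    /// Executable+writable memory allocated in another process.
    RemoteRwxAlloc { pid: u32, target_pid: u32 },
}

/// Correlate kernel and user-mode observations and flag suspicious activity.
fn analyse(events: &[SyscallEvent]) -> Vec<Finding> {
    let mut findings = Vec::new();

    // Index of everything the user-mode DLL saw, keyed by (pid, tid, seq).
    let seen_by_dll: HashSet<(u32, u32, u64)> = events
        .iter()
        .filter(|e| e.source == Source::UserDll)
        .map(|e| (e.pid, e.tid, e.seq))
        .collect();

    for e in events.iter().filter(|e| e.source == Source::Kernel) {
        // 1. A kernel-only observation means the user-mode hook was skipped.
        if !seen_by_dll.contains(&(e.pid, e.tid, e.seq)) {
            findings.push(Finding::HookBypassed { tid: e.tid, seq: e.seq, name: e.name });
        }
        // 2. Parameter inspection on the key syscalls named in the issue.
        match e.name {
            "NtCreateThreadEx" if e.target_pid != e.pid => {
                findings.push(Finding::RemoteThread { pid: e.pid, target_pid: e.target_pid });
            }
            "NtAllocateVirtualMemory"
                if e.target_pid != e.pid && e.protect == PAGE_EXECUTE_READWRITE =>
            {
                findings.push(Finding::RemoteRwxAlloc { pid: e.pid, target_pid: e.target_pid });
            }
            _ => {}
        }
    }
    findings
}

/// Constructed sample telemetry: a benign self-allocation seen by both sources,
/// a remote RWX allocation seen by both, and a remote thread creation that only
/// the kernel saw (the user-mode hook was bypassed).
fn sample_events() -> Vec<SyscallEvent> {
    let ev = |source: Source, seq: u64, name: &'static str, target_pid: u32, protect: u32| {
        SyscallEvent { source, pid: 1234, tid: 5678, seq, name, target_pid, protect }
    };
    vec![
        ev(Source::UserDll, 1, "NtAllocateVirtualMemory", 1234, PAGE_EXECUTE_READWRITE),
        ev(Source::Kernel, 1, "NtAllocateVirtualMemory", 1234, PAGE_EXECUTE_READWRITE),
        ev(Source::UserDll, 2, "NtAllocateVirtualMemory", 4321, PAGE_EXECUTE_READWRITE),
        ev(Source::Kernel, 2, "NtAllocateVirtualMemory", 4321, PAGE_EXECUTE_READWRITE),
        // seq 3: no UserDll record, only the kernel observed it.
        ev(Source::Kernel, 3, "NtCreateThreadEx", 4321, 0),
    ]
}

fn main() {
    for f in analyse(&sample_events()) {
        println!("{f:?}");
    }
}
```

The sequence-number correlation is the assumption doing the work here: in a real driver the user-mode hook and the kernel observation would need a shared key (thread id plus a counter or timestamp window) before the "kernel saw it, DLL did not" check is meaningful, and the self-directed allocation shows why the target-process check is needed to keep ordinary JIT-style allocations from firing the remote-memory rule.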