Open chigosec opened 6 years ago
Hey @chigosec ,
Indeed, this is a good feature to add, I had it on my to-do list.
I will try to detect inline hooks in a global manner.
Thx for your reply. Great project!!!
@gsuberland what do you think of:
Then we can just read X number of bytes and do a memcmp.
@LordNoteworthy I think we're already covering this in #139.
Checking if the DLL is signed and verified isn't much use because they can just hook the verification APIs. It may be useful as a separate check, although to be honest I'd just call `GetModuleFileName` on handles to a bunch of DLL modules and fail if the resultant path is not inside %sysdir% (query this via `GetSystemDirectory`). Checking the signed status seems irrelevant at that point.
The problem with memcmp'ing code in mem vs disk is that there are relocation fixups applied so the data won't match. You also run into the problem where the function EP is actually a jump to the implementation (`E9 XX XX XX XX`) so you'd have to heuristically detect that and resolve the jump address. I'm working on this for enhanced generic hook detection and the main module integrity check (#139) but it is non-trivial and involves parsing most of the structures for PE32 and PE64 files. But, once it's done, we'll have a generic PE parser API that we can use in any check.
I've opened #144 to cover the `GetModuleFileName` approach.
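The two heuristics in the comment above, resolving an `E9 rel32` jump at a function entry point and then comparing the bytes that actually execute against a disk copy, as an added portable example. This is not al-khaser's code: the "module" is a constructed 64-byte buffer mapped at an assumed base, the disk copy is assumed to already have relocations applied (so the prologue bytes are directly comparable), and only the `E9` near-jump form is decoded. The function offsets, base address and prologue bytes are made up for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed layout (assumptions for the demo, not from any real DLL). */
#define IMG_SIZE     64u
#define IMG_BASE     ((uintptr_t)0x10000000u)   /* where the image is "mapped" */
#define FN_RVA       0x10u                      /* exported function entry */
#define IMPL_RVA     0x30u                      /* target of a legitimate forwarding jmp */
#define PROLOGUE_LEN 8u                         /* bytes compared after jump resolution */
#define OUTSIDE_VA   ((uintptr_t)0x7FFE0000u)   /* an address outside the module */

enum verdict { HOOK_NONE = 0, HOOK_JMP_OUTSIDE_MODULE = 1, HOOK_BYTES_DIFFER = 2, HOOK_MALFORMED = 3 };

/* Decode E9 rel32 at `code` (little-endian), whose VA is `va`. Returns 1 and sets *target on a jmp. */
static int resolve_near_jmp(const uint8_t *code, uintptr_t va, uintptr_t *target)
{
    if (code[0] != 0xE9) return 0;
    uint32_t u = (uint32_t)code[1] | ((uint32_t)code[2] << 8) |
                 ((uint32_t)code[3] << 16) | ((uint32_t)code[4] << 24);
    int32_t rel = (int32_t)u;                   /* rel32 is relative to the next instruction */
    *target = va + 5 + (uintptr_t)(intptr_t)rel;
    return 1;
}

/* Encode E9 rel32 jumping from `from_va` to `to_va` (used only to build test images). */
static void put_near_jmp(uint8_t *p, uintptr_t from_va, uintptr_t to_va)
{
    uint32_t u = (uint32_t)(int32_t)((intptr_t)to_va - (intptr_t)(from_va + 5));
    p[0] = 0xE9; p[1] = (uint8_t)u; p[2] = (uint8_t)(u >> 8);
    p[3] = (uint8_t)(u >> 16); p[4] = (uint8_t)(u >> 24);
}

/* Follow E9 jumps at the entry (bounded), flag jumps leaving the module, then memcmp the prologue. */
static enum verdict check_entry(const uint8_t *mem, const uint8_t *disk, size_t size,
                                uintptr_t base, size_t rva)
{
    size_t cur = rva;
    for (int hops = 0; hops < 4; hops++) {      /* bound the chain so a jmp loop can't hang us */
        uintptr_t target;
        if (cur + 5 > size) return HOOK_MALFORMED;
        if (!resolve_near_jmp(mem + cur, base + cur, &target)) break;
        if (target < base || target >= base + size) return HOOK_JMP_OUTSIDE_MODULE;
        /* An in-module jmp is only benign if the disk image carries the very same jmp. */
        if (memcmp(mem + cur, disk + cur, 5) != 0) return HOOK_BYTES_DIFFER;
        cur = (size_t)(target - base);
    }
    size_t n = PROLOGUE_LEN;
    if (cur + n > size) n = size - cur;
    return memcmp(mem + cur, disk + cur, n) == 0 ? HOOK_NONE : HOOK_BYTES_DIFFER;
}

/* Constructed image: int3 padding with the same prologue bytes at FN_RVA and IMPL_RVA. */
static void build_image(uint8_t *img)
{
    static const uint8_t prologue[PROLOGUE_LEN] = {0x48,0x89,0x5C,0x24,0x08,0x48,0x89,0x74};
    memset(img, 0xCC, IMG_SIZE);
    memcpy(img + FN_RVA, prologue, PROLOGUE_LEN);
    memcpy(img + IMPL_RVA, prologue, PROLOGUE_LEN);
}

int demo_clean(void)                 /* memory == disk: nothing to report */
{
    uint8_t disk[IMG_SIZE], mem[IMG_SIZE];
    build_image(disk); memcpy(mem, disk, IMG_SIZE);
    return check_entry(mem, disk, IMG_SIZE, IMG_BASE, FN_RVA);
}

int demo_inline_hook(void)           /* classic 5-byte inline hook written over the entry */
{
    uint8_t disk[IMG_SIZE], mem[IMG_SIZE];
    build_image(disk); memcpy(mem, disk, IMG_SIZE);
    put_near_jmp(mem + FN_RVA, IMG_BASE + FN_RVA, OUTSIDE_VA);
    return check_entry(mem, disk, IMG_SIZE, IMG_BASE, FN_RVA);
}

int demo_forwarder_clean(void)       /* entry is a jmp to the implementation, on disk as well */
{
    uint8_t disk[IMG_SIZE], mem[IMG_SIZE];
    build_image(disk);
    put_near_jmp(disk + FN_RVA, IMG_BASE + FN_RVA, IMG_BASE + IMPL_RVA);
    memcpy(mem, disk, IMG_SIZE);
    return check_entry(mem, disk, IMG_SIZE, IMG_BASE, FN_RVA);
}

int demo_forwarder_hooked_impl(void) /* entry jmp is intact; the hook sits on the implementation */
{
    uint8_t disk[IMG_SIZE], mem[IMG_SIZE];
    build_image(disk);
    put_near_jmp(disk + FN_RVA, IMG_BASE + FN_RVA, IMG_BASE + IMPL_RVA);
    memcpy(mem, disk, IMG_SIZE);
    put_near_jmp(mem + IMPL_RVA, IMG_BASE + IMPL_RVA, OUTSIDE_VA);
    return check_entry(mem, disk, IMG_SIZE, IMG_BASE, FN_RVA);
}

int main(void)
{
    printf("clean=%d inline_hook=%d forwarder_clean=%d forwarder_hooked_impl=%d\n",
           demo_clean(), demo_inline_hook(), demo_forwarder_clean(), demo_forwarder_hooked_impl());
    return 0;
}
```

The last scenario is the one that a naive "compare five bytes at the export" check misses: the export still looks like the on-disk forwarding `jmp`, and only after resolving it does the out-of-module jump at the real implementation show up. The `GetModuleFileName`/`GetSystemDirectory` path check from the comment is Windows-specific and is not part of this portable example.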
Hey @gsuberland I totally agree about the two points you made, let's go with your approach then.
Hey.
Sysmon and SIEM (security information and event management) systems have become mainstream and a trend, such as Graylog, LogRhythm etc. These systems have their own log collection agents; we can detect them. I am sorry that I have not seen the real environment and cannot provide some useful information.
Anti-cuckoo, like this: https://github.com/David-Reguera-Garcia-Dreg/anticuckoo