LordNoteworthy / al-khaser

Public malware techniques used in the wild: Virtual Machine, Emulation, Debuggers, Sandbox detection.
GNU General Public License v2.0

Anti cuckoo and SIEM detect #142

Open chigosec opened 6 years ago

chigosec commented 6 years ago

Anti-cuckoo, like this: https://github.com/David-Reguera-Garcia-Dreg/anticuckoo

LordNoteworthy commented 6 years ago

Hey @chigosec ,

Indeed, this is a good feature to add, I had it on my to-do list.

I will try to detect inline hooks in a global manner.

chigosec commented 6 years ago

Thx for your reply. Great project!!!

LordNoteworthy commented 6 years ago

@gsuberland what do you think of:

  1. Reading the DLL (like kernel32.dll) from disk.
  2. Checking if it is signed and verified (in case the sandbox provides a tampered DLL).
  3. Parsing the exports and looking for interesting API functions.

Then we can just read X number of bytes and do a memcmp.

gsuberland commented 6 years ago

@LordNoteworthy I think we're already covering this in #139.

Checking if the DLL is signed and verified isn't much use because they can just hook the verification APIs. It may be useful as a separate check, although to be honest I'd just call GetModuleFileName on handles to a bunch of DLL modules and fail if the resultant path is not inside %sysdir% (query this via GetSystemDirectory). Checking the signed status seems irrelevant at that point.

The problem with memcmp'ing code in mem vs disk is that there are relocation fixups applied so the data won't match. You also run into the problem where the function EP is actually a jump to the implementation (E9 XX XX XX XX) so you'd have to heuristically detect that and resolve the jump address. I'm working on this for enhanced generic hook detection and the main module integrity check (#139) but it is non-trivial and involves parsing most of the structures for PE32 and PE64 files. But, once it's done, we'll have a generic PE parser API that we can use in any check.

gsuberland commented 6 years ago

I've opened #144 to cover the GetModuleFileName approach.

LordNoteworthy commented 6 years ago

Hey @gsuberland I totally agree about the two points you made, let's go with your approach then.

chigosec commented 6 years ago

Hey.
Sysmon and SIEM (security information and event management) have become mainstream and a trend, e.g. Graylog, LogRhythm, etc. These systems have their own log collection agents; we can detect them. I am sorry that I have not seen the real environment and cannot provide more useful information.