Closed tstromberg closed 2 weeks ago
I'll work this into https://github.com/chainguard-dev/bincapz/pull/436 since it will be much more straightforward with the new framework.
I have a working version of this in #436 --
`analyze`:

```
$ go run . analyze samples/linux/clean/ls.x86_64
samples/linux/clean/ls.x86_64 [⚠️ MEDIUM]
------------------------------------------------------------------------------------------------------------------------
RISK  KEY                   DESCRIPTION                            EVIDENCE
------------------------------------------------------------------------------------------------------------------------
LOW   env/TERM              Look up or override terminal settings  TERM
LOW   fs/link/read          read value of a symbolic link          readlink
LOW   kernel/hostname/get   get computer host name                 gethostname
LOW   ref/site/url          contains embedded HTTPS URLs           https://gnu.org/licenses/gpl.html
                                                                   https://translationproject.org/team/
                                                                   https://wiki.xiph.org/MIME_Types_and_File_Extensions
                                                                   https://www.gnu.org/software/coreutils/
MED   process/name/set      get or set the current process name    __progname
------------------------------------------------------------------------------------------------------------------------
```
`scan`:

```
$ go run . scan samples/linux/clean/ls.x86_64
samples/linux/clean/ls.x86_64 [⚠️ MEDIUM]
-------------------------------------------------------------------------
RISK  KEY                   DESCRIPTION                            EVIDENCE
-------------------------------------------------------------------------
MED   process/name/set      get or set the current process name    __progname
-------------------------------------------------------------------------
```
If we want to focus solely on high/critical findings for `scan`, I can filter out the other findings. Example when filtering out anything less than a 3 risk score:
`analyze`:

```
$ go run . analyze samples/macOS/2023.3CX/libffmpeg.dirty.dylib
samples/macOS/2023.3CX/libffmpeg.dirty.dylib [🚨 CRITICAL]
--------------------------------------------------------------------------------------------------------------------------
RISK  KEY                               DESCRIPTION                                            EVIDENCE
--------------------------------------------------------------------------------------------------------------------------
LOW   compression/gzip                  works with gzip files                                  gzip
LOW   crypto/aes                        Supports AES (Advanced Encryption Standard)            AES
LOW   encoding/base64                   Supports base64 encoded strings                        base64
LOW   env/HOME                          Looks up the HOME directory for the current user       HOME
                                                                                               getenv
LOW   env/TERM                          Look up or override terminal settings                  TERM
LOW   fs/directory/create               creates directories                                    mkdir
LOW   fs/lock/update                    apply or remove an advisory lock on a file             flock
LOW   kernel/dispatch/semaphore         Uses Dispatch Semaphores                               dispatch_semaphore_signal
LOW   kernel/hostname/get               get computer host name                                 gethostname
LOW   net/http/accept/encoding          set HTTP response encoding format (example: gzip)      Accept-Encoding
LOW   net/url                           Handles URL strings                                    NSURL
                                                                                               URLContext
LOW   process/multithreaded             creates pthreads                                       pthread_create
LOW   random/insecure                   generate random numbers insecurely                     _rand
                                                                                               srand
LOW   sync/semaphore/user               uses semaphores to synchronize data between processes  semaphore_create
                                        or threads                                             semaphore_signal
                                                                                               semaphore_wait
MED   evasion/base64/decode             decode base64 strings                                  base64_decode
MED   exec/pipe                         launches program and reads its output                  _pclose
                                                                                               _popen
MED   fs/permission/modify              modifies file permissions                              chmod
MED   net/http/cookies                  access HTTP resources using cookies                    Cookie
                                                                                               HTTP
MED   net/http/post                     submit content to websites                             HTTP
                                                                                               POST
                                                                                               http
MED   net/url/request                   requests resources via URL                             NSMutableURLRequest
MED   ref/path/hidden                   hidden path generated dynamically                      %s/.main_storage
MED   ref/path/tmp                      path reference within /tmp                             /tmp/%sXXXXXX
MED   ref/words/agent                   references an 'agent'                                  user_agent
MED   shell/arbitrary_command/dev_null  runs commands, discards output                         "%s" >/dev/null
CRIT  3P/signature_base/3cxdesktopapp/  Detects 3CXDesktopApp MacOS Backdoor component, by     $op1
      backdoor                          X__Junior (Nextron Systems)                            $op2
                                                                                               %s/.main_storage
                                                                                               %s/UpdateAgent
CRIT  3P/signature_base/nk/3cx          Detects malicious DYLIB files related to 3CX           $xc1
                                        compromise, by Florian Roth (Nextron Systems)          $xc2
                                                                                               $xc3
CRIT  3P/signature_base/susp/xored      Detects suspicious single byte XORed keyword           $xo1
                                        'Mozilla/5.0' - it uses yara's XOR modifier and
                                        therefore cannot print the XOR key, by Florian Roth
CRIT  3P/volexity/iconic                Detects the MACOS version of the ICONIC loader., by    $str1
                                        threatintel@volexity.com                               $str2
                                                                                               $str3
CRIT  evasion/xor/user_agent            XOR'ed user agent, often found in backdoors, by        7OTJ::$Mozilla_5_0
                                        Florian Roth
--------------------------------------------------------------------------------------------------------------------------
```
`scan`:

```
$ go run . scan samples/macOS/2023.3CX/libffmpeg.dirty.dylib
samples/macOS/2023.3CX/libffmpeg.dirty.dylib [🚨 CRITICAL]
------------------------------------------------------------------------------------------------------------------
RISK  KEY                               DESCRIPTION                                            EVIDENCE
------------------------------------------------------------------------------------------------------------------
CRIT  3P/signature_base/3cxdesktopapp/  Detects 3CXDesktopApp MacOS Backdoor component, by     $op1
      backdoor                          X__Junior (Nextron Systems)                            $op2
                                                                                               %s/.main_storage
                                                                                               %s/UpdateAgent
CRIT  3P/signature_base/nk/3cx          Detects malicious DYLIB files related to 3CX           $xc1
                                        compromise, by Florian Roth (Nextron Systems)          $xc2
                                                                                               $xc3
CRIT  3P/signature_base/susp/xored      Detects suspicious single byte XORed keyword           $xo1
                                        'Mozilla/5.0' - it uses yara's XOR modifier and
                                        therefore cannot print the XOR key, by Florian Roth
CRIT  3P/volexity/iconic                Detects the MACOS version of the ICONIC loader., by    $str1
                                        threatintel@volexity.com                               $str2
                                                                                               $str3
CRIT  evasion/xor/user_agent            XOR'ed user agent, often found in backdoors, by        7OTJ::$Mozilla_5_0
                                        Florian Roth
------------------------------------------------------------------------------------------------------------------
```
Quality of life & code improvement:

- `--diff` does (For scan, it shouldn't show items that fall below the priority of the highest match)
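The two filtering rules discussed in this thread (drop everything below a fixed risk score, or, for `scan`, drop everything below the priority of the highest match) differ on exactly the clean `ls` case above: a minimum score of 3 hides its single MED hit, while the "top tier only" rule keeps it. The following is an added example written for this page, not bincapz's own code from #436. It models a report as a list of findings with an ordered risk score (the numeric scale LOW=1, MED=2, HIGH=3, CRIT=4 is an assumption of the example), implements both filters, and renders the result in a table shaped like the output above. The sample findings are constructed to echo the `ls.x86_64` rows.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Risk is an ordered score so "anything less than a 3" is an integer compare.
// The numeric values are an assumption of this example, not bincapz's scale.
type Risk int

const (
	Low      Risk = iota + 1 // 1
	Medium                   // 2
	High                     // 3
	Critical                 // 4
)

var riskNames = map[Risk]string{Low: "LOW", Medium: "MED", High: "HIGH", Critical: "CRIT"}

func (r Risk) String() string { return riskNames[r] }

// ParseRisk maps the short label printed in the RISK column back to a Risk.
func ParseRisk(label string) (Risk, bool) {
	for r, name := range riskNames {
		if strings.EqualFold(name, label) {
			return r, true
		}
	}
	return 0, false
}

// Finding is one table row: behaviour key, description, evidence strings.
type Finding struct {
	Risk        Risk
	Key         string
	Description string
	Evidence    []string
}

// Report holds every finding for one file.
type Report struct {
	Path     string
	Findings []Finding
}

// Overall is the headline risk shown beside the path: the highest finding.
func (rp Report) Overall() Risk {
	var max Risk
	for _, f := range rp.Findings {
		if f.Risk > max {
			max = f.Risk
		}
	}
	return max
}

// FilterMin keeps findings at or above min; FilterMin(fs, High) is the
// "filter out anything less than a 3 risk score" behaviour.
func FilterMin(fs []Finding, min Risk) []Finding {
	var out []Finding
	for _, f := range fs {
		if f.Risk >= min {
			out = append(out, f)
		}
	}
	return out
}

// FilterTopTier keeps only findings at the file's highest risk, so a clean
// binary still shows its one MED hit while a backdoored one shows only CRITs.
func FilterTopTier(fs []Finding) []Finding {
	return FilterMin(fs, Report{Findings: fs}.Overall())
}

// Render prints a table in the report's column order, sorted by risk then key.
func Render(path string, overall Risk, fs []Finding) string {
	rows := append([]Finding(nil), fs...) // copy so the caller's order is untouched
	sort.SliceStable(rows, func(i, j int) bool {
		if rows[i].Risk != rows[j].Risk {
			return rows[i].Risk < rows[j].Risk
		}
		return rows[i].Key < rows[j].Key
	})
	var b strings.Builder
	fmt.Fprintf(&b, "%s [%s]\n%-5s %-22s %-40s %s\n", path, overall, "RISK", "KEY", "DESCRIPTION", "EVIDENCE")
	for _, f := range rows {
		fmt.Fprintf(&b, "%-5s %-22s %-40s %s\n", f.Risk, f.Key, f.Description, strings.Join(f.Evidence, " "))
	}
	return b.String()
}

// SampleLS is a constructed report echoing the clean ls findings in the thread.
func SampleLS() Report {
	return Report{Path: "samples/linux/clean/ls.x86_64", Findings: []Finding{
		{Low, "env/TERM", "Look up or override terminal settings", []string{"TERM"}},
		{Low, "fs/link/read", "read value of a symbolic link", []string{"readlink"}},
		{Low, "kernel/hostname/get", "get computer host name", []string{"gethostname"}},
		{Medium, "process/name/set", "get or set the current process name", []string{"__progname"}},
	}}
}

func main() {
	rp := SampleLS()
	fmt.Println("analyze (all findings):")
	fmt.Print(Render(rp.Path, rp.Overall(), rp.Findings))
	fmt.Println("scan (highest tier only):")
	fmt.Print(Render(rp.Path, rp.Overall(), FilterTopTier(rp.Findings)))
	fmt.Println("scan (minimum score 3):")
	fmt.Print(Render(rp.Path, rp.Overall(), FilterMin(rp.Findings, High)))
}
```

Running it shows the trade-off directly: the minimum-score view of `ls` is an empty table under a `MEDIUM` headline, which is why the top-tier rule is the more useful default for `scan` when the goal is "show me what drove the verdict".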