search

cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org
Other
5.56k stars 1.7k forks source link

Injection Sig Question: Determing child processes #1101

Open kevross33 opened 8 years ago

kevross33 commented 8 years ago

Hi,

Not an issue but looking for advice. I am trying to write a signature based along the idea of detecting when a process is writing to antoher non-child process as part of code injection as another injection detection layer (still need to do explorer and NTDLL ones from cuckoo-modified once I have good examples).

So I want to keep this simple and the logic should be:

1) Detect when the memory of another process is being written to and store that. 2) Determine then if the process it is writing to is a child process. if not we are good to alert.

Where I am a bit stuck below is how to get the child process in an effective way as the sture in the log tends to be processtree > process > children, process children and it goes on in a tree down different levels. So I am looking for any ideas on how to go about getting all the pid/childpid relatinships so they can be checked; at least on completion or ideally during the API call itself so it can be checked if that is possible to build up the rest below.

from lib.cuckoo.common.abstracts import Signature

class InjectionMemoryWrite(Signature): name = "injection_memorywrite" description = "Writes to the process memory of a non-child process indicative of code injection" severity = 3 categories = ["injection"] authors = ["Kevin Ross"] minimum = "2.0"

filter_apinames = "WriteProcessMemory", "NtWriteVirtualMemory", "NtWow64WriteVirtualMemory64",

def init(self):
    self.writes = {}

def on_process(self, process):
    self.writes[process["pid"]] = set()

def on_call(self, call, process):

    process_handle = call["arguments"].get("process_handle")
    if process_handle and process_handle.startswith("0xffffffff"):
        return

    buf = call["arguments"]["buf"]
    writepid = call["arguments"]["process_identifier"]
    pid = process["pid"]
    if pid != writepid and len(buf) > 0:
        self.writes[process["pid"]].add(writepid)
        self.mark_call()

def on_complete(self):
    return self.has_marks()
kevross33 commented 8 years ago

injection_memorywrite.txt

jbremer commented 8 years ago

The self.writes mapping in your example Signature looks fine to me, do you still have any questions about this?