hasherezade / pe-sieve

Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).
https://hshrzd.wordpress.com/pe-sieve/
BSD 2-Clause "Simplified" License

Identify the hook target #23

Closed hasherezade closed 5 years ago

hasherezade commented 5 years ago

Test cases

Case 1: c999ab160f652e1c6980c50507e1aacb9058d3aa359c92dd74bf3fc5ae5fd47b - KeygenMe v7 by MaxXor
Case 2: 5e1967db286d886b87d1ec655559b9af694fc6e002fea3a6c7fd3c6b0b49ea6e - Floki Bot

How it is

The hooks are tagged in the following way:

ec7c;CreateWindowExW->402551;5
1e981;CharUpperW->4017be;5

We can see the offset where the hook is installed, and the name of the hooked function. The hook target is represented by its VA. However, finding the module to which the hook leads requires manual analysis.

How it should be

The target module should be mentioned in the report, i.e.:

ec7c;CreateWindowExW->402551[400000+2551:KeygenMev7.exe];5
1e981;CharUpperW->4017be[400000+17be:KeygenMev7.exe];5

or, in case the hook leads to an unnamed implant, it should be marked as unnamed:

ec7c;CreateWindowExW->402551[400000+2551:(unnamed)];5
1e981;CharUpperW->4017be[400000+17be:(unnamed)];5

hasherezade commented 5 years ago

Addressed in the commits:

1) https://github.com/hasherezade/pe-sieve/commit/8d9e20957eef997e45a98be96e0174e8d85e8a1c
2) https://github.com/hasherezade/pe-sieve/commit/2a8345b9c2ed908a10c8ad343d239aad566791dc
3) https://github.com/hasherezade/pe-sieve/commit/85bee894e543540ed34e754bfc7972c45164c631
4) https://github.com/hasherezade/pe-sieve/commit/07b40ea9c04126e5a2fbb45ca635cf8b2815e088

hasherezade commented 5 years ago

Result:

All of the above is implemented. Additionally, the module is marked with 0 (if not detected as suspicious) or 1 (if detected as suspicious).
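The target resolution proposed in this issue, as an added example that is my own code and not pe-sieve's: given a module map of the scanned process, it parses hook lines in the original `offset;func->VA;size` format and rewrites them into the `VA[base+offset:module]` form from the "How it should be" section, using `(unnamed)` for a region that has no module name. The module map (bases, sizes, and the unnamed region), the regular expression, and the choice to leave a target that falls outside every known region unannotated are assumptions; the later 0/1 suspicious marker is not rendered because its position in the line is not shown above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample module map for the scanned process: (base, size, name).
# In a real run this comes from the process's module list; a name of None
# stands for a memory region with no module name (an unnamed implant).
MODULES: List[Tuple[int, int, Optional[str]]] = [
    (0x400000, 0x10000, "KeygenMev7.exe"),   # base taken from the issue's example
    (0x77000000, 0x1000, None),              # hypothetical unnamed implant region
]

# Matches one hook line in the issue's format: <offset>;<func>-><targetVA>;<size>
HOOK_RE = re.compile(
    r"^(?P<offset>[0-9a-fA-F]+);(?P<func>[^;>]+)->(?P<target>[0-9a-fA-F]+);(?P<size>\d+)$"
)


@dataclass
class Hook:
    offset: int   # offset of the patched bytes inside the hooked module
    func: str     # name of the hooked export
    target: int   # VA the hook redirects execution to
    size: int     # number of patched bytes


def parse_hook(line: str) -> Optional[Hook]:
    """Parse one report line; return None for lines not in hook format."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    return Hook(int(m["offset"], 16), m["func"], int(m["target"], 16), int(m["size"]))


def resolve_module(va: int, modules=MODULES) -> Optional[Tuple[int, Optional[str]]]:
    """Return (base, name) of the region whose [base, base+size) contains va, else None."""
    for base, size, name in modules:
        if base <= va < base + size:
            return base, name
    return None


def format_hook(hook: Hook, modules=MODULES) -> str:
    """Render a hook line with its target annotated as VA[base+offset:module]."""
    target = f"{hook.target:x}"
    hit = resolve_module(hook.target, modules)
    if hit is not None:
        base, name = hit
        label = name if name else "(unnamed)"
        target += f"[{base:x}+{hook.target - base:x}:{label}]"
    # Assumption: a target outside every known region is left in the
    # original, unannotated form rather than guessed at.
    return f"{hook.offset:x};{hook.func}->{target};{hook.size}"


def annotate_report(lines, modules=MODULES) -> List[str]:
    """Annotate every hook line; pass any other line through unchanged."""
    out = []
    for line in lines:
        hook = parse_hook(line)
        out.append(format_hook(hook, modules) if hook else line)
    return out


if __name__ == "__main__":
    # Constructed input: the two hook lines from the issue plus one pointing
    # into the hypothetical unnamed region.
    sample = [
        "ec7c;CreateWindowExW->402551;5",
        "1e981;CharUpperW->4017be;5",
        "ec7c;CreateWindowExW->77000abc;5",
    ]
    for line in annotate_report(sample):
        print(line)
```

The resolver is a plain range lookup, so the same function serves hooks that land inside a legitimately loaded module (a benign trampoline, or a hook placed by security software) and hooks that land in an unnamed region, which is the case an analyst usually wants to triage first.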