Closed RonnieSalomonsen closed 1 year ago
I'd propose that we model forwarded exports as something like:
- characteristic(forwarded-export)
- or:
  - export: DllName.ExportName
  - export: DllName.#123

This avoids introducing a new feature specifically for this edge case.
example:
```
python scripts/show-features.py --backend pefile tests/data/ea2876e9175410b6f6719f80ee44b9553960758c7d0f7bed73c0fe9a78d8e669.dll_
global: global: os(windows)
global: global: arch(amd64)
file: 0x18003BD32: export(vresion.GetFileVersionInfoA)
file: 0x18003BD32: characteristic(forwarded export)
file: 0x18003BD69: export(vresion.GetFileVersionInfoByHandle)
file: 0x18003BD69: characteristic(forwarded export)
file: 0x18003BDA2: export(vresion.GetFileVersionInfoExA)
file: 0x18003BDA2: characteristic(forwarded export)
file: 0x18003BDD6: export(vresion.GetFileVersionInfoExW)
file: 0x18003BDD6: characteristic(forwarded export)
file: 0x18003BE0C: export(vresion.GetFileVersionInfoSizeA)
file: 0x18003BE0C: characteristic(forwarded export)
file: 0x18003BE46: export(vresion.GetFileVersionInfoSizeExA)
file: 0x18003BE46: characteristic(forwarded export)
file: 0x18003BE82: export(vresion.GetFileVersionInfoSizeExW)
file: 0x18003BE82: characteristic(forwarded export)
file: 0x18003BEBC: export(vresion.GetFileVersionInfoSizeW)
file: 0x18003BEBC: characteristic(forwarded export)
file: 0x18003BEF0: export(vresion.GetFileVersionInfoW)
file: 0x18003BEF0: characteristic(forwarded export)
file: 0x18003BF19: export(vresion.VerFindFileA)
file: 0x18003BF19: characteristic(forwarded export)
file: 0x18003BF3B: export(vresion.VerFindFileW)
file: 0x18003BF3B: characteristic(forwarded export)
file: 0x18003BF60: export(vresion.VerInstallFileA)
file: 0x18003BF60: characteristic(forwarded export)
file: 0x18003BF88: export(vresion.VerInstallFileW)
file: 0x18003BF88: characteristic(forwarded export)
file: 0x18003BFB1: export(vresion.VerLanguageNameA)
file: 0x18003BFB1: characteristic(forwarded export)
file: 0x18003BFDB: export(vresion.VerLanguageNameW)
file: 0x18003BFDB: characteristic(forwarded export)
file: 0x18003C003: export(vresion.VerQueryValueA)
file: 0x18003C003: characteristic(forwarded export)
file: 0x18003C029: export(vresion.VerQueryValueW)
file: 0x18003C029: characteristic(forwarded export)
file: 0x18002A000: import(kernel32.CloseHandle)
file: 0x18002A000: import(CloseHandle)
file: 0x18002A008: import(kernel32.SetEndOfFile)
file: 0x18002A008: import(SetEndOfFile)
```
and for forwarded exports with a specific path, like in ce5a232cd28d21e2dfa9a7410d60384c906c6f666a7ce1318133c160ebf4c5b0:
```
global: global: os(windows)
global: global: arch(i386)
file: 0x1002BED2: export(c:/windows/system32/version.GetFileVersionInfoA)
file: 0x1002BED2: characteristic(forwarded export)
file: 0x1002BF1D: export(c:/windows/system32/version.GetFileVersionInfoByHandle)
file: 0x1002BF1D: characteristic(forwarded export)
file: 0x1002BF6A: export(c:/windows/system32/version.GetFileVersionInfoExA)
file: 0x1002BF6A: characteristic(forwarded export)
file: 0x1002BFB2: export(c:/windows/system32/version.GetFileVersionInfoExW)
file: 0x1002BFB2: characteristic(forwarded export)
file: 0x1002BFFC: export(c:/windows/system32/version.GetFileVersionInfoSizeA)
file: 0x1002BFFC: characteristic(forwarded export)
file: 0x1002C04A: export(c:/windows/system32/version.GetFileVersionInfoSizeExA)
file: 0x1002C04A: characteristic(forwarded export)
file: 0x1002C09A: export(c:/windows/system32/version.GetFileVersionInfoSizeExW)
file: 0x1002C09A: characteristic(forwarded export)
file: 0x1002C0E8: export(c:/windows/system32/version.GetFileVersionInfoSizeW)
file: 0x1002C0E8: characteristic(forwarded export)
file: 0x1002C130: export(c:/windows/system32/version.GetFileVersionInfoW)
file: 0x1002C130: characteristic(forwarded export)
file: 0x1002C16D: export(c:/windows/system32/version.VerFindFileA)
file: 0x1002C16D: characteristic(forwarded export)
file: 0x1002C1A3: export(c:/windows/system32/version.VerFindFileW)
file: 0x1002C1A3: characteristic(forwarded export)
file: 0x1002C1DC: export(c:/windows/system32/version.VerInstallFileA)
file: 0x1002C1DC: characteristic(forwarded export)
file: 0x1002C218: export(c:/windows/system32/version.VerInstallFileW)
file: 0x1002C218: characteristic(forwarded export)
file: 0x1002C255: export(c:/windows/system32/version.VerLanguageNameA)
file: 0x1002C255: characteristic(forwarded export)
file: 0x1002C293: export(c:/windows/system32/version.VerLanguageNameW)
file: 0x1002C293: characteristic(forwarded export)
file: 0x1002C2CF: export(c:/windows/system32/version.VerQueryValueA)
file: 0x1002C2CF: characteristic(forwarded export)
file: 0x1002C309: export(c:/windows/system32/version.VerQueryValueW)
file: 0x1002C309: characteristic(forwarded export)
file: 0x10023014: import(kernel32.SetFileAttributesW)
file: 0x10023014: import(SetFileAttributesW)
file: 0x10023014: import(kernel32.SetFileAttributes)
```
Summary

Feature that enables extraction of DLL export forwarding information (DLL Proxying).

Maybe it is possible to distinguish between a relative path and an absolute path in the export forward name when creating a CAPA rule.

Example rules:
- export-forward-absolute-path.yml
- export-forward-relative-path.yml
- export-forward-system32.yml

Example of malicious use:
- legit.exe -> searches for version.dll
- version.dll -> crafted version.dll with export forwards to the original version.dll
- vresion.dll -> original version.dll

Example md5: 76fa734236daa023444dec26863401dc

Motivation

To be able to make a CAPA rule that will detect if a DLL is leveraging export forwarding, aka DLL proxying.
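As an added example (not capa's code and not the poster's), this shows how the forwarder strings in the output above can be split into the proposed `export(DllName.ExportName)` / `characteristic(forwarded export)` features and classified as no path, relative path, absolute path or system32 target, which is the split the three example rule names ask for. The function names are mine; the input is assumed to be the decoded forwarder string that pefile exposes on each export entry.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Matches a drive-rooted ("c:/", "C:\"), UNC ("\\\\") or root-relative ("/") prefix;
# anything else with a separator is treated as a relative path.
ABS_PATH = re.compile(r"^(?:[a-zA-Z]:[\\/]|[\\/]{2}|[\\/])")


@dataclass(frozen=True)
class ForwardedExport:
    target_dll: str              # DLL part as written, path included, no extension
    target_name: Optional[str]   # forwarded-to symbol name, None when by ordinal
    target_ordinal: Optional[int]
    path_kind: str               # "none", "relative" or "absolute"
    features: Tuple[str, ...]    # feature strings in the proposed capa model


def parse_forwarder(forwarder: str) -> ForwardedExport:
    """Split a PE export forwarder ("DllName.Symbol" or "DllName.#123") into parts."""
    # The DLL part never carries its ".dll" extension, so the first '.' after the
    # last path separator divides DLL from symbol; directories may contain dots.
    sep = max(forwarder.rfind("/"), forwarder.rfind("\\"))
    dot = forwarder.find(".", sep + 1)
    if dot <= sep:
        raise ValueError(f"not a forwarder string: {forwarder!r}")
    dll, sym = forwarder[:dot], forwarder[dot + 1:]
    if sym.startswith("#"):
        name, ordinal = None, int(sym[1:])   # forward by ordinal
    else:
        name, ordinal = sym, None
    if sep == -1:
        kind = "none"                        # bare DLL name, resolved by loader search
    elif ABS_PATH.match(forwarder):
        kind = "absolute"
    else:
        kind = "relative"
    feats = (f"export({dll}.{sym})", "characteristic(forwarded export)")
    return ForwardedExport(dll, name, ordinal, kind, feats)


def forwards_to_system32(fwd: ForwardedExport) -> bool:
    """True when the forwarder names an absolute path under the system32 directory."""
    norm = fwd.target_dll.replace("\\", "/").lower()
    return fwd.path_kind == "absolute" and "/windows/system32/" in norm


if __name__ == "__main__":
    # Constructed inputs mirroring the two samples discussed in the issue.
    for s in ("vresion.GetFileVersionInfoA", "c:/windows/system32/version.VerQueryValueW"):
        print(parse_forwarder(s))
```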