objective-see / BlockBlock

BlockBlock provides continual protection by monitoring persistence locations.
GNU General Public License v3.0

Persistence installed before detection #23

Open Spl01ter opened 3 years ago

Spl01ter commented 3 years ago

When malware installs persistence (tested with https://github.com/neoneggplant/EggShell), the script is loaded into memory before detection and blocking. It is persistent as long as the user does not reboot.

luckman212 commented 3 years ago

@Spl01ter have you possibly checked to see if this is still the case with 2.0.3?

acheong08 commented 3 years ago

It is still the case

acheong08 commented 3 years ago

I am now testing with https://github.com/RPwnage/EggShell-Community-Fork

acheong08 commented 3 years ago

[Two screenshots attached: "Screen Shot 2021-04-15 at 1 36 09 PM" and "Screen Shot 2021-04-15 at 1 36 35 PM"]
objective-see commented 3 years ago

Will clarify, but this is by design. macOS delivers events (such as file events) via the Endpoint Security Framework.

BlockBlock subscribes to the ES_EVENT_TYPE_NOTIFY_WRITE event which (as you have noted) is delivered after the event... it's a notification event. While there are ES_EVENT_TYPE_AUTH* events (that are delivered before the event occurs), there is no ES_EVENT_TYPE_AUTH_WRITE... and BlockBlock needs a write event, so we can examine what was added.
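As an added illustration of the point above (example code, not BlockBlock's own source), here is a minimal Endpoint Security client that subscribes to ES_EVENT_TYPE_NOTIFY_WRITE and reports writes that land in LaunchAgents/LaunchDaemons directories. It assumes a build with `clang -fobjc-arc -framework EndpointSecurity -lbsm`, the com.apple.developer.endpoint-security.client entitlement (plus Full Disk Access), and an illustrative watch list that is far shorter than a real tool's.

```objective-c
#include <EndpointSecurity/EndpointSecurity.h>
#include <bsm/libbsm.h>
#include <dispatch/dispatch.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

// Illustrative persistence locations only (assumption: a real monitor
// watches many more, e.g. login items, cron, kexts, etc.).
static bool isPersistencePath(const char *path) {
    if (strncmp(path, "/Library/LaunchDaemons/", 23) == 0) return true;
    // Matches both /Library/LaunchAgents/ and /Users/<name>/Library/LaunchAgents/
    if (strstr(path, "/Library/LaunchAgents/") != NULL) return true;
    return false;
}

int main(void) {
    es_client_t *client = NULL;
    es_new_client_result_t res = es_new_client(&client,
        ^(es_client_t *c, const es_message_t *msg) {
            if (msg->event_type != ES_EVENT_TYPE_NOTIFY_WRITE) return;
            const es_string_token_t *path = &msg->event.write.target->path;
            if (!isPersistencePath(path->data)) return;
            pid_t pid = audit_token_to_pid(msg->process->audit_token);
            // NOTIFY_WRITE is a notification: by the time this block runs the
            // bytes are already on disk, so the item must be inspected (and,
            // if unwanted, removed) after the fact rather than vetoed up front.
            printf("persistence write by pid %d (%s) -> %.*s\n", pid,
                   msg->process->executable->path.data,
                   (int)path->length, path->data);
        });
    if (res != ES_NEW_CLIENT_RESULT_SUCCESS) {
        fprintf(stderr, "es_new_client failed: %d (missing entitlement/TCC?)\n", res);
        return 1;
    }

    es_event_type_t events[] = { ES_EVENT_TYPE_NOTIFY_WRITE };
    if (es_subscribe(client, events, sizeof events / sizeof events[0]) != ES_RETURN_SUCCESS) {
        fprintf(stderr, "es_subscribe failed\n");
        return 1;
    }
    dispatch_main();  // handler runs on ES's dispatch queue until the process exits
}
```

Because there is no AUTH variant of the write event, the handler can only react once the file already exists; a launch agent written and loaded in the same instant is therefore already resident in memory when the notification arrives, which is the behaviour reported in this issue.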