saferwall / pe

A :zap: lightweight Go package to parse, analyze and extract metadata from Portable Executable (PE) binaries. Designed for malware analysis tasks and robust against PE malformations.
https://saferwall.com
MIT License

Avoid certutil for downloading certificates #52

Open rabbitstack opened 1 year ago

rabbitstack commented 1 year ago

Hi,

I'm so happy I've found this package/library! Great work. I'm planning to sunset the PE introspection functionality I've initially built into Fibratus in favour of your package. I was glancing at the code and noticed you rely on certutil to fetch the certificates you later use for validation. Since certutil is frequently abused by threat actors for nefarious purposes, I'm wondering if there is a way to download the certificates by interacting with some specific Windows API?

LordNoteworthy commented 1 year ago

Hello @rabbitstack

Thanks a lot for your feedback. I myself used fibratus some time ago, I remember it was Python, did you rewrite it in Go? :)

The certificate validation is indeed tricky, we can't rely on the Windows API because we need the library to work on other platforms as well. That's already dealt with, now I just need to find an alternative to certutil to grab fresh certificates.
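One way to grab a certificate without shelling out to certutil, as an added example that is not code from the saferwall/pe project or from anyone in this thread: it assumes a hypothetical `FetchCert` helper built on Go's portable `net/http` and `crypto/x509`, and serves a constructed self-signed certificate from an in-process test server so the demo runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// FetchCert is a hypothetical certutil replacement: a portable net/http download of a DER certificate, size-bounded and parsed with crypto/x509.
func FetchCert(client *http.Client, url string) (*x509.Certificate, error) {
	resp, err := client.Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("fetching %s: %s", url, resp.Status)
	}
	der, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // 1 MiB cap
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der) // rejects malformed or truncated input
}

// Demo serves a constructed self-signed CA from an in-process test server (so it runs offline) and returns the CommonName FetchCert recovered.
func Demo() (string, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.Write(der) }))
	defer srv.Close()
	cert, err := FetchCert(srv.Client(), srv.URL+"/ca.crt")
	if err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}

func main() {
	fmt.Println(Demo())
}
```

Against a real distribution point the same `FetchCert` call is used with a plain `http.Client` and the CA's certificate URL.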

rabbitstack commented 1 year ago

Hi @LordNoteworthy,

Correct, it was Python, but I rewrote/redesigned from scratch in Go, a couple of years ago. There is still the possibility to run the Python code (filaments) via CPython bindings.

What other platforms could be subject to PE parsing and wouldn't allow Windows API interaction? It would be great if you could ditch certutil.

Sorry I have to hijack this issue, but I got another question. Are you planning to incorporate any features that could enable detecting PE tampering and possibly detecting different process injection techniques? Tools like PESieve can do this.

Thanks

LordNoteworthy commented 1 year ago

> Correct, it was Python, but I rewrote/redesigned from scratch in Go, a couple of years ago. There is still the possibility to run the Python code (filaments) via CPython bindings.

All right, I see, good job!

> What other platforms could be subject to PE parsing and wouldn't allow Windows API interaction?

Mainly Linux and OSX. Some folks will be running this pkg on Linux containers or something alike. I will keep this issue open to find a workaround for certutil.

> Are you planning to incorporate any features that could enable detecting PE tampering and possibly detecting different process injection techniques? Tools like PESieve can do this.

If it is something that we can do statically, I will be happy to do so. Tools like PESieve are more dynamic analysis tools, so I am doing this sort of detection in saferwall sandbox, though it is not yet completed.

rabbitstack commented 1 year ago

> Mainly Linux and OSX. Some folks will be running this pkg on Linux containers or something alike.

It crystallized after you mentioned pe underpins the Saferwall service which would obviously make it runnable on non-Windows machines.

> If it is something that we can do statically, I will be happy to do so. Tools like PESieve are more dynamic analysis tools, so I am doing this sort of detection in saferwall sandbox, though it is not yet completed.

PESieve essentially compares on-disk with in-memory PE structures and determines all sorts of heuristics, so, I think dynamic analysis may be inevitable.

Thank you for your answers!