volatilityfoundation / volatility3

Volatility 3.0 development
http://volatilityfoundation.org/

Add detection of direct and indirect system calls #1262

Open atcuno opened 2 months ago

atcuno commented 2 months ago

@ikelos these are the priority after pe_symbols. Inheritance is used correctly (versioned, no overriding generator or run, basically the same as threads/thrdscan/etc. and others), so don't freak out when you see it and just enjoy the beautiful, reusable code. I also used namedtuples as a test run and it turned out pretty cool. I left many comments, including the args/returns, and both files pass black, mypy and pylint.

This implements two more of the DEFCON plugins for detecting malware that bypasses EDRs and are required for the cutover release.

Detection of the HellsGate direct system call technique:

```
$ python3 vol.py --config halo.json windows.direct_system_calls
Volatility 3 Framework 2.10.0
Process PID Range   Address Disasm

HellsGate.exe   920 \exclude_test\volexity\volexity\Saved Files\HalosGate\HellsGate.exe 0x7ff627831591  0x7ff627831591: mov r10, rcx; 0x7ff627831594: mov eax, dword ptr [rip + 0x3a66]; 0x7ff62783159a: syscall ; 0x7ff62783159c: ret ; 
```

Detection of the HellsHall indirect system call technique:

```
$ python3 vol.py --config hell.json windows.indirect_system_calls
Volatility 3 Framework 2.10.0
Process PID Range   Address Disasm
HellsHall.exe   2112    \exclude_test\volexity\volexity\Saved Files\HalosGate\HellsHall.exee    0x7ff6949f165e  0x7ff6949f165e: mov r10, rcx; 0x7ff6949f1661: mov eax, dword ptr [rip + 0x3999]; 0x7ff6949f1667: jmp qword ptr [rip + 0x3997]; 
```

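
The detection idea behind both plugins is the same: an NT system call stub (`mov r10, rcx`, load the service number into `eax`, then either `syscall; ret` or `jmp` through a pointer into ntdll) is normal inside ntdll.dll, but the same byte sequence sitting in an executable's own image, or in unbacked memory, is the tell. The following is an added, stand-alone example that is not part of this PR or of Volatility: it matches the stub shapes with byte-level regular expressions instead of capstone, runs over constructed memory regions whose instruction bytes encode exactly the two disassembly listings above, and reports only stubs found outside the modules expected to contain them. The ntdll base address, padding bytes and region layout are made up for the example.

```python
import re
import struct
from typing import List, NamedTuple, Optional, Sequence, Tuple

# x64 encodings of the instructions that make up an NT system call stub.
# Patterns are hand-assembled for this example; the plugin itself uses capstone.
MOV_R10_RCX = rb"\x4c\x8b\xd1"                        # mov r10, rcx
LOAD_SSN    = rb"(?:\xb8(?P<imm>.{4})|\x8b\x05.{4})"   # mov eax, imm32 | mov eax, dword ptr [rip+disp32]
SYSCALL_RET = rb"\x0f\x05\xc3"                         # syscall ; ret
JMP_RIP     = rb"\xff\x25.{4}"                         # jmp qword ptr [rip+disp32]

DIRECT_RE   = re.compile(MOV_R10_RCX + LOAD_SSN + SYSCALL_RET, re.DOTALL)
INDIRECT_RE = re.compile(MOV_R10_RCX + LOAD_SSN + JMP_RIP, re.DOTALL)

# Modules where syscall stubs legitimately live; a stub anywhere else is the signal.
LEGITIMATE_STUB_MODULES = {"ntdll.dll", "win32u.dll"}


class SyscallStub(NamedTuple):
    offset: int         # offset of the stub inside the scanned buffer
    kind: str           # "direct" (syscall; ret) or "indirect" (jmp qword ptr [rip+x])
    ssn: Optional[int]  # system service number when loaded as an immediate, else None


class Finding(NamedTuple):
    process: str
    pid: int
    module: Optional[str]  # backing module of the region, None for unbacked memory
    address: int
    kind: str


def find_syscall_stubs(code: bytes) -> List[SyscallStub]:
    """Return every direct and indirect system call stub found in a code buffer."""
    stubs: List[SyscallStub] = []
    for kind, pattern in (("direct", DIRECT_RE), ("indirect", INDIRECT_RE)):
        for m in pattern.finditer(code):
            imm = m.group("imm")
            ssn = struct.unpack("<I", imm)[0] if imm is not None else None
            stubs.append(SyscallStub(m.start(), kind, ssn))
    return sorted(stubs, key=lambda s: s.offset)


def scan_process(process: str, pid: int,
                 regions: Sequence[Tuple[Optional[str], int, bytes]]) -> List[Finding]:
    """Report stubs in any region not backed by a module that is expected to contain them.

    regions: (backing module name or None, region base address, region bytes)
    """
    findings: List[Finding] = []
    for module, base, data in regions:
        if module is not None and module.lower() in LEGITIMATE_STUB_MODULES:
            continue  # ntdll/win32u contain hundreds of these by design
        for stub in find_syscall_stubs(data):
            findings.append(Finding(process, pid, module, base + stub.offset, stub.kind))
    return findings


# Constructed sample memory, not taken from a real image. The two suspicious stubs
# encode the instruction sequences shown in the plugin output above; the ntdll base
# address and the padding bytes are made up.
NTDLL_STUB = b"\x4c\x8b\xd1\xb8\x18\x00\x00\x00\x0f\x05\xc3"  # mov r10,rcx; mov eax,0x18; syscall; ret
HELLSGATE_TEXT = (b"\x90" * 16
                  + b"\x4c\x8b\xd1\x8b\x05\x66\x3a\x00\x00\x0f\x05\xc3"          # direct: ...; syscall; ret
                  + b"\xcc" * 8)
HELLSHALL_TEXT = (b"\x90" * 8
                  + b"\x4c\x8b\xd1\x8b\x05\x99\x39\x00\x00\xff\x25\x97\x39\x00\x00"  # indirect: ...; jmp [rip+x]
                  + b"\xcc" * 8)

SAMPLE_PROCESSES = [
    ("HellsGate.exe", 920, [("ntdll.dll", 0x7FFB1C000000, NTDLL_STUB),
                            ("HellsGate.exe", 0x7FF627831581, HELLSGATE_TEXT)]),
    ("HellsHall.exe", 2112, [("ntdll.dll", 0x7FFB1C000000, NTDLL_STUB),
                             ("HellsHall.exe", 0x7FF6949F1656, HELLSHALL_TEXT)]),
]


def run_sample() -> List[Finding]:
    """Scan the constructed processes and return all findings."""
    return [f for proc in SAMPLE_PROCESSES for f in scan_process(*proc)]


if __name__ == "__main__":
    print("Process\tPID\tModule\tAddress\tKind")
    for f in run_sample():
        print(f"{f.process}\t{f.pid}\t{f.module}\t{f.address:#x}\t{f.kind}")
```

Byte matching is cheaper than disassembly but brittle: a stub that loads the service number through a register other than an immediate or a RIP-relative load, or that pads the sequence with junk instructions, slips past these two patterns, which is why disassembling each candidate and checking the instruction semantics (as the plugin does with capstone) is the more robust approach.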
atcuno commented 1 month ago

This is ready @ikelos but the test failed as the test system doesn't have capstone, and it's part of the type hint. We need to:

1) get capstone in requirements.txt
2) Update the test system to have capstone installed

ikelos commented 1 month ago

Capstone is already in requirements.txt, but needs to be added to test/requirements-testing.txt as part of the PR please.

It also indicates that the error checking isn't working, because volatility should not throw an exception when a module can't be found. I think that's because you've got it in the typing information, so it's accessed without a has_capstone guard in front of it. I'd try putting that in quotes to delay resolving, but otherwise you'll need to weaken the type constraints or have the whole plugin bail out as soon as capstone can't be found. It must be able to import successfully or fail gracefully or it'll take the whole framework with it when the plugins are initially imported. Yarascan should be an example of a plugin that bails gracefully if a necessary module can't be found for it to be of any use...
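
The failure mode described here is that a bare `capstone.CsInsn` in a type hint is evaluated when the plugin module is imported, so a missing capstone raises before any guard can run. The following is an added illustration, not Volatility's own code and not part of this PR: it shows the two fixes the comment suggests, a quoted (string) annotation that is stored unresolved, and a `has_capstone` flag checked before any capstone attribute is touched, so the module always imports and callers get a clear error or a `None` instead of a framework-wide crash. The helper names `optional_import`, `missing_requirements`, `disassemble_x64` and `mnemonics_or_none` are hypothetical and do not use Volatility's requirement classes; the capstone calls (`Cs`, `CS_ARCH_X86`, `CS_MODE_64`, `disasm`) are the real capstone Python API.

```python
import importlib
from types import ModuleType
from typing import List, Optional


def optional_import(name: str) -> Optional[ModuleType]:
    """Return the module if it can be imported, otherwise None (never raises ImportError)."""
    try:
        return importlib.import_module(name)
    except ImportError:
        return None


# Import once at module load; remember the outcome instead of letting it escape.
capstone = optional_import("capstone")
has_capstone = capstone is not None


def missing_requirements() -> List[str]:
    """Names of modules the plugin needs but could not import; empty means ready to run."""
    return [] if has_capstone else ["capstone"]


# The return annotation is a string, so Python stores it unresolved and the name
# "capstone" is never looked up at import time, even when the module is absent.
def disassemble_x64(code: bytes, address: int) -> List["capstone.CsInsn"]:
    """Disassemble a buffer; the guard runs before any capstone attribute is used."""
    if not has_capstone:
        raise RuntimeError("capstone is not installed; this plugin cannot run")
    assert capstone is not None  # narrows the Optional for type checkers
    md = capstone.Cs(capstone.CS_ARCH_X86, capstone.CS_MODE_64)
    return list(md.disasm(code, address))


def mnemonics_or_none(code: bytes, address: int = 0) -> Optional[List[str]]:
    """Graceful entry point: None when the dependency is missing, else the mnemonic list."""
    if missing_requirements():
        return None
    return [insn.mnemonic for insn in disassemble_x64(code, address)]


if __name__ == "__main__":
    # Constructed bytes: mov r10, rcx; syscall; ret
    result = mnemonics_or_none(b"\x4c\x8b\xd1\x0f\x05\xc3")
    print("capstone missing, plugin would bail gracefully" if result is None else result)
```

Either fix on its own is enough to make the import safe; doing both keeps the hint useful to mypy while the runtime check decides whether the plugin can do anything.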

ikelos commented 2 weeks ago

@atcuno, can you please add capstone to the test/requirements-testing.txt as part of this PR so we can get this merged please?