Quantcast
Channel: KitPloit - PenTest Tools!
Viewing all articles
Browse latest Browse all 5816

DrSemu - Malware Detection And Classification Tool Based On Dynamic Behavior

$
0
0

Dr.Semu runs executables in an isolated environment, monitors the behavior of a process, and based on Dr.Semu rules created by you or the community, detects if the process is malicious or not.

whoami: @_qaz_qaz
With Dr.Semu you can create rules to detect malware based on dynamic behavior of a process.

Isolation through redirection
Everything happens from the user-mode. Windows Projected File System (ProjFS) is used to provide a virtual file system. For Registry redirection, it clones all Registry hives to a new location and redirects all Registry accesses.
See the source code for more about other redirections (process/objects isolation, etc).

Monitoring
Dr.Semu uses DynamoRIO (Dynamic Instrumentation Tool Platform) to intercept a thread when it's about to cross the user-kernel line. It has the same effect as hookingSSDT but from the user-mode and without hooking anything.
At this phase, Dr.Semu produces a JSON file, which contains information from the interception.

Detection
After terminating the process, based on Dr.Semu rules we receive if the executable is detected as malware or not.
Dr.Semu Rules/Detections

Dr.Semu rules
They are written in Python or LUA (located under dr_rules) and use dynamic information from the interception and static information about the sample. It's trivial to add support of other languages.


Example (Python): https://gist.github.com/secrary/ac89321b8a7bde998a6e3139be49eb72
Example (Lua): https://gist.github.com/secrary/e16daf698d466136229dc417d7dbcfa3

Usage
  • Use PowerShell to enable ProjFS in an elevated PowerShell window:
Enable-WindowsOptionalFeature -Online -FeatureName Client-ProjFS -NoRestart
DrSemu.exe --target file_path
DrSemu.exe --target files_directory

DEMO


BUILD
  • Use PowerShell to enable ProjFS in an elevated PowerShell window:
Enable-WindowsOptionalFeature -Online -FeatureName Client-ProjFS -NoRestart


  • Install Python 3 x64
  • Download DynamoRIO and extract into bin folder and rename to dynamorio
  • Build pe-parser-library.lib library:
    • Generate VS project from DrSemu\shared_libs\pe_parse using cmake-gui
    • Build 32-bit library under build (\shared_libs\pe_parse\build\pe-parser-library\Release\) and 64-bit one under build64
    • Change run-time library option to Multi-threaded (/MT)
  • Set LauncherCLI As StartUp Project

TODO
  • Solve isolation related issues
  • Improve synchronization
  • Update the description, add more details
  • Create a GUI for the tool

Limitations
  • Minimum supported Windows version: Windows 10, version 1809 (due to Windows Projected File System)
  • Maximum supported Windows version: Windows 10, version 1809 (DynamoRIO supports Windows 10 versions until 1809)



Viewing all articles
Browse latest Browse all 5816

Trending Articles



<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>