From 1f3422ccdc94a175b6bbba3edca030622cfbd273 Mon Sep 17 00:00:00 2001
From: Still Hsu
Date: Tue, 12 Mar 2024 15:31:40 +0800
Subject: [PATCH 1/9] Add SysWhisper2 detection & add int 2e to syscall detection
Signed-off-by: Still Hsu
---
 nursery/execute-syscall.yml | 8 +++-
 nursery/populate-syswhisper2-syscall-list.yml | 44 +++++++++++++++++++
 2 files changed, 51 insertions(+), 1 deletion(-)
 create mode 100644 nursery/populate-syswhisper2-syscall-list.yml
diff --git a/nursery/execute-syscall.yml b/nursery/execute-syscall.yml
index ec9e46ae..e475e2c8 100644
--- a/nursery/execute-syscall.yml
+++ b/nursery/execute-syscall.yml
@@ -6,12 +6,14 @@ rule:
 - "@kulinacs"
 - "@mr-tz"
 - mehunhoff@google.com
+ - still@teamt5.org
 description: may be used to evade hooks or hinder analysis
 scopes:
 static: basic block
 dynamic: unsupported # requires mnemonic features
 references:
 - https://github.com/j00ru/windows-syscalls
+ - https://codemachine.com/articles/system_call_instructions.html
 features:
 - or:
 - and:
@@ -20,7 +22,11 @@ rule:
 - os: android
 - api: syscall # https://man7.org/linux/man-pages/man2/syscall.2.html
 - and:
- - mnemonic: syscall
+ - or:
+ - mnemonic: syscall
+ - instruction:
+ - mnemonic: int
+ - operand[0].number: 0x2e
 - or:
 - mnemonic: ret
 - mnemonic: retn
diff --git a/nursery/populate-syswhisper2-syscall-list.yml b/nursery/populate-syswhisper2-syscall-list.yml
new file mode 100644
index 00000000..40819f1c
--- /dev/null
+++ b/nursery/populate-syswhisper2-syscall-list.yml
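Review bot: The new `int` branch pins the vector with `operand[0].number: 0x2e` but carries no `description:` explaining why that number is the Windows one, whereas the sibling rule added in this series documents every magic constant; a reader has to follow the codemachine reference to learn it is the legacy NT system-service interrupt. Add `- description: int 2e is the legacy NT system service interrupt (pre-sysenter/syscall)` directly under the added `- instruction:`. The enclosing `and:` still requires a `ret`/`retn` in the same basic block, which is what keeps a lone `int 0x2e` from matching on its own; the rest of the rule, including any `examples:`, is outside the hunk, so I could not see whether an `int 2e` sample is listed to exercise the new branch.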
@@ -0,0 +1,44 @@
+rule:
+ meta:
+ name: populate syswhisper2 syscall list
+ namespace: linking/runtime-linking
+ authors:
+ - still@teamt5.org
+ scopes:
+ static: function
+ dynamic: unsupported
+ att&ck:
+ - Execution::Shared Modules [T1129]
+ - Execution::Native API [T1106]
+ - Defense Evasion::Obfuscated Files or Information::Indicator Removal from Tools [T1027.005]
+ references:
+ - https://github.com/jthuraisamy/SysWhispers2/blob/main/data/base.c#L32
+ examples:
+ - 932dab8756ad4ae9a62bde0772d952e4:0x14001BD1E
+ features:
+ - and:
+ - and:
+ - description: check ntdll.dll
+ - instruction:
+ - mnemonic: or
+ - operand[1].number: 0x20202020
+ - or:
+ - instruction:
+ - mnemonic: cmp
+ - operand[1].number: 0x6C64746E
+ - instruction:
+ - mnemonic: cmp
+ - operand[1].number: 0x6C642E6C
+ - and:
+ - description: check system call starting with 'Zw'
+ - instruction:
+ - description: check 'Zw'
+ - mnemonic: cmp
+ - operand[1].number: 0x775a
+ - and: # this is optional but this should reduce false positives if any at all
+ - description: syscall list sorting
+ - instruction:
+ - mnemonic: add
+ - operand[1].number: 1
+ - mnemonic: lea
+ - mnemonic: mov
From c1b8541949bbcbdbf1f4556f634b9153f93dfa71 Mon Sep 17 00:00:00 2001
From: Still / Azaka
Date: Tue, 12 Mar 2024 15:39:04 +0800
Subject: [PATCH 2/9] Add missing 's'
---
 ...-syscall-list.yml => populate-syswhispers2-syscall-list.yml} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename nursery/{populate-syswhisper2-syscall-list.yml => populate-syswhispers2-syscall-list.yml} (96%)
diff --git a/nursery/populate-syswhisper2-syscall-list.yml b/nursery/populate-syswhispers2-syscall-list.yml
similarity index 96%
rename from nursery/populate-syswhisper2-syscall-list.yml
rename to nursery/populate-syswhispers2-syscall-list.yml
index 40819f1c..90c5eb30 100644
--- a/nursery/populate-syswhisper2-syscall-list.yml
+++ b/nursery/populate-syswhispers2-syscall-list.yml
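Review bot: The third `and:` block (`add` with `operand[1].number: 1`, plus bare `mnemonic: lea` and `mnemonic: mov`) adds almost no selectivity at function scope, because nearly every compiled function contains `mov`, `lea` and an increment by one, so the inline comment `# this is optional but this should reduce false positives if any at all` promises more than the block delivers. Either drop that block or reword the comment to say the selectivity comes from the ntdll.dll and 'Zw' constant comparisons above it. It would also help to give the rule a `meta` `description:` (as `execute-syscall.yml` has) stating that it matches the string-comparison form of the loader walk in the referenced `base.c`, so maintainers know that `0x6C64746E`, `0x6C642E6C` and `0x775a` are the load-bearing features and that variants which locate ntdll differently fall outside this rule. The `examples:` entry `932dab8756ad4ae9a62bde0772d952e4:0x14001BD1E` is a plain scalar that YAML keeps as a string, so no quoting is needed there.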
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: populate syswhisper2 syscall list
+ name: populate syswhispers2 syscall list
 namespace: linking/runtime-linking
 authors:
 - still@teamt5.org
From 53650473f6f09b7f4967a8fed7d7013bf22e7d65 Mon Sep 17 00:00:00 2001
From: Still / Azaka
Date: Sun, 24 Mar 2024 16:36:07 +0800
Subject: [PATCH 3/9] Update nursery/populate-syswhispers2-syscall-list.yml
Co-authored-by: Moritz
---
 nursery/populate-syswhispers2-syscall-list.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nursery/populate-syswhispers2-syscall-list.yml b/nursery/populate-syswhispers2-syscall-list.yml
index 90c5eb30..9cab0207 100644
--- a/nursery/populate-syswhispers2-syscall-list.yml
+++ b/nursery/populate-syswhispers2-syscall-list.yml
@@ -25,7 +25,7 @@ rule:
 - or:
 - instruction:
 - mnemonic: cmp
- - operand[1].number: 0x6C64746E
+ - operand[1].number: 0x6C64746E = "ldtn"
 - instruction:
 - mnemonic: cmp
 - operand[1].number: 0x6C642E6C
From 32200948f049bbc5621ede82c128201b052afb7e Mon Sep 17 00:00:00 2001
From: Still / Azaka
Date: Sun, 24 Mar 2024 16:36:13 +0800
Subject: [PATCH 4/9] Update nursery/populate-syswhispers2-syscall-list.yml
Co-authored-by: Moritz
---
 nursery/populate-syswhispers2-syscall-list.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nursery/populate-syswhispers2-syscall-list.yml b/nursery/populate-syswhispers2-syscall-list.yml
index 9cab0207..7eb062ae 100644
--- a/nursery/populate-syswhispers2-syscall-list.yml
+++ b/nursery/populate-syswhispers2-syscall-list.yml
@@ -28,7 +28,7 @@ rule:
 - operand[1].number: 0x6C64746E = "ldtn"
 - instruction:
 - mnemonic: cmp
- - operand[1].number: 0x6C642E6C
+ - operand[1].number: 0x6C642E6C = "ld.l"
 - and:
 - description: check system call starting with 'Zw'
 - instruction:
From 7bfb9a20843e20781aa8efb17bc64f7a6c05af44 Mon Sep 17 00:00:00 2001
From: Still / Azaka
Date: Sun, 24 Mar 2024 16:36:19 +0800
Subject: [PATCH 5/9] Update nursery/populate-syswhispers2-syscall-list.yml
Co-authored-by: Moritz
---
 nursery/populate-syswhispers2-syscall-list.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nursery/populate-syswhispers2-syscall-list.yml b/nursery/populate-syswhispers2-syscall-list.yml
index 7eb062ae..eb4d9443 100644
--- a/nursery/populate-syswhispers2-syscall-list.yml
+++ b/nursery/populate-syswhispers2-syscall-list.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: populate syswhispers2 syscall list
+ name: populate SysWhispers2 syscall list
 namespace: linking/runtime-linking
 authors:
 - still@teamt5.org
From 825cb057e24ed72f97fe36af0d0c671a91d514b4 Mon Sep 17 00:00:00 2001
From: Still / Azaka
Date: Sun, 24 Mar 2024 16:36:41 +0800
Subject: [PATCH 6/9] Update nursery/populate-syswhispers2-syscall-list.yml
Co-authored-by: Moritz
---
 nursery/populate-syswhispers2-syscall-list.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nursery/populate-syswhispers2-syscall-list.yml b/nursery/populate-syswhispers2-syscall-list.yml
index eb4d9443..7d9a25e9 100644
--- a/nursery/populate-syswhispers2-syscall-list.yml
+++ b/nursery/populate-syswhispers2-syscall-list.yml
@@ -34,7 +34,7 @@ rule:
 - instruction:
 - description: check 'Zw'
 - mnemonic: cmp
- - operand[1].number: 0x775a
+ - operand[1].number: 0x775a = "wZ"
 - and: # this is optional but this should reduce false positives if any at all
 - description: syscall list sorting
 - instruction:
From df5399781c21c79d8fc467bc10ff47880c03f4f7 Mon Sep 17 00:00:00 2001
From: Still / Azaka
Date: Sun, 24 Mar 2024 16:36:46 +0800
Subject: [PATCH 7/9] Update nursery/populate-syswhispers2-syscall-list.yml
Co-authored-by: Moritz
---
 nursery/populate-syswhispers2-syscall-list.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/nursery/populate-syswhispers2-syscall-list.yml b/nursery/populate-syswhispers2-syscall-list.yml
index 7d9a25e9..96a12a28 100644
--- a/nursery/populate-syswhispers2-syscall-list.yml
+++ b/nursery/populate-syswhispers2-syscall-list.yml
@@ -20,6 +20,7 @@ rule:
 - and:
 - description: check ntdll.dll
 - instruction:
+ - description: "to lower case"
 - mnemonic: or
 - operand[1].number: 0x20202020
 - or:
From e7ea0bff44dc73f65775eb8f43da172ecdfa8ef4 Mon Sep 17 00:00:00 2001
From: Still Hsu
Date: Fri, 20 Sep 2024 22:54:30 +0800
Subject: [PATCH 8/9] Add sysenter to syscall detection
Signed-off-by: Still Hsu
---
 nursery/execute-syscall.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/nursery/execute-syscall.yml b/nursery/execute-syscall.yml
index e475e2c8..0f61a250 100644
--- a/nursery/execute-syscall.yml
+++ b/nursery/execute-syscall.yml
@@ -14,6 +14,7 @@ rule:
 references:
 - https://github.com/j00ru/windows-syscalls
 - https://codemachine.com/articles/system_call_instructions.html
+ - https://www.felixcloutier.com/x86/sysenter
 features:
 - or:
 - and:
@@ -23,6 +24,7 @@ rule:
 - api: syscall # https://man7.org/linux/man-pages/man2/syscall.2.html
 - and:
 - or:
+ - mnemonic: sysenter
 - mnemonic: syscall
 - instruction:
 - mnemonic: int
From acfd551b4af727ba6ae26c2cb15520efe3066285 Mon Sep 17 00:00:00 2001
From: Still Hsu
Date: Tue, 24 Sep 2024 02:43:00 +0800
Subject: [PATCH 9/9] Move rule from nursery
Signed-off-by: Still Hsu
---
 .../runtime-linking}/populate-syswhispers2-syscall-list.yml | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename {nursery => linking/runtime-linking}/populate-syswhispers2-syscall-list.yml (100%)
diff --git a/nursery/populate-syswhispers2-syscall-list.yml b/linking/runtime-linking/populate-syswhispers2-syscall-list.yml
similarity index 100%
rename from nursery/populate-syswhispers2-syscall-list.yml
rename to linking/runtime-linking/populate-syswhispers2-syscall-list.yml
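Review bot: `mnemonic: sysenter` joins the `or:`, but the enclosing `and:` (shown in the first patch of this series) still requires a `ret`/`retn` in the same basic block, and some disassembly backends end the block at `sysenter` because control does not resume at the following instruction; if that happens a direct-sysenter stub would not match despite the new reference, and the same question applies to the `int 0x2e` branch just below it. Confirm against a 32-bit sample and, if the backend does split there, list that sample under `examples:` so the behaviour is pinned by the rule tests. The remainder of the rule, including `examples:`, lies outside this hunk.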