Add SysWhispers2 detection & add 0x2e syscall detection (#888)
* Add SysWhisper2 detection & add int 2e to syscall detection

---------

Signed-off-by: Still Hsu <[email protected]>
Co-authored-by: Moritz <[email protected]>
Showing 2 changed files with 54 additions and 1 deletion.
45 changes: 45 additions & 0 deletions
linking/runtime-linking/populate-syswhispers2-syscall-list.yml
@@ -0,0 +1,45 @@ | ||
rule: | ||
meta: | ||
name: populate SysWhispers2 syscall list | ||
namespace: linking/runtime-linking | ||
authors: | ||
- [email protected] | ||
scopes: | ||
static: function | ||
dynamic: unsupported | ||
att&ck: | ||
- Execution::Shared Modules [T1129] | ||
- Execution::Native API [T1106] | ||
- Defense Evasion::Obfuscated Files or Information::Indicator Removal from Tools [T1027.005] | ||
references: | ||
- https://github.com/jthuraisamy/SysWhispers2/blob/main/data/base.c#L32 | ||
examples: | ||
- 932dab8756ad4ae9a62bde0772d952e4:0x14001BD1E | ||
features: | ||
- and: | ||
- and: | ||
- description: check ntdll.dll | ||
- instruction: | ||
- description: "to lower case" | ||
- mnemonic: or | ||
- operand[1].number: 0x20202020 | ||
- or: | ||
- instruction: | ||
- mnemonic: cmp | ||
- operand[1].number: 0x6C64746E = "ldtn" | ||
- instruction: | ||
- mnemonic: cmp | ||
- operand[1].number: 0x6C642E6C = "ld.l" | ||
- and: | ||
- description: check system call starting with 'Zw' | ||
- instruction: | ||
- description: check 'Zw' | ||
- mnemonic: cmp | ||
- operand[1].number: 0x775a = "wZ" | ||
- and: # this is optional but this should reduce false positives if any at all | ||
- description: syscall list sorting | ||
- instruction: | ||
- mnemonic: add | ||
- operand[1].number: 1 | ||
- mnemonic: lea | ||
- mnemonic: mov |
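Review bot: the third `and:` block (`description: syscall list sorting`) does not deliver the false-positive reduction its comment promises: the bare `mnemonic: lea` and `mnemonic: mov` features occur in practically every compiled function, so at `static: function` scope they add no selectivity, and only the `add ..., 1` instruction carries any signal. Either drop the two bare mnemonics or tighten them into `instruction:` blocks with operand constraints that reflect the sort loop in the referenced base.c, and replace the trailing comment (`if any at all`) with a plain statement of what the block is meant to exclude. Consider also adding a `description:` under `meta:`, as the sibling syscall rule has, that says where the matched constants come from (`0x20202020` lower-casing, `ldtn`/`ld.l` for `ntdll.dll`, `wZ` for the `Zw` export prefix), since the little-endian readings in the inline comments are easy to misread without that context.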
@@ -6,12 +6,15 @@ rule: | |
- "@kulinacs" | ||
- "@mr-tz" | ||
- [email protected] | ||
- [email protected] | ||
description: may be used to evade hooks or hinder analysis | ||
scopes: | ||
static: basic block | ||
dynamic: unsupported # requires mnemonic features | ||
references: | ||
- https://github.com/j00ru/windows-syscalls | ||
- https://codemachine.com/articles/system_call_instructions.html | ||
- https://www.felixcloutier.com/x86/sysenter | ||
features: | ||
- or: | ||
- and: | ||
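Review bot: the new felixcloutier reference covers only `sysenter`, while the rule's feature tree also matches `syscall` and, in the next hunk, `int 0x2e`; add the matching `syscall` page (https://www.felixcloutier.com/x86/syscall) beside it, or mark with a short comment that the codemachine article is the citation for the `int 0x2e` gate, so that each branch of the `or:` has a reference a reader can follow.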
@@ -20,7 +23,12 @@ rule: | |
- os: android | ||
- api: syscall # https://man7.org/linux/man-pages/man2/syscall.2.html | ||
- and: | ||
- mnemonic: syscall | ||
- or: | ||
- mnemonic: sysenter | ||
- mnemonic: syscall | ||
- instruction: | ||
- mnemonic: int | ||
- operand[0].number: 0x2e | ||
- or: | ||
- mnemonic: ret | ||
- mnemonic: retn |
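Review bot: the new `int 0x2e` branch has no comment, unlike the `api: syscall` branch above it that carries a `# https://man7.org/...` pointer; add an inline note that `int 0x2e` is the legacy Windows NT system-call gate (the codemachine reference) so a future reader knows why a software interrupt sits next to `syscall`/`sysenter`. Note also that the enclosing `and:` still requires a `ret`/`retn` in the same basic block, so the rule matches a SysWhispers-style `int 2e; ret` stub but not an inline `int 0x2e` that is followed by further code in that block; if that is the intent, say so in a comment, and add a sample that hits the new branch to the rule's `examples:` list so the change is covered by the rule tests.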