From 1fd0d8e1410d074e74ccf73e9cfee6b208f75ab1 Mon Sep 17 00:00:00 2001
From: Still / Azaka
Date: Tue, 24 Sep 2024 11:24:52 +0000
Subject: [PATCH] Add SysWhispers2 detection & add 0x2e syscall detection (#888)

* Add SysWhisper2 detection & add int 2e to syscall detection

---------

Signed-off-by: Still Hsu
Co-authored-by: Moritz
---
 .../populate-syswhispers2-syscall-list.yml | 45 +++++++++++++++++++
 nursery/execute-syscall.yml | 10 ++++-
 2 files changed, 54 insertions(+), 1 deletion(-)
 create mode 100644 linking/runtime-linking/populate-syswhispers2-syscall-list.yml

diff --git a/linking/runtime-linking/populate-syswhispers2-syscall-list.yml b/linking/runtime-linking/populate-syswhispers2-syscall-list.yml
new file mode 100644
index 00000000..96a12a28
--- /dev/null
+++ b/linking/runtime-linking/populate-syswhispers2-syscall-list.yml
@@ -0,0 +1,45 @@
+rule:
+ meta:
+ name: populate SysWhispers2 syscall list
+ namespace: linking/runtime-linking
+ authors:
+ - still@teamt5.org
+ scopes:
+ static: function
+ dynamic: unsupported
+ att&ck:
+ - Execution::Shared Modules [T1129]
+ - Execution::Native API [T1106]
+ - Defense Evasion::Obfuscated Files or Information::Indicator Removal from Tools [T1027.005]
+ references:
+ - https://github.com/jthuraisamy/SysWhispers2/blob/main/data/base.c#L32
+ examples:
+ - 932dab8756ad4ae9a62bde0772d952e4:0x14001BD1E
+ features:
+ - and:
+ - and:
+ - description: check ntdll.dll
+ - instruction:
+ - description: "to lower case"
+ - mnemonic: or
+ - operand[1].number: 0x20202020
+ - or:
+ - instruction:
+ - mnemonic: cmp
+ - operand[1].number: 0x6C64746E = "ldtn"
+ - instruction:
+ - mnemonic: cmp
+ - operand[1].number: 0x6C642E6C = "ld.l"
+ - and:
+ - description: check system call starting with 'Zw'
+ - instruction:
+ - description: check 'Zw'
+ - mnemonic: cmp
+ - operand[1].number: 0x775a = "wZ"
+ - and: # this is optional but this should reduce false positives if any at all
+ - description: syscall list sorting
+ - instruction:
+ - mnemonic: add
+ - operand[1].number: 1
+ - mnemonic: lea
+ - mnemonic: mov
diff --git a/nursery/execute-syscall.yml b/nursery/execute-syscall.yml
index ec9e46ae..0f61a250 100644
--- a/nursery/execute-syscall.yml
+++ b/nursery/execute-syscall.yml
@@ -6,12 +6,15 @@ rule:
 - "@kulinacs"
 - "@mr-tz"
 - mehunhoff@google.com
+ - still@teamt5.org
 description: may be used to evade hooks or hinder analysis
 scopes:
 static: basic block
 dynamic: unsupported # requires mnemonic features
 references:
 - https://github.com/j00ru/windows-syscalls
+ - https://codemachine.com/articles/system_call_instructions.html
+ - https://www.felixcloutier.com/x86/sysenter
 features:
 - or:
 - and:
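Review bot: The immediate annotations read the constants in big-endian order (`0x6C64746E = "ldtn"`, `0x6C642E6C = "ld.l"`, `0x775a = "wZ"`), while the bytes as laid out in memory spell `ntdl`, `l.dl` and `Zw`, which is what the neighbouring `description:` lines ("check ntdll.dll", "check 'Zw'") refer to; annotating them as `0x6C64746E = "ntdl"`, `0x6C642E6C = "l.dl"` and `0x775a = "Zw"` makes the link to the module name and the `Zw` prefix obvious to the next reader. The third `and` clause ("syscall list sorting") adds little precision at function scope: `mnemonic: lea` and `mnemonic: mov` occur in nearly every function and `add ..., 1` is common, so the inline `#` comment overstates its effect, and it would be cleaner to either drop the clause or move the comment into a `description:` that names the sort-loop pattern it is meant to pin down. The features that actually discriminate here are the `or 0x20202020` lowercase trick and the module-name and `Zw` comparisons as immediates, so a build that loads those constants from memory rather than encoding them inline would presumably not match; a short note on that limitation in the rule's description would help whoever triages a miss.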
@@ -20,7 +23,12 @@ rule:
 - os: android
 - api: syscall # https://man7.org/linux/man-pages/man2/syscall.2.html
 - and:
- - mnemonic: syscall
+ - or:
+ - mnemonic: sysenter
+ - mnemonic: syscall
+ - instruction:
+ - mnemonic: int
+ - operand[0].number: 0x2e
 - or:
 - mnemonic: ret
 - mnemonic: retn
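Review bot: The new `instruction:` branch matching `int` with `operand[0].number: 0x2e` carries no `description:`, unlike the other branches whose mnemonics are self-explanatory; adding `- description: "int 2e syscall entry"` as the first item under `- instruction:` (the commit message calls this int 2e syscall detection) records why that interrupt number in particular is matched. The enclosing `and` and the rule's outer `or` begin before this hunk, so it is not visible here whether this branch is gated by `os: windows`; if it is not, `sysenter` will also match 32-bit Linux/Android code, which may be intended given the `api: syscall` branch above but is worth confirming against the examples. The file is still under `nursery/`, so presumably each of the three alternatives in the new `or` should be backed by a sample before promotion.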