capa-rules
check .NET-Anti-Debug coverage
https://github.com/Outbuilt/.NET-Anti-Debug
- md5: `new System.Security.Cryptography.MD5CryptoServiceProvider()`, `ComputeHash`
- reference self file: `System.Diagnostics.Process.GetCurrentProcess().MainModule.FileName`, `Assembly.GetEntryAssembly().Location`
- is administrator:
  ```csharp
  // requires: using System.Security.Principal;
  private static bool IsAdministrator()
  {
      var identity = WindowsIdentity.GetCurrent();
      var principal = new WindowsPrincipal(identity);
      return principal.IsInRole(WindowsBuiltInRole.Administrator);
  }
  ```
- sandboxie detection: `SbieDll.dll`
- enumerate PIDs: `new PerformanceCounterCategory("Process")`, `GetInstanceNames`, `GetCounters`, `CounterName`, `"ID Process"`
- system proxy: `Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings`, `ProxyEnable`, `ProxyServer`
- spawn process: `new System.Diagnostics.ProcessStartInfo`, `System.Diagnostics.Process`
- timing: `Environment.TickCount`, `Thread.Sleep`
- anti vm: `Select * from Win32_ComputerSystem`, `virtual`, `vmware`, `virtualbox`
- anti vm: `SELECT * FROM Win32_VideoController`, `vmware`, `vbox`
- cpuid: `Win32_Processor`, `UniqueID`, `ProcessorID`, `Name`, `Manufacturer`
- biosid: `Win32_BIOS`, `Manufacturer`, `SMBIOSBIOSVersion`, `IdentificationCode`, `SerialNumber`, `ReleaseDate`, `Version`
- diskid: `Win32_DiskDrive`, `Model`, `Manufacturer`, `Signature`, `TotalHeads`
- motherboard id: `Win32_BaseBoard`, `Model`, `Manufacturer`, `Name`, `SerialNumber`
- video id: `Win32_VideoController`, `DriverVersion`, `Name`
- macid: `Win32_NetworkAdapterConfiguration`, `MACAddress`, `IPEnabled`
Hello everyone,
This issue appears to not have any progress since January, so I decided to contribute with my own rule.
- https://github.com/komen205/capa-rules/commit/6654612523cb3c0ae4b95ddcc9d2ab9197af3f29
The field that I targeted is: "anti vm: Select * from Win32_ComputerSystem, virtual, vmware, virtualbox"
I left the "examples" field empty as I'm not sure if any example is already on the capa-testfiles repo; if not, I can provide the EXE that I created and am using to test the rules.
I can also provide all the other rules if you let me take the issue.
I hope it helps, thanks!
Great, would be great if you want to tackle more rules here and contribute a PR. If there's no examples, you can provide them or place the rules in the nursery directory. Please also note the potential overlap with related rules, e.g., reference anti-VM strings targeting VMWare.
Hello,
Thanks for assigning the task to me.
The following rules mentioned are already done and I don't think there's any need to modify them.
- sandboxie detection: https://github.com/mandiant/capa-rules/blob/1fee68e72e5da3cf05cbf349d8b4df13dcf47a85/anti-analysis/anti-av/check-for-sandbox-and-av-modules.yml#L23
- md5: `new System.Security.Cryptography.MD5CryptoServiceProvider()`, `ComputeHash`
- is administrator: https://github.com/mandiant/capa-rules/blob/95dc5eb27f8037b114ac221ed3866d9f514dc424/host-interaction/session/get-session-integrity-level.yml#L19
I added the whole CPU information at host-interaction/hardware/cpu/get-cpu-information.yml, for reference: https://github.com/mandiant/capa-rules/commit/f2da1d499a381c0da34e6c822776fd985a7828e2
Regarding the following rules, I will add them to their respective file; I don't think there's a need to create a new one, and I will also target dotnet to prevent overlaps.
- anti vm: `Select * from Win32_ComputerSystem`, `virtual`, `vmware`, `virtualbox`
- anti vm: `SELECT * FROM Win32_VideoController`, `vmware`, `vbox`
For the rules targeting macid and Environment.TickCount, I have no idea where to put them, so I will add them to nursery later on.
Thanks :)
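For illustration, here is how a dotnet-scoped rule covering the two WMI anti-VM checks from the checklist could be written in capa's rule syntax. This is an added example, not a rule from the capa-rules repository or from the commits linked above; the author entry and the example hash are placeholders, and the `format: dotnet` feature is what keeps it from overlapping the native anti-VM string rules the maintainer mentions.

```yaml
rule:
  meta:
    name: check for VM via WMI query in dotnet
    namespace: anti-analysis/anti-vm/vm-detection
    authors:
      - PLACEHOLDER-AUTHOR   # placeholder, replace with the contributor's handle
    scopes:
      static: function
      dynamic: unsupported   # the rule relies on strings extracted from the assembly
    att&ck:
      - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
    mbc:
      - Anti-Behavioral Analysis::Virtual Machine Detection [B0009]
    references:
      - https://github.com/Outbuilt/.NET-Anti-Debug
    examples:
      - PLACEHOLDER-SHA256   # hash from capa-testfiles, or keep the rule under nursery/
  features:
    - and:
      # limit the match to .NET assemblies so native anti-VM string rules are not duplicated
      - format: dotnet
      # the WMI query text, matched case-insensitively (the checklist shows both casings)
      - or:
        - string: /select \* from win32_computersystem/i
        - string: /select \* from win32_videocontroller/i
      # a hypervisor marker that the query result is compared against; "virtual" alone is
      # broad, so requiring the WMI query in the same function keeps false positives down
      - or:
        - string: /vmware/i
        - string: /virtualbox/i
        - string: /vbox/i
        - string: /virtual/i
```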
Great, thanks for your work here!