
Add detection of direct and indirect system calls

Open atcuno opened this issue 1 year ago • 2 comments

@ikelos these are the priority after pe_symbols. Inheritance is used correctly (versioned, no overriding generator or run, basically the same as threads/thrdscan/etc. and others), so don't freak out when you see it and just enjoy the beautiful, reusable code. I also used namedtuples as a test run and it turned out pretty cool. I left many comments, including the args/returns, and both files pass black, mypy and pylint.

This implements two more of the DEFCON plugins for detecting malware that bypasses EDRs; they are required for the cutover release.

Detection of the HellsGate direct system call technique:

$ python3 vol.py --config halo.json windows.direct_system_calls
Volatility 3 Framework 2.10.0
Process	PID	Range	Address	Disasm
HellsGate.exe	920	\exclude_test\volexity\volexity\Saved Files\HalosGate\HellsGate.exe	0x7ff627831591	0x7ff627831591: mov r10, rcx; 0x7ff627831594: mov eax, dword ptr [rip + 0x3a66]; 0x7ff62783159a: syscall ; 0x7ff62783159c: ret ; 

Detection of the HellsHall indirect system call technique:

$ python3 vol.py --config hell.json windows.indirect_system_calls
Volatility 3 Framework 2.10.0
Process	PID	Range	Address	Disasm
HellsHall.exe	2112	\exclude_test\volexity\volexity\Saved Files\HalosGate\HellsHall.exee	0x7ff6949f165e	0x7ff6949f165e: mov r10, rcx; 0x7ff6949f1661: mov eax, dword ptr [rip + 0x3999]; 0x7ff6949f1667: jmp qword ptr [rip + 0x3997]; 

atcuno avatar Sep 12 '24 23:09 atcuno

This is ready @ikelos but the test failed as the test system doesn't have capstone, and it's part of the type hint. We need to:

  1. Get capstone into requirements.txt
  2. Update the test system to have capstone installed

atcuno avatar Oct 18 '24 16:10 atcuno

Capstone is already in requirements.txt, but needs to be added to test/requirements-testing.txt as part of the PR please.

It also indicates that the error checking isn't working, because volatility should not throw an exception when a module can't be found. I think that's because you've got it in the typing information, so it's accessed without a has_capstone guard in front of it. I'd try putting that in quotes to delay resolving, but otherwise you'll need to weaken the type constraints or have the whole plugin bail out as soon as capstone can't be found. It must be able to import successfully or fail gracefully, or it'll take the whole framework with it when the plugins are initially imported. Yarascan should be an example of a plugin that bails gracefully if a necessary module can't be found for it to be of any use...

ikelos avatar Oct 23 '24 23:10 ikelos

@atcuno, can you please add capstone to the test/requirements-testing.txt as part of this PR so we can get this merged please?

ikelos avatar Nov 07 '24 08:11 ikelos