Jump to content
Nytro

Dr.Semu

Recommended Posts

Dr.Semu

Dr.Semu runs executables in an isolated environment, monitors the behavior of a process, and based on Dr.Semu rules created by you or community, detects if the process is malicious or not.

drsemu

[The tool is in the early development stage]

whoami: @_qaz_qaz

Dr.Semu let you to create rules for different malware families and detect new samples based on their behavior.

Isolation through redirection

Everything happens from the user-mode. Windows Projected File System (ProjFS) is used to provide a virtual file system. For Registry redirection, it clones all Registry hives to a new location and redirects all Registry accesses (after caching Registry hives, all subsequent executions are very fast, ~0.3 sec.)

See the source code for more about other redirections (process/objects isolation, etc).

Monitoring

Dr.Semu uses DynamoRIO (Dynamic Instrumentation Tool Platform) to intercept a thread when it's about to cross the user-kernel line. It has the same effect as hooking SSDT but from the user-mode and without hooking anything.

At this phase, Dr.Semu produces a JSON file, which contains information from the interception.

Detection

After terminating the process, based on Dr.Semu rules we receive if the executable is detected as malware or not.

Dr.Semu rules

They are written in LUA and use dynamic information from the interception and static information about the sample. It's trivial to add support of other languages.

Example: https://gist.github.com/secrary/e16daf698d466136229dc417d7dbcfa3

Usage

  • Use PowerShell to enable ProjFS in an elevated PowerShell window:

Enable-WindowsOptionalFeature -Online -FeatureName Client-ProjFS -NoRestart

  • Download and extract a zip file from the releases page

  • Download DynamoRIO and extract into DrSemu folder and rename to dynamorio

DrSemu.exe --target file_path

DrSemu.exe --target files_directory

DEMO

DrSemu DEMO

BUILD

  • Use PowerShell to enable ProjFS in an elevated PowerShell window:

Enable-WindowsOptionalFeature -Online -FeatureName Client-ProjFS -NoRestart

powershell

  • Download DynamoRIO and extract into bin folder and rename to dynamorio

  • Build pe-parser-library.lib library:

    • Generate VS project from DrSemu\shared_libs\pe_parse using cmake-gui
    • Build 32-bit library under build (\shared_libs\pe_parse\build\pe-parser-library\Release\) and 64-bit one under build64
    • Change run-time library option to Multi-threaded (/MT)
  • Set LauncherCLI As StartUp Project

TODO

  • Solve isolation related issues
  • Update the description, add more details
  • Create a GUI for the tool

Limitations

  • Minimum supported Windows version: Windows 10, version 1809 (due to Windows Projected File System)
  • Maximum supported Windows version: Windows 10, version 1809 (DynamoRIO supports Windows 10 versions until 1809)

 

Sursa: https://github.com/secrary/DrSemu

  • Upvote 1
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...