Improved the import analysis plugin based on suggestions from @henke37

(fixes #5). Fixed compilation issues on Windows.
JusticeRage · May 10, 2016 · 1c03eae · 1c03eae
1 parent cc24390
commit 1c03eae
Show file tree

Hide file tree

Showing 5 changed files with 25 additions and 5 deletions.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -78,7 +78,7 @@ if (WIN32)
 
 			# Windows only plugins:
 			add_library(plugin_authenticode SHARED plugins/plugin_authenticode.cpp)
-			target_link_libraries(plugin_authenticode manape hash-library manacommons ${Boost_LIBRARIES})
+			target_link_libraries(plugin_authenticode manape hash-library manacommons yara ${Boost_LIBRARIES})
 else()
 			string (REGEX MATCH "BSD" IS_BSD ${CMAKE_SYSTEM_NAME}) # Detect if we are compiling on a BSD system.
 

diff --git a/bin/yara_rules/suspicious_strings.yara b/bin/yara_rules/suspicious_strings.yara
@@ -458,7 +458,7 @@ rule Antivirus
         $a454 = "srng.exe" nocase wide ascii
         $a455 = "ss3edit.exe" nocase wide ascii
         $a457 = "ssgrate.exe" nocase wide ascii
-        $a458 = "st2.exe" nocase wide ascii
+        $a458 = "st2.exe" nocase wide ascii fullword
         $a461 = "supftrl.exe" nocase wide ascii
         $a470 = "symproxysvc.exe" nocase wide ascii
         $a471 = "symtray.exe" nocase wide ascii

diff --git a/include/manape/resources.h b/include/manape/resources.h
@@ -130,7 +130,7 @@ class Resource
      * @param   const boost::filesystem::path& destination The place where the resource should
      *                                                     be written (i.e. "/tmp/image.bmp").
      */
-    bool extract(const boost::filesystem::path& destination);
+	DECLSPEC bool extract(const boost::filesystem::path& destination);
 
     /**
      * @brief   Extraction function dedicated to icons.
@@ -141,7 +141,7 @@ class Resource
      * @param   const boost::filesystem::path& destination The place where the resource should
      *                                                     be written (i.e. "/tmp/icon.ico").
      */
-    bool icon_extract(const boost::filesystem::path& destination,
+    DECLSPEC bool icon_extract(const boost::filesystem::path& destination,
                       const std::vector<boost::shared_ptr<Resource> >& resources);
 
 private:

diff --git a/include/manape/utils.h b/include/manape/utils.h
@@ -24,6 +24,7 @@
 #include <iostream>
 #include <string.h>
 #include <math.h>
+#include <vector>
 
 #include <boost/cstdint.hpp>
 #include <boost/shared_array.hpp>

diff --git a/plugins/plugin_imports.cpp b/plugins/plugin_imports.cpp
@@ -40,15 +40,28 @@ std::string wininet_api = "Internet(.*)|WSA(.*)|URLDownloadToFile(A|W)";
 
 std::string process_creation_api = "CreateProcess(.*)|system|WinExec|ShellExecute(A|W)";
 
+std::string process_manipulation_api = "EnumProcess*|OpenProcess|TerminateProcess|ReadProcessMemory|Process32(First|Next)(W)?";
+
+std::string service_manipulation_api = "OpenSCManager(A|W)|(Open|Control|Create|Delete)Service(A|W)?|QueryService*|"
+									   "ChangeServiceConfig(A|W)|EnumServicesStatus(Ex)?(A|W)";
+
 std::string privilege_api = "AdjustTokenPrivileges|IsNTAdmin|LsaEnumerateLogonSessions|SamQueryInformationUse|"
 							"SamIGetPrivateData|SfcTerminateWatcherThread|(Zw)?OpenProcessToken(Ex)?|(Zw)?DuplicateToken(Ex)?";
 
-std::string dynamic_import = "LoadLibrary(A|W)|GetProcAddress|LdrLoadDll|MmGetSystemRoutineAddress";
+std::string dacl_api = "SetKernelObjectSecurity|SetFileSecurity(A|W)|SetNamedSecurityInfo(A|W)|SetSecurityInfo";
+
+std::string dynamic_import = "(Co)?LoadLibrary(Ex)?(A|W)|GetProcAddress|LdrLoadDll|MmGetSystemRoutineAddress";
 
 std::string packer_api = "VirtualAlloc|VirtualProtect";
 
 std::string temporary_files = "GetTempPath(A|W)|(Create|Write)File(A|W)";
 
+std::string driver_enumeration = "EnumDeviceDrivers|GetDeviceDriver*";
+
+std::string eventlog_deletion = "EvtClearLog|ClearEventLog(A|W)";
+
+std::string screenshot_api = "CreateCompatibleDC|GetDC(Ex)?|FindWindow|PrintWindow|BitBlt";
+
 /**
  *	@brief	Checks the presence of some functions in the PE and updates the
  *			result accordingly.
@@ -115,6 +128,12 @@ class ImportsPlugin : public IPlugin
 		check_functions(pe, raw_socket_api, SUSPICIOUS, "Leverages the raw socket API to access the Internet", AT_LEAST_ONE, res);
 		check_functions(pe, wininet_api, NO_OPINION, "Has Internet access capabilities", AT_LEAST_ONE, res);
 		check_functions(pe, privilege_api, MALICIOUS, "Functions related to the privilege level", AT_LEAST_ONE, res);
+		check_functions(pe, service_manipulation_api, SUSPICIOUS, "Interacts with services", AT_LEAST_ONE, res);
+		check_functions(pe, driver_enumeration, SUSPICIOUS, "Enumerates drivers present on the system", AT_LEAST_ONE, res);
+		check_functions(pe, process_manipulation_api, SUSPICIOUS, "Manipulates other processes", AT_LEAST_ONE, res);
+		check_functions(pe, eventlog_deletion, MALICIOUS, "Deletes entries from the event log", AT_LEAST_ONE, res);
+		check_functions(pe, dacl_api, SUSPICIOUS, "Changes object ACLs", AT_LEAST_ONE, res);
+		check_functions(pe, screenshot_api, SUSPICIOUS, "Can take screenshots", AT_LEAST_TWO, res);
 
 		switch (res->get_level())
 		{