
Import analyzer plugin rule suggestions vol. 2 #9

Closed
henke37 opened this issue May 10, 2016 · 3 comments

Comments


henke37 commented May 10, 2016

  • LoadDriver: Yet another LoadLibrary replacement
  • LoadTypeLib: Possible LoadLibrary replacement?
  • waveInOpen|DirectSoundCaptureCreate: Records audio
  • EnableRouter|SetAdapterIpAddress|SetIpInterfaceEntry: Messes with the network configuration
  • OleGetClipboard: Reads the clipboard
  • CertAddCertificateContextToStore|CertOpenSystemStore: Manipulates the system certificate store
  • InitiateShutdown|ExitWindows: Turns the system off
  • Wmi*: Uses WMI
  • SHTestTokenMembership|CheckTokenMembership|IsUserAnAdmin: Checks for privileges
  • SHEnumKeyEx: Another way to access the registry

JusticeRage (Owner) commented

Thanks for these! I'll add them very soon as well.

JusticeRage (Owner) commented

  • According to the MSDN, LoadDriver is only available in Windows Mobile. As such, I'm not sure it should be included.
  • I have also tried to use LoadTypeLib to load a library such as kernel32, but was unable to do so - I'm assuming it can only be used to load .tlb libraries.
  • To the best of my knowledge, the WMI isn't accessed with direct WMI* calls but through COM requests instead. Are there specific WMI functions that you know about? In any case, thinking about the WMI gave me the idea to add all the well known namespaces (i.e. ROOT\CIMV2) to the suspicious strings plugin, so thanks for that!

I'm pushing the commit adding the rest of the suggestions in a minute, let me know if you consider that this issue can be closed.

JusticeRage added a commit that referenced this issue May 11, 2016
suggestions from @henke37 (#9).
Import research functions are now case insensitive by default (an option
was added to control this behavior, test case added as well).
A list of WMI namespaces was added to the suspicious strings.
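As an added example (not Manalyze's own code) of how import rules like the ones suggested above can be applied to a binary's import names, with the case-insensitive default the commit above introduces. The whole-name matching mode, the hypothetical `match_imports` helper and the constructed import list are assumptions of this example:

```cpp
#include <iostream>
#include <regex>
#include <string>
#include <vector>

// One rule: a regex over import names (alternatives joined with '|', as in
// the suggestions above) plus the description reported when an import matches.
struct ImportRule {
    std::string pattern;
    std::string description;
};

// Rules taken from the suggestions above (LoadDriver and LoadTypeLib left out,
// as the owner questioned them); "Wmi*" is written as the regex "Wmi.*".
static const std::vector<ImportRule> kRules = {
    {"waveInOpen|DirectSoundCaptureCreate", "Records audio"},
    {"EnableRouter|SetAdapterIpAddress|SetIpInterfaceEntry", "Messes with the network configuration"},
    {"OleGetClipboard", "Reads the clipboard"},
    {"CertAddCertificateContextToStore|CertOpenSystemStore", "Manipulates the system certificate store"},
    {"InitiateShutdown|ExitWindows", "Turns the system off"},
    {"Wmi.*", "Uses WMI"},
    {"SHTestTokenMembership|CheckTokenMembership|IsUserAnAdmin", "Checks for privileges"},
    {"SHEnumKeyEx", "Another way to access the registry"},
};

// Returns the description of every rule satisfied by at least one import, in
// rule order. An import must match a whole alternative (regex_match, not
// regex_search): that is this example's assumption, and it means a rule must
// list each export it should catch (user32 exports ExitWindowsEx, which the
// alternative "ExitWindows" does not match). With case_insensitive set,
// "WAVEINOPEN" and "waveInOpen" are treated alike.
std::vector<std::string> match_imports(const std::vector<std::string>& imports,
                                       bool case_insensitive = true) {
    std::vector<std::string> findings;
    auto flags = std::regex::ECMAScript;
    if (case_insensitive) flags |= std::regex::icase;
    for (const auto& rule : kRules) {
        const std::regex re(rule.pattern, flags);
        for (const auto& name : imports) {
            if (std::regex_match(name, re)) {
                findings.push_back(rule.description);
                break;  // report each rule once per binary
            }
        }
    }
    return findings;
}

int main() {
    // Constructed import table, not taken from any real sample.
    const std::vector<std::string> imports = {"GetProcAddress", "WAVEINOPEN",
                                              "WmiOpenBlock", "IsUserAnAdmin"};
    for (const auto& f : match_imports(imports)) std::cout << f << '\n';
}
```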
henke37 (Author) commented May 11, 2016

Yeah, that's fine with me.

henke37 closed this as completed May 11, 2016
JusticeRage added a commit that referenced this issue May 20, 2016
… DLLs

(#9).
Added new suspicious strings discovered in a recent TeslaCrypt sample
(references to system programs and CLSIDs used for VM detection).
Added a new PE function, `get_architecture()` to make the code more
readable.
Updated the PE specification in resources/ to the latest version.
Removed a warning related to the TLS directory: a reserved field is no
longer required to be NULL.
Updated `SECTION_CHARACTERISTICS` with new flags.
The imports plugin now looks for functions used to enumerate disk drives.
Sangrail pushed a commit to Sangrail/Manalyze that referenced this issue Aug 30, 2016
Sangrail pushed a commit to Sangrail/Manalyze that referenced this issue Aug 30, 2016