DrSemu - Malware Detection and Classification Tool Based on Dynamic Behavior [POC Project]
Lasha Khasaia
Latest commit 1565504 Oct 10, 2019

Dr.Semu

Dr.Semu runs executables in an isolated environment, monitors the behavior of the process, and, based on Dr.Semu rules created by you or the community, detects whether the process is malicious.

[The tool is in the early development stage]

whoami: @_qaz_qaz

With Dr.Semu you can create rules to detect malware based on the dynamic behavior of a process.

Isolation through redirection

Everything happens in user mode. Windows Projected File System (ProjFS) is used to provide a virtual file system. For Registry redirection, Dr.Semu clones all Registry hives to a new location and redirects all Registry accesses to the clone.

See the source code for details on the other redirections (process and object isolation, etc.).

Monitoring

Dr.Semu uses DynamoRIO (Dynamic Instrumentation Tool Platform) to intercept a thread when it is about to cross the user-kernel boundary. This has the same effect as hooking the SSDT, but it works from user mode and without hooking anything.

At this phase, Dr.Semu produces a JSON file, which contains information from the interception.

Detection

After the process terminates, the Dr.Semu rules are evaluated and report whether the executable is detected as malware or not.

Dr.Semu Rules/Detections

Dr.Semu rules

They are written in Python or Lua (located under dr_rules) and use dynamic information from the interception together with static information about the sample. It's trivial to add support for other languages.

Example (Python): https://gist.github.com/secrary/ac89321b8a7bde998a6e3139be49eb72

Example (Lua): https://gist.github.com/secrary/e16daf698d466136229dc417d7dbcfa3
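An added illustration of the detection step, not code from the Dr.Semu repository or its gists: two Python rules evaluated over a constructed interception report. The JSON field names ("static", "calls", "syscall", "args") and the syscall-level event shape are assumptions, since this README does not document the report schema.

```python
import json
import re

# Constructed sample in the shape Dr.Semu's interception JSON is assumed to take.
# The field names are hypothetical; the real schema is not documented here.
SAMPLE_REPORT = json.dumps({
    "static": {"arch": "x64", "imports": ["kernel32.dll", "advapi32.dll"]},
    "calls": [
        {"syscall": "NtOpenKey",
         "args": {"path": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}},
        {"syscall": "NtSetValueKey",
         "args": {"path": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
                  "value": "Updater"}},
        {"syscall": "NtCreateFile",
         "args": {"path": r"C:\Users\user\AppData\Roaming\upd.exe"}},
    ],
})

# Autostart keys (HKLM and any HKU hive) whose modification by a fresh sample is suspicious.
RUN_KEY_RE = re.compile(
    r"\\REGISTRY\\(MACHINE|USER\\[^\\]+)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$",
    re.IGNORECASE,
)


def rule_run_key_persistence(report):
    """Detect: a value was written under a Run/RunOnce key (persistence)."""
    for call in report.get("calls", []):
        path = call.get("args", {}).get("path", "")
        if call.get("syscall") == "NtSetValueKey" and RUN_KEY_RE.search(path):
            return True
    return False


def rule_drops_executable_in_appdata(report):
    """Detect: a new .exe was created under a user's AppData directory."""
    for call in report.get("calls", []):
        path = call.get("args", {}).get("path", "").lower()
        if call.get("syscall") == "NtCreateFile" and "\\appdata\\" in path and path.endswith(".exe"):
            return True
    return False


RULES = [rule_run_key_persistence, rule_drops_executable_in_appdata]


def evaluate(report_json):
    """Run every rule over a Dr.Semu-style JSON report; any hit means 'detected'."""
    report = json.loads(report_json)
    hits = [rule.__name__ for rule in RULES if rule(report)]
    return {"detected": bool(hits), "matched_rules": hits}
```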

Usage

  • Enable ProjFS from an elevated PowerShell window:

Enable-WindowsOptionalFeature -Online -FeatureName Client-ProjFS -NoRestart

DrSemu.exe --target file_path

DrSemu.exe --target files_directory

DEMO

DrSemu DEMO

BUILD

  • Enable ProjFS from an elevated PowerShell window:

Enable-WindowsOptionalFeature -Online -FeatureName Client-ProjFS -NoRestart

  • Install Python 3 x64

  • Download DynamoRIO, extract it into the bin folder, and rename the extracted directory to dynamorio

  • Build pe-parser-library.lib library:

    • Generate VS project from DrSemu\shared_libs\pe_parse using cmake-gui
    • Build the 32-bit library under build (\shared_libs\pe_parse\build\pe-parser-library\Release\) and the 64-bit one under build64
    • Change the run-time library option to Multi-threaded (/MT)
  • Set LauncherCLI as the StartUp Project

TODO

  • Solve isolation related issues
  • Improve synchronization
  • Update the description, add more details
  • Create a GUI for the tool

Limitations

  • Minimum supported Windows version: Windows 10, version 1809 (due to Windows Projected File System)
  • Maximum supported Windows version: Windows 10, version 1809 (DynamoRIO supports Windows 10 versions until 1809)