Version 5.8.8

marshyhub · Oct 4, 2023 · 699eff4 · 699eff4
1 parent 04af7dd
commit 699eff4
Show file tree

Hide file tree

Showing 16 changed files with 117 additions and 16 deletions.
diff --git a/README.md b/README.md
@@ -202,3 +202,4 @@ Latest:
 * C# API: improvements.
 * Java API: support for java.lang.foreign (JDK21+) for efficient memory accesses.
 * Linux PCIe FPGA performance improvements.
+* FindEvil: AV detections from Windows Defender residing on the analyzed system.
diff --git a/m_vmemd/version.h b/m_vmemd/version.h
@@ -3,8 +3,8 @@
 
 #define VERSION_MAJOR               5
 #define VERSION_MINOR               8
-#define VERSION_REVISION            7
-#define VERSION_BUILD               126
+#define VERSION_REVISION            8
+#define VERSION_BUILD               127
 
 #define VER_FILE_DESCRIPTION_STR    "MemProcFS : Plugin vmemd"
 #define VER_FILE_VERSION            VERSION_MAJOR, VERSION_MINOR, VERSION_REVISION, VERSION_BUILD

diff --git a/memprocfs/version.h b/memprocfs/version.h
@@ -3,8 +3,8 @@
 
 #define VERSION_MAJOR               5
 #define VERSION_MINOR               8
-#define VERSION_REVISION            7
-#define VERSION_BUILD               126
+#define VERSION_REVISION            8
+#define VERSION_BUILD               127
 
 #define VER_FILE_DESCRIPTION_STR    "MemProcFS"
 #define VER_FILE_VERSION            VERSION_MAJOR, VERSION_MINOR, VERSION_REVISION, VERSION_BUILD

diff --git a/vmm/Makefile b/vmm/Makefile
@@ -37,7 +37,7 @@ OBJ = oscompatibility.o charutil.o util.o pe.o vmmdll.o vmmdll_core.o        \
 	  modules/m_fc_ntfs.o modules/m_fc_proc.o modules/m_fc_registry.o        \
 	  modules/m_fc_sys.o modules/m_fc_thread.o modules/m_fc_timeline.o       \
 	  modules/m_fc_web.o modules/m_fc_yara.o                                 \
-	  modules/m_evil_kern1.o modules/m_evil_kernproc1.o                      \
+	  modules/m_evil_av1.o modules/m_evil_kern1.o modules/m_evil_kernproc1.o \
 	  modules/m_evil_proc1.o modules/m_evil_proc2.o modules/m_evil_proc3.o   \
 	  modules/m_evil_thread1.o                                               \
 	  modules/m_misc_bitlocker.o modules/m_misc_procinfo.o                   \

diff --git a/vmm/modules/m_evil_av1.c b/vmm/modules/m_evil_av1.c
@@ -0,0 +1,92 @@
+// m_evil_av1.c : various anti-virus detections.
+//
+// Detections:
+//  - Windows Defender: Malware Detected
+// 
+// (c) Ulf Frisk, 2023
+// Author: Ulf Frisk, [email protected]
+//
+
+#include "modules.h"
+#include "../vmmwinobj.h"
+
+#define MEVILAV1_MAX_FINDINGS_PER_FILE      64
+#define MEVILAV1_MAX_FILE_SIZE              0x10000000       // 256MB
+
+VOID MEvilAV1_DoWork_WinDefend_MPLog(_In_ VMM_HANDLE H, _In_ VMMDLL_MODULE_ID MID, _In_ POB_VMMWINOBJ_FILE pFile)
+{
+    SIZE_T oFile = 0, cbFile = 0, cbLine;
+    PBYTE pbFile = NULL;
+    LPSTR uszText = NULL, uszLine, szTokenizerContext;
+    DWORD cProtect = 0;
+    // read file:
+    cbFile = min(MEVILAV1_MAX_FILE_SIZE, pFile->cb);
+    if(!cbFile || !(pbFile = LocalAlloc(0, cbFile + 1))) { goto fail; }
+    if(0 == VmmWinObjFile_Read(H, pFile, 0, pbFile, (DWORD)cbFile, VMMDLL_FLAG_ZEROPAD_ON_FAIL)) { goto fail; }
+    pbFile[cbFile] = 0;
+    // data is likely to be zero-padded on a per-page basis and will be in UTF-16LE, convert to UTF-8:
+    while(oFile < cbFile) {
+        if(!pbFile[oFile]) {
+            oFile = (oFile + 0x1000) & ~0xfff;
+            continue;
+        }
+        if(CharUtil_WtoU((LPWSTR)(pbFile + oFile), (DWORD)-1, NULL, 0, &uszText, NULL, CHARUTIL_FLAG_ALLOC)) {
+            // iterate per-line in text:
+            szTokenizerContext = NULL;
+            uszLine = strtok_s(uszText, "\r\n", &szTokenizerContext);
+            while(uszLine) {
+                cbLine = strlen(uszLine);
+                if(cbLine > 25) {
+                    if(CharUtil_StrStartsWith(uszLine + 25, "DETECTIONEVENT", FALSE) || CharUtil_StrStartsWith(uszLine + 25, "DETECTION_ADD", FALSE)) {
+                        cProtect++;
+                        if(cProtect < MEVILAV1_MAX_FINDINGS_PER_FILE) {
+                            FcEvilAdd(H, EVIL_AV_DETECT, NULL, 0, "AV:[Windows Defender] EVENT:[%s]", uszLine);
+                            VmmLog(H, MID, LOGLEVEL_5_DEBUG, "DETECTION: AV:[Windows Defender] EVENT:[%s]", uszLine);
+                        }
+                    }
+                }
+                uszLine = strtok_s(NULL, "\r\n", &szTokenizerContext);
+            }
+            LocalFree(uszText);
+            uszText = NULL;
+        }
+        while((oFile < cbFile) && pbFile[oFile]) {
+            oFile += 0x1000;
+        }
+    }
+fail:
+    LocalFree(pbFile);
+}
+
+VOID MEvilAV1_DoWork(_In_ VMM_HANDLE H, _In_ VMMDLL_MODULE_ID MID, _In_opt_ PVOID ctxfc)
+{
+    // Iterate all files to find anti-virus log files:
+    POB_MAP pmObFiles = NULL;
+    POB_SET psObDuplicates = NULL;
+    POB_VMMWINOBJ_FILE pObFile = NULL;
+    psObDuplicates = ObSet_New(H);
+    if(VmmWinObjFile_GetAll(H, &pmObFiles)) {
+        while((pObFile = ObMap_GetNext(pmObFiles, pObFile))) {
+            // Windows Defender MPLog:
+            if(CharUtil_StrStartsWith(pObFile->uszName, "MPLog-", FALSE) && CharUtil_StrStartsWith(pObFile->uszPath, "\\ProgramData\\Microsoft\\Windows Defender\\Support\\MPLog-", FALSE)) {
+                if(ObSet_Push(psObDuplicates, CharUtil_Hash64U(pObFile->uszPath, FALSE))) {
+                    VmmLog(H, MID, LOGLEVEL_5_DEBUG, "ANALYZE_FILE: AV:[Windows Defender] FILE:[%s]", pObFile->uszPath);
+                    MEvilAV1_DoWork_WinDefend_MPLog(H, MID, pObFile);
+                }
+            }
+        }
+    }
+    Ob_DECREF(psObDuplicates);
+    Ob_DECREF(pmObFiles);
+}
+
+VOID M_Evil_AV1(_In_ VMM_HANDLE H, _Inout_ PVMMDLL_PLUGIN_REGINFO pRI)
+{
+    if((pRI->magic != VMMDLL_PLUGIN_REGINFO_MAGIC) || (pRI->wVersion != VMMDLL_PLUGIN_REGINFO_VERSION)) { return; }
+    // register findevil plugin:
+    strcpy_s(pRI->reg_info.uszPathName, 128, "\\findevil\\EvAV1");
+    pRI->reg_info.fRootModule = TRUE;
+    pRI->reg_info.fRootModuleHidden = TRUE;
+    pRI->reg_fnfc.pfnFindEvil = MEvilAV1_DoWork;
+    pRI->pfnPluginManager_Register(H, pRI);
+}
diff --git a/vmm/modules/m_evil_kernproc1.c b/vmm/modules/m_evil_kernproc1.c
@@ -26,6 +26,7 @@ VOID MEvilKernProc1_PeHdrSpoof(_In_ VMM_HANDLE H, _In_ PVMM_PROCESS pProcess)
     IMAGE_SECTION_HEADER Section;
     PVMM_MAP_MODULEENTRY peModule;
     PVMMOB_MAP_MODULE pObModuleMap = NULL;
+    if(CharUtil_StrEquals(pProcess->szName, "csrss.exe", TRUE)) { goto fail; }
     if(!VmmMap_GetModule(H, pProcess, 0, &pObModuleMap)) { goto fail; }
     for(i = 0; i < pObModuleMap->cMap; i++) {
         peModule = pObModuleMap->pMap + i;
@@ -57,7 +58,7 @@ VOID MEvilKernProc1_DoWork(_In_ VMM_HANDLE H, _In_ VMMDLL_MODULE_ID MID, _In_opt
     Ob_DECREF(pObProcess);
 }
 
-VOID M_EvilMEvilKernProc1(_In_ VMM_HANDLE H, _Inout_ PVMMDLL_PLUGIN_REGINFO pRI)
+VOID M_Evil_KernProc1(_In_ VMM_HANDLE H, _Inout_ PVMMDLL_PLUGIN_REGINFO pRI)
 {
     if((pRI->magic != VMMDLL_PLUGIN_REGINFO_MAGIC) || (pRI->wVersion != VMMDLL_PLUGIN_REGINFO_VERSION)) { return; }
     if(pRI->sysinfo.f32 || (pRI->sysinfo.dwVersionBuild < 9600)) { return; }    // only support 64-bit Win8.1+ for now

diff --git a/vmm/modules/modules.h b/vmm/modules/modules.h
@@ -22,6 +22,7 @@
 
 
 // EVIL TYPES: (max length = 15 chars):
+static const VMMEVIL_TYPE EVIL_AV_DETECT    = { .Name = "AV_DETECT",    .Severity = 0xf000 };
 static const VMMEVIL_TYPE EVIL_PE_INJECT    = { .Name = "PE_INJECT",    .Severity = 0xe000 };
 static const VMMEVIL_TYPE EVIL_PROC_NOLINK  = { .Name = "PROC_NOLINK",  .Severity = 0xd000 };
 static const VMMEVIL_TYPE EVIL_PROC_PARENT  = { .Name = "PROC_PARENT",  .Severity = 0xc000 };

diff --git a/vmm/modules/modules_init.h b/vmm/modules/modules_init.h
@@ -71,11 +71,12 @@ VOID M_FcYara_Initialize(_In_ VMM_HANDLE H, _Inout_ PVMMDLL_PLUGIN_REGINFO pRI);
 * Initalization functions for FINDEVIL related modules.
 */
 VOID M_Evil_Kern1(_In_ VMM_HANDLE H, _Inout_ PVMMDLL_PLUGIN_REGINFO pPluginRegInfo);
-VOID M_EvilMEvilKernProc1(_In_ VMM_HANDLE H, _Inout_ PVMMDLL_PLUGIN_REGINFO pPluginRegInfo);
+VOID M_Evil_KernProc1(_In_ VMM_HANDLE H, _Inout_ PVMMDLL_PLUGIN_REGINFO pPluginRegInfo);
 VOID M_Evil_Proc1(_In_ VMM_HANDLE H, _Inout_ PVMMDLL_PLUGIN_REGINFO pPluginRegInfo);
 VOID M_Evil_Proc2(_In_ VMM_HANDLE H, _Inout_ PVMMDLL_PLUGIN_REGINFO pPluginRegInfo);
 VOID M_Evil_Proc3(_In_ VMM_HANDLE H, _Inout_ PVMMDLL_PLUGIN_REGINFO pPluginRegInfo);
 VOID M_Evil_Thread1(_In_ VMM_HANDLE H, _Inout_ PVMMDLL_PLUGIN_REGINFO pPluginRegInfo);
+VOID M_Evil_AV1(_In_ VMM_HANDLE H, _Inout_ PVMMDLL_PLUGIN_REGINFO pPluginRegInfo);
 
 /*
 * Initialization functions for PROCESS related modules.
@@ -146,11 +147,12 @@ VOID(*g_pfnModulesAllInternal[])(_In_ VMM_HANDLE H, _In_ PVMMDLL_PLUGIN_REGINFO
     M_FcYara_Initialize,
     // findevil modules
     M_Evil_Kern1,
-    M_EvilMEvilKernProc1,
+    M_Evil_KernProc1,
     M_Evil_Proc1,
     M_Evil_Proc2,
     M_Evil_Proc3,
     M_Evil_Thread1,
+    M_Evil_AV1,
 #ifdef _WIN32
     // windows-only modules:
     M_SysCert_Initialize,           // req: winapi

diff --git a/vmm/version.h b/vmm/version.h
@@ -3,8 +3,8 @@
 
 #define VERSION_MAJOR               5
 #define VERSION_MINOR               8
-#define VERSION_REVISION            7
-#define VERSION_BUILD               126
+#define VERSION_REVISION            8
+#define VERSION_BUILD               127
 
 #define VER_FILE_DESCRIPTION_STR    "MemProcFS : Core"
 #define VER_FILE_VERSION            VERSION_MAJOR, VERSION_MINOR, VERSION_REVISION, VERSION_BUILD

diff --git a/vmm/vmm.vcxproj b/vmm/vmm.vcxproj
@@ -380,6 +380,7 @@
     <ClCompile Include="mm\mm_x86.c" />
     <ClCompile Include="mm\mm_x86pae.c" />
     <ClCompile Include="modules\m_conf.c" />
+    <ClCompile Include="modules\m_evil_av1.c" />
     <ClCompile Include="modules\m_evil_kern1.c" />
     <ClCompile Include="modules\m_evil_kernproc1.c" />
     <ClCompile Include="modules\m_evil_proc1.c" />

diff --git a/vmm/vmm.vcxproj.filters b/vmm/vmm.vcxproj.filters
@@ -485,6 +485,9 @@
     <ClCompile Include="modules\m_fc_web.c">
       <Filter>Source Files\modules</Filter>
     </ClCompile>
+    <ClCompile Include="modules\m_evil_av1.c">
+      <Filter>Source Files\modules</Filter>
+    </ClCompile>
   </ItemGroup>
   <ItemGroup>
     <None Include="vmmdll.def">

diff --git a/vmmpyc/version.h b/vmmpyc/version.h
@@ -3,8 +3,8 @@
 
 #define VERSION_MAJOR               5
 #define VERSION_MINOR               8
-#define VERSION_REVISION            7
-#define VERSION_BUILD               126
+#define VERSION_REVISION            8
+#define VERSION_BUILD               127
 
 #define VER_FILE_DESCRIPTION_STR    "MemProcFS : Python API"
 #define VER_FILE_VERSION            VERSION_MAJOR, VERSION_MINOR, VERSION_REVISION, VERSION_BUILD

diff --git a/vmmrust/leechcore_example/Cargo.toml b/vmmrust/leechcore_example/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "leechcore_example"
-version = "5.8.7"
+version = "5.8.8"
 edition = "2021"
 publish = false
 

diff --git a/vmmrust/m_example_plugin/Cargo.toml b/vmmrust/m_example_plugin/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "m_example_plugin"
-version = "5.8.7"
+version = "5.8.8"
 edition = "2021"
 publish = false
 

diff --git a/vmmrust/memprocfs/Cargo.toml b/vmmrust/memprocfs/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "memprocfs"
-version = "5.8.7"
+version = "5.8.8"
 edition = "2021"
 description = "MemProcFS - Physical Memory Analysis Framework"
 homepage = "https://github.com/ufrisk/MemProcFS"

diff --git a/vmmrust/memprocfs_example/Cargo.toml b/vmmrust/memprocfs_example/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "memprocfs_example"
-version = "5.8.7"
+version = "5.8.8"
 edition = "2021"
 publish = false