Licence: gpl-3.0
DrSemu - Sandboxed Malware Detection and Classification Tool Based on Dynamic Behavior


Dr.Semu

Dr.Semu runs executables in an isolated environment, monitors the behavior of a process, and based on Dr.Semu rules created by you or the community, detects if the process is malicious or not.

[The tool is in the early development stage]

whoami: @_qaz_qaz

With Dr.Semu you can create rules to detect malware based on dynamic behavior of a process.

Isolation through redirection

Everything happens in user mode. Windows Projected File System (ProjFS) is used to provide a virtual file system. For Registry redirection, Dr.Semu clones all Registry hives to a new location and redirects every Registry access of the monitored process to the clone.

See the source code for more about other redirections (process/objects isolation, etc).
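The redirection idea above can be shown with a small path rewriter. This is an added illustration, not Dr.Semu's own code: the clone location (`CLONE_ROOT`), the hive alias table and the function names are assumptions made for the example. The point worth seeing is the idempotency check: a path that already points inside the clone must be returned unchanged, otherwise the sandbox's own accesses to the clone would be redirected again on every hook.

```python
# Illustrative registry-path redirection, in the spirit of the hive cloning
# described above. Not Dr.Semu's implementation; layout and names are assumed.

# Assumed location of the cloned hives inside the sandbox (constructed value).
CLONE_ROOT = r"HKEY_CURRENT_USER\Software\SandboxClone"

# Canonical hive names and the short aliases Windows tooling commonly accepts.
HIVE_ALIASES = {
    "HKEY_LOCAL_MACHINE": "HKLM",
    "HKEY_CURRENT_USER": "HKCU",
    "HKEY_CLASSES_ROOT": "HKCR",
    "HKEY_USERS": "HKU",
    "HKEY_CURRENT_CONFIG": "HKCC",
}
_ALIAS_TO_CANON = {alias: canon for canon, alias in HIVE_ALIASES.items()}


def canonicalize(path: str) -> str:
    """Normalise separators, strip stray backslashes and expand hive aliases.

    Matching is case-insensitive for the hive root only; the remainder of the
    key path is preserved as written so the caller can still see it verbatim.
    """
    path = path.replace("/", "\\").strip("\\")
    root, _, rest = path.partition("\\")
    root_upper = _ALIAS_TO_CANON.get(root.upper(), root.upper())
    return root_upper + ("\\" + rest if rest else "")


def redirect(path: str) -> str:
    """Map a registry path to its location under the cloned hives.

    Raises ValueError for an unrecognised hive root so that an unexpected
    access is surfaced rather than silently passed through to the real hive.
    """
    canon = canonicalize(path)
    upper = canon.upper()
    clone_upper = CLONE_ROOT.upper()
    # Idempotency: never redirect a path that is already inside the clone.
    if upper == clone_upper or upper.startswith(clone_upper + "\\"):
        return canon
    root, _, rest = canon.partition("\\")
    if root not in HIVE_ALIASES:
        raise ValueError(f"unknown hive root: {root}")
    short = HIVE_ALIASES[root]
    return CLONE_ROOT + "\\" + short + ("\\" + rest if rest else "")


if __name__ == "__main__":
    print(redirect(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"))
    print(redirect("hkcu/Software/Example"))
```

Both the long and the short hive names resolve to the same clone sub-tree, and feeding an already redirected path back in returns it unchanged.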

Monitoring

Dr.Semu uses DynamoRIO (Dynamic Instrumentation Tool Platform) to intercept a thread when it is about to cross the user/kernel boundary. This has the same effect as hooking the SSDT, but from user mode and without hooking anything.

At this phase, Dr.Semu produces a JSON file, which contains information from the interception.

Detection

After the process terminates, the Dr.Semu rules are evaluated against the collected information and report whether the executable is detected as malware or not.

Dr.Semu Rules/Detections

Dr.Semu rules

They are written in Python or Lua (located under dr_rules) and use dynamic information from the interception together with static information about the sample. Adding support for other languages is trivial.

Example (Python): https://gist.github.com/secrary/ac89321b8a7bde998a6e3139be49eb72

Example (Lua): https://gist.github.com/secrary/e16daf698d466136229dc417d7dbcfa3
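To make the "JSON file from the interception" and the "rules over dynamic plus static information" concrete, here is an added Python example written for this page; it is not one of the project's rules and does not use Dr.Semu's real rule API or JSON schema. The trace layout (a `sample` block with static facts and an `events` list of intercepted system calls), the field names, the rule weights and the threshold are all assumptions. Each rule is a plain function over the event list, and the two stronger rules correlate pairs of events (a file the process wrote, then a Run-key value or a new process pointing at that same file) rather than firing on a single call.

```python
import json
from typing import Callable, Dict, List

# Constructed sample traces. The JSON shape is an assumption for this example,
# not Dr.Semu's actual output format.
SUSPICIOUS_TRACE = json.dumps({
    "sample": {"path": "C:\\lab\\sample.exe", "is_signed": False},
    "events": [
        {"syscall": "NtCreateFile", "path": "C:\\Users\\lab\\AppData\\Local\\Temp\\svc.exe", "access": "write"},
        {"syscall": "NtSetValueKey", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
         "data": "C:\\Users\\lab\\AppData\\Local\\Temp\\svc.exe"},
        {"syscall": "NtCreateUserProcess", "image": "C:\\Users\\lab\\AppData\\Local\\Temp\\svc.exe"},
        {"syscall": "NtOpenProcess", "target_image": "C:\\Windows\\System32\\lsass.exe", "access": "PROCESS_VM_READ"},
    ],
})

BENIGN_TRACE = json.dumps({
    "sample": {"path": "C:\\lab\\notes.exe", "is_signed": True},
    "events": [
        {"syscall": "NtCreateFile", "path": "C:\\Users\\lab\\Documents\\notes.txt", "access": "write"},
        {"syscall": "NtQueryValueKey", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"},
    ],
})

Event = Dict[str, str]
Rule = Callable[[List[Event], Dict[str, object]], bool]


def _written_files(events: List[Event]) -> set:
    """Lower-cased paths of every file the monitored process opened for writing."""
    return {e["path"].lower() for e in events
            if e["syscall"] == "NtCreateFile" and e.get("access") == "write"}


def rule_run_key_persists_dropped_file(events: List[Event], sample: Dict[str, object]) -> bool:
    """A Run-key value that points at a file this very process wrote."""
    dropped = _written_files(events)
    return any(e["syscall"] == "NtSetValueKey"
               and "\\currentversion\\run" in e.get("key", "").lower()
               and e.get("data", "").lower() in dropped
               for e in events)


def rule_executes_own_drop_from_temp(events: List[Event], sample: Dict[str, object]) -> bool:
    """The process launches a file it dropped into a Temp directory."""
    dropped = _written_files(events)
    return any(e["syscall"] == "NtCreateUserProcess"
               and "\\temp\\" in e.get("image", "").lower()
               and e["image"].lower() in dropped
               for e in events)


def rule_reads_lsass_memory(events: List[Event], sample: Dict[str, object]) -> bool:
    """The process opens lsass.exe with memory-read access."""
    return any(e["syscall"] == "NtOpenProcess"
               and e.get("target_image", "").lower().endswith("\\lsass.exe")
               and "PROCESS_VM_READ" in e.get("access", "")
               for e in events)


# Weighted rule set (weights and threshold are assumed values for this example).
RULES: Dict[str, tuple] = {
    "run_key_persists_dropped_file": (rule_run_key_persists_dropped_file, 40),
    "executes_own_drop_from_temp": (rule_executes_own_drop_from_temp, 30),
    "reads_lsass_memory": (rule_reads_lsass_memory, 50),
}
THRESHOLD = 50


def evaluate(trace_json: str) -> dict:
    """Run every rule over the trace and return a verdict with the evidence."""
    trace = json.loads(trace_json)
    events, sample = trace["events"], trace["sample"]
    matched = [name for name, (fn, _) in RULES.items() if fn(events, sample)]
    score = sum(RULES[name][1] for name in matched)
    # Static information only nudges the score; it never triggers detection alone.
    if matched and not sample.get("is_signed", False):
        score += 10
    return {"malicious": score >= THRESHOLD, "score": score, "matched": matched}


if __name__ == "__main__":
    print(json.dumps(evaluate(SUSPICIOUS_TRACE), indent=2))
    print(json.dumps(evaluate(BENIGN_TRACE), indent=2))
```

Keeping the matched rule names in the verdict is deliberate: a bare "malicious" flag is hard to triage, whereas the list of rules that fired tells an analyst which behaviours in the trace to look at first.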

Usage

  • Use PowerShell to enable ProjFS in an elevated PowerShell window:

Enable-WindowsOptionalFeature -Online -FeatureName Client-ProjFS -NoRestart

DrSemu.exe --target file_path

DrSemu.exe --target files_directory

DEMO

DrSemu DEMO

BUILD

  • Use PowerShell to enable ProjFS in an elevated PowerShell window:

Enable-WindowsOptionalFeature -Online -FeatureName Client-ProjFS -NoRestart

  • Install Python 3 x64

  • Download DynamoRIO, extract it into the bin folder, and rename the extracted folder to dynamorio

  • Build pe-parser-library.lib library:

    • Generate VS project from DrSemu\shared_libs\pe_parse using cmake-gui
    • Build the 32-bit library under build (\shared_libs\pe_parse\build\pe-parser-library\Release\) and the 64-bit one under build64
    • Change run-time library option to Multi-threaded (/MT)
  • Set LauncherCLI As StartUp Project

TODO

  • Solve isolation related issues
  • Improve synchronization
  • Update the description, add more details
  • Create a GUI for the tool

Limitations

  • Minimum supported Windows version: Windows 10, version 1809 (due to Windows Projected File System)
  • Maximum supported Windows version: Windows 10, version 1809 (DynamoRIO supports Windows 10 versions up to 1809)