
Change the logic of detection #446

Merged: 8 commits, Sep 28, 2024

Conversation

para0x0dise
Contributor

@para0x0dise para0x0dise commented Sep 2, 2024

The signature is only triggered by the NtReadFile API, which requires the file to exist; however, if the browser is not installed on the guest VM, the signature won't be triggered. Most info stealers first check for the file's existence using the PathFileExists API, which internally calls the NtQueryAttributesFile API.

Also, I have added a counter so that the signature fires only if it hits a defined threshold, rather than in general, to avoid false positives.

@doomedraven
Collaborator

Looks good to me, but let's wait for @kevoreilly's review too.

@kevoreilly
Collaborator

I may be being a n00b here, but are these 'double datas' intended?

            # Google Chrome
            re.compile(".*\\\\Application\\ Data Data\\\\Google\\\\Chrome\\\\.*", re.I),
            re.compile(".*\\\\Local\\\\Google\\\\Chrome\\\\User\\ Data\\\\Default\\\\.*", re.I),
            re.compile(".*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User\\ Data\\\\Default\\\\.*", re.I),

            # Chromium-based Browsers
            re.compile(".*\\\\Application\\ Data Data\\\\Chromium\\\\.*", re.I),
            re.compile(".*\\\\AppData\\\\Local\\\\Chromium\\\\.*", re.I),
            re.compile(".*\\\\Application\\ Data Data\\\\ChromePlus\\\\.*", re.I),
            re.compile(".*\\\\AppData\\\\Local\\\\MapleStudio\\\\ChromePlus\\\\.*", re.I),
            re.compile(".*\\\\Application\\ Data Data\\\\Nichrome\\\\.*", re.I),
            re.compile(".*\\\\Application\\ Data Data\\\\Bromium\\\\.*", re.I),
            re.compile(".*\\\\Application\\ Data Data\\\\RockMelt\\\\.*", re.I),
            re.compile(".*\\\\Application\\ Data Data\\\\Flock\\\\.*", re.I),
            re.compile(".*\\\\AppData\\\\Local\\\\Flock\\\\.*", re.I),
            re.compile(".*\\\\Application\\ Data Data\\\\Comodo\\\\Dragon\\\\.*", re.I),
            re.compile(".*\\\\AppData\\\\Local\\\\Comodo\\\\Dragon\\\\.*", re.I),
            re.compile(".*\\\\BraveSoftware\\\\Brave-Browser\\\\User\\ Data\\\\Default\\\\.*", re.I),

            # Opera
            re.compile(".*\\\\Application\\ Data Data\\\\Opera\\\\.*", re.I),

@doomedraven
Collaborator

Yes, if no r prefix is used.

@doomedraven
Collaborator

doomedraven commented Sep 28, 2024

Why is Data duplicated? I mean Application\\ Data Data.

@para0x0dise
Contributor Author

> Why is Data duplicated? I mean Application\\ Data Data.

Hello, sorry for the delay. You are right, it's my mistake.

@doomedraven
Collaborator

OK, cool, thanks. I'm doing some fixes to general sigs before I leave for PTO, as I just got too many deprecation errors on my server :D

@doomedraven
Collaborator

Ah, and I have reintroduced some logic, so we can properly cover it:

if call["api"] == "NtReadFile":
    filename = self.get_argument(call, "HandleName")
elif call["api"] == "NtQueryAttributesFile":
    filename = self.get_argument(call, "FileName")
else:
    filename = self.get_argument(call, "ExistingFileName")
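
Putting the two ideas in this thread together (the opening description's point that an existence probe via NtQueryAttributesFile should count even when the browser is not installed in the guest, plus a hit threshold to limit false positives, and the API-to-argument dispatch just above), here is an added, stand-alone Python sketch. It is not the CAPE signature itself nor any code from this PR. It assumes a simplified call record shape ({"api": ..., "arguments": [{"name": ..., "value": ...}]}), a constructed subset of the browser path patterns rewritten as raw strings, constructed sample traces, and a threshold of 3; the argument names HandleName, FileName and ExistingFileName are taken from the snippet above, and the use of ExistingFileName for CopyFileA is an assumption.

```python
import re

# Constructed subset of the browser-profile patterns from this PR, written as
# raw strings so that "\\" in the regex is one literal backslash in the path
# (the non-raw "\\\\" form is what made the doubled "Data" easy to miss).
BROWSER_PROFILE_PATTERNS = [
    re.compile(r".*\\Application Data\\Google\\Chrome\\.*", re.I),
    re.compile(r".*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\.*", re.I),
    re.compile(r".*\\AppData\\Local\\Chromium\\.*", re.I),
    re.compile(r".*\\BraveSoftware\\Brave-Browser\\User Data\\Default\\.*", re.I),
    re.compile(r".*\\Application Data\\Opera\\.*", re.I),
]

# Which argument carries the path, per API (mirrors the if/elif/else above).
# Any other API falls back to "ExistingFileName", as in that snippet.
PATH_ARGUMENT = {
    "NtReadFile": "HandleName",
    "NtQueryAttributesFile": "FileName",
}
DEFAULT_PATH_ARGUMENT = "ExistingFileName"


def get_argument(call, name):
    """Return the value of the named argument of a call record, or None."""
    for arg in call.get("arguments", []):
        if arg.get("name") == name:
            return arg.get("value")
    return None


def filename_from_call(call):
    """Pick the path argument for this API, so that a mere existence probe
    (NtQueryAttributesFile) counts even when the file was never opened."""
    return get_argument(call, PATH_ARGUMENT.get(call["api"], DEFAULT_PATH_ARGUMENT))


class BrowserProfileAccess:
    """Counts calls touching browser profile paths; fires only at a threshold
    (assumed value) so a single incidental read does not raise the alert."""

    def __init__(self, threshold=3):
        self.threshold = threshold
        self.hits = []  # (api, path) pairs kept for the report

    def on_call(self, call):
        path = filename_from_call(call)
        if path and any(p.match(path) for p in BROWSER_PROFILE_PATTERNS):
            self.hits.append((call["api"], path))
        return len(self.hits) >= self.threshold

    def on_complete(self):
        return len(self.hits) >= self.threshold


def evaluate(calls, threshold=3):
    """Run the signature over a list of call records; return (fired, hits)."""
    sig = BrowserProfileAccess(threshold)
    for call in calls:
        sig.on_call(call)
    return sig.on_complete(), sig.hits


def _call(api, arg, value):
    """Build a constructed call record in the simplified shape assumed here."""
    return {"api": api, "arguments": [{"name": arg, "value": value}]}


# Constructed trace: a process probing several profiles that do not exist in
# the VM (so NtReadFile never happens), plus one copy of a Chrome file.
STEALER_TRACE = [
    _call("NtQueryAttributesFile", "FileName",
          r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    _call("NtQueryAttributesFile", "FileName",
          r"C:\Documents and Settings\victim\Application Data\Opera\Opera\wand.dat"),
    _call("NtQueryAttributesFile", "FileName",
          r"C:\Users\victim\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
    _call("NtQueryAttributesFile", "FileName",
          r"C:\Users\victim\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Cookies"),
    _call("CopyFileA", "ExistingFileName",
          r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
]

# Constructed trace: an ordinary process reads one Chrome file and a DLL.
BENIGN_TRACE = [
    _call("NtReadFile", "HandleName",
          r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Preferences"),
    _call("NtReadFile", "HandleName", r"C:\Windows\System32\kernel32.dll"),
]

if __name__ == "__main__":
    for name, trace in (("stealer-like", STEALER_TRACE), ("benign", BENIGN_TRACE)):
        fired, hits = evaluate(trace)
        print(f"{name}: fired={fired}, hits={len(hits)}")
```

With the threshold at 3, the probing trace fires (four matching paths, none of which was ever read) while the benign trace, which touches a single profile file, does not; lowering the threshold to 1 shows why the counter matters.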

@doomedraven
Collaborator

Check it now please; if it looks fine to you then I'm merging it.

@para0x0dise
Contributor Author

> Check it now please; if it looks fine to you then I'm merging it.

I have modified some regexes; I don't remember why I used \\User \\Data instead of \\User Data :), and I have added new paths to include AppData.

@doomedraven
Collaborator

Thanks, looks fine to me, sorry for the delay.

@doomedraven doomedraven merged commit b000e80 into CAPESandbox:master Sep 28, 2024
2 checks passed