Windows: Added '--refined' option to windows malfind plugin #1071
Conversation
Also updated malfind to include "\x55\x48" and "\x55\x89" as part of the refined_criteria list.
|
Thanks, this looks good I'm just wondering if |
|
Ok, so we had a bit of a think about this and in general I'm not keen on flags that alter the output of the plugin because that's technically making the plugin decide what's really a user interface decision (do I display this data or not). So in this instance, it might be better to add a permanent column that either lists attributes (like "Common opcodes" or "MZ header" or "PUSH ebp") or a score indicating a change of malware (probably a numeric value to allow for future expansion and tweaking, even if at the moment it only ever returns 0 and 100). We don't yet have filtering capabilities for the CLI, but this may also encourage people to build a better UI for processing the results of volatility. Returning a list of attributes might get messy on the CLI and be difficult to parse for another program, but might be easier to see from a human readable perspective. So either of those work, whichever you think works better? |
…s a command line option and instead added an additional column called "Notes" to provide info on common headers.
…if a process meets a "refined criteria", meaning it has a common header type (MZ, PE, or a function prologue).
…cess meets "refined" criteria, which includes common headers like MZ,PE or function prologues. Fixed black formatting issue.
|
After thinking about this, I updated to no longer have the "--refined" command line option and instead added a permanent "Notes" column. This column will display "None" unless a process has one of the common header types discussed above, in which case the "Notes" column will display "MZ header", "PE header", or "Function prologue" depending on what criteria are met. |
| process_name = utility.array_to_string(proc.ImageFileName) | ||
|
|
||
| for vad, data in self.list_injections( | ||
| self.context, kernel.layer_name, kernel.symbol_table_name, proc | ||
| ): | ||
| # Check for unique headers and update "Notes" column if criteria is met | ||
| if data[0:2] in refined_criteria: |
There was a problem hiding this comment.
This list needs keeping in sync with refined_criteria, it might be better to make refined_criteria a dictionary that listen an initial byte pattern with a value for notes? It would make this code a little more generic and it would be easier to add future classifiers if needed...
There was a problem hiding this comment.
It might be worth using startswith or something, rather than limiting all future things to exactly 2 bytes, but that's something we can do fairly easily if we decide to extend the dictionary in the future, so not a show stopper.
…r when criteria is not met
|
I took your advice and updated the "refined_criteria" list to be a dictionary, so in case it grows larger in the future, it will easier to maintain. Also, instead of "None", I updated to use the "NotApplicableValue" from the renderers package, which has the BaseAbsentValue you mentioned above. |
| process_name = utility.array_to_string(proc.ImageFileName) | ||
|
|
||
| for vad, data in self.list_injections( | ||
| self.context, kernel.layer_name, kernel.symbol_table_name, proc | ||
| ): | ||
| # Check for unique headers and update "Notes" column if criteria is met | ||
| if data[0:2] in refined_criteria: |
There was a problem hiding this comment.
It might be worth using startswith or something, rather than limiting all future things to exactly 2 bytes, but that's something we can do fairly easily if we decide to extend the dictionary in the future, so not a show stopper.
|
Hi, I am happy with keeping the data[0:2] for now. If significant changes are made to the dictionary, this can be easily modified, but I'm not sure when/if that would even happen. Thanks for your help on this! |
The windows malfind plugin lists process memory ranges that potentially contain injected code. In the original volatility framework, the windows malfind plugin offered a "W" command line option that refined the results to only high confidence matches. The criteria for a high confidence match was either memory regions with an MZ header or that started with a well known opcode combination, ie. PUSH EBP.
This PR adds support for a "--refined" option for volatility3 to match the functionality of the "W" option from the original framework. For this PR, the possible criteria for a high confidence match was updated to include the common opcodes for 32 and 64bit functions ("\x55\x48" and "\x55\x89"), in addition to the original criteria of the MZ header or the PUSH EBP opcode ("\x55\x8B") from volatility. I have tested against various memory samples with injected code to validate the functionality of this option.