Hades: a HIDS designed to run on Windows

Overview

Approach:

  x64 kernel probes fall roughly into two technical approaches. The first is built on Intel VT-x/VT-d virtualization, bypassing PatchGuard (PG) to place elaborate hooks; it is powerful and leaves no trace in the system. The second is built on the minifilter framework and registered callbacks; it has good compatibility, fast development and complete interfaces.

  This project uses a filter driver plus registered callbacks, a conventional choice. VT interfaces may be integrated later, but with limited support, prioritising EPT hooks and register/memory data probing. For implementation details, see the ReadMe of the specific sub-project.

  The sample is for kernel-mode data collection on Win7/Win10 x64; other system versions require your own modifications.

Framework:

(framework diagram image)

v1.0

WFP (in development):

| Network layer | Description |
|---|---|
| Established layer | ProcessInfo |
| Transport layer | TCP - UDP |
| Network layer | IP |
| Data link layer | OS >= Windows10 |

JSON traffic rule configuration (not active yet):

(Traffic rules)
Json:
 {
 Bypass:
	1 - single factor: target port or ip
	2 - two factors: target ip:port
	3 - redirect flag - not enabled for now (traffic isolation)
 }
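The following is an added illustration, not Hades project code, of how the Bypass rules sketched above would be evaluated against a connection. Because the JSON schema is not finalised, the rule and flow structures, the field names and the sample rule strings are assumptions; the example also shows the failure mode a practitioner must guard against, a rule that names neither ip nor port and would otherwise bypass all traffic.

```cpp
// Added example, not Hades project code: user-mode model of the README's "Bypass"
// rules (ip, port, or ip:port, plus redirect flag). Schema is assumed (not finalised).
#include <algorithm>
#include <cctype>
#include <cstdint>
#include <string>
#include <vector>

struct BypassRule { std::string ip; uint16_t port; bool redirect; };  // "" / 0 = any
struct Flow { std::string remote_ip; uint16_t remote_port; };
enum class Verdict { Inspect, Bypass };
static bool is_digits(const std::string& s) {
    return !s.empty() && std::all_of(s.begin(), s.end(),
                                     [](unsigned char c) { return std::isdigit(c) != 0; });
}

static bool parse_port(const std::string& s, uint16_t& port) {
    if (!is_digits(s) || s.size() > 5) return false;  // bound length before stoul
    unsigned long v = std::stoul(s);
    if (v < 1 || v > 65535) return false;
    port = static_cast<uint16_t>(v);
    return true;
}

// "ip:port", "ip" or "port" -> rule. The IP text itself is not validated here.
static bool parse_rule(const std::string& text, bool redirect, BypassRule& out) {
    out = BypassRule{"", 0, redirect};
    auto colon = text.find(':');
    if (colon == std::string::npos) {
        if (is_digits(text)) return parse_port(text, out.port);
        out.ip = text;
    } else {
        out.ip = text.substr(0, colon);
        if (!parse_port(text.substr(colon + 1), out.port)) return false;
    }
    // A rule naming neither ip nor port would bypass every flow: reject it.
    return !(out.ip.empty() && out.port == 0);
}

// Every element the rule specifies must equal the flow's value.
static bool rule_matches(const BypassRule& r, const Flow& f) {
    return (r.ip.empty() || r.ip == f.remote_ip) && (r.port == 0 || r.port == f.remote_port);
}

// Redirect (isolation) is not enabled yet per the README: such rules are skipped (assumption).
static Verdict classify(const std::vector<BypassRule>& rules, const Flow& f) {
    for (const auto& r : rules)
        if (!r.redirect && rule_matches(r, f)) return Verdict::Bypass;
    return Verdict::Inspect;
}
```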
Events reported by kernel callbacks:

| Event | Description |
|---|---|
| Process | Process create - destroy - process data - signature |
| Thread | Thread create - destroy - thread data |
| Registry | Delete - modify - enumerate - rename, etc. (specific packet parsing missing) |
| Module | DLL - driver |
| Session | User logon/logoff/session switch |
| WMI | To be determined (implemented via user-mode ETW) |
| File | File read/write access, OS <= Windows7 (on Windows10, object callbacks on file objects have a chance of triggering PG) |

JSON configuration for managing kernel event reporting (not active yet):

{
    1. Add a process whitelist, allowing a given process's data to be filtered from kernel mode
    2. xxxxx
}
Events collected through kernel interfaces:

| Event | Description |
|---|---|
| Process - Thread - Module - Memory | Running processes - threads - modules - process memory - user-mode hook detection (TBD) |
| IDT | System IDT - hook detection (original offset vs. offset loaded in memory) |
| MouseKeyBoard | Mouse/keyboard hook detection |
| DpcTimer | Enumerate system DpcTimers |
| Hive | Hive registry parsing - in development |
| Ntfs | NTFS file parsing - in development |
| Network | Extract IP:PORT via Nsi |
| Fsd | FastFat/NTFS hook detection |
| SSDT | System SSDT - hook detection (original offset vs. offset loaded in memory) |
| GDT | System GDT - hook detection (original offset vs. offset loaded in memory) |
| Driver | Drivers loaded in the system |
| Callback detection | Enumerate callbacks registered in the system |
GRPC:

Windows is gradually accommodating many third-party ecosystems, but building gRPC from the GitHub source with CMake still runs into many problems. The best approach is:

vcpkg install grpc

  Then configure VS2019 under Tools --> Options --> NuGet Package Manager; see online tutorials for details. Note that vcpkg installs the release build of gRPC, so debugging in Debug mode will have problems.

For C++ gRPC, refer to the official documentation: https://grpc.io/docs/languages/cpp/basics/

See Code: grpc.h grpc.cpp

Plans:

  The project is at an entry level and needs time to be polished and refactored. For details of kernel event reporting and WFP, go to the sub-project pages and check the corresponding feature implementation in their ReadMe. The Minifilter driver will not be introduced just for file monitoring; user-mode ETW logging covers that, and it will be included later if file isolation is planned.

  It was not born as a product. The hope is that it becomes more flexible and robust, provided as a plugin lib/dll that can be integrated into any endpoint product, including office software and game/audio software, to build third-party security capabilities and data detection for more software.

References:

  • Open-source rootkit tools on GitHub, but not limited to tools.
  • Posts on the Kanxue (看雪) forum
  • OpenEdr & Netfilter SDK & Sandboxie framework models
std::cout << "The project gathers scattered code together, and the spare-time effort invested is not large. Some cpp files may have been written during earlier study; unfortunately too much time has passed and the specific projects referenced have been forgotten. Some code carries a github_url reference; feel free to study those." << std::endl;
Releases (v2.1)
  • v2.1 (Aug 13, 2022)

    Supports Win7~Win10 x32/x64 systems

    I. Installation notes

    A test-compiled Hadeserver.exe is included locally; configure client_config to connect to the GrpcServer, then start HadesContrl.exe (x32/x64) as administrator. Monitoring and data reporting can only be enabled after the connection succeeds.

    The first click of the kernel-mode / behaviour-interception button prompts to install the driver. The driver in the Driver directory has no Microsoft signature, so the system must be in debug mode or have driver signature verification disabled.

    II. v2.1 description

    The kernel collection and behaviour-interception switches are separated, so either kernel collection or behaviour interception can be enabled on its own.

    III. Unfinished: after a UI button is clicked there may be a 1s~3s stall; the UI is not optimised, so do not click repeatedly. Custom process interception, custom registry interception, and injection/VAD detection interception do not yet have rule configuration.

    IV. VS2019 build configuration (Release): building HadesContrl requires setting the SysMonUserlib project to MT. For HadesSvc, since the NuGet gRPC uses the MD runtime, set the SysMonUserlib project to MD; if you built your own GrpcLib project as MT, use MT throughout.

    Source code(tar.gz)
    Source code(zip)
    HadesWin_x32_v2.1.zip(24.13 MB)
    HadesWin_x64_v2.1.zip(25.02 MB)
  • v2.0 (Jun 14, 2022)

    Supports Win7/Win10 x32/x64 systems

    I. Installation notes

    1. Start the GrpcServer: a test-compiled Hadeserver.exe is included locally, or configure client_config to connect to a GrpcServer. Monitoring and data reporting can only be enabled after the connection succeeds.
    2. Start HadesContrl.exe (x32/x64) as administrator.
    3. The first time kernel-mode monitoring is enabled, the driver is installed automatically. Since the driver in the driver directory has no Microsoft signature, the system must be in debug mode or have driver signature verification disabled.

    II. v2.0 description

    1. UI developed on Duilib: tray icon, monitoring buttons, data display, etc.
    2. Added process-interception interaction, improved GrpcServer parsing of reported data, and refactored/optimised the win7/win10 compatibility test code.

    III. Unfinished

    1. The malicious-behaviour interception button has no effect; process interception takes effect as soon as the kernel-mode monitoring button is enabled, with powershell.exe|cmd.exe hard-coded in the code.
    2. Enabling/disabling the kernel-mode button may stall for about 1s~2s; do not click repeatedly.
    Source code(tar.gz)
    Source code(zip)
    HadesWin_x32_v2.0.zip(24.34 MB)
    HadesWin_x64_v2.0.zip(24.98 MB)
  • v1.0 (Dec 22, 2021)

    Supports Win7/Win10 x64 systems

    I. Installation notes: Driver Install (administrator privileges)

    1. Since the driver has no Microsoft signature, the system must be in debug mode or have driver signature verification disabled.
    2. Run InstDrv.exe and select driver.sys to install and start it.
    3. Run mcfilter.exe and open Dbgview.exe to view the monitoring output.

    II. v1.0 description: v1.0 is a standalone release containing only the Agent client probe. The v1.0 code already supports joint debugging with Server_Grpc without SSL; the Rootkit interface and User interface work normally. Download the code to test and modify it if needed.

    III. Known issue: Dbgview shows no network events; rerun mcfilter.exe to fix this.

    Source code(tar.gz)
    Source code(zip)
    Hades_Windows7_10_x64.exe(12.67 MB)