Hades: a HIDS designed to run on Windows

Overview

Approach:

  x64 kernel probes fall roughly into two categories of technical approach. The first is based on Intel VT-x/VT-d virtualization: it bypasses PatchGuard to do elaborate hooking, is very powerful, and leaves no trace in the system. The second is based on the minifilter framework and registered callbacks: good compatibility, fast development, and a complete set of interfaces.

  This project uses a filter driver plus registered callbacks, a conventional, middle-of-the-road choice. VT interfaces may be integrated later, but with limited support, prioritizing EPT hooks and register/memory data probing; for implementation details, see the ReadMe of the specific sub-project.

  The samples apply to kernel-mode data collection on Win7/Win10 x64; other OS versions require your own modifications.

Framework:

[framework diagram]

v1.0

WFP (in development):
Layer              Description
Established layer  ProcessInfo
Transport layer    TCP - UDP
Network layer      IP
Data link layer    OS >= Windows10

Json traffic rule configuration (not yet in effect):

(Traffic rules)
Json:
 {
 Bypass:
	1 - single factor: destination port or ip
	2 - double factor: destination ip:port
	3 - redirect flag - not enabled for now (traffic isolation)
 }
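The bypass rules above are only sketched; the following is an added example (not the project's own code) showing how a collector could parse the three textual rule forms and decide whether a connection tuple should be dropped before it is reported. The struct layout, the wildcard encoding (empty ip / port 0) and the sample rule set are assumptions constructed for this example; the redirect flag is parsed but ignored, since the README says traffic isolation is not enabled.

```cpp
#include <string>
#include <vector>

// Hypothetical in-memory form of a "Bypass" rule (constructed for this example).
struct BypassRule {
    std::string ip;   // empty string = wildcard (single-factor port rule)
    int port;         // 0 = wildcard (single-factor ip rule)
    bool redirect;    // parsed but ignored: traffic isolation is not enabled yet
};

// Parse the textual forms listed in the README: "443", "10.0.0.5", "10.0.0.5:8080".
BypassRule parse_rule(const std::string& text) {
    BypassRule r{"", 0, false};
    auto colon = text.find(':');
    if (colon != std::string::npos) {                     // double factor ip:port
        r.ip = text.substr(0, colon);
        r.port = std::stoi(text.substr(colon + 1));
    } else if (text.find('.') != std::string::npos) {     // single factor: ip
        r.ip = text;
    } else if (!text.empty()) {                           // single factor: port
        r.port = std::stoi(text);
    }
    return r;
}

// A rule with neither factor would match every connection, so it is treated as malformed.
bool rule_is_valid(const BypassRule& r) {
    return !r.ip.empty() || r.port != 0;
}

// True if the tuple matches any valid rule, i.e. the event is filtered out
// instead of being forwarded to the user-mode collector.
bool should_bypass(const std::vector<BypassRule>& rules,
                   const std::string& ip, int port) {
    for (const auto& r : rules) {
        if (!rule_is_valid(r)) continue;                  // malformed rule never matches
        bool ip_ok   = r.ip.empty() || r.ip == ip;
        bool port_ok = r.port == 0  || r.port == port;
        if (ip_ok && port_ok) return true;
    }
    return false;
}

// Constructed rule set: one of each form, plus a malformed rule that must be ignored.
const std::vector<BypassRule> kRules = {
    parse_rule("443"),                // single factor: port
    parse_rule("10.0.0.5"),           // single factor: ip
    parse_rule("192.168.1.10:8080"),  // double factor: ip:port
    {"", 0, true},                    // no factor: must not match anything
};
```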
Events raised by kernel callbacks:
Event     Description
Process   process create - destroy - process data - signature
Thread    thread create - destroy - thread data
Registry  delete - modify - enumerate - rename, etc. (detailed packet parsing is missing)
Module    DLL - driver
Session   user logon/logoff/session switch
WMI       TBD (implemented in user mode via ETW)
File      file read/write access, OS <= Windows7 (on Windows10 the object callback on file objects has a chance of triggering PatchGuard)

Json configuration for managing kernel-raised events (not yet in effect):

{
    1. Add a process whitelist, allowing a given process's data to be filtered out in kernel mode
    2. xxxxx
}
Events collected through kernel interfaces:
Event                               Description
Process - Thread - Module - Memory  running processes - threads - modules - process memory - user-mode hook detection (TBD)
IDT                                 system IDT - hook detection (original offset vs. offset loaded in memory)
MouseKeyBoard                       mouse/keyboard hook detection
DpcTimer                            enumerate system DpcTimers
Hive                                hive registry - in development
Ntfs                                ntfs file parsing - in development
Network                             extract IP:PORT via Nsi
Fsd                                 FastFat/ntfs hook detection
SSDT                                system SSDT - hook detection (original offset vs. offset loaded in memory)
GDT                                 system GDT - hook detection (original offset vs. offset loaded in memory)
Driver                              drivers loaded in the system
Callback detection                  enumerate the callbacks registered in the system
GRPC:

Windows is gradually accommodating many third-party ecosystems, but building gRPC from GitHub with cmake still runs into many problems; the best option is:

vcpkg install grpc

  Then configure VS2019 via Tools --> Options --> NuGet Package Manager; see the online tutorials for details. Note that vcpkg installs the release build of grpc, so debugging in Debug mode will have problems.

For gRPC in C++ refer to the official documentation: https://grpc.io/docs/languages/cpp/basics/

See Code: grpc.h grpc.cpp

Roadmap:

  The project is at a beginner level and needs time to be polished and refactored. For the kernel event reporting and WFP internals, see the sub-project pages and their ReadMe for the corresponding implementations. As for the Minifilter driver: it will not be introduced for file monitoring alone, since user-mode ETW logs cover that; it will be added later if file isolation is planned.

  It was not born as a product. The hope is that it becomes more flexible and more robust, provided as a plugin lib/dll that can be integrated into any endpoint product, including office software, games and audio, to build out third-party software security capabilities and data detection.

References:

  • Open-source rootkit tools on GitHub, though not limited to tools.
  • Posts on the Kanxue (看雪) forum
  • The OpenEdr, Netfilter SDK and Sandboxie framework models
std::cout << "This project gathers scattered code together; only limited spare time has gone into it. Some cpp files may have been written during earlier study, and unfortunately so much time has passed that the exact projects referenced have been forgotten; some of the code carries a github_url reference, which you can study if interested." << std::endl;