sandbox

package
v0.5.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Aug 20, 2023 License: Apache-2.0 Imports: 35 Imported by: 0

README

Sandbox

Agent client-server communication

  • gRPC client/server app to bootstrap a binary sample for the malware sandbox analysis.
sequenceDiagram
rect rgb(255, 150, 150)
Client->>Server: /Deploy saferwall sandbox.zip
Server-->>Client: Deployed: {version: 1.0.0}
end
Client->>Server: /Analyze {binary, config}
Note over Client,Server: When timeout is reached ...
Server-->>Client: Analysis finished, here are your results {apitrace.jsonl}

Workflow

  • Find a free VM
  • Make an RPC /deploy packages.
  • Make an RPC /analyze sample.
  • Wait for the given timeout until results come back.
  • Process the results:
    • Convert the APIs trace log and the sandbox log from jsonl to json.
    • Go over screenshots, generate thumbs and upload them.
    • Go over artifacts+dumps, yara scan them and upload the results.

References

Documentation

Index

Constants

View Source 
const (
	APIParamAnnotationIn  = "in"
	APIParamAnnotationOut = "out"
)

SAL Win32 API annotation for function parameters.

View Source 
const (
	InvalidPortNumber = 0
	DefaultFtpPort    = 21
	DefaultGopherPort = 70
	DefaultHTTPPort   = 80
	DefaultHTTPSPort  = 443
	DefaultSocksPort  = 1080
)

Default port numbers for WinINet.

Variables

This section is empty.

Functions

func Decode added in v0.4.0 

func Decode(r io.Reader, ptrToSlice interface{}) error

Decode reads the next JSON Lines-encoded value that reads from r and stores it in the slice pointed to by ptrToSlice.

func Encode added in v0.4.0 

func Encode(w io.Writer, ptrToSlice interface{}) error

Encode writes the JSON Lines encoding of ptrToSlice to the w stream

Types

type AgentCfg 

type AgentCfg struct {
	// Destination directory inside the guest where the agent is deployed.
	AgentDestDir string `mapstructure:"dest_dir"`
	// The sandbox binary components.
	PackageName string `mapstructure:"package_name"`
}

AgentCfg represents the guest agent config.

type Artifact added in v0.4.0 

type Artifact struct {
	// File  name of the artifact.
	// * Memory buffers are in this format: ProcessName__PID__TID__VA__BuffSize.memfree
	// *** svchost.exe__0x2E00__0xA60__0x1A46D880000__0x77824.memfree
	// * Files dropped are in this format: ProcessName_PID_TID_FilePath__FileSize.filecreate
	// *** explorer.exe__0x2E00__0xA60__C##ProgramData##Delete.vbs__0x9855.filecreate
	Name string `json:"name"`
	// The binary content of the artifact.
	Content []byte `json:"-"`
	// The artifact kind: memfree, filecreate, ..
	Kind string `json:"kind"`
	// The SHA256 hash of the artifact.
	SHA256 string `json:"sha256"`
	// Detection contains the family name of the malware if it is malicious,
	// or clean otherwise.
	Detection string `json:"detection"`
	// The file type, i.e docx, dll, etc.
	FileType string `json:"file_type"`
}

Artifact represents an extracted artifact during the dynamic analysis like a memory dumps or written files

type Capability added in v0.5.0 

type Capability struct {
	// Process identifier responsible for generating the capability..
	ProcessID string `json:"pid"`
	// Description describes in a few words the capability.
	Description string `json:"description"`
	// The severity of the capability: informative, suspicious, malicious, etc.
	Severity string `json:"severity"`
	// Category of the capability: Persistence, anti-analysis, etc.
	Category string `json:"category"`
	// The module that generated the capability: yara, behavior, etc.
	Module string `json:"module"`
}

Capability represents any capability found in executable files. An example of a capability is: Exfiltration over C2 server.

type Config 

type Config struct {
	LogLevel     string             `mapstructure:"log_level"`
	SharedVolume string             `mapstructure:"shared_volume"`
	EnglishWords string             `mapstructure:"english_words"`
	YaraRules    string             `mapstructure:"yara_rules"`
	Agent        AgentCfg           `mapstructure:"agent"`
	VirtMgr      VirtManagerCfg     `mapstructure:"virt_manager"`
	Producer     config.ProducerCfg `mapstructure:"producer"`
	Consumer     config.ConsumerCfg `mapstructure:"consumer"`
}

Config represents our application config.

type DetonationResult added in v0.4.0 

type DetonationResult struct {
	// The API trace results. This consists of a list of all API calls made by
	// the sample.
	APITrace []byte
	// Same as APITrace, but this is not capped to any threshold.
	// The full trace is uploaded to the object storage,
	FullAPITrace []byte
	// The buffer of large byte* for some Win32 APIs.
	APIBuffers []Win32APIBuffer
	// The logs produced by the agent running inside the VM.
	AgentLog []byte
	// The logs produced by the sandbox.
	SandboxLog []byte
	// The config used to scan dynamically the sample.
	ScanCfg config.DynFileScanCfg
	// List of of desktop screenshots captured.
	Screenshots []Screenshot
	// List of artifacts collected during detonation.
	Artifacts []Artifact
	// Environment represents the environment used to scan the file.
	Environment
	// Summary of system events.
	Events []Event
	// The process execution tree.
	ProcessTree ProcessTree
}

DetonationResult represents the results for a detonation.

type Environment added in v0.4.0 

type Environment struct {
	// The sandbox version.
	SandboxVersion string `json:"sandbox_version"`
	// The agent version.
	AgentVersion string `json:"agent_version"`
}

Environment represents the environment used to scan the file. This include OS versions, installed software, analyzer version.

type Event added in v0.5.0 

type Event struct {
	// Process identifier responsible for generating the event.
	ProcessID string `json:"pid"`
	// Type of the system event.
	Type EventType `json:"type"`
	// Path of the system event. For instance, when the event is of type:
	// `registry`, the path represents the registry key being used. For a
	// `network` event type, the path is the IP or domain used.
	Path string `json:"path"`
	// Th operation requested over the above `Path` field. This field means
	// different things according to the type of the system event.
	// - For file system events: can be either: create, read, write, delete, rename, ..
	// - For registry events: can be either: create, rename, set, delete.
	// - For network events: this represents the protocol of the communication, can
	// be either HTTP, HTTPS, FTP, FTP
	Operation string `json:"op"`
}

Event represents a system event: a registry, network or file event.

type EventType added in v0.5.0 

type EventType string

EventType is the type of the system event. A type can be either: `registry`, `network` or `file`.

type Process added in v0.5.0 

type Process struct {
	// Process image's path.
	ImagePath string `json:"path"`
	// Process identifier.
	PID string `json:"pid"`
	// The parent process ID.
	ParentPID string `json:"parent_pid"`
	// The relationship between this process and its parent.
	ParentLink string `json:"parent_link"`
	// The name of the process.
	ProcessName string `json:"proc_name"`
	// The file type: doc, exe, etc.
	FileType string `json:"file_type"`
	// Detection contains the family name of the malware if it is malicious,
	// or clean otherwise.
	Detection string `json:"detection"`
}

Process represents a process object within the detonation context. This structure help us build the process tree.

type ProcessTree added in v0.5.0 

type ProcessTree []Process

ProcessTree represents an array of processes, each process contains a process ID that can helps us track the parent/children relationship.

type Screenshot added in v0.4.0 

type Screenshot struct {
	// The name of the filename for the screenshot. Format: <id>.jpeg.
	// IDs are growing incrementally from index 1 to N according to the time
	// they were taken.
	Name string `json:"name"`
	// The binary content of the image.
	Content []byte `json:"-"`
}

Screenshot represents a capture of the desktop while the sample is running in the VM.

type Service 

type Service struct {
	// contains filtered or unexported fields
}

Service represents the sandbox scan service. It adheres to the nsq.Handler interface. This allows us to define our own custom handlers for our messages. Think of these handlers much like you would an http handler.

func New 

func New(cfg Config, logger log.Logger) (*Service, error)

New create a new sandbox service.

func (*Service) HandleMessage 

func (s *Service) HandleMessage(m *gonsq.Message) error

HandleMessage is the only requirement needed to fulfill the nsq.Handler.

func (*Service) Start 

func (s *Service) Start() error

Start kicks in the service to start consuming events.

type VM 

type VM struct {
	// ID identify uniquely the VM.
	ID int32
	// Name of the VM.
	Name string
	// IP address of the VM.
	IP string
	// Operating system used by the guest.
	OS string
	// Server version.
	AgentVersion string
	// Snapshots list names.
	Snapshots []string
	// InUse represents the availability of the VM.
	InUse bool
	// Indicates if the VM is healthy.
	IsHealthy bool
	// Pointer to the domain object.
	Dom *libvirt.Domain
}

VM represents a virtual machine config.

type VirtManagerCfg 

type VirtManagerCfg struct {
	Network      string `mapstructure:"network"`
	Address      string `mapstructure:"address"`
	Port         string `mapstructure:"port"`
	User         string `mapstructure:"user"`
	SSHKeyPath   string `mapstructure:"ssh_key_path"`
	SnapshotName string `mapstructure:"snapshot_name"`
}

VirtManagerCfg represents the virtualization manager config. For now, only libvirt server.

type Win32API added in v0.5.0 

type Win32API struct {
	// Timestamp of the trace.
	Timestamp int64 `json:"ts"`
	// Name of the API.
	Name string `json:"api"`
	// List of its parameters.
	Parameters []Win32APIParam `json:"params"`
	// Process Identifier responsible for generating the API.
	ProcessID string `json:"pid"`
	// Thread Identifier responsible for generating the API.
	ThreadID string `json:"tid"`
	// The name of the process that corresponds to the process ID.
	ProcessName string `json:"proc"`
	// Return value of the API.
	ReturnValue string `json:"ret"`
}

Win32API represents a Win32 API event.

type Win32APIBuffer added in v0.5.0 

type Win32APIBuffer struct {
	// Name of the buffer.
	Name string
	// Content of the buffer.
	Content []byte
}

Win32APIBuffer represents a Win32 API large buffer of parameter of type BYTE*.

type Win32APIParam added in v0.5.0 

type Win32APIParam struct {
	// SAL annotation.
	Annotation string `json:"anno"`
	// Name of the parameter.
	Name string `json:"name"`
	// Value of the parameter. This can be either a string or a slice of bytes.
	// This field is mutually exclusive with the In and Out values.
	Value interface{} `json:"value,omitempty"`
	// Win32 API sometimes uses IN and OUT annotations, so instead of having
	// one `value`, we separate the `in` and `out`. Occasionally, a function can
	// both reads from and writes to buffer, so ValueIn and ValueOut are filled.
	// The function reads from the buffer.
	ValueIn interface{} `json:"value_in,omitempty"`
	// The function writes to the buffer.
	ValueOut interface{} `json:"value_out,omitempty"`

	// An ID is attributed to track BYTE* parameters that spans over 4KB of data.
	// If the buffer is either IN or OUT, the ID will be on `BuffID`, otherwise:
	// BuffIDIn and BufferIdOut
	BuffID    string `json:"buff_id,omitempty"`
	BuffIDIn  string `json:"buff_id_in,omitempty"`
	BuffIDOut string `json:"buff_out,omitempty"`
}

Win32APIParam describes parameter information for a given Win32 API.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.