SPBAT v1.0 PoC

iconic
Site Admin
Posts: 1064
Joined: Wed Jun 08, 2005 5:08 am

SPBAT v1.0 PoC

Post by iconic »

I wrote a new PoC (Proof Of Concept) called SPBAT (Suspicious Process Behavior Analysis Tool) after playing with various malware samples on my test machines which I use to bench kX-Ray and PEvert against. The sole purpose of this tool is to look for a few common properties associated with a malicious process, properties which are quite commonly used by any process which needs certain power levels in order to be effective. It's an excellent tool which will list suspicious processes when the objects below are scanned. I explain it in my help file so I will quote the readme.txt file...
=====================================================
Suspicious Process Behavior Analysis Tool v1.0
Supports 32-bit NT OS (2k, XP/MCE, 2k3, Vista...)
=====================================================
(c)2009 Brock Williams
Torseq Technologies
http://bugczech.fu8.com
bindshell@gmail.com
=====================================================


This is a simple yet effective PoC (Proof Of Concept) designed as a usermode (Ring3) process inspection tool used to profile "power" levels of all currently running processes. Any malware that is potentially a threat to a system will most definitely end up using one or more of the scanned techniques listed below. SPBAT will detect all mentioned concepts and allow them to be reversed via a built-in right click menu with options. Do not think that SPBAT is not powerful because it does not use a traditional kernel driver; internally it does not use standard methods of process and module enumeration (PSAPI and Toolhelp32 libraries aren't used) and any process calls that it makes are emulated via my Symbiote module, which can only be potentially tampered with from kernel mode when this program is not "specifically" targeted. Emulated Symbiote functions do not make any Win32 API calls internally; instead only the interrupt services and inline assembly logic are used, thus keeping function returns reliable and integrity uncompromised in usermode even against the most low-level usermode hooking libraries that hook system APIs.

Note: No code injection or hooking is used in this software.

================\
Object Detection (
================/

*** Hide Process Object (Process name is not listed in process viewers as it hides from the Windows API)

(Option to terminate process included)


*** \Device\PhysicalMemory Object (Basically the equivalent of /dev/kmem in Unix which allows usermode programs to map kernel memory from Ring3)

(Option to invalidate Physical Memory section handle used in every mapping call included)


*** Loading kernel Image into a Process i.e: LoadLibrary("ntoskrnl.exe");

(Option to forcefully unload module from the remote process included, even if it's statically bound or "pinned" via GetModuleHandleEx(GET_MODULE_HANDLE_EX_FLAG_PIN...) unloading will be successful)


*** SeDebugPrivilege (Allows programs to open handles to System processes)

(Option to disable this privilege within the remote process included)

Download it here http://bugczech.fu8.com/bin/spbat_bin.zip


--Iconic
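The four indicators in the readme above (a process hidden from the Windows API, an open \Device\PhysicalMemory section, a kernel image mapped into a usermode process, and SeDebugPrivilege) can be expressed as checks over a per-process snapshot. The following is an added example, not SPBAT's code and not taken from the post: the snapshot layout, the `ProcSnapshot` class, the helper names and the sample data are all constructed for illustration. On Windows the fields would be filled from the token, module and handle enumerations (the original tool deliberately avoids the PSAPI/Toolhelp routes; the decision logic below is independent of how the data was collected). It also shows a detail a practitioner wants: SeDebugPrivilege merely being *present* in an administrator token is normal, so only the enabled attribute bit is treated as a signal.

```python
"""Added example (not part of SPBAT or the original post): the readme's four
behaviour indicators as checks over a constructed process snapshot."""

from dataclasses import dataclass, field

# Attribute bits of LUID_AND_ATTRIBUTES as returned by
# GetTokenInformation(TokenPrivileges); 0 means present but disabled.
SE_PRIVILEGE_ENABLED_BY_DEFAULT = 0x00000001
SE_PRIVILEGE_ENABLED = 0x00000002

# Base names the 32-bit NT kernel image ships under; the readme's example
# is LoadLibrary("ntoskrnl.exe"), the others are the PAE/multiprocessor builds.
KERNEL_IMAGE_NAMES = {"ntoskrnl.exe", "ntkrnlpa.exe", "ntkrnlmp.exe", "ntkrpamp.exe"}
PHYSICAL_MEMORY_OBJECT = r"\Device\PhysicalMemory"

HIDDEN = "hidden-process"
PHYSMEM = "physical-memory-section"
KERNEL_IMAGE = "kernel-image-mapped"
DEBUG_PRIV = "sedebugprivilege-enabled"


@dataclass
class ProcSnapshot:  # hypothetical snapshot record, not SPBAT's structure
    pid: int
    name: str
    privileges: dict = field(default_factory=dict)  # name -> attribute bits
    modules: list = field(default_factory=list)     # loaded module base names
    handles: list = field(default_factory=list)     # object names of open handles


def hidden_pids(api_view, lowlevel_view):
    """Cross-view diff: a PID seen by a low-level enumeration (e.g. OpenProcess
    over the whole PID range) but missing from the API view (Toolhelp/PSAPI)
    is being hidden from process viewers."""
    return set(lowlevel_view) - set(api_view)


def has_debug_privilege_enabled(proc):
    attrs = proc.privileges.get("SeDebugPrivilege")
    if attrs is None:
        return False
    return bool(attrs & (SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT))


def maps_kernel_image(proc):
    return any(m.lower() in KERNEL_IMAGE_NAMES for m in proc.modules)


def opens_physical_memory(proc):
    return any(h.lower() == PHYSICAL_MEMORY_OBJECT.lower() for h in proc.handles)


def analyze(procs, api_view, lowlevel_view):
    """Return {pid: [indicators]} for every process with at least one hit."""
    hidden = hidden_pids(api_view, lowlevel_view)
    report = {}
    for p in procs:
        flags = []
        if p.pid in hidden:
            flags.append(HIDDEN)
        if opens_physical_memory(p):
            flags.append(PHYSMEM)
        if maps_kernel_image(p):
            flags.append(KERNEL_IMAGE)
        if has_debug_privilege_enabled(p):
            flags.append(DEBUG_PRIV)
        if flags:
            report[p.pid] = flags
    return report


def demo_report():
    # Constructed sample snapshot: one ordinary process, one admin tool whose
    # token carries SeDebugPrivilege but disabled, and one process showing all
    # four behaviours and missing from the API view.
    procs = [
        ProcSnapshot(1234, "notepad.exe", privileges={"SeChangeNotifyPrivilege": 3},
                     modules=["notepad.exe", "kernel32.dll"], handles=[r"\KnownDlls"]),
        ProcSnapshot(3000, "admintool.exe", privileges={"SeDebugPrivilege": 0},
                     modules=["admintool.exe", "ntdll.dll"], handles=[]),
        ProcSnapshot(2468, "svch0st.exe", privileges={"SeDebugPrivilege": SE_PRIVILEGE_ENABLED},
                     modules=["svch0st.exe", "NTOSKRNL.EXE"],
                     handles=[r"\Device\PhysicalMemory", r"\BaseNamedObjects\x"]),
    ]
    api_view = {4, 1234, 3000}          # what Toolhelp/PSAPI reported
    lowlevel_view = {4, 1234, 3000, 2468}  # what the low-level enumeration found
    return analyze(procs, api_view, lowlevel_view)


if __name__ == "__main__":
    for pid, flags in demo_report().items():
        print(pid, ", ".join(flags))
```

The cross-view check is the same idea the readme describes for its hidden-process object: two independent enumerations should agree, and any PID present in the lower-level one but absent from the API one is the anomaly. The privilege check deliberately ignores a disabled SeDebugPrivilege, since administrator tokens carry it by default and it only becomes a signal once a process has called AdjustTokenPrivileges to turn it on.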
iconic
Site Admin
Posts: 1064
Joined: Wed Jun 08, 2005 5:08 am

Post by iconic »

SPBAT v2.0 is now available
-Added hidden module detection which functions similarly to kX-Ray's "Hidden Modules" option
-Fixed scan button glitch if listview was already populated with items. All items are now cleared while scanning
-Moderate internal optimizations
Download it here
http://bugczech.fu8.com/bin/spbat-v2_bin.zip

--Iconic
ira
Posts: 49
Joined: Mon Dec 14, 2009 6:29 am

Post by ira »

Cool!
Can't wait for the (old) source