Skip to content
/ DrSemu Public

DrSemu - Sandboxed Malware Detection and Classification Tool Based on Dynamic Behavior

License

GPL-3.0 license
276 stars 62 forks Branches Tags Activity
Star

secrary/DrSemu

BranchesTags

Repository files navigation

Dr.Semu

Dr.Semu runs executables in an isolated environment, monitors the behavior of a process, and based on Dr.Semu rules created by you or the community, detects if the process is malicious or not.

drsemu_lua

[The tool is in the early development stage]

whoami: @_qaz_qaz

With Dr.Semu you can create rules to detect malware based on dynamic behavior of a process.

Isolation through redirection

Everything happens from the user-mode. Windows Projected File System (ProjFS) is used to provide a virtual file system. For Registry redirection, it clones all Registry hives to a new location and redirects all Registry accesses.

See the source code for more about other redirections (process/objects isolation, etc).

Monitoring

Dr.Semu uses DynamoRIO (Dynamic Instrumentation Tool Platform) to intercept a thread when it's about to cross the user-kernel line. It has the same effect as hooking SSDT but from the user-mode and without hooking anything.

At this phase, Dr.Semu produces a JSON file, which contains information from the interception.

Detection

After terminating the process, based on Dr.Semu rules we receive if the executable is detected as malware or not.

Dr.Semu Rules/Detections

Dr.Semu rules

They are written in Python or LUA (located under dr_rules) and use dynamic information from the interception and static information about the sample. It's trivial to add support of other languages.

drsemu_rule_python

Example (Python): https://gist.github.com/secrary/ac89321b8a7bde998a6e3139be49eb72

Example (Lua): https://gist.github.com/secrary/e16daf698d466136229dc417d7dbcfa3

Usage

  • Use PowerShell to enable ProjFS in an elevated PowerShell window:

Enable-WindowsOptionalFeature -Online -FeatureName Client-ProjFS -NoRestart

DrSemu.exe --target file_path

DrSemu.exe --target files_directory

DEMO

DrSemu DEMO

BUILD

  • Use PowerShell to enable ProjFS in an elevated PowerShell window:

Enable-WindowsOptionalFeature -Online -FeatureName Client-ProjFS -NoRestart

powershell

  • Install Python 3 x64

  • Download DynamoRIO and extract into bin folder and rename to dynamorio

  • Build pe-parser-library.lib library:

    • Generate VS project from DrSemu\shared_libs\pe_parse using cmake-gui
    • Build 32-bit library under build (\shared_libs\pe_parse\build\pe-parser-library\Release\) and 64-bit one under build64
    • Change run-time library option to Multi-threaded (/MT)

  • Set LauncherCLI As StartUp Project

TODO

  • Solve isolation related issues
  • Improve synchronization
  • Update the description, add more details
  • Create a GUI for the tool

Limitations

  • Minimum supported Windows version: Windows 10, version 1809 (due to Windows Projected File System)
  • Maximum supported Windows version: Windows 10, version 1809 (DynamoRIO supports Windows 10 versions until 1809)

About

DrSemu - Sandboxed Malware Detection and Classification Tool Based on Dynamic Behavior

Topics

windows reverse-engineering software-analysis malware-analysis binary-analysis malware-research malware-detection

Resources

Readme

License

GPL-3.0 license
Activity

Stars

276 stars

Watchers

22 watching

Forks

62 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages