Add SysWhispers2 detection & add 0x2e syscall detection (#888)

Still34 · mr-tz · web-flow · commit 1fd0d8e1410d · 2024-09-24T13:24:52.000+02:00
* Add SysWhisper2 detection &amp; add int 2e to syscall detection

---------

Signed-off-by: Still Hsu &lt;dev@stillu.cc&gt;
Co-authored-by: Moritz &lt;mr-tz@users.noreply.github.com&gt;
diff --git a/linking/runtime-linking/populate-syswhispers2-syscall-list.yml b/linking/runtime-linking/populate-syswhispers2-syscall-list.yml
@@ -0,0 +1,45 @@
+rule:
+  meta:
+    name: populate SysWhispers2 syscall list
+    namespace: linking/runtime-linking
+    authors:
+      - still@teamt5.org
+    scopes:
+      static: function
+      dynamic: unsupported
+    att&ck:
+      - Execution::Shared Modules [T1129]
+      - Execution::Native API [T1106]
+      - Defense Evasion::Obfuscated Files or Information::Indicator Removal from Tools [T1027.005]
+    references:
+      - https://github.com/jthuraisamy/SysWhispers2/blob/main/data/base.c#L32
+    examples:
+      - 932dab8756ad4ae9a62bde0772d952e4:0x14001BD1E
+  features:
+    - and:
+      - and:
+        - description: check ntdll.dll
+        - instruction:
+          - description: "to lower case"
+          - mnemonic: or
+          - operand[1].number: 0x20202020
+        - or:
+          - instruction:
+            - mnemonic: cmp
+            - operand[1].number: 0x6C64746E = "ldtn"
+          - instruction:
+            - mnemonic: cmp
+            - operand[1].number: 0x6C642E6C = "ld.l"
+      - and:
+        - description: check system call starting with 'Zw'
+        - instruction:
+          - description: check 'Zw'
+          - mnemonic: cmp
+          - operand[1].number: 0x775a = "wZ"
+      - and: # this is optional but this should reduce false positives if any at all
+        - description: syscall list sorting
+        - instruction:
+          - mnemonic: add
+          - operand[1].number: 1
+        - mnemonic: lea
+        - mnemonic: mov
diff --git a/nursery/execute-syscall.yml b/nursery/execute-syscall.yml
@@ -6,12 +6,15 @@ rule:
       - "@kulinacs"
       - "@mr-tz"
       - mehunhoff@google.com
+      - still@teamt5.org
     description: may be used to evade hooks or hinder analysis
     scopes:
       static: basic block
       dynamic: unsupported  # requires mnemonic features
     references:
       - https://github.com/j00ru/windows-syscalls
+      - https://codemachine.com/articles/system_call_instructions.html
+      - https://www.felixcloutier.com/x86/sysenter
   features:
     - or:
       - and:
@@ -20,7 +23,12 @@ rule:
           - os: android
         - api: syscall # https://man7.org/linux/man-pages/man2/syscall.2.html
       - and:
-        - mnemonic: syscall
+        - or:
+          - mnemonic: sysenter
+          - mnemonic: syscall
+          - instruction:
+            - mnemonic: int
+            - operand[0].number: 0x2e
         - or:
           - mnemonic: ret
           - mnemonic: retn
