# Detection Methods

This document details the techniques used by Ghost to detect process injection.

## Memory-Based Detection

### RWX Memory Regions

**MITRE ATT&CK**: T1055

Executable memory that is also writable (RWX) is a strong indicator of code injection. Legitimate processes rarely need RWX pages except during JIT compilation.

**Detection Logic**:

- Enumerate all memory regions in the target process
- Flag regions with PAGE_EXECUTE_READWRITE protection
- Confidence increases with the number of RWX regions found

**False Positives**:

- .NET/Java JIT compiler regions
- V8/SpiderMonkey JavaScript engines
- Legitimate debugging scenarios

### Private Executable Memory

Private memory regions (not backed by a file on disk) with execute permissions often contain injected shellcode.

**Detection Logic**:

- Check for MEM_PRIVATE regions with EXECUTE protection
- Correlate with unsigned code patterns
- Higher confidence if multiple such regions are present

## Thread-Based Detection

### Abnormal Thread Creation

**MITRE ATT&CK**: T1055.001 (DLL Injection), T1055.002 (Portable Executable Injection)

Ghost monitors each process's thread count over time. A sudden increase may indicate CreateRemoteThread injection.

**Detection Logic**:

- Baseline the thread count for each process
- Alert on new threads created between scans
- Cross-reference with memory analysis

### Remote Thread Detection

Detects threads created by an external process via CreateRemoteThread or NtCreateThreadEx.

**Detection Logic**:

- Enumerate threads using CreateToolhelp32Snapshot (Windows) or /proc/[pid]/task (Linux)
- Get thread start addresses via NtQueryInformationThread (Windows) or the per-thread /proc syscall file (Linux)
- Get thread creation times via GetThreadTimes (Windows) or stat parsing (Linux)
- Track thread state (Running, Waiting, Suspended, Terminated)
- Flag threads whose start address lies in a private memory region

## Hook Detection

### Inline API Hooks

**MITRE ATT&CK**: T1055.003

Detects JMP patches (trampolines) written over the first bytes of critical API functions.

**Detection Logic**:

- Enumerate loaded modules in the target process (EnumProcessModulesEx)
- Check the entry points of critical APIs (ntdll, kernel32, user32)
- Detect common hook patterns:
  - JMP rel32 (E9 xx xx xx xx)
  - JMP [rip+disp32] (FF 25 xx xx xx xx)
  - MOV RAX, imm64; JMP RAX (48 B8 ... FF E0)
  - PUSH imm32; RET (68 xx xx xx xx C3)

**Critical APIs Monitored**:

- NtCreateThread, NtCreateThreadEx
- NtAllocateVirtualMemory, NtWriteVirtualMemory, NtProtectVirtualMemory
- VirtualAllocEx, WriteProcessMemory, CreateRemoteThread
- LoadLibraryA, LoadLibraryW
- SetWindowsHookExA, SetWindowsHookExW

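
The following is an added example, not Ghost's own code, showing how the four trampoline patterns above can be matched against the first bytes read from an API entry point and resolved to a target address; an entry is flagged when that target falls outside the owning module's image. The module range, function address and stub bytes are constructed sample values, and `read_qword` is an assumed callback for resolving the pointer slot of the `JMP [rip+disp32]` form.

```python
import struct
from typing import Callable, Optional, Tuple

MASK64 = (1 << 64) - 1


def classify_prologue(func_addr: int, prologue: bytes,
                      read_qword: Optional[Callable[[int], int]] = None
                      ) -> Optional[Tuple[str, int]]:
    """Match the first bytes of a function against the trampoline shapes listed
    above and return (pattern, resolved target VA), or None if none match.
    func_addr is the VA the bytes were read from; RIP-relative forms need it.
    read_qword(addr) resolves the pointer slot of JMP [rip+disp32]; when it is
    not supplied, the slot address itself is returned for that form."""
    if len(prologue) >= 5 and prologue[0] == 0xE9:                 # JMP rel32
        rel = struct.unpack_from("<i", prologue, 1)[0]
        return ("JMP rel32", (func_addr + 5 + rel) & MASK64)
    if len(prologue) >= 6 and prologue[:2] == b"\xFF\x25":         # JMP [rip+disp32]
        disp = struct.unpack_from("<i", prologue, 2)[0]
        slot = (func_addr + 6 + disp) & MASK64
        return ("JMP [rip+disp32]", read_qword(slot) if read_qword else slot)
    if len(prologue) >= 12 and prologue[:2] == b"\x48\xB8" \
            and prologue[10:12] == b"\xFF\xE0":                     # MOV RAX, imm64; JMP RAX
        return ("MOV RAX, imm64; JMP RAX", struct.unpack_from("<Q", prologue, 2)[0])
    if len(prologue) >= 6 and prologue[0] == 0x68 and prologue[5] == 0xC3:  # PUSH imm32; RET
        imm = struct.unpack_from("<i", prologue, 1)[0]             # sign-extended on the stack
        return ("PUSH imm32; RET", imm & MASK64)
    return None


def is_inline_hooked(func_addr: int, prologue: bytes, module_start: int,
                     module_end: int, read_qword=None) -> bool:
    """Flag a function whose entry is a trampoline leading outside its own module
    image. Intra-module jumps (compiler thunks, hot-patch padding) are left alone."""
    hit = classify_prologue(func_addr, prologue, read_qword)
    return hit is not None and not (module_start <= hit[1] < module_end)


# Constructed sample data (assumed values, not captured from a real process).
MODULE_START, MODULE_END = 0x7FFA00000000, 0x7FFA00200000   # assumed image range
FUNC_ADDR = 0x7FFA00001000                                    # assumed API entry VA
CLEAN_STUB = bytes.fromhex("4C8BD1B8C7000000")                # mov r10,rcx ; mov eax,imm32
HOOK_TARGET = 0x7FFA10000000                                  # lies outside the image
HOOKED_STUB = b"\xE9" + struct.pack("<i", HOOK_TARGET - (FUNC_ADDR + 5)) + CLEAN_STUB[5:]

if __name__ == "__main__":
    for name, stub in (("clean", CLEAN_STUB), ("patched", HOOKED_STUB)):
        print(name, classify_prologue(FUNC_ADDR, stub),
              "HOOKED" if is_inline_hooked(FUNC_ADDR, stub, MODULE_START, MODULE_END) else "ok")
```

A target inside another legitimately loaded module (for example a security product's own DLL) is still reported here, so results should be cross-referenced with the loaded-module list from EnumProcessModulesEx before raising confidence.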
## Heuristic Analysis

### Confidence Scoring

Ghost uses weighted confidence scoring:

| Indicator | Weight | Description |
|-----------|--------|-------------|
| RWX regions | 0.3 | Per region detected |
| Private exec | 0.4 | When more than 2 regions are present |
| New threads | 0.2 | Per thread created |
| Unsigned code | 0.5 | Found in an executable region |

**Thresholds**:

- Clean: < 0.3
- Suspicious: 0.3 - 0.7
- Malicious: >= 0.7

## Technique Coverage

### Windows

- [x] Classic DLL injection detection
- [x] Memory region analysis (VirtualQueryEx)
- [x] Memory reading (ReadProcessMemory)
- [x] Thread enumeration (CreateToolhelp32Snapshot)
- [x] Thread start addresses (NtQueryInformationThread)
- [x] Thread creation times (GetThreadTimes)
- [x] Inline hook detection (JMP pattern scanning)
- [x] Process hollowing heuristics
- [ ] APC injection detection
- [ ] SetWindowsHookEx chain enumeration
- [ ] Reflective DLL injection signature matching

### Linux

- [x] Process enumeration (/proc filesystem)
- [x] Memory region analysis (/proc/[pid]/maps)
- [x] Memory reading (/proc/[pid]/mem)
- [x] Thread enumeration (/proc/[pid]/task)
- [x] Thread state detection (stat parsing)
- [x] ptrace injection detection
- [x] LD_PRELOAD detection
- [ ] process_vm_writev monitoring
- [ ] Shared memory inspection

### macOS

- [x] Process enumeration (sysctl KERN_PROC_ALL)
- [x] Process path retrieval (proc_pidpath)
- [ ] Memory enumeration (vm_region)
- [ ] Memory reading (vm_read)
- [ ] Thread enumeration (task_threads)
- [ ] DYLD_INSERT_LIBRARIES detection
- [ ] task_for_pid monitoring
- [ ] Mach port analysis

## References

- MITRE ATT&CK T1055: Process Injection
- Windows Internals, 7th Edition
- "Process Injection Techniques", Elastic Security