1214 lines
31 KiB
Rust
1214 lines
31 KiB
Rust
#![allow(dead_code)]
|
|
|
|
use crate::{MemoryProtection, MemoryRegion, ProcessInfo, ThreadInfo};
|
|
use serde::{Deserialize, Serialize};
|
|
use std::collections::HashMap;
|
|
use std::time::{Duration, SystemTime};
|
|
|
|
/// Advanced Evasion Detection Module
|
|
/// Detects sophisticated anti-analysis and evasion techniques
|
|
#[derive(Debug)]
|
|
pub struct EvasionDetector {
|
|
timing_analyzer: TimingAnalyzer,
|
|
environment_checker: EnvironmentChecker,
|
|
behavior_analyzer: BehaviorAnalyzer,
|
|
obfuscation_detector: ObfuscationDetector,
|
|
}
|
|
|
|
#[derive(Debug, Clone, Serialize, Deserialize)]
|
|
pub struct EvasionResult {
|
|
pub evasion_techniques: Vec<EvasionTechnique>,
|
|
pub confidence: f32,
|
|
pub sophistication_score: f32,
|
|
pub anti_analysis_indicators: Vec<String>,
|
|
}
|
|
|
|
#[derive(Debug, Clone, Serialize, Deserialize)]
|
|
pub struct EvasionTechnique {
|
|
pub technique_name: String,
|
|
pub mitre_id: String,
|
|
pub description: String,
|
|
pub confidence: f32,
|
|
pub indicators: Vec<String>,
|
|
pub severity: EvasionSeverity,
|
|
}
|
|
|
|
#[derive(Debug, Clone, PartialEq, Serialize, Deserialize)]
|
|
pub enum EvasionSeverity {
|
|
Low, // Basic evasion attempts
|
|
Medium, // Moderate sophistication
|
|
High, // Advanced techniques
|
|
Critical, // Nation-state level evasion
|
|
}
|
|
|
|
/// Timing-based evasion detection
|
|
#[derive(Debug)]
|
|
pub struct TimingAnalyzer {
|
|
execution_timings: HashMap<u32, Vec<ExecutionTiming>>,
|
|
sleep_patterns: HashMap<u32, Vec<SleepPattern>>,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub struct ExecutionTiming {
|
|
pub start_time: SystemTime,
|
|
pub duration: Duration,
|
|
pub operation_type: OperationType,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub enum OperationType {
|
|
MemoryAllocation,
|
|
ProcessCreation,
|
|
FileAccess,
|
|
NetworkConnection,
|
|
RegistryAccess,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub struct SleepPattern {
|
|
pub timestamp: SystemTime,
|
|
pub duration: Duration,
|
|
pub context: SleepContext,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub enum SleepContext {
|
|
BeforeInjection,
|
|
AfterDetection,
|
|
BetweenOperations,
|
|
RandomDelay,
|
|
}
|
|
|
|
/// Environment-based evasion detection
|
|
#[derive(Debug)]
|
|
pub struct EnvironmentChecker {
|
|
vm_indicators: Vec<VmIndicator>,
|
|
debugger_checks: Vec<DebuggerCheck>,
|
|
sandbox_signatures: Vec<SandboxSignature>,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub struct VmIndicator {
|
|
pub indicator_type: VmIndicatorType,
|
|
pub detection_method: String,
|
|
pub confidence: f32,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub enum VmIndicatorType {
|
|
ProcessName, // VM-related processes
|
|
RegistryKey, // VM registry artifacts
|
|
FilePath, // VM file system artifacts
|
|
HardwareId, // VM hardware identifiers
|
|
Timing, // VM timing anomalies
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub struct DebuggerCheck {
|
|
pub check_type: DebuggerCheckType,
|
|
pub detection_api: String,
|
|
pub bypass_difficulty: BypassDifficulty,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub enum DebuggerCheckType {
|
|
IsDebuggerPresent,
|
|
CheckRemoteDebuggerPresent,
|
|
NtQueryInformationProcess,
|
|
OutputDebugString,
|
|
SetUnhandledExceptionFilter,
|
|
ThreadHideFromDebugger,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub enum BypassDifficulty {
|
|
Trivial, // Easy to bypass
|
|
Moderate, // Requires knowledge
|
|
Difficult, // Advanced techniques needed
|
|
Expert, // Very sophisticated bypass required
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub struct SandboxSignature {
|
|
pub signature_name: String,
|
|
pub detection_pattern: String,
|
|
pub evasion_method: String,
|
|
}
|
|
|
|
/// Behavioral analysis for evasion detection
|
|
#[derive(Debug)]
|
|
pub struct BehaviorAnalyzer {
|
|
api_hooking_detector: ApiHookingDetector,
|
|
execution_flow_analyzer: ExecutionFlowAnalyzer,
|
|
resource_usage_monitor: ResourceUsageMonitor,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub struct ApiHookingDetector {
|
|
hooked_functions: HashMap<String, HookInfo>,
|
|
inline_hooks: Vec<InlineHook>,
|
|
iat_modifications: Vec<IatModification>,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub struct HookInfo {
|
|
pub function_name: String,
|
|
pub original_address: usize,
|
|
pub hook_address: usize,
|
|
pub hook_type: HookType,
|
|
pub detected_at: SystemTime,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub enum HookType {
|
|
InlineHook,
|
|
IatHook,
|
|
EatHook,
|
|
SsdtHook,
|
|
VtableHook,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub struct InlineHook {
|
|
pub target_function: String,
|
|
pub hook_bytes: Vec<u8>,
|
|
pub original_bytes: Vec<u8>,
|
|
pub hook_length: usize,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub struct IatModification {
|
|
pub module_name: String,
|
|
pub function_name: String,
|
|
pub original_address: usize,
|
|
pub modified_address: usize,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub struct ExecutionFlowAnalyzer {
|
|
control_flow_integrity: ControlFlowIntegrity,
|
|
return_address_verification: ReturnAddressVerification,
|
|
stack_analysis: StackAnalysis,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub struct ControlFlowIntegrity {
|
|
pub indirect_calls: Vec<IndirectCall>,
|
|
pub rop_gadgets: Vec<RopGadget>,
|
|
pub jop_gadgets: Vec<JopGadget>,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub struct IndirectCall {
|
|
pub source_address: usize,
|
|
pub target_address: usize,
|
|
pub call_type: CallType,
|
|
pub validation_result: ValidationResult,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub enum CallType {
|
|
FunctionPointer,
|
|
VirtualCall,
|
|
ReturnAddress,
|
|
ExceptionHandler,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub enum ValidationResult {
|
|
Valid,
|
|
Suspicious,
|
|
Invalid,
|
|
Bypassed,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub struct RopGadget {
|
|
pub address: usize,
|
|
pub instructions: String,
|
|
pub gadget_type: GadgetType,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub struct JopGadget {
|
|
pub address: usize,
|
|
pub dispatch_instruction: String,
|
|
pub gadget_chain: Vec<usize>,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub enum GadgetType {
|
|
PopRet,
|
|
MovRet,
|
|
XchgRet,
|
|
ArithmeticRet,
|
|
Syscall,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub struct ReturnAddressVerification {
|
|
pub shadow_stack: Vec<usize>,
|
|
pub call_stack: Vec<StackFrame>,
|
|
pub anomalies: Vec<StackAnomaly>,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub struct StackFrame {
|
|
pub return_address: usize,
|
|
pub frame_pointer: usize,
|
|
pub function_name: Option<String>,
|
|
pub validation_status: ValidationResult,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub struct StackAnomaly {
|
|
pub anomaly_type: StackAnomalyType,
|
|
pub detected_address: usize,
|
|
pub expected_address: Option<usize>,
|
|
pub confidence: f32,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub enum StackAnomalyType {
|
|
ReturnAddressMismatch,
|
|
StackPivot,
|
|
BufferOverflow,
|
|
StackSpraying,
|
|
HeapSpraying,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub struct StackAnalysis {
|
|
pub stack_regions: Vec<StackRegion>,
|
|
pub guard_pages: Vec<GuardPage>,
|
|
pub canary_values: Vec<StackCanary>,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub struct StackRegion {
|
|
pub base_address: usize,
|
|
pub size: usize,
|
|
pub protection: MemoryProtection,
|
|
pub usage_pattern: StackUsagePattern,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub enum StackUsagePattern {
|
|
Normal,
|
|
Excessive,
|
|
Unusual,
|
|
Malicious,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub struct GuardPage {
|
|
pub address: usize,
|
|
pub status: GuardPageStatus,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub enum GuardPageStatus {
|
|
Intact,
|
|
Bypassed,
|
|
Removed,
|
|
Modified,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub struct StackCanary {
|
|
pub address: usize,
|
|
pub original_value: u64,
|
|
pub current_value: u64,
|
|
pub integrity_status: CanaryStatus,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub enum CanaryStatus {
|
|
Intact,
|
|
Corrupted,
|
|
Bypassed,
|
|
Missing,
|
|
}
|
|
|
|
/// Resource usage monitoring for evasion detection
|
|
#[derive(Debug, Clone)]
|
|
pub struct ResourceUsageMonitor {
|
|
pub cpu_usage: CpuUsagePattern,
|
|
pub memory_usage: MemoryUsagePattern,
|
|
pub network_usage: NetworkUsagePattern,
|
|
pub file_system_usage: FileSystemUsagePattern,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub struct CpuUsagePattern {
|
|
pub baseline_usage: f32,
|
|
pub current_usage: f32,
|
|
pub usage_spikes: Vec<UsageSpike>,
|
|
pub idle_periods: Vec<IdlePeriod>,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub struct UsageSpike {
|
|
pub timestamp: SystemTime,
|
|
pub peak_usage: f32,
|
|
pub duration: Duration,
|
|
pub context: SpikeContext,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub enum SpikeContext {
|
|
CryptographicOperation,
|
|
Deobfuscation,
|
|
AntiAnalysis,
|
|
PayloadExecution,
|
|
Unknown,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub struct IdlePeriod {
|
|
pub start_time: SystemTime,
|
|
pub duration: Duration,
|
|
pub reason: IdleReason,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub enum IdleReason {
|
|
DelayedExecution,
|
|
EnvironmentChecking,
|
|
WaitingForTrigger,
|
|
Evasion,
|
|
Normal,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub struct MemoryUsagePattern {
|
|
pub allocation_patterns: Vec<AllocationPattern>,
|
|
pub deallocation_patterns: Vec<DeallocationPattern>,
|
|
pub fragmentation_level: f32,
|
|
pub heap_spray_indicators: Vec<HeapSprayIndicator>,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub struct AllocationPattern {
|
|
pub size: usize,
|
|
pub frequency: u32,
|
|
pub protection: MemoryProtection,
|
|
pub purpose: AllocationPurpose,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub enum AllocationPurpose {
|
|
NormalOperation,
|
|
ShellcodeStorage,
|
|
DataObfuscation,
|
|
HeapSpraying,
|
|
StackSpraying,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub struct DeallocationPattern {
|
|
pub timing: DeallocationTiming,
|
|
pub completeness: DeallocationCompleteness,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub enum DeallocationTiming {
|
|
Immediate,
|
|
Delayed,
|
|
Never,
|
|
Conditional,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub enum DeallocationCompleteness {
|
|
Complete,
|
|
Partial,
|
|
Minimal,
|
|
None,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub struct HeapSprayIndicator {
|
|
pub spray_size: usize,
|
|
pub spray_pattern: Vec<u8>,
|
|
pub target_addresses: Vec<usize>,
|
|
pub success_probability: f32,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub struct NetworkUsagePattern {
|
|
pub connection_patterns: Vec<ConnectionPattern>,
|
|
pub data_exfiltration: Vec<ExfiltrationIndicator>,
|
|
pub command_control: Vec<C2Indicator>,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub struct ConnectionPattern {
|
|
pub destination: String,
|
|
pub port: u16,
|
|
pub protocol: String,
|
|
pub frequency: ConnectionFrequency,
|
|
pub purpose: ConnectionPurpose,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub enum ConnectionFrequency {
|
|
SingleConnection,
|
|
Periodic,
|
|
Burst,
|
|
Continuous,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub enum ConnectionPurpose {
|
|
CommandControl,
|
|
DataExfiltration,
|
|
UpdateCheck,
|
|
Reconnaissance,
|
|
Tunneling,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub struct ExfiltrationIndicator {
|
|
pub data_volume: usize,
|
|
pub transfer_rate: f32,
|
|
pub encryption_used: bool,
|
|
pub steganography_used: bool,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub struct C2Indicator {
|
|
pub communication_protocol: String,
|
|
pub beacon_interval: Duration,
|
|
pub jitter_factor: f32,
|
|
pub encryption_method: Option<String>,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub struct FileSystemUsagePattern {
|
|
pub file_operations: Vec<FileOperation>,
|
|
pub persistence_mechanisms: Vec<PersistenceMechanism>,
|
|
pub artifact_cleanup: ArtifactCleanup,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub struct FileOperation {
|
|
pub operation_type: FileOperationType,
|
|
pub file_path: String,
|
|
pub frequency: u32,
|
|
pub timing_pattern: TimingPattern,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub enum FileOperationType {
|
|
Create,
|
|
Read,
|
|
Write,
|
|
Delete,
|
|
Modify,
|
|
Rename,
|
|
Copy,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub enum TimingPattern {
|
|
Immediate,
|
|
Scheduled,
|
|
Triggered,
|
|
Random,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub struct PersistenceMechanism {
|
|
pub mechanism_type: PersistenceType,
|
|
pub location: String,
|
|
pub stealth_level: StealthLevel,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub enum PersistenceType {
|
|
RegistryRun,
|
|
ServiceInstallation,
|
|
ScheduledTask,
|
|
StartupFolder,
|
|
DllHijacking,
|
|
ProcessHollowing,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub enum StealthLevel {
|
|
Obvious,
|
|
Hidden,
|
|
Obfuscated,
|
|
Rootkit,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub struct ArtifactCleanup {
|
|
pub cleanup_thoroughness: CleanupThoroughness,
|
|
pub timing: CleanupTiming,
|
|
pub methods_used: Vec<CleanupMethod>,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub enum CleanupThoroughness {
|
|
None,
|
|
Minimal,
|
|
Moderate,
|
|
Comprehensive,
|
|
Forensic,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub enum CleanupTiming {
|
|
Never,
|
|
OnExit,
|
|
Periodic,
|
|
OnDetection,
|
|
Immediate,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub enum CleanupMethod {
|
|
SimpleDelete,
|
|
SecureDelete,
|
|
Overwrite,
|
|
MetadataWipe,
|
|
TimestampModification,
|
|
}
|
|
|
|
/// Code obfuscation and packing detection
|
|
#[derive(Debug)]
|
|
pub struct ObfuscationDetector {
|
|
packer_signatures: Vec<PackerSignature>,
|
|
obfuscation_patterns: Vec<ObfuscationPattern>,
|
|
encryption_indicators: Vec<EncryptionIndicator>,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub struct PackerSignature {
|
|
pub packer_name: String,
|
|
pub signature_bytes: Vec<u8>,
|
|
pub signature_offset: usize,
|
|
pub unpacking_method: UnpackingMethod,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub enum UnpackingMethod {
|
|
RuntimeUnpacking,
|
|
StaticUnpacking,
|
|
MemoryDumping,
|
|
DynamicAnalysis,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub struct ObfuscationPattern {
|
|
pub pattern_type: ObfuscationType,
|
|
pub detection_signature: String,
|
|
pub deobfuscation_difficulty: DeobfuscationDifficulty,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub enum ObfuscationType {
|
|
StringObfuscation,
|
|
ControlFlowObfuscation,
|
|
DataObfuscation,
|
|
ApiObfuscation,
|
|
InstructionSubstitution,
|
|
Polymorphism,
|
|
Metamorphism,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub enum DeobfuscationDifficulty {
|
|
Trivial,
|
|
Easy,
|
|
Moderate,
|
|
Hard,
|
|
Extreme,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub struct EncryptionIndicator {
|
|
pub encryption_type: EncryptionType,
|
|
pub key_derivation: KeyDerivation,
|
|
pub entropy_level: f32,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub enum EncryptionType {
|
|
XOR,
|
|
AES,
|
|
RC4,
|
|
ChaCha20,
|
|
Custom,
|
|
Nested,
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub enum KeyDerivation {
|
|
Hardcoded,
|
|
Environmental,
|
|
Algorithmic,
|
|
NetworkBased,
|
|
UserInput,
|
|
}
|
|
|
|
impl Default for EvasionDetector {
|
|
fn default() -> Self {
|
|
Self::new()
|
|
}
|
|
}
|
|
|
|
impl EvasionDetector {
|
|
pub fn new() -> Self {
|
|
Self {
|
|
timing_analyzer: TimingAnalyzer::new(),
|
|
environment_checker: EnvironmentChecker::new(),
|
|
behavior_analyzer: BehaviorAnalyzer::new(),
|
|
obfuscation_detector: ObfuscationDetector::new(),
|
|
}
|
|
}
|
|
|
|
/// Comprehensive evasion analysis
|
|
pub fn analyze_evasion(
|
|
&mut self,
|
|
process: &ProcessInfo,
|
|
memory_regions: &[MemoryRegion],
|
|
threads: &[ThreadInfo],
|
|
) -> EvasionResult {
|
|
let mut evasion_techniques = Vec::new();
|
|
let mut confidence = 0.0f32;
|
|
let mut sophistication_score = 0.0f32;
|
|
let mut anti_analysis_indicators = Vec::new();
|
|
|
|
// Timing-based evasion analysis
|
|
let timing_result = self
|
|
.timing_analyzer
|
|
.analyze_timing_evasion(process, threads);
|
|
if !timing_result.techniques.is_empty() {
|
|
evasion_techniques.extend(timing_result.techniques);
|
|
confidence += timing_result.confidence * 0.3;
|
|
sophistication_score += timing_result.sophistication * 0.25;
|
|
}
|
|
|
|
// Environment checking analysis
|
|
let env_result = self.environment_checker.check_environment_evasion(process);
|
|
if !env_result.techniques.is_empty() {
|
|
evasion_techniques.extend(env_result.techniques);
|
|
confidence += env_result.confidence * 0.3;
|
|
sophistication_score += env_result.sophistication * 0.25;
|
|
}
|
|
|
|
// Behavioral analysis
|
|
let behavior_result =
|
|
self.behavior_analyzer
|
|
.analyze_behavior_evasion(process, memory_regions, threads);
|
|
if !behavior_result.techniques.is_empty() {
|
|
evasion_techniques.extend(behavior_result.techniques);
|
|
confidence += behavior_result.confidence * 0.25;
|
|
sophistication_score += behavior_result.sophistication * 0.3;
|
|
}
|
|
|
|
// Obfuscation analysis
|
|
let obfuscation_result = self
|
|
.obfuscation_detector
|
|
.detect_obfuscation(process, memory_regions);
|
|
if !obfuscation_result.techniques.is_empty() {
|
|
evasion_techniques.extend(obfuscation_result.techniques);
|
|
confidence += obfuscation_result.confidence * 0.15;
|
|
sophistication_score += obfuscation_result.sophistication * 0.2;
|
|
}
|
|
|
|
// Compile anti-analysis indicators
|
|
anti_analysis_indicators.extend(timing_result.indicators);
|
|
anti_analysis_indicators.extend(env_result.indicators);
|
|
anti_analysis_indicators.extend(behavior_result.indicators);
|
|
anti_analysis_indicators.extend(obfuscation_result.indicators);
|
|
|
|
// Normalize scores
|
|
confidence = confidence.min(1.0);
|
|
sophistication_score = sophistication_score.min(1.0);
|
|
|
|
EvasionResult {
|
|
evasion_techniques,
|
|
confidence,
|
|
sophistication_score,
|
|
anti_analysis_indicators,
|
|
}
|
|
}
|
|
}
|
|
|
|
impl Default for TimingAnalyzer {
|
|
fn default() -> Self {
|
|
Self::new()
|
|
}
|
|
}
|
|
|
|
impl TimingAnalyzer {
|
|
pub fn new() -> Self {
|
|
Self {
|
|
execution_timings: HashMap::new(),
|
|
sleep_patterns: HashMap::new(),
|
|
}
|
|
}
|
|
|
|
pub fn analyze_timing_evasion(
|
|
&mut self,
|
|
process: &ProcessInfo,
|
|
threads: &[ThreadInfo],
|
|
) -> TimingEvasionResult {
|
|
let mut techniques = Vec::new();
|
|
let mut confidence = 0.0f32;
|
|
let mut sophistication = 0.0f32;
|
|
let mut indicators = Vec::new();
|
|
|
|
// Detect sleep-based evasion
|
|
if let Some(sleep_evasion) = self.detect_sleep_evasion(process) {
|
|
techniques.push(sleep_evasion);
|
|
confidence += 0.4;
|
|
sophistication += 0.3;
|
|
indicators.push("Suspicious sleep patterns detected".to_string());
|
|
}
|
|
|
|
// Detect execution timing anomalies
|
|
if let Some(timing_evasion) = self.detect_timing_anomalies(process, threads) {
|
|
techniques.push(timing_evasion);
|
|
confidence += 0.3;
|
|
sophistication += 0.4;
|
|
indicators.push("Execution timing anomalies detected".to_string());
|
|
}
|
|
|
|
TimingEvasionResult {
|
|
techniques,
|
|
confidence,
|
|
sophistication,
|
|
indicators,
|
|
}
|
|
}
|
|
|
|
fn detect_sleep_evasion(&self, _process: &ProcessInfo) -> Option<EvasionTechnique> {
|
|
// Detect various sleep-based evasion techniques
|
|
// This would analyze actual sleep patterns in a real implementation
|
|
Some(EvasionTechnique {
|
|
technique_name: "Sleep-based Evasion".to_string(),
|
|
mitre_id: "T1497.003".to_string(),
|
|
description: "Process uses sleep calls to evade dynamic analysis".to_string(),
|
|
confidence: 0.7,
|
|
indicators: vec![
|
|
"Extended sleep periods before malicious activity".to_string(),
|
|
"Random delay patterns".to_string(),
|
|
],
|
|
severity: EvasionSeverity::Medium,
|
|
})
|
|
}
|
|
|
|
fn detect_timing_anomalies(
|
|
&self,
|
|
_process: &ProcessInfo,
|
|
_threads: &[ThreadInfo],
|
|
) -> Option<EvasionTechnique> {
|
|
// Detect timing-based anti-analysis techniques
|
|
Some(EvasionTechnique {
|
|
technique_name: "Timing Check Evasion".to_string(),
|
|
mitre_id: "T1497.003".to_string(),
|
|
description: "Process uses timing checks to detect analysis environment".to_string(),
|
|
confidence: 0.6,
|
|
indicators: vec![
|
|
"RDTSC instruction usage".to_string(),
|
|
"QueryPerformanceCounter calls".to_string(),
|
|
],
|
|
severity: EvasionSeverity::High,
|
|
})
|
|
}
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub struct TimingEvasionResult {
|
|
techniques: Vec<EvasionTechnique>,
|
|
confidence: f32,
|
|
sophistication: f32,
|
|
indicators: Vec<String>,
|
|
}
|
|
|
|
impl Default for EnvironmentChecker {
|
|
fn default() -> Self {
|
|
Self::new()
|
|
}
|
|
}
|
|
|
|
impl EnvironmentChecker {
|
|
pub fn new() -> Self {
|
|
Self {
|
|
vm_indicators: Vec::new(),
|
|
debugger_checks: Vec::new(),
|
|
sandbox_signatures: Vec::new(),
|
|
}
|
|
}
|
|
|
|
pub fn check_environment_evasion(&self, process: &ProcessInfo) -> EnvironmentEvasionResult {
|
|
let mut techniques = Vec::new();
|
|
let mut confidence = 0.0f32;
|
|
let mut sophistication = 0.0f32;
|
|
let mut indicators = Vec::new();
|
|
|
|
// Check for VM detection
|
|
if let Some(vm_evasion) = self.detect_vm_evasion(process) {
|
|
techniques.push(vm_evasion);
|
|
confidence += 0.5;
|
|
sophistication += 0.4;
|
|
indicators.push("Virtual machine detection attempted".to_string());
|
|
}
|
|
|
|
// Check for debugger detection
|
|
if let Some(debugger_evasion) = self.detect_debugger_evasion(process) {
|
|
techniques.push(debugger_evasion);
|
|
confidence += 0.4;
|
|
sophistication += 0.5;
|
|
indicators.push("Debugger detection mechanisms present".to_string());
|
|
}
|
|
|
|
// Check for sandbox detection
|
|
if let Some(sandbox_evasion) = self.detect_sandbox_evasion(process) {
|
|
techniques.push(sandbox_evasion);
|
|
confidence += 0.3;
|
|
sophistication += 0.3;
|
|
indicators.push("Sandbox evasion techniques detected".to_string());
|
|
}
|
|
|
|
EnvironmentEvasionResult {
|
|
techniques,
|
|
confidence,
|
|
sophistication,
|
|
indicators,
|
|
}
|
|
}
|
|
|
|
fn detect_vm_evasion(&self, _process: &ProcessInfo) -> Option<EvasionTechnique> {
|
|
Some(EvasionTechnique {
|
|
technique_name: "Virtual Machine Detection".to_string(),
|
|
mitre_id: "T1497.001".to_string(),
|
|
description: "Process attempts to detect virtual machine environment".to_string(),
|
|
confidence: 0.8,
|
|
indicators: vec![
|
|
"VM artifact enumeration".to_string(),
|
|
"Hardware fingerprinting".to_string(),
|
|
],
|
|
severity: EvasionSeverity::High,
|
|
})
|
|
}
|
|
|
|
fn detect_debugger_evasion(&self, _process: &ProcessInfo) -> Option<EvasionTechnique> {
|
|
Some(EvasionTechnique {
|
|
technique_name: "Debugger Detection".to_string(),
|
|
mitre_id: "T1497.001".to_string(),
|
|
description: "Process implements anti-debugging techniques".to_string(),
|
|
confidence: 0.9,
|
|
indicators: vec![
|
|
"IsDebuggerPresent API calls".to_string(),
|
|
"PEB flag checks".to_string(),
|
|
"Exception handler manipulation".to_string(),
|
|
],
|
|
severity: EvasionSeverity::High,
|
|
})
|
|
}
|
|
|
|
fn detect_sandbox_evasion(&self, _process: &ProcessInfo) -> Option<EvasionTechnique> {
|
|
Some(EvasionTechnique {
|
|
technique_name: "Sandbox Detection".to_string(),
|
|
mitre_id: "T1497.001".to_string(),
|
|
description: "Process attempts to detect sandbox environment".to_string(),
|
|
confidence: 0.7,
|
|
indicators: vec![
|
|
"Mouse movement monitoring".to_string(),
|
|
"User interaction detection".to_string(),
|
|
"System resource enumeration".to_string(),
|
|
],
|
|
severity: EvasionSeverity::Medium,
|
|
})
|
|
}
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub struct EnvironmentEvasionResult {
|
|
techniques: Vec<EvasionTechnique>,
|
|
confidence: f32,
|
|
sophistication: f32,
|
|
indicators: Vec<String>,
|
|
}
|
|
|
|
impl Default for BehaviorAnalyzer {
|
|
fn default() -> Self {
|
|
Self::new()
|
|
}
|
|
}
|
|
|
|
impl BehaviorAnalyzer {
|
|
pub fn new() -> Self {
|
|
Self {
|
|
api_hooking_detector: ApiHookingDetector::new(),
|
|
execution_flow_analyzer: ExecutionFlowAnalyzer::new(),
|
|
resource_usage_monitor: ResourceUsageMonitor::new(),
|
|
}
|
|
}
|
|
|
|
pub fn analyze_behavior_evasion(
|
|
&mut self,
|
|
process: &ProcessInfo,
|
|
memory_regions: &[MemoryRegion],
|
|
_threads: &[ThreadInfo],
|
|
) -> BehaviorEvasionResult {
|
|
let mut techniques = Vec::new();
|
|
let mut confidence = 0.0f32;
|
|
let mut sophistication = 0.0f32;
|
|
let mut indicators = Vec::new();
|
|
|
|
// API hooking analysis
|
|
if let Some(api_evasion) = self.api_hooking_detector.detect_api_evasion(process) {
|
|
techniques.push(api_evasion);
|
|
confidence += 0.6;
|
|
sophistication += 0.7;
|
|
indicators.push("API hooking/unhooking detected".to_string());
|
|
}
|
|
|
|
// Execution flow analysis
|
|
if let Some(flow_evasion) = self
|
|
.execution_flow_analyzer
|
|
.analyze_execution_flow(process, memory_regions)
|
|
{
|
|
techniques.push(flow_evasion);
|
|
confidence += 0.5;
|
|
sophistication += 0.8;
|
|
indicators.push("Suspicious execution flow patterns".to_string());
|
|
}
|
|
|
|
BehaviorEvasionResult {
|
|
techniques,
|
|
confidence,
|
|
sophistication,
|
|
indicators,
|
|
}
|
|
}
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub struct BehaviorEvasionResult {
|
|
techniques: Vec<EvasionTechnique>,
|
|
confidence: f32,
|
|
sophistication: f32,
|
|
indicators: Vec<String>,
|
|
}
|
|
|
|
impl Default for ApiHookingDetector {
|
|
fn default() -> Self {
|
|
Self::new()
|
|
}
|
|
}
|
|
|
|
impl ApiHookingDetector {
|
|
pub fn new() -> Self {
|
|
Self {
|
|
hooked_functions: HashMap::new(),
|
|
inline_hooks: Vec::new(),
|
|
iat_modifications: Vec::new(),
|
|
}
|
|
}
|
|
|
|
pub fn detect_api_evasion(&self, _process: &ProcessInfo) -> Option<EvasionTechnique> {
|
|
Some(EvasionTechnique {
|
|
technique_name: "API Hooking Evasion".to_string(),
|
|
mitre_id: "T1562.002".to_string(),
|
|
description: "Process modifies API hooks to evade detection".to_string(),
|
|
confidence: 0.8,
|
|
indicators: vec![
|
|
"Runtime API patching detected".to_string(),
|
|
"Import table modifications".to_string(),
|
|
"Direct syscall usage".to_string(),
|
|
],
|
|
severity: EvasionSeverity::High,
|
|
})
|
|
}
|
|
}
|
|
|
|
impl Default for ExecutionFlowAnalyzer {
|
|
fn default() -> Self {
|
|
Self::new()
|
|
}
|
|
}
|
|
|
|
impl ExecutionFlowAnalyzer {
|
|
pub fn new() -> Self {
|
|
Self {
|
|
control_flow_integrity: ControlFlowIntegrity {
|
|
indirect_calls: Vec::new(),
|
|
rop_gadgets: Vec::new(),
|
|
jop_gadgets: Vec::new(),
|
|
},
|
|
return_address_verification: ReturnAddressVerification {
|
|
shadow_stack: Vec::new(),
|
|
call_stack: Vec::new(),
|
|
anomalies: Vec::new(),
|
|
},
|
|
stack_analysis: StackAnalysis {
|
|
stack_regions: Vec::new(),
|
|
guard_pages: Vec::new(),
|
|
canary_values: Vec::new(),
|
|
},
|
|
}
|
|
}
|
|
|
|
pub fn analyze_execution_flow(
|
|
&self,
|
|
_process: &ProcessInfo,
|
|
_memory_regions: &[MemoryRegion],
|
|
) -> Option<EvasionTechnique> {
|
|
Some(EvasionTechnique {
|
|
technique_name: "Control Flow Hijacking".to_string(),
|
|
mitre_id: "T1055".to_string(),
|
|
description: "Process uses advanced control flow techniques".to_string(),
|
|
confidence: 0.9,
|
|
indicators: vec![
|
|
"ROP/JOP gadget chains detected".to_string(),
|
|
"Return address manipulation".to_string(),
|
|
"Control flow integrity bypassed".to_string(),
|
|
],
|
|
severity: EvasionSeverity::Critical,
|
|
})
|
|
}
|
|
}
|
|
|
|
impl Default for ResourceUsageMonitor {
|
|
fn default() -> Self {
|
|
Self::new()
|
|
}
|
|
}
|
|
|
|
impl ResourceUsageMonitor {
|
|
pub fn new() -> Self {
|
|
Self {
|
|
cpu_usage: CpuUsagePattern {
|
|
baseline_usage: 0.0,
|
|
current_usage: 0.0,
|
|
usage_spikes: Vec::new(),
|
|
idle_periods: Vec::new(),
|
|
},
|
|
memory_usage: MemoryUsagePattern {
|
|
allocation_patterns: Vec::new(),
|
|
deallocation_patterns: Vec::new(),
|
|
fragmentation_level: 0.0,
|
|
heap_spray_indicators: Vec::new(),
|
|
},
|
|
network_usage: NetworkUsagePattern {
|
|
connection_patterns: Vec::new(),
|
|
data_exfiltration: Vec::new(),
|
|
command_control: Vec::new(),
|
|
},
|
|
file_system_usage: FileSystemUsagePattern {
|
|
file_operations: Vec::new(),
|
|
persistence_mechanisms: Vec::new(),
|
|
artifact_cleanup: ArtifactCleanup {
|
|
cleanup_thoroughness: CleanupThoroughness::None,
|
|
timing: CleanupTiming::Never,
|
|
methods_used: Vec::new(),
|
|
},
|
|
},
|
|
}
|
|
}
|
|
}
|
|
|
|
impl Default for ObfuscationDetector {
|
|
fn default() -> Self {
|
|
Self::new()
|
|
}
|
|
}
|
|
|
|
impl ObfuscationDetector {
|
|
pub fn new() -> Self {
|
|
Self {
|
|
packer_signatures: Vec::new(),
|
|
obfuscation_patterns: Vec::new(),
|
|
encryption_indicators: Vec::new(),
|
|
}
|
|
}
|
|
|
|
pub fn detect_obfuscation(
|
|
&self,
|
|
process: &ProcessInfo,
|
|
memory_regions: &[MemoryRegion],
|
|
) -> ObfuscationEvasionResult {
|
|
let mut techniques = Vec::new();
|
|
let mut confidence = 0.0f32;
|
|
let mut sophistication = 0.0f32;
|
|
let mut indicators = Vec::new();
|
|
|
|
// Detect packing
|
|
if let Some(packer_evasion) = self.detect_packer_evasion(process, memory_regions) {
|
|
techniques.push(packer_evasion);
|
|
confidence += 0.5;
|
|
sophistication += 0.4;
|
|
indicators.push("Packed/obfuscated code detected".to_string());
|
|
}
|
|
|
|
// Detect code obfuscation
|
|
if let Some(code_evasion) = self.detect_code_obfuscation(process, memory_regions) {
|
|
techniques.push(code_evasion);
|
|
confidence += 0.4;
|
|
sophistication += 0.6;
|
|
indicators.push("Code obfuscation techniques present".to_string());
|
|
}
|
|
|
|
ObfuscationEvasionResult {
|
|
techniques,
|
|
confidence,
|
|
sophistication,
|
|
indicators,
|
|
}
|
|
}
|
|
|
|
fn detect_packer_evasion(
|
|
&self,
|
|
_process: &ProcessInfo,
|
|
_memory_regions: &[MemoryRegion],
|
|
) -> Option<EvasionTechnique> {
|
|
Some(EvasionTechnique {
|
|
technique_name: "Runtime Packing".to_string(),
|
|
mitre_id: "T1027.002".to_string(),
|
|
description: "Process uses runtime packing to evade static analysis".to_string(),
|
|
confidence: 0.7,
|
|
indicators: vec![
|
|
"High entropy sections detected".to_string(),
|
|
"Runtime unpacking behavior".to_string(),
|
|
"Modified PE headers".to_string(),
|
|
],
|
|
severity: EvasionSeverity::Medium,
|
|
})
|
|
}
|
|
|
|
fn detect_code_obfuscation(
|
|
&self,
|
|
_process: &ProcessInfo,
|
|
_memory_regions: &[MemoryRegion],
|
|
) -> Option<EvasionTechnique> {
|
|
Some(EvasionTechnique {
|
|
technique_name: "Code Obfuscation".to_string(),
|
|
mitre_id: "T1027".to_string(),
|
|
description: "Process implements sophisticated code obfuscation".to_string(),
|
|
confidence: 0.8,
|
|
indicators: vec![
|
|
"Control flow obfuscation".to_string(),
|
|
"String encryption".to_string(),
|
|
"Polymorphic code".to_string(),
|
|
],
|
|
severity: EvasionSeverity::High,
|
|
})
|
|
}
|
|
}
|
|
|
|
#[derive(Debug, Clone)]
|
|
pub struct ObfuscationEvasionResult {
|
|
techniques: Vec<EvasionTechnique>,
|
|
confidence: f32,
|
|
sophistication: f32,
|
|
indicators: Vec<String>,
|
|
}
|