Execute all exported functions #366

Open
bartblaze opened this issue Jun 19, 2019 · 1 comment

Comments

@bartblaze
Contributor

bartblaze commented Jun 19, 2019

Certain implants that perform DLL sideloading include dummy functions to throw off analysis systems or researchers. For example, in the RedLeaves sample seen here on page 5:
https://www.accenture.com/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf#zoom=50

Could be an idea to have an option, for example, "allfunctions", and if the DLL package is triggered, to run all exported functions present (as opposed to the "function" option, which allows you to set a specific function yourself).

In the Behavior Analysis, the Process Tree would then allow one to determine which function is real or being used.

@kevoreilly
Contributor

This is a great idea and something I have looked at - I realised it would require pefile to be installed in the guest in order to enumerate the exports. I also considered the likelihood of crashing the process if an exported function was called with bad args, so decided it would be best done with a new process for every export. Other than that it should be straightforward. I will try and get this done, thanks for the suggestion.
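The two steps kevoreilly describes, as an added example (not code from the sandbox project or from either commenter): enumerate the DLL's export names, then build one command line per export so that a crash from calling an export with bad arguments only takes down that one process. The export walk is written in pure Python over a constructed minimal PE image so it runs without pefile or a real DLL; the `rundll32.exe dll,EntryPoint` form is assumed as the per-process runner.

```python
import struct

def build_dll_stub(export_names):
    """Constructed test input: a minimal PE32 image holding only an export table (not loadable)."""
    sec_rva, sec_off, n = 0x1000, 0x200, len(export_names)
    funcs_rva = sec_rva + 40                    # IMAGE_EXPORT_DIRECTORY is 40 bytes
    names_rva = funcs_rva + 4 * n
    ords_rva = names_rva + 4 * n
    strings = b"".join(s.encode() + b"\0" for s in export_names)
    name_rvas = [ords_rva + 2 * n + sum(len(s) + 1 for s in export_names[:i]) for i in range(n)]
    body = (struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, 1, n, n, funcs_rva, names_rva, ords_rva)
            + struct.pack(f"<{n}I", *(0x2000 + 0x10 * i for i in range(n)))   # fake code RVAs
            + struct.pack(f"<{n}I", *name_rvas) + struct.pack(f"<{n}H", *range(n)) + strings)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)  # i386, 1 section, DLL
    opt = (struct.pack("<H", 0x10B).ljust(92, b"\0") + struct.pack("<I", 16)    # PE32 magic, 16 dirs
           + struct.pack("<II", sec_rva, len(body)) + b"\0" * 120)             # dir 0 = export table
    sec = struct.pack("<8sIIIIIIHHI", b".edata", len(body), sec_rva, len(body), sec_off, 0, 0, 0, 0, 0x40000040)
    return (dos + coff + opt + sec).ljust(sec_off, b"\0") + body

def list_exports(image):
    """Walk the export directory of a PE32/PE32+ image held in memory and return its names.
    This is the enumeration step the thread says needs pefile in the guest, done here dependency-free."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = (struct.unpack_from("<H", image, e_lfanew + o)[0] for o in (6, 20))
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", image, opt)[0]
    exp_rva = struct.unpack_from("<I", image, opt + (96 if magic == 0x10B else 112))[0]  # PE32 vs PE32+
    if exp_rva == 0:
        return []                                 # no export table at all
    secs = [struct.unpack_from("<III", image, opt + opt_size + 40 * i + 12) for i in range(nsec)]
    def rva2off(rva):                             # secs: (VirtualAddress, SizeOfRawData, PointerToRawData)
        for va, size, ptr in secs:
            if va <= rva < va + size:
                return rva - va + ptr
        raise ValueError(f"RVA {rva:#x} maps to no section")
    d = rva2off(exp_rva)
    n_names, names_rva = struct.unpack_from("<I4xI", image, d + 24)   # NumberOfNames, AddressOfNames
    names = []
    for i in range(n_names):
        off = rva2off(struct.unpack_from("<I", image, rva2off(names_rva) + 4 * i)[0])
        names.append(image[off:image.index(b"\0", off)].decode())
    return names

def per_export_commands(dll_path, exports, runner="rundll32.exe"):
    """One command line per export, each intended for its own process (assumed rundll32 'dll,EntryPoint' syntax)."""
    return [[runner, f"{dll_path},{name}"] for name in exports]
```

Each entry would be handed to `subprocess.run` with a timeout inside the guest; the process tree then shows which export actually did something and which were decoys.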
