Monday, May 7, 2018

Script to review PE Imports & detect Malware, rough 1st draft

$inputfile = "Imports.txt"
$importHits = @{}

$importHitDescriptions = @{}
$importHitDescriptions.Add("Keylogger","Logs keystrokes (ex: https://gist.githubusercontent.com/patilswapnilv/7338783/raw/04ff7fe62fde513786dbdfb30511334fca994694/KeyLogger%2520(%2520C%2520Program)%2520 , https://codereview.stackexchange.com/questions/46980/windows-keylogger-in-c )")
$importHitDescriptions.Add("ScreenCapturer","Capture Screenshot (ex: https://msdn.microsoft.com/en-us/library/windows/desktop/dd183402(v=vs.85).aspx )")
$importHitDescriptions.Add("AntiDebug","Pack, Obfuscate, Detect Malware Analysis or Sandbox (ex: https://xorl.wordpress.com/2017/12/09/the-checkremotedebuggerpresent-anti-debugging-technique/, https://ntquery.wordpress.com/2014/03/30/anti-debug-ntqueryobject/, https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/Anti%20Debug/NtSetInformationThread_ThreadHideFromDebugger.cpp, https://www.evilfingers.com/publications/research_EN/EventPairsHandle.pdf )")
$importHitDescriptions.Add("Downloader","Download another remote payload (ex: https://wiremask.eu/articles/download-execute-assembly-x86/ )")
$importHitDescriptions.Add("HookInjection","Hook a function to inject code (ex: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process )")
$importHitDescriptions.Add("IATHooking","Change the Import Address Table to point elsewhere (ex: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process )")
$importHitDescriptions.Add("ExtraWindowInjection","Inject into shared window memory (ex: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process )")
$importHitDescriptions.Add("AtomBombing","Use the Asynchronous Procedure call to inject code (ex: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process )")
$importHitDescriptions.Add("ThreadHijacking","Simliar to Process Hollowing but with Threads (ex: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process )")
$importHitDescriptions.Add("DLLInjection","Write into another process a path to a DLL and call it (ex: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process )")
$importHitDescriptions.Add("Dropper","Contains another payload inside itself to run (ex: https://malwareanalyses.wordpress.com/2016/01/31/a-look-into-a-small-dropper-part-i/ )")
$importHitDescriptions.Add("ProcessHollowing","Unmap legit code in another process, overwrite w/ malicious (ex: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process )")
$importHitDescriptions.Add("CommandAndControl","Listen for or make callouts to a remote system to get instructions")
$importHitDescriptions.Add("Persistence","Create a job, service, registry entry, etc. to ensure malware stays")
$importHitDescriptions.Add("Ransomware","Loop through files and encrypt them")
$importHitDescriptions.Add("Exfiltration","Post or send data to a remote location")
$importHitDescriptions.Add("Recon","Collect data about the victim system or network")
$importHitDescriptions.Add("CredentialTheft","Find credentials in files, memory, etc")

$importDescriptions = @{}
$importDescriptions.Add("Accept","malware c2 may listen for incoming connections")
$importDescriptions.Add("AdjustTokenPrivileges","gain more permissions during process injection")
$importDescriptions.Add("AttachThreadInput","allows another process to see keyboard events")
$importDescriptions.Add("Bind","malware c2 may listen for incoming connections")
$importDescriptions.Add("BitBlt","Copies the pixels in the device context")
$importDescriptions.Add("CertOpenSystemStore","access certificates stored on a pc")
$importDescriptions.Add("ChangeServiceConfig","change values of existing service")
$importDescriptions.Add("ChangeServiceConfigA","change values of existing service")
$importDescriptions.Add("ChangeServiceConfigW","change values of existing service")
$importDescriptions.Add("CheckRemoteDebuggerPresent","checks debug flag returns true if yes")
$importDescriptions.Add("CloseHandle","generate exception if debugged, close newly dropped file")
$importDescriptions.Add("Connect","connect to a remote socket")
$importDescriptions.Add("ConnectNamedPipe","backdoors & trojans can use pipes for c2 traffic")
$importDescriptions.Add("ControlService","start stop and modify services")
$importDescriptions.Add("CreateCompatibleBitmap","Creates a compatible bitmap context for the device context")
$importDescriptions.Add("CreateCompatibleDC","Creates a compatible device context for the screen")
$importDescriptions.Add("CreateEvent","event to inject")
$importDescriptions.Add("CreateEventA","event to inject")
$importDescriptions.Add("CreateEventW","event to inject")
$importDescriptions.Add("CreateFile","Create a new file, the malware file being dropped")
$importDescriptions.Add("CreatefileA","Create a new file, the malware file being dropped")
$importDescriptions.Add("CreateFileMapping","load files into memory (like EXEs) to modify/inject them")
$importDescriptions.Add("CreateMutex","prevents malware from infecting same pc twice")
$importDescriptions.Add("CreatePipe","pass date back & forth locally, used by reverse shells")
$importDescriptions.Add("CreateProcess","start another process, sometimes suspended for hollowing")
$importDescriptions.Add("CreateProcessA","start another process, sometimes suspended for hollowing")
$importDescriptions.Add("CreateRemoteThread","Create a thread in that process to run your DLL start function")
$importDescriptions.Add("CreateService","start a service for persistence")
$importDescriptions.Add("CreateServiceA","start a service for persistence")
$importDescriptions.Add("CreateServiceW","start a service for persistence")
$importDescriptions.Add("CreateToolhelp32Snapshot","loop thru running processes and find debugger or inject victim")
$importDescriptions.Add("CreateWindowEx","create a window")
$importDescriptions.Add("CreateWindowExA","create a window")
$importDescriptions.Add("CreateWindowExW","create a window")
$importDescriptions.Add("CryptAcquireContext","To use microsoft encryption/decryption features")
$importDescriptions.Add("CsrGetProcessID","can open a process and check it's debugging permissions")
$importDescriptions.Add("DeviceIoControl","send messages to a device driver")
$importDescriptions.Add("EnableExecuteProtectionSupport","modify Data Execution Protection (DEP) settings in memory")
$importDescriptions.Add("EnumProcesses","loop thru running processes and find debugger or inject victim")
$importDescriptions.Add("EnumProcessModules","loop thru running processes and find debugger or inject victim")
$importDescriptions.Add("FindFirstFile","find files in a directory")
$importDescriptions.Add("FindFirstFileA","find files in a directory")
$importDescriptions.Add("FindNextFile","find files in a directory")
$importDescriptions.Add("FindNextFileW","find files in a directory")
$importDescriptions.Add("FindProcess","loop and find an analysis executable (procmon.exe, etc.)")
$importDescriptions.Add("FindResource","Find malware hidden/saved in the resources section of a PE")
$importDescriptions.Add("FindWindow","Lookup keylogger window by name to hide it, detect tools")
$importDescriptions.Add("FindWindowA","Lookup keylogger window by name to hide it, detect tools")
$importDescriptions.Add("FindWindowW","Lookup keylogger window by name to hide it, detect tools")
$importDescriptions.Add("FreeLibrary","removes a library after being used (won't remove until 0 refs)")
$importDescriptions.Add("FtpPutFile","upload file to ftp server")
$importDescriptions.Add("GenerateConsoleCtrlEvent","invoke CTRL-C, check for a CTRL-C exception, true if debugged")
$importDescriptions.Add("GetAdaptersInfo","get mac address, network adapters, or detect a virtual machine")
$importDescriptions.Add("GetAsyncKeyState","Is a specific key being pressed right now?")
$importDescriptions.Add("GetDC","Gets reference to a window or whole screen")
$importDescriptions.Add("GetForegroundWindow","find current active window on desktop, for keylogging it")
$importDescriptions.Add("Gethostbyname","try to get ip of a remote hostname for c2")
$importDescriptions.Add("Gethostname","get name of the pc you're on")
$importDescriptions.Add("GetKeyState","check status of a particular key, is it pressed?")
$importDescriptions.Add("GetLocalTime","Run twice, get time difference, detect debug breakpoint")
$importDescriptions.Add("GetMessage","Gets SetWindowsHookEx messages to record keys")
$importDescriptions.Add("GetModuleFilename","get a file in the current process to modify or run it")
$importDescriptions.Add("GetModuleHandle","get current proc to modify or run it, or dynamic load an import")
$importDescriptions.Add("GetModuleHandleA","get current proc to modify or run it, or dynamic load an import")
$importDescriptions.Add("GetProcAddress","obtain the address of an API (so it's hidden from analysts)")
$importDescriptions.Add("GetProcessHeap","can be used to detect presence of a debugger")
$importDescriptions.Add("GetStartupInfo","details on the current running process")
$importDescriptions.Add("GetSystemDefaultLangId","determine language/region the system configured for")
$importDescriptions.Add("GetSystemDirectoryW","access windows folder")
$importDescriptions.Add("GetSystemTime","Run twice, get time difference, detect debug breakpoint")
$importDescriptions.Add("GetSystemTimeAsFileTime","call twice and check if pauses for breakpoints, anti-debug")
$importDescriptions.Add("GetTempPath","get temp folder path so can write malware to it")
$importDescriptions.Add("GetThreadContext","get details on current running process, for hollowing")
$importDescriptions.Add("GetTickCount","Run twice, get time difference, detect debug breakpoint")
$importDescriptions.Add("GetVersionEx","what version of windows is running on this pc?")
$importDescriptions.Add("GetVersionExA","what version of windows is running on this pc?")
$importDescriptions.Add("GetVersionExW","what version of windows is running on this pc?")
$importDescriptions.Add("GetWindowDC","Gets reference to whole screen including title bar, etc.")
$importDescriptions.Add("GetWindowLong","get a window to inject")
$importDescriptions.Add("GetWindowLongA","get a window to inject")
$importDescriptions.Add("GetWindowLongW","get a window to inject")
$importDescriptions.Add("GetWindowsDirectory","get the windows folder location on this pc")
$importDescriptions.Add("HeapAlloc","Allocation memory to decode an encoded hidden EXE")
$importDescriptions.Add("HttpSendRequest","send data remotely")
$importDescriptions.Add("inet_addr","convert a string based ip address to an ip address format")
$importDescriptions.Add("InternetOpen","starting a connection, specific user agent with this")
$importDescriptions.Add("InternetOpenUrl","specify a specificl url or ftp location to connect to")
$importDescriptions.Add("InternetOpenUrlA","specify a specificl url or ftp location to connect to")
$importDescriptions.Add("InternetOpenUrlW","specify a specificl url or ftp location to connect to")
$importDescriptions.Add("InternetReadFile","read data back from an InternetOpenUrl call")
$importDescriptions.Add("InternetWriteFile","post data out to an InternetOpenUrl call")
$importDescriptions.Add("IsDebuggerPresent","checks debug flag returns true if yes")
$importDescriptions.Add("IsNTAdmin","does user have admin rights?")
$importDescriptions.Add("IsWoW64Process","is pc 32 bit or 64 bit?")
$importDescriptions.Add("KiGetTickCount","Run twice, get time difference, detect debug breakpoint")
$importDescriptions.Add("LdrLoadDll","load a dll into a process")
$importDescriptions.Add("LoadLibrary","load library dynamically on the fly")
$importDescriptions.Add("LoadLibraryA","load library dynamically on the fly")
$importDescriptions.Add("LoadLibraryEx","load library dynamically on the fly")
$importDescriptions.Add("LoadLibraryExA","load library dynamically on the fly")
$importDescriptions.Add("LoadLibraryExW","load library dynamically on the fly")
$importDescriptions.Add("LoadLibraryW","load library dynamically on the fly")
$importDescriptions.Add("LoadResource","Load malware hidden/saved in the resources section of a PE")
$importDescriptions.Add("LsaEnumerateLogonSessions","enumerate logged on users for cred theft")
$importDescriptions.Add("MapViewOfFile","read and modify EXEs in memory without using WriteFile")
$importDescriptions.Add("MapVirtualKey","maps virtual keys to their character value")
$importDescriptions.Add("Module32First","list all DLLs in a process, find where to inject")
$importDescriptions.Add("Module32Next","list all DLLs in a process, find where to inject")
$importDescriptions.Add("NetScheduleJobAdd","schedule a job for persistence")
$importDescriptions.Add("NetShareEnum","list out network shares connected")
$importDescriptions.Add("NtClose","when sent an invalid handle, generate exception if debugged")
$importDescriptions.Add("NtContinue","can clear the trap flag thus breaking out of breakpoints")
$importDescriptions.Add("NtQueryDirectoryFile","find files in a directory")
$importDescriptions.Add("NtQueryInformationProcess","can retrieve a process 'DebugPort' property value")
$importDescriptions.Add("NtQueryObject","find debug object indicating a debug tool exists")
$importDescriptions.Add("NtQueryPerformanceCounter","Run twice, get time difference, detect debug breakpoint")
$importDescriptions.Add("NtQuerySystemInformation","find debug object indicating a debug tool exists")
$importDescriptions.Add("NtSetInformationThread","param HideThreadFromDebugger used to hide breakpoints")
$importDescriptions.Add("NtUnmapViewOfSection","swap legit memory with malicious memory")
$importDescriptions.Add("OpenFile","open existing file")
$importDescriptions.Add("OpenFileMappingA","access shared memory (like a pipe)")
$importDescriptions.Add("OpenMutex","prevents malware from infecting same pc twice")
$importDescriptions.Add("OpenProcess","open a specific process that you are injecting into")
$importDescriptions.Add("OpenThread","hijack a thread that is running")
$importDescriptions.Add("OutputDebugString","throws an error when no debugger is present")
$importDescriptions.Add("OutputDebugStringA","throws an error when no debugger is present")
$importDescriptions.Add("OutputDebugStringW","throws an error when no debugger is present")
$importDescriptions.Add("PeekNamedPipe","pass date back & forth locally, used by reverse shells")
$importDescriptions.Add("Process32First","loop thru running processes and find debugger or inject victim")
$importDescriptions.Add("Process32Next","loop thru running processes and find debugger or inject victim")
$importDescriptions.Add("QueryPerformanceCounter","Run twice, get time difference, detect debug breakpoint")
$importDescriptions.Add("QueueUserAPC","can inject code into another process, atom boming")
$importDescriptions.Add("ReadConsoleA","read characters from keyboard")
$importDescriptions.Add("ReadFile","read contents of a file")
$importDescriptions.Add("ReadFileEx","read contents of a file")
$importDescriptions.Add("ReadProcessMemory","read what's in memory of another process")
$importDescriptions.Add("recv","receive data from a remote machine")
$importDescriptions.Add("RegisterClassEx","add a new class")
$importDescriptions.Add("RegisterClassExA","add a new class")
$importDescriptions.Add("RegisterClassExW","add a new class")
$importDescriptions.Add("RegisterHotKey","Create hot-key that will disable turn off keylogger")
$importDescriptions.Add("RegOpenKey","read value in a registry")
$importDescriptions.Add("RegOpenKeyExW","read value in a registry")
$importDescriptions.Add("RegQueryValueA","read value in a registry")
$importDescriptions.Add("RegSetValueA","set value in the registry for persistence")
$importDescriptions.Add("RegSetValueW","set value in the registry for persistence")
$importDescriptions.Add("ResumeThread","resume a previously suspended thread in a process")
$importDescriptions.Add("RtlCreateRegistryKey","create a registry")
$importDescriptions.Add("RtlDecompressBuffer","Decompress an encoded hidden PE before usin git")
$importDescriptions.Add("RtlQueryProcessHeapInformation","can detect events owned by the debugger")
$importDescriptions.Add("RtlWriteRegistryValue","write to a registry")
$importDescriptions.Add("SamIConnect","used by hash dumping programs to get at SAM database")
$importDescriptions.Add("SamIGetPrivateData","used by hash dumping programs to get at SAM database")
$importDescriptions.Add("SamQueryInformationUse","used by hash dumping programs to get at SAM database")
$importDescriptions.Add("SelectObject","Combine the bitmap and device contexts together")
$importDescriptions.Add("send","send data to a remote machine")
$importDescriptions.Add("SendNotifyMessage","send notify message to window")
$importDescriptions.Add("SendNotifyMessageA","send notify message to window")
$importDescriptions.Add("SendNotifyMessageW","send notify message to window")
$importDescriptions.Add("SetConsoleMode","modify the timestamps on a file to hide itself")
$importDescriptions.Add("SetFileAttributesW","set a file to hidden")
$importDescriptions.Add("SetFileTime","modify the timestamps on a file to hide itself")
$importDescriptions.Add("SetThreadContext","modify details of an existing thread")
$importDescriptions.Add("SetUnhandledExceptionFilter","can register a top level exception handler for anti-debugging")
$importDescriptions.Add("SetWindowLong","set window to inject")
$importDescriptions.Add("SetWindowLongA","set window to inject")
$importDescriptions.Add("SetWindowLongW","set window to inject")
$importDescriptions.Add("SetWindowsHookEx","hook keyboard events or other methods")
$importDescriptions.Add("SetWindowsHookExA","hook keyboard events or other methods")
$importDescriptions.Add("SetWindowsHookExW","hook keyboard events or other methods")
$importDescriptions.Add("SfcTerminateWatcherThread","disable windows file protection")
$importDescriptions.Add("ShellExecute","pass the 'open' parameter for a file to run it")
$importDescriptions.Add("ShowWindow","Hide the keylogger window so user doesn't see")
$importDescriptions.Add("SizeOfResource","Grab only so many bytes of a resource where malware hides")
$importDescriptions.Add("Sleep","can be used to delay execution")
$importDescriptions.Add("socket","connect to remote device")
$importDescriptions.Add("StartServiceCtrlDispatcher","indicates the malware is used as a service")
$importDescriptions.Add("StartServiceW","start a service for persistence")
$importDescriptions.Add("SuspendThread","suspend a thread that is running before injecting")
$importDescriptions.Add("System","run another program just like CreateProcess")
$importDescriptions.Add("Thread32First","list threads of current process to find where to inject")
$importDescriptions.Add("Thread32Next","list threads of current process to find where to inject")
$importDescriptions.Add("timeGetTime","Run twice, get time difference, detect debug breakpoint")
$importDescriptions.Add("Toolhelp32ReadProcessMemory","read the memory of another process")
$importDescriptions.Add("TransactNamedPipe","backdoors & trojans can use pipes for c2 traffic")
$importDescriptions.Add("UnhookWindowsHookEx","Disable keylogger hook at hot-key is pressed")
$importDescriptions.Add("URLDownloadToFile","download from internet and save to file")
$importDescriptions.Add("VirtualAllocEx","get more/new memory space in that process to inject into")
$importDescriptions.Add("VirtualProtect","change read-only memory to allow execution within it")
$importDescriptions.Add("VirtualProtectEx","change read-only memory to allow execution within it")
$importDescriptions.Add("WaitForSingleObject","wait for hooked object")
$importDescriptions.Add("WideCharToMultiByte","convert unicode to ascii")
$importDescriptions.Add("WinExec","run command line for 16-bit apps")
$importDescriptions.Add("WinHttpConnect","connect to remote device")
$importDescriptions.Add("WinHttpSendRequest","send data to remote device")
$importDescriptions.Add("WriteConsoleW","display text on screen")
$importDescriptions.Add("WriteFile","Writes pixels of bitmap or decoded buffer to dropped file")
$importDescriptions.Add("WriteFileEx","Writes pixels of bitmap or decoded buffer to dropped file")
$importDescriptions.Add("WriteProcessMemory","Write the contents of your DLL you want into the process")
$importDescriptions.Add("WSAStartup","initializing a network connection")
$importDescriptions.Add("ZwClose","when sent an invalid handle, generate exception if debugged")
$importDescriptions.Add("ZwContinue","can clear the trap flag thus breaking out of breakpoints")
$importDescriptions.Add("ZwQueryInformationProcess","can retrieve a process 'DebugPort' property value")
$importDescriptions.Add("ZwQuerySystemInformation","find debug object indicating a debug tool exists")
$importDescriptions.Add("ZwSetInformationThread","param HideThreadFromDebugger used to hide breakpoints")
$importDescriptions.Add("ZwUnmapViewOfSection","swap legit memory with malicious memory")

function AddImportHit {
Param ([string]$Key, [string]$Import)
    if($importHits.ContainsKey($Key)){
        $importHits[$Key] = $importHits[$Key] + "," + $Import
    }
    else{
        $importHits.Add($Key, $Import)
    } 
}

function CheckKeylogger {
Param ([string]$Import)
    $key = "Keylogger"
    if($Import -ieq "AttachThreadInput" -or
        $Import -ieq "FindWindow" -or
        $Import -ieq "FindWindowA" -or
        $Import -ieq "FindWindowW" -or
        $Import -ieq "GetAsyncKeyState" -or
        $Import -ieq "GetForegroundWindow" -or
        $Import -ieq "GetKeyState" -or
        $Import -ieq "GetMessage" -or
        $Import -ieq "MapVirtualKey" -or
        $Import -ieq "RegisterHotKey" -or
        $Import -ieq "SetWindowsHookEx" -or
        $Import -ieq "SetWindowsHookExA" -or
        $Import -ieq "SetWindowsHookExW" -or
        $Import -ieq "ShowWindow" -or
        $Import -ieq "UnhookWindowsHookEx"){
            AddImportHit -Key $key -Import $Import
    }
}

function CheckScreenCapturer {
Param ([string]$Import)
    $key = "ScreenCapturer"
    if($Import -ieq "BitBlt" -or
        $Import -ieq "CreateCompatibleBitmap" -or
        $Import -ieq "CreateCompatibleDC" -or
        $Import -ieq "GetDC" -or
        $Import -ieq "GetWindowDC" -or
        $Import -ieq "SelectObject" -or
        $Import -ieq "WriteFile" -or
        $Import -ieq "WriteFileEx") {
            AddImportHit -Key $key -Import $Import
    }
}

function CheckAntiDebug {
Param ([string]$Import)
    $key = "AntiDebug"
    if($Import -ieq "CheckRemoteDebuggerPresent" -or
        $Import -ieq "CloseHandle" -or
        $Import -ieq "CreateToolhelp32Snapshot" -or
        $Import -ieq "CryptAcquireContext" -or
        $Import -ieq "CsrGetProcessID" -or
        $Import -ieq "EnumProcesses" -or
        $Import -ieq "FindProcess" -or
        $Import -ieq "FindWindow" -or
        $Import -ieq "FindWindowA" -or
        $Import -ieq "FindWindowW" -or
        $Import -ieq "GenerateConsoleCtrlEvent" -or
        $Import -ieq "GetAdaptersInfo" -or
        $Import -ieq "GetLocalTime" -or
        $Import -ieq "GetModuleHandle" -or
        $Import -ieq "GetModuleHandleA" -or
        $Import -ieq "GetProcAddress" -or
        $Import -ieq "GetProcessHeap" -or
        $Import -ieq "GetSystemTime" -or
        $Import -ieq "GetSystemTimeAsFileTime" -or
        $Import -ieq "GetTickCount" -or
        $Import -ieq "IsDebuggerPresent" -or
        $Import -ieq "KiGetTickCount" -or
        $Import -ieq "LdrLoadDll" -or
        $Import -ieq "LoadLibrary" -or
        $Import -ieq "LoadLibraryA" -or
        $Import -ieq "LoadLibraryW" -or
        $Import -ieq "LoadLibraryEx" -or
        $Import -ieq "LoadLibraryExA" -or
        $Import -ieq "LoadLibraryExW" -or
        $Import -ieq "NtClose" -or
        $Import -ieq "NtContinue" -or
        $Import -ieq "NtQueryInformationProcess" -or
        $Import -ieq "NtQueryObject" -or
        $Import -ieq "NtQueryPerformanceCounter" -or
        $Import -ieq "NtQuerySystemInformation" -or
        $Import -ieq "NtSetInformationThread" -or
        $Import -ieq "OutputDebugString" -or
        $Import -ieq "OutputDebugStringA" -or
        $Import -ieq "OutputDebugStringW" -or
        $Import -ieq "Process32First" -or
        $Import -ieq "Process32Next" -or
        $Import -ieq "QueryPerformanceCounter" -or
        $Import -ieq "RtlQueryProcessHeapInformation" -or
        $Import -ieq "SetConsoleMode" -or
        $Import -ieq "SetFileAttributesW" -or
        $Import -ieq "SetFileTime" -or
        $Import -ieq "SetUnhandledExceptionFilter" -or
        $Import -ieq "Sleep" -or
        $Import -ieq "timeGetTime" -or
        $Import -ieq "ZwClose" -or
        $Import -ieq "ZwQueryInformationProcess" -or
        $Import -ieq "ZwQuerySystemInformation" -or
        $Import -ieq "ZwSetInformationThread") {
            AddImportHit -Key $key -Import $Import
    }
}


function CheckDownloader {
Param ([string]$Import)
    $key = "Downloader"
    if($Import -ieq "InternetOpen" -or
        $Import -ieq "InternetOpenUrl" -or
        $Import -ieq "InternetOpenUrlA" -or
        $Import -ieq "InternetOpenUrlW" -or
        $Import -ieq "InternetReadFile" -or
        $Import -ieq "ShellExecute" -or
        $Import -ieq "socket" -or
        $Import -ieq "URLDownloadToFile" -or
        $Import -ieq "WinExec" -or
        $Import -ieq "WinHttpConnect" -or
        $Import -ieq "WinHttpSendRequest" -or
        $Import -ieq "WSAStartup") {
            AddImportHit -Key $key -Import $Import
    }
}

function CheckHookInjection {
Param ([string]$Import)
    $key = "HookInjection"
    if($Import -ieq "CreateToolhelp32Snapshot" -or
        $Import -ieq "GetProcAddress" -or
        $Import -ieq "LoadLibrary" -or
        $Import -ieq "LoadLibraryA" -or
        $Import -ieq "LoadLibraryW" -or
        $Import -ieq "LoadLibraryEx" -or
        $Import -ieq "LoadLibraryExA" -or
        $Import -ieq "LoadLibraryExW" -or
        $Import -ieq "SetWindowsHookEx" -or
        $Import -ieq "SetWindowsHookExA" -or
        $Import -ieq "SetWindowsHookExW" -or
        $Import -ieq "Thread32Next" -or
        $Import -ieq "UnhookWindowsHookEx" -or
        $Import -ieq "WaitForSingleObject") { 
            AddImportHit -Key $key -Import $Import
    }
}

function CheckIATHooking {
Param ([string]$Import)
    $key = "IATHooking"
    if($Import -ieq "CreateWindowEx" -or
        $Import -ieq "CreateWindowExA" -or
        $Import -ieq "CreateWindowExW" -or
        $Import -ieq "RegisterClassEx" -or
        $Import -ieq "RegisterClassExA" -or
        $Import -ieq "RegisterClassExW" -or
        $Import -ieq "VirtualProtect" -or
        $Import -ieq "VirtualProtectEx") {   
            AddImportHit -Key $key -Import $Import
    }
}

function CheckExtraWindowInjection {
Param ([string]$Import)
    $key = "ExtraWindowInjection"
    if($Import -ieq "CloseHandle" -or
        $Import -ieq "CreateEvent" -or
        $Import -ieq "CreateEventA" -or
        $Import -ieq "CreateEventW" -or
        $Import -ieq "FindWindow" -or
        $Import -ieq "FindWindowA" -or
        $Import -ieq "FindWindowW" -or
        $Import -ieq "GetWindowLong" -or
        $Import -ieq "GetWindowLongA" -or
        $Import -ieq "GetWindowLongW" -or
        $Import -ieq "SendNotifyMessage" -or
        $Import -ieq "SendNotifyMessageA" -or
        $Import -ieq "SendNotifyMessageW" -or
        $Import -ieq "SetWindowLong" -or
        $Import -ieq "SetWindowLongA" -or
        $Import -ieq "SetWindowLongW" -or
        $Import -ieq "WaitForSingleObject") {   
            AddImportHit -Key $key -Import $Import
    }
}

function CheckAtomBombing {
Param ([string]$Import)
    $key = "AtomBombing"
    if($Import -ieq "CloseHandle" -or
        $Import -ieq "LoadLibrary" -or
        $Import -ieq "LoadLibraryA" -or
        $Import -ieq "LoadLibraryW" -or
        $Import -ieq "LoadLibraryEx" -or
        $Import -ieq "LoadLibraryExA" -or
        $Import -ieq "LoadLibraryExW" -or
        $Import -ieq "OpenThread" -or
        $Import -ieq "QueueUserAPC") {   
            AddImportHit -Key $key -Import $Import
    }
}

function CheckThreadHijacking {
Param ([string]$Import)
    $key = "ThreadHijacking"
    if($Import -ieq "GetThreadContext" -or
        $Import -ieq "OpenThread" -or
        $Import -ieq "SetThreadContext" -or
        $Import -ieq "SuspendThread") { 
            AddImportHit -Key $key -Import $Import
    }
}


function CheckDLLInjection {
Param ([string]$Import)
    $key = "DLLInjection"
    if($Import -ieq "AdjustTokenPrivileges" -or
        $Import -ieq "CreateRemoteThread" -or
        $Import -ieq "CreateToolhelp32Snapshot" -or
        $Import -ieq "EnumProcesses" -or
        $Import -ieq "EnumProcessModules" -or
        $Import -ieq "GetModuleFilename" -or
        $Import -ieq "GetModuleHandle" -or
        $Import -ieq "GetModuleHandleA" -or
        $Import -ieq "MapViewOfFile" -or
        $Import -ieq "Module32First" -or
        $Import -ieq "Module32Next" -or
        $Import -ieq "OpenProcess" -or
        $Import -ieq "Process32First" -or
        $Import -ieq "Process32Next" -or
        $Import -ieq "SetThreadContext" -or
        $Import -ieq "SuspendThread" -or
        $Import -ieq "Thread32First" -or
        $Import -ieq "Thread32Next" -or
        $Import -ieq "VirtualAllocEx" -or
        $Import -ieq "VirtualProtect" -or
        $Import -ieq "VirtualProtectEx" -or
        $Import -ieq "WriteProcessMemory") { 
            AddImportHit -Key $key -Import $Import
    }
}


function CheckDropper {
Param ([string]$Import)
    $key = "Dropper"
    if($Import -ieq "CloseHandle" -or
        $Import -ieq "CreateFile" -or
        $Import -ieq "CreatefileA" -or
        $Import -ieq "FindResource" -or
        $Import -ieq "HeapAlloc" -or
        $Import -ieq "LoadResource" -or
        $Import -ieq "RtlDecompressBuffer" -or
        $Import -ieq "SizeOfResource" -or
        $Import -ieq "WriteFile" -or
        $Import -ieq "WriteFileEx") { 
            AddImportHit -Key $key -Import $Import
    }
}

function CheckProcessHollowing {
Param ([string]$Import)
    $key = "ProcessHollowing"
    if($Import -ieq "CreateProcess" -or
        $Import -ieq "CreateProcessA" -or
        $Import -ieq "GetThreadContext" -or
        $Import -ieq "NtUnmapViewOfSection" -or
        $Import -ieq "ResumeThread" -or
        $Import -ieq "ZwUnmapViewOfSection") { 
            AddImportHit -Key $key -Import $Import
    }
}

function CheckCommandAndControl {
Param ([string]$Import)
    $key = "CommandAndControl"
    if($Import -ieq "Accept" -or
        $Import -ieq "Bind" -or
        $Import -ieq "Connect" -or
        $Import -ieq "ConnectNamedPipe" -or
        $Import -ieq "CreatePipe" -or
        $Import -ieq "Gethostbyname" -or
        $Import -ieq "HttpSendRequest" -or
        $Import -ieq "inet_addr" -or
        $Import -ieq "InternetOpen" -or
        $Import -ieq "InternetOpenUrl" -or
        $Import -ieq "InternetOpenUrlA" -or
        $Import -ieq "InternetOpenUrlW" -or
        $Import -ieq "InternetReadFile" -or
        $Import -ieq "InternetWriteFile" -or
        $Import -ieq "OpenFileMappingA" -or
        $Import -ieq "PeekNamedPipe" -or
        $Import -ieq "recv" -or
        $Import -ieq "send" -or
        $Import -ieq "socket" -or
        $Import -ieq "TransactNamedPipe" -or
        $Import -ieq "WinHttpConnect" -or
        $Import -ieq "WinHttpSendRequest" -or
        $Import -ieq "WSAStartup") { 
            AddImportHit -Key $key -Import $Import
    }
}

function CheckPersistence {
Param ([string]$Import)
    $key = "Persistence"
    if($Import -ieq "ChangeServiceConfig" -or
        $Import -ieq "ChangeServiceConfigA" -or
        $Import -ieq "ChangeServiceConfigW" -or
        $Import -ieq "ControlService" -or
        $Import -ieq "CreateService" -or
        $Import -ieq "CreateServiceA" -or
        $Import -ieq "CreateServiceW" -or
        $Import -ieq "NetScheduleJobAdd" -or
        $Import -ieq "RegSetValueA" -or
        $Import -ieq "RegSetValueW" -or
        $Import -ieq "RtlCreateRegistryKey" -or
        $Import -ieq "RtlWriteRegistryValue" -or
        $Import -ieq "SetFileAttributesW" -or
        $Import -ieq "StartServiceCtrlDispatcher" -or
        $Import -ieq "StartServiceW") { 
            AddImportHit -Key $key -Import $Import
    }
}


function CheckRansomware {
Param ([string]$Import)
    $key = "Ransomware"
    if($Import -ieq "CryptAcquireContext" -or
        $Import -ieq "FindFirstFile" -or
        $Import -ieq "FindFirstFileA" -or
        $Import -ieq "FindNextFile" -or
        $Import -ieq "FindNextFileW" -or
        $Import -ieq "NetShareEnum" -or
        $Import -ieq "NtQueryDirectoryFile" -or
        $Import -ieq "OpenFile" -or
        $Import -ieq "ReadFile" -or
        $Import -ieq "ReadFileEx") { 
            AddImportHit -Key $key -Import $Import
    }
}

function CheckExfiltration {
Param ([string]$Import)
    $key = "Exfiltration"
    if($Import -ieq "FtpPutFile" -or
        $Import -ieq "HttpSendRequest" -or
        $Import -ieq "InternetWriteFile" -or
        $Import -ieq "WinHttpSendRequest") { 
            AddImportHit -Key $key -Import $Import
    }
}

function CheckRecon {
Param ([string]$Import)
    $key = "Recon"
    if($Import -ieq "FindFirstFile" -or
        $Import -ieq "FindFirstFileA" -or
        $Import -ieq "FindNextFile" -or
        $Import -ieq "FindNextFileW" -or
        $Import -ieq "Gethostname" -or
        $Import -ieq "GetStartupInfo" -or
        $Import -ieq "GetSystemDefaultLangId" -or
        $Import -ieq "GetSystemDirectoryW" -or
        $Import -ieq "GetThreadContext" -or
        $Import -ieq "GetVersionEx" -or
        $Import -ieq "GetVersionExA" -or
        $Import -ieq "GetVersionExW" -or
        $Import -ieq "GetWindowsDirectory" -or
        $Import -ieq "IsNTAdmin" -or
        $Import -ieq "IsWoW64Process" -or
        $Import -ieq "LsaEnumerateLogonSessions" -or
        $Import -ieq "NetShareEnum" -or
        $Import -ieq "NtQueryDirectoryFile") { 
            AddImportHit -Key $key -Import $Import
    }
}

function CheckCredentialTheft {
Param ([string]$Import)
    $key = "CredentialTheft"
    if($Import -ieq "FindFirstFile" -or
        $Import -ieq "FindFirstFileA" -or
        $Import -ieq "FindNextFile" -or
        $Import -ieq "FindNextFileW" -or
        $Import -ieq "LsaEnumerateLogonSessions" -or
        $Import -ieq "NtQueryDirectoryFile" -or
        $Import -ieq "OpenFile" -or
        $Import -ieq "ReadFile" -or
        $Import -ieq "ReadFileEx" -or
        $Import -ieq "SamIConnect" -or
        $Import -ieq "SamIGetPrivateData" -or
        $Import -ieq "SamQueryInformationUse") {
            AddImportHit -Key $key -Import $Import
    }
}

function PrintImportHits {
Param ()
    $importHits.Keys | ForEach-Object {
        $message = '{0}: {1}' -f $_, $importHits[$_]
        $description = $importHitDescriptions[$_]
        Write-Output $message"`r`n`t"$description
        $imports = $importHits[$_]
        $importList = $imports.Split("{,}")
        $importList | ForEach {
            $definition = "`t`t" + '{0}: {1}' -f $_, $importDescriptions[$_]
            Write-Output $definition
        }
        Write-Output "-----------------------------"
    }
}



$allOfthem = Get-Content $inputfile
foreach($importMethod in $allOfthem)
{
    CheckKeylogger $importMethod
    CheckScreenCapturer $importMethod
    CheckAntiDebug $importMethod
    CheckDownloader $importMethod
    CheckHookInjection $importMethod
    CheckIATHooking $importMethod
    CheckExtraWindowInjection $importMethod
    CheckAtomBombing $importMethod
    CheckThreadHijacking $importMethod
    CheckDLLInjection $importMethod
    CheckDropper $importMethod
    CheckProcessHollowing $importMethod
    CheckCommandAndControl $importMethod
    CheckPersistence $importMethod
    CheckRansomware $importMethod
    CheckExfiltration $importMethod
    CheckRecon $importMethod
    CheckCredentialTheft $importMethod
}
PrintImportHits

No comments:

Post a Comment