FS_FindEvil
IMPORTANT NOTE! - FindEvil is work in progress. FindEvil will miss certain types of malware while quickly locating others. FindEvil only detects user-mode malware. FindEvil has false positives in its current implementation. FindEvil is only available on 64-bit Windows 10 and 8.1.
The directory findevil exists as a sub-directory of the file system root under /misc/findevil and /forensic/findevil, and in each process directory.
The FindEvil task starts when a per-process findevil directory is viewed, and asynchronously when /misc/findevil is viewed.
FindEvil locates signs of malware by analyzing select indicators of evil. FindEvil swiftly discovers certain code injection techniques commonly employed by malware, while it is completely unaware of other, not-yet-implemented indicators.
The files in the findevil directories are listed in the table below:
| File | Description |
|---|---|
| findevil.txt | Result file with possible detections of evil. |
| readme.txt | Readme file. |
| progress_percent.txt | Progress indicator (percent) of the FindEvil scan. Only in /misc/findevil. |
Files in the findevil directories are read-only.
```
#    PID  Process        Type       VirtualAddress   ModuleName
=======================================================================
0000 2188 spoolsv.exe    PE_INJECT  0000000001840000 ext_server_priv.x64.dll
0001  356 SecurityHealth PE_NOLINK  00007ffd700d0000 AppCore.dll
0002  356 SecurityHealth PE_NOLINK  00007ffd702d0000 Windows.Storage.dll
0003  356 SecurityHealth PE_NOLINK  00007ffd71ad0000 Wldp.dll
...
```
```
#    PID  Process        Type        VirtualAddress   OffSet:Bytes PhysicalAddr PTE              Flags VADVirtAddr      VadPhysAddr  VadPTE           VadFlagsType   VadName
=============================================================================================================================================================================
04ef 1192 svchost.exe    PE_PATCHED  00007ffd723f2000 000:fde 000000123000 0000000000123157 A rwx ffffbe8e75a83930 000070dee000 0a00000070dee121 A Image ---wxc \Windows\System32\msvcp_win.dll
04f0 1192 svchost.exe    PE_PATCHED  00007ffd723fe000 000:f41 000054686000 0000000054686477 A rwx ffffbe8e75a83930 000003ce1000 0a00000003ce1121 A Image ---wxc \Windows\System32\msvcp_win.dll
04f1 5392 MicrosoftEdgeC PE_PATCHED  00007ffd6f69d000 000:f51 0000510af000 02000000510af005 A r-x ffffbe8e7a2341c0 00006f097000 8a0000006f097121 A Image ---wxc ndows\System32\CoreMessaging.dll
04f2 5392 MicrosoftEdgeC PE_PATCHED  00007ffd6f6a0000 000:f59 00005119c000 020000005119c005 A r-x ffffbe8e7a2341c0 00006f098000 8a0000006f098121 A Image ---wxc ndows\System32\CoreMessaging.dll
04fa 2188 spoolsv.exe    PRIVATE_RWX 0000000001840000 0000131a8000 08000000131a8867 A rwx ffffbe8e77e690b0 000000000000 0000000000000000 - p-rwx-
04fb 2188 spoolsv.exe    PRIVATE_RWX 0000000001841000 000031629000 0800000031629867 A rwx ffffbe8e77e690b0 000000000000 0000000000000000 - p-rwx-
04fc 2188 spoolsv.exe    PRIVATE_RWX 0000000001842000 00005f9aa000 080000005f9aa867 A rwx ffffbe8e77e690b0 000000000000 0000000000000000 - p-rwx-
04fd 2188 spoolsv.exe    PRIVATE_RWX 0000000001843000 00001ffab000 080000001ffab867 A rwx ffffbe8e77e690b0 000000000000 0000000000000000 - p-rwx-
0508 4312 svchost.exe    PRIVATE_RX  00000139cfe07000 000000000000 0000000000000015 A r-x ffffbe8e79f0a4c0 000000000000 0000000000000000 - p-rw--
0509 1172 svchost.exe    NOIMAGE_RX  00007ff502202000 000000f00000 0000000000f00745 A r-x ffffbe8e7a1028a0 000000000000 0000000000000000 - ------
```
The example below shows the global misc/findevil/findevil.txt with indications of a Cobalt Strike infection in the svchost, powershell and rundll32 processes. Please note that it may take a few seconds to render the findevil.txt listing asynchronously after first folder access.
Indicators of Evil are generally sorted by likelihood and severity. Some indicators are only reported a certain number of times before being suppressed.
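The Python below is an added example for triaging a findevil.txt listing; it is not MemProcFS's own code and does not use the MemProcFS API. It parses the two row layouts shown above (the five leading columns are common to both; the `OffSet:Bytes` column and the trailing module name are optional), groups detections per process, and ranks processes by the false-positive ratings given for each indicator on this page, so that a LOW-rated PE_INJECT hit sorts ahead of a HIGH-rated PE_PATCHED burst. The sample listing embedded in the block is constructed from rows shown on this page.

```python
import re
from collections import defaultdict

# False-positive ratings as documented for each indicator on this page.
FP_RATING = {
    "PE_INJECT": "LOW", "PEB_MASQ": "LOW", "PEB_BAD_LDR": "HIGH",
    "PROC_NOLINK": "MEDIUM", "PROC_PARENT": "MEDIUM", "PROC_USER": "MEDIUM",
    "PE_NOLINK": "HIGH", "PE_PATCHED": "HIGH", "DRIVER_PATH": "MEDIUM",
    "PRIVATE_RWX": "MEDIUM", "NOIMAGE_RWX": "MEDIUM",
    "PRIVATE_RX": "MEDIUM", "NOIMAGE_RX": "MEDIUM",
}
FP_ORDER = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}

# Every findevil.txt row starts with: index, PID, process, type, virtual address.
# What follows depends on the indicator type, so it is captured as free text.
ROW_RE = re.compile(
    r"^(?P<idx>[0-9a-f]{4})\s+(?P<pid>\d+)\s+(?P<proc>\S+)\s+"
    r"(?P<type>[A-Z_]+)\s+(?P<va>[0-9a-f]{16})(?:\s+(?P<rest>.*))?$"
)
OFFSET_RE = re.compile(r"[0-9a-f]+:[0-9a-f]+")
MODULE_RE = re.compile(r"\.(dll|exe)$", re.IGNORECASE)


def parse_findevil(text):
    """Parse findevil.txt rows; the '#' header, '=' ruler and '...' lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        rest = (m.group("rest") or "").split()
        # PE_PATCHED rows carry an 'offset:bytes' column directly after the VA.
        offset = rest.pop(0) if rest and OFFSET_RE.fullmatch(rest[0]) else None
        # A trailing .dll/.exe token is the (possibly truncated) module name.
        module = rest[-1] if rest and MODULE_RE.search(rest[-1]) else None
        rows.append({
            "idx": int(m.group("idx"), 16),
            "pid": int(m.group("pid")),
            "process": m.group("proc"),
            "type": m.group("type"),
            "va": int(m.group("va"), 16),
            "offset": offset,
            "module": module,
            "detail": " ".join(rest),
        })
    return rows


def triage(rows):
    """Group detections per process and rank by the best (lowest) FP rating seen.

    Per-type counts are kept so that a burst of up to 4 pages per VAD (see the
    PE_PATCHED and *_RWX/*_RX notes) reads as one finding rather than four."""
    per_proc = defaultdict(lambda: {"types": defaultdict(int), "modules": set()})
    for r in rows:
        entry = per_proc[(r["pid"], r["process"])]
        entry["types"][r["type"]] += 1
        if r["module"]:
            entry["modules"].add(r["module"])
    result = []
    for (pid, proc), entry in per_proc.items():
        # Unknown indicator types are treated as HIGH false-positive risk.
        rank = min(FP_ORDER[FP_RATING.get(t, "HIGH")] for t in entry["types"])
        result.append({"pid": pid, "process": proc, "rank": rank,
                       "types": dict(entry["types"]),
                       "modules": sorted(entry["modules"])})
    result.sort(key=lambda e: (e["rank"], e["pid"]))
    return result


# Constructed sample: a handful of rows taken from the listings on this page.
SAMPLE = r"""#    PID  Process        Type        VirtualAddress   ModuleName
=======================================================================
0000 2188 spoolsv.exe    PE_INJECT   0000000001840000 ext_server_priv.x64.dll
0001  356 SecurityHealth PE_NOLINK   00007ffd700d0000 AppCore.dll
...
04ef 1192 svchost.exe    PE_PATCHED  00007ffd723f2000 000:fde 000000123000 0000000000123157 A rwx ffffbe8e75a83930 000070dee000 0a00000070dee121 A Image ---wxc \Windows\System32\msvcp_win.dll
04fa 2188 spoolsv.exe    PRIVATE_RWX 0000000001840000 0000131a8000 08000000131a8867 A rwx ffffbe8e77e690b0 000000000000 0000000000000000 - p-rwx-
04fb 2188 spoolsv.exe    PRIVATE_RWX 0000000001841000 000031629000 0800000031629867 A rwx ffffbe8e77e690b0 000000000000 0000000000000000 - p-rwx-
0509 1172 svchost.exe    NOIMAGE_RX  00007ff502202000 000000f00000 0000000000f00745 A r-x ffffbe8e7a1028a0 000000000000 0000000000000000 - ------
"""

if __name__ == "__main__":
    for e in triage(parse_findevil(SAMPLE)):
        print(f"{e['pid']:>5} {e['process']:<15} fp-rank={e['rank']} "
              f"{e['types']} {e['modules']}")
```

Run it against a findevil.txt pulled from the mounted file system (for example `python3 triage.py < M:/misc/findevil/findevil.txt` after replacing `SAMPLE` with `sys.stdin.read()`); spoolsv.exe, which combines a PE_INJECT hit with PRIVATE_RWX pages at the same virtual address, lands at the top of the list.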
| PE_INJECT | Injected Modules |
|---|---|
| Description: | PE_INJECT locates malware by scanning for valid .DLLs and .EXEs with executable pages in their page tables located in a private (non-image) virtual address descriptor. |
| False Positives: | LOW |
| Side Effects: | Injected modules are loaded into the general module map and may be accessed as files and modules. |
| PEB_MASQ | PEB Masquerading |
|---|---|
| Description: | PEB_MASQ will flag PEB masquerading attempts. If PEB_MASQ is detected, please investigate further in /sys/proc/proc-v.txt. |
| False Positives: | LOW |
| Side Effects: | PE_NOLINK findings are suppressed. |
| PEB_BAD_LDR | No Modules enumerated from PEB/LDR_DATA |
|---|---|
| Description: | PEB_BAD_LDR will flag if no in-process modules are enumerated from the PEB/LDR_DATA structures. |
| False Positives: | HIGH: Often triggers on corrupt PEB/LDR_DATA memory for non-malware reasons, such as paged-out or otherwise unavailable memory, or drift during memory acquisition. |
| Side Effects: | PE_NOLINK findings are suppressed. |
| PROC_NOLINK | Module not found in EPROCESS linked list |
|---|---|
| Description: | PROC_NOLINK will flag if the process does not exist in the kernel _EPROCESS linked list. |
| False Positives: | MEDIUM: May trigger on slightly corrupt memory as well as malware activities. |
| Side Effects: | None. |
| PROC_PARENT | Well known process has bad parent process |
|---|---|
| Description: | PROC_PARENT will flag if a well known process has a bad parent process. |
| False Positives: | MEDIUM: May trigger if another process has the same name as a well known process. |
| Side Effects: | None. |
| PROC_USER | Process is executing as non-standard user |
|---|---|
| Description: | PROC_USER may trigger if well known processes are executing as an unexpected user. Example: cmd.exe running as SYSTEM. |
| False Positives: | MEDIUM: May trigger if another process has the same name as a well known process. |
| Side Effects: | None. |
| PE_NOLINK | Unlinked Modules |
|---|---|
| Description: | PE_NOLINK locates malware in image virtual address descriptors that are not linked from the in-process PEB/Ldr lists. |
| False Positives: | HIGH: Often triggers on corrupt memory for non-malware reasons, such as paged-out or otherwise unavailable memory, or drift during memory acquisition. |
| Side Effects: | None. |
| PE_PATCHED | Patched Modules |
|---|---|
| Description: | PE_PATCHED locates malware in image virtual address descriptors whose executable pages (in the page tables) differ from kernel prototype memory. |
| False Positives: | HIGH: Commonly triggers on relocations, predominantly in 32-bit processes. The number of pages reported is limited to 4 per VAD. |
| Side Effects: | None. |
| DRIVER_PATH | Kernel driver loaded from non-standard path |
|---|---|
| Description: | DRIVER_PATH flags kernel drivers that are loaded from a non-standard path. DRIVER_PATH also flags if no corresponding module could be located. |
| False Positives: | MEDIUM: Legitimate drivers aren't usually loaded from non-standard paths, but such drivers exist. Missing modules may flag on corrupt memory. |
| Side Effects: | None. |
| PRIVATE_RWX | Private Read/Write/Execute |
|---|---|
| Description: | PRIVATE_RWX locates malware with read/write/execute (RWX) pages in the page table that belong to a private memory virtual address descriptor. |
| False Positives: | MEDIUM: RWX memory should be relatively rare on most systems, but in some processes with Just-In-Time (JIT) code it may be common. The number of pages reported is limited to 4 per VAD. Detection is skipped for some processes. |
| Side Effects: | None. |
| NOIMAGE_RWX | No-Image Read/Write/Execute |
|---|---|
| Description: | NOIMAGE_RWX locates malware with read/write/execute (RWX) pages in the page table that do not belong to image (module) virtual address descriptors. |
| False Positives: | MEDIUM: RWX memory should be relatively rare on most systems, but in some processes with Just-In-Time (JIT) code it may be common. The number of pages reported is limited to 4 per VAD. Detection is skipped for some processes. |
| Side Effects: | None. |
| PRIVATE_RX | Private Read/Execute |
|---|---|
| Description: | PRIVATE_RX locates malware with read/execute (RX) pages in the page table that belong to a private memory virtual address descriptor. |
| False Positives: | MEDIUM: RX memory should be relatively rare on most systems, but in some processes with Just-In-Time (JIT) code it may be common. The number of pages reported is limited to 4 per VAD. Detection is skipped for some processes. |
| Side Effects: | None. |
| NOIMAGE_RX | No-Image Read/Execute |
|---|---|
| Description: | NOIMAGE_RX locates malware with read/execute (RX) pages in the page table that do not belong to image (module) virtual address descriptors. |
| False Positives: | MEDIUM: RX memory should be relatively rare on most systems, but in some processes with Just-In-Time (JIT) code it may be common. The number of pages reported is limited to 4 per VAD. Detection is skipped for some processes. |
| Side Effects: | None. |
The findevil sub-directories are implemented as a built-in native C-code plugin. The plugin source is located in the file m_findevil.c in the vmm project.
Sponsor PCILeech and MemProcFS:
PCILeech and MemProcFS are free and open source!
I put a lot of time and energy into PCILeech and MemProcFS and related research to make this happen. Some aspects of the projects relate to hardware and I put quite some money into my projects and related research. If you think PCILeech and/or MemProcFS are awesome tools and/or if you had a use for them, it's now possible to contribute by becoming a sponsor!
If you like what I've created with PCILeech and MemProcFS with regards to DMA, Memory Analysis and Memory Forensics and would like to give something back to support future development, please consider becoming a sponsor at: /~https://github.com/sponsors/ufrisk
Thank You 💖