
FS_FindEvil

ufrisk edited this page Apr 26, 2021 · 19 revisions

The findevil root, forensic and per-process directories

IMPORTANT NOTE! - FindEvil is work in progress. FindEvil will miss certain types of malware while quickly locating others. FindEvil only detects user-mode malware. FindEvil has false positives in its current implementation. FindEvil is only available on 64-bit Windows 10 and 8.1.

The directory findevil exists as a sub-directory to the file system root under /misc/findevil, /forensic/findevil and in each process directory.

The FindEvil task starts when a per-process findevil directory is viewed, and runs asynchronously when /misc/findevil is viewed.

FindEvil locates signs of malware by analyzing select indicators of evil. FindEvil swiftly discovers certain code injection techniques commonly employed by malware, while it is completely unaware of other, not-yet-implemented indicators.

The files in the findevil directories are listed in the table below:

File                  Description
findevil.txt          Result file with possible detections of evil.
readme.txt            Readme file.
progress_percent.txt  Progress indicator, in percent (%), of the FindEvil scan. Only in /misc/findevil.

Files in the findevil directories are read-only.

Description of findevil.txt

#       PID Process         Type        VirtualAddress   ModuleName
=======================================================================
0000   2188 spoolsv.exe     PE_INJECT   0000000001840000 ext_server_priv.x64.dll
0001    356 SecurityHealth  PE_NOLINK   00007ffd700d0000 AppCore.dll
0002    356 SecurityHealth  PE_NOLINK   00007ffd702d0000 Windows.Storage.dll
0003    356 SecurityHealth  PE_NOLINK   00007ffd71ad0000 Wldp.dll

...

#       PID Process         Type        VirtualAddress OffSet:Bytes PhysicalAddr              PTE Flags      VADVirtAddr  VadPhysAddr           VadPTE VadFlagsType   VadName
=============================================================================================================================================================================
04ef   1192 svchost.exe     PE_PATCHED  00007ffd723f2000  000:fde   000000123000 0000000000123157 A rwx ffffbe8e75a83930 000070dee000 0a00000070dee121 A Image ---wxc \Windows\System32\msvcp_win.dll
04f0   1192 svchost.exe     PE_PATCHED  00007ffd723fe000  000:f41   000054686000 0000000054686477 A rwx ffffbe8e75a83930 000003ce1000 0a00000003ce1121 A Image ---wxc \Windows\System32\msvcp_win.dll
04f1   5392 MicrosoftEdgeC  PE_PATCHED  00007ffd6f69d000  000:f51   0000510af000 02000000510af005 A r-x ffffbe8e7a2341c0 00006f097000 8a0000006f097121 A Image ---wxc ndows\System32\CoreMessaging.dll
04f2   5392 MicrosoftEdgeC  PE_PATCHED  00007ffd6f6a0000  000:f59   00005119c000 020000005119c005 A r-x ffffbe8e7a2341c0 00006f098000 8a0000006f098121 A Image ---wxc ndows\System32\CoreMessaging.dll                   
04fa   2188 spoolsv.exe     PRIVATE_RWX 0000000001840000            0000131a8000 08000000131a8867 A rwx ffffbe8e77e690b0 000000000000 0000000000000000 -       p-rwx-
04fb   2188 spoolsv.exe     PRIVATE_RWX 0000000001841000            000031629000 0800000031629867 A rwx ffffbe8e77e690b0 000000000000 0000000000000000 -       p-rwx-
04fc   2188 spoolsv.exe     PRIVATE_RWX 0000000001842000            00005f9aa000 080000005f9aa867 A rwx ffffbe8e77e690b0 000000000000 0000000000000000 -       p-rwx-
04fd   2188 spoolsv.exe     PRIVATE_RWX 0000000001843000            00001ffab000 080000001ffab867 A rwx ffffbe8e77e690b0 000000000000 0000000000000000 -       p-rwx-
0508   4312 svchost.exe     PRIVATE_RX  00000139cfe07000            000000000000 0000000000000015 A r-x ffffbe8e79f0a4c0 000000000000 0000000000000000 -       p-rw--
0509   1172 svchost.exe     NOIMAGE_RX  00007ff502202000            000000f00000 0000000000f00745 A r-x ffffbe8e7a1028a0 000000000000 0000000000000000 -       ------

Example

The example below shows the global /misc/findevil/findevil.txt with indications of a Cobalt Strike infection in the svchost, powershell and rundll32 processes. Please note that it may take a few seconds to render the findevil.txt listing, since it is produced asynchronously from the first folder access.

Indicators of Evil

Indicators of Evil are generally sorted by likelihood and severity. Some indicators are only reported a certain number of times before being suppressed.

PE_INJECT Injected Modules
Description: PE_INJECT locates malware by scanning for valid .DLLs and .EXEs whose executable pages (in the page tables) are located in a private (non-image) virtual address descriptor.
False Positives: LOW
Side Effects: Injected modules are loaded into the general module map and may be accessed as files and modules.

PEB_MASQ PEB Masquerading
Description: PEB_MASQ flags PEB masquerading attempts. If PEB_MASQ is detected, please investigate further in /sys/proc/proc-v.txt.
False Positives: LOW
Side Effects: PE_NOLINK findings are suppressed.

PEB_BAD_LDR No Modules enumerated from PEB/LDR_DATA
Description: PEB_BAD_LDR flags a process if no in-process modules can be enumerated from its PEB/LDR_DATA structures.
False Positives: HIGH : Often triggers on corrupt PEB/LDR_DATA memory for non-malware reasons, such as paged-out or otherwise unavailable memory, or drift during memory acquisition.
Side Effects: PE_NOLINK findings are suppressed.

PE_NOLINK Unlinked Modules
Description: PE_NOLINK locates malware in image virtual address descriptors that are not linked from the in-process PEB/Ldr lists.
False Positives: HIGH : Often triggers on corrupt memory for non-malware reasons, such as paged-out or otherwise unavailable memory, or drift during memory acquisition.
Side Effects: None.

PE_PATCHED Patched Modules
Description: PE_PATCHED locates malware in image virtual address descriptors whose executable pages (in the page tables) differ from the kernel prototype memory.
False Positives: HIGH : Commonly triggers on relocations, predominantly in 32-bit processes. The number of pages reported is limited to 4 per VAD.
Side Effects: None.

PRIVATE_RWX Private Read/Write/Execute
Description: PRIVATE_RWX locates malware with read/write/execute (RWX) pages in the page table that belong to a private memory virtual address descriptor.
False Positives: MEDIUM : RWX memory should be relatively rare on most systems, but it may be common in processes with Just-In-Time (JIT) compiled code. The number of pages reported is limited to 4 per VAD. Detection is skipped for some processes.
Side Effects: None.

NOIMAGE_RWX No-Image Read/Write/Execute
Description: NOIMAGE_RWX locates malware with read/write/execute (RWX) pages in the page table that do not belong to an image (module) virtual address descriptor.
False Positives: MEDIUM : RWX memory should be relatively rare on most systems, but it may be common in processes with Just-In-Time (JIT) compiled code. The number of pages reported is limited to 4 per VAD. Detection is skipped for some processes.
Side Effects: None.

PRIVATE_RX Private Read/Execute
Description: PRIVATE_RX locates malware with read/execute (RX) pages in the page table that belong to a private memory virtual address descriptor.
False Positives: MEDIUM : RX memory should be relatively rare on most systems, but it may be common in processes with Just-In-Time (JIT) compiled code. The number of pages reported is limited to 4 per VAD. Detection is skipped for some processes.
Side Effects: None.

NOIMAGE_RX No-Image Read/Execute
Description: NOIMAGE_RX locates malware with read/execute (RX) pages in the page table that do not belong to an image (module) virtual address descriptor.
False Positives: MEDIUM : RX memory should be relatively rare on most systems, but it may be common in processes with Just-In-Time (JIT) compiled code. The number of pages reported is limited to 4 per VAD. Detection is skipped for some processes.
Side Effects: None.
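The findevil.txt layout described above and the false-positive ratings of the indicators lend themselves to a small triage pass over the listing. The following is an added example, not MemProcFS project code: it parses the rows shown on this page (both column layouts), coalesces page-granular hits into contiguous regions (the listing reports at most 4 pages per VAD), and ranks processes by the documented false-positive ratings, with a bonus when a PE_INJECT hit lies inside an RWX region of the same process. The weights and the bonus are this example's own choices, not part of FindEvil.

```python
from collections import defaultdict

FP_RATING = {"PE_INJECT": "LOW", "PEB_MASQ": "LOW", "PEB_BAD_LDR": "HIGH", "PE_NOLINK": "HIGH",
             "PE_PATCHED": "HIGH", "PRIVATE_RWX": "MEDIUM", "NOIMAGE_RWX": "MEDIUM",
             "PRIVATE_RX": "MEDIUM", "NOIMAGE_RX": "MEDIUM"}  # false-positive ratings from this page
WEIGHT = {"LOW": 3, "MEDIUM": 2, "HIGH": 1}  # example's own choice: fewer false positives weigh more
PAGE = 0x1000

# Rows copied from the findevil.txt excerpts on this page (both column layouts).
SAMPLE = """\
#       PID Process         Type        VirtualAddress   ModuleName
0000   2188 spoolsv.exe     PE_INJECT   0000000001840000 ext_server_priv.x64.dll
0001    356 SecurityHealth  PE_NOLINK   00007ffd700d0000 AppCore.dll
04fa   2188 spoolsv.exe     PRIVATE_RWX 0000000001840000            0000131a8000 08000000131a8867 A rwx ffffbe8e77e690b0 000000000000 0000000000000000 -       p-rwx-
04fb   2188 spoolsv.exe     PRIVATE_RWX 0000000001841000            000031629000 0800000031629867 A rwx ffffbe8e77e690b0 000000000000 0000000000000000 -       p-rwx-
04fc   2188 spoolsv.exe     PRIVATE_RWX 0000000001842000            00005f9aa000 080000005f9aa867 A rwx ffffbe8e77e690b0 000000000000 0000000000000000 -       p-rwx-
0508   4312 svchost.exe     PRIVATE_RX  00000139cfe07000            000000000000 0000000000000015 A r-x ffffbe8e79f0a4c0 000000000000 0000000000000000 -       p-rw--
"""

def parse(text):
    """Return (pid, process, indicator, va) per result row; header and ruler lines are skipped."""
    parts = [line.split(None, 5) for line in text.splitlines()]  # first five columns are shared by both layouts
    return [(int(p[1]), p[2], p[3], int(p[4], 16)) for p in parts if len(p) >= 5 and p[3] in FP_RATING]

def regions(rows):
    """Coalesce adjacent page hits of one indicator in one process into (start, size) spans."""
    by_key = defaultdict(list)
    for pid, proc, ind, va in rows:
        by_key[(pid, proc, ind)].append(va)
    for key, addrs in by_key.items():
        spans = []
        for va in sorted(addrs):
            if spans and va == spans[-1][0] + spans[-1][1]:  # page directly follows the last span
                spans[-1] = (spans[-1][0], spans[-1][1] + PAGE)
            else:
                spans.append((va, PAGE))
        by_key[key] = spans
    return dict(by_key)

def triage(rows):
    """Rank processes: weight per distinct indicator, +3 if a PE_INJECT hit sits inside an RWX region."""
    regs = regions(rows)
    score = defaultdict(int)
    for (pid, proc, ind), spans in regs.items():
        score[(pid, proc)] += WEIGHT[FP_RATING[ind]]
        rwx = regs.get((pid, proc, "PRIVATE_RWX"), []) + regs.get((pid, proc, "NOIMAGE_RWX"), [])
        if ind == "PE_INJECT" and any(s <= va < s + n for va, _ in spans for s, n in rwx):
            score[(pid, proc)] += 3  # two independent indicators agree on the same memory
    return sorted(score.items(), key=lambda kv: -kv[1])
```

`triage(parse(SAMPLE))` puts spoolsv.exe first, because its injected module (PE_INJECT) sits in the same private RWX region reported page by page (PRIVATE_RWX); to run it on a live system, read /misc/findevil/findevil.txt from the mounted file system and pass its contents in place of SAMPLE.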

For Developers

The findevil sub-directories are implemented as a built-in native C plugin. The plugin source is located in the file m_findevil.c in the vmm project.
