Project author: ex0dus-0x

Project description:
Small container runtime for threat detection
Primary language: Rust
Project address: git://github.com/ex0dus-0x/confine.git
Created: 2019-09-09T02:21:59Z
Project community: https://github.com/ex0dus-0x/confine

License:

confine


Containers, but for dynamic malware analysis

confine is a container runtime for dynamically analyzing suspicious executables. Given a sample suspected of being malware, confine will create a container mount,
dynamically trace it, and report back to you what threat indicators it has been able to find. No more clunky sandboxes and VMs!

Features

  • Threat Detection - identifies common malware capabilities and behaviors using dynamic tracing!
  • Automated Builds - use Confinement policies to quickly provision an environment, and share it with other threat analysts!
  • Syscall Filtering - enforce rules upon system call behaviors to log metrics or block malicious behavior!

Usage

Installing

To install confine, use cargo:

  $ cargo install confine

Running an Analysis

To dynamically analyze a sample, we must first create a workspace with a Confinement policy to
specify how our containerized environment will be provisioned. confine can automatically do that for us:

  $ confine new workspace/

Having a workspace is good for compartmentalizing the other dependencies that are used in the
container, whether that is a locally built image, source code, configurations, etc.

A Confinement is confine's version of a Dockerfile, but for provisioning container environments for tracing an executable.
See the example here for more details on how to configure it,
and set up syscall filtering rules as well.

Once everything is set, we can now execute an analysis! confine will not only run a dynamic trace, but will also employ its set of detections
during execution, outputting the behaviors it encounters at the end:

  $ confine exec workspace/
  a.out example.c
  Caught the debugger!
  intelligent-rest-5105
  [2021-02-19T04:21:56Z ERROR confine::trace::subprocess] confine: [BLOCK] encountered syscall exit_group
  {
    "syscalls": [
      "brk",
      "access",
      "mmap",
      "access",
      "open",
      "fstat",
      "mmap",
      "close",
      "access",
      "open",
      "read",
      "fstat",
      "mmap",
      "mprotect",
      "mmap",
      "mmap",
      "close",
      "mmap",
      "mmap",
      "arch_prctl",
      "mprotect",
      "mprotect",
      "mprotect",
      "munmap",
      "ptrace",
      "fstat",
      "mmap",
      "write",
      "uname",
      "write"
    ],
    "strings": [
      "Caught the debugger!\n",
      "intelligent-rest-5105\n"
    ],
    "networking": [],
    "file_io": {
      "/lib/x86_64-linux-gnu/libc.so.6": "524288",
      "/etc/ld.so.cache": "524288"
    },
    "commands": [],
    "capabilities": {
      "evasion": {
        "stalling": false,
        "antidebug": true,
        "antisandbox": false,
        "process_infect": false
      },
      "persistence": {
        "init_persistence": false,
        "time_persistence": false,
        "config_persistence": false
      },
      "deception": false
    }
  }
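The report above is plain JSON, so it is easy to post-process when you are triaging many samples. The following script is an added example, not part of confine itself: it parses the report printed above, walks the nested capabilities object to list every flag that fired, builds a syscall histogram, and produces a short triage summary. The SAMPLE_REPORT text is copied from the README output; the CORROBORATING_SYSCALLS mapping (pairing the antidebug flag with the ptrace call visible in the same trace) is an assumption made for this example and is not confine's own detection logic.

```python
import json
from collections import Counter
from typing import Dict, List, Optional

# Report text copied from the `confine exec` output shown above. It is kept as a
# raw string so the JSON "\n" escapes inside "strings" survive untouched.
SAMPLE_REPORT = r"""{
  "syscalls": ["brk", "access", "mmap", "access", "open", "fstat", "mmap", "close",
               "access", "open", "read", "fstat", "mmap", "mprotect", "mmap", "mmap",
               "close", "mmap", "mmap", "arch_prctl", "mprotect", "mprotect", "mprotect",
               "munmap", "ptrace", "fstat", "mmap", "write", "uname", "write"],
  "strings": ["Caught the debugger!\n", "intelligent-rest-5105\n"],
  "networking": [],
  "file_io": {"/lib/x86_64-linux-gnu/libc.so.6": "524288", "/etc/ld.so.cache": "524288"},
  "commands": [],
  "capabilities": {
    "evasion": {"stalling": false, "antidebug": true, "antisandbox": false, "process_infect": false},
    "persistence": {"init_persistence": false, "time_persistence": false, "config_persistence": false},
    "deception": false
  }
}"""

# Syscalls that corroborate a given capability flag. This mapping is an assumption made
# for this example only (not confine's detection logic); it covers the one case visible
# in the README output, where the antidebug flag coincides with a ptrace call.
CORROBORATING_SYSCALLS: Dict[str, set] = {"evasion.antidebug": {"ptrace"}}


def parse_report(text: str) -> dict:
    """Parse the JSON report emitted by `confine exec`."""
    return json.loads(text)


def triggered_capabilities(report: dict) -> List[str]:
    """Return dotted names (e.g. 'evasion.antidebug') of every capability flag set to true.

    Groups such as 'evasion' and 'persistence' are nested objects, while 'deception'
    is a bare boolean, so the walk has to handle both shapes.
    """
    hits: List[str] = []

    def walk(node: dict, prefix: str) -> None:
        for name, value in node.items():
            path = f"{prefix}{name}"
            if isinstance(value, dict):
                walk(value, path + ".")
            elif value is True:
                hits.append(path)

    walk(report.get("capabilities", {}), "")
    return hits


def syscall_histogram(report: dict) -> Dict[str, int]:
    """Count how often each syscall appears in the trace."""
    return dict(Counter(report.get("syscalls", [])))


def corroborate(report: dict) -> Dict[str, Optional[bool]]:
    """For each triggered capability, say whether a corroborating syscall was traced.

    True/False when a mapping exists for the flag, None when we have no mapping.
    """
    seen = set(report.get("syscalls", []))
    result: Dict[str, Optional[bool]] = {}
    for cap in triggered_capabilities(report):
        expected = CORROBORATING_SYSCALLS.get(cap)
        result[cap] = None if expected is None else bool(expected & seen)
    return result


def summarize(report: dict) -> dict:
    """Condense the report into the fields an analyst scans first."""
    caps = triggered_capabilities(report)
    summary = {
        "capabilities": caps,
        "networking": report.get("networking", []),
        "commands": report.get("commands", []),
        "files_touched": sorted(report.get("file_io", {})),
        "top_syscalls": Counter(report.get("syscalls", [])).most_common(3),
    }
    # Any fired capability, network activity or spawned command is worth a closer look.
    noisy = caps or summary["networking"] or summary["commands"]
    summary["verdict"] = "suspicious" if noisy else "no indicators"
    return summary


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    print(json.dumps(summarize(rep), indent=2))
    print(corroborate(rep))
```

Run it as-is to see the summary for the README's sample; to use it on your own runs, redirect the JSON portion of `confine exec` output to a file and pass its contents to parse_report. The corroborate step is there because a capability flag is an inference, and checking it against the raw syscall list is a cheap way to catch false positives before you escalate a sample.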

License

MIT License