cas1m1r/Psi

Using techniques from malware to detect malware
PSI

Could you take the techniques used in rootkit malware and turn them into tools for discovering malware? In this repo I use code from a few different rootkits to build a small kernel module that logs nearly every system operation of interest to dmesg.

Thus far the kernel module hooks the system call table to intercept attempts to open files or change user permissions. It also enumerates incoming and outgoing packets on network sockets.

[image: testing]

Logging

To make this more useful, though, we need to be able to parse and interpret what is coming from dmesg in real time. This is harder than you'd think: because we've hooked every action of the VM, most things we do will themselves end up appearing in the logs.

Well, a rootkit uses the same idea to hide things like internet traffic, so, again borrowing those ideas, we can add a feature that suppresses log messages for specific IP addresses (in this case local ones).

Once that works, we can simply set up a listener on our host machine and launch a shell script in the VM that builds the kernel module, inserts it, and then begins piping dmesg back to the listening port.

[image: guest2host]

From here we can start writing code to analyze what's happening in real time!
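As an added example of the host side of that pipeline (this is not code from the Psi repo), here is a small Python parser that reads Psi-style dmesg lines, drops the traffic that the guest2host channel itself generates (the local-address filtering described above), and flags a couple of events worth a second look. The line format, the event kinds (`open`, `setuid`, `net`), the field names and the addresses in `IGNORE_ADDRS` are all assumptions; the real module's log format is not shown on this page, so adjust the regexes to match what your build emits.

```python
import re
import socket
from dataclasses import dataclass, field
from typing import Dict, Iterable, Iterator, List, Optional

# Assumed line format (hypothetical; the real Psi module's dmesg output may differ):
#   [  123.456789] psi: open pid=1234 comm=bash path=/etc/passwd
#   [  123.456790] psi: setuid pid=1234 comm=bash uid=0
#   [  123.456791] psi: net dir=out src=192.168.56.101 dst=192.168.56.1 proto=tcp len=60
LINE_RE = re.compile(r"^\[\s*(?P<ts>\d+\.\d+)\]\s+psi:\s+(?P<kind>\w+)\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Addresses whose traffic is pure noise from the monitoring setup itself
# (constructed values: the host end of the guest2host pipe and loopback).
IGNORE_ADDRS = {"192.168.56.1", "127.0.0.1"}

# Paths whose opening is worth flagging (illustrative list).
SENSITIVE_PATHS = {"/etc/passwd", "/etc/shadow", "/etc/sudoers"}


@dataclass
class Event:
    ts: float
    kind: str
    fields: Dict[str, str] = field(default_factory=dict)


def parse_line(line: str) -> Optional[Event]:
    """Parse one dmesg line; return None for lines the Psi module did not emit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(float(m.group("ts")), m.group("kind"), dict(KV_RE.findall(m.group("rest"))))


def is_ignored(addr: str) -> bool:
    return addr in IGNORE_ADDRS


def interesting(ev: Event) -> bool:
    """Suppress net events touching an ignored address, mirroring the module-side filter."""
    if ev.kind == "net":
        return not (is_ignored(ev.fields.get("src", "")) or is_ignored(ev.fields.get("dst", "")))
    return True


def events(lines: Iterable[str]) -> Iterator[Event]:
    for line in lines:
        ev = parse_line(line)
        if ev is not None and interesting(ev):
            yield ev


def summarize(lines: Iterable[str]) -> Dict[str, int]:
    """Count surviving events per kind, e.g. {'open': 1, 'setuid': 1, 'net': 1}."""
    counts: Dict[str, int] = {}
    for ev in events(lines):
        counts[ev.kind] = counts.get(ev.kind, 0) + 1
    return counts


def alerts(lines: Iterable[str]) -> List[str]:
    """Simple real-time triage rules: privilege change to root, or a sensitive file being opened."""
    out = []
    for ev in events(lines):
        if ev.kind == "setuid" and ev.fields.get("uid") == "0":
            out.append(f"{ev.ts:.3f} pid={ev.fields.get('pid')} comm={ev.fields.get('comm')} became root")
        elif ev.kind == "open" and ev.fields.get("path") in SENSITIVE_PATHS:
            out.append(f"{ev.ts:.3f} pid={ev.fields.get('pid')} comm={ev.fields.get('comm')} opened {ev.fields['path']}")
    return out


def serve(host: str = "0.0.0.0", port: int = 9999) -> None:
    """Listener for the host machine: accept the VM's dmesg stream and triage it line by line."""
    with socket.create_server((host, port)) as srv:
        conn, peer = srv.accept()
        print(f"guest connected from {peer}")
        with conn, conn.makefile("r", encoding="utf-8", errors="replace") as stream:
            for line in stream:
                for msg in alerts([line]):
                    print("ALERT", msg)


# Constructed sample lines for an offline run.
SAMPLE_LINES = [
    "[  123.456789] psi: open pid=1234 comm=bash path=/etc/passwd",
    "[  123.456790] psi: setuid pid=1234 comm=bash uid=0",
    "[  123.456791] psi: net dir=out src=192.168.56.101 dst=192.168.56.1 proto=tcp len=60",
    "[  123.456792] psi: net dir=in src=203.0.113.7 dst=192.168.56.101 proto=tcp len=60",
    "[  123.456793] audit: unrelated kernel line",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
    for msg in alerts(SAMPLE_LINES):
        print("ALERT", msg)
```

In the VM, the same stream is produced with `dmesg -w | nc <host> 9999`; on the host, call `serve()` before starting the module. Filtering on the host as well as in the module is deliberate: the module-side filter keeps dmesg quiet, while the host-side one lets you tune what counts as noise without rebuilding and reinserting the module.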

WARNING: This code is not very stable at the moment, and in my testing it has led to instability of the Ubuntu instance after running for a while. This code is in active development, and I am simply learning, so use at your own risk!

Installing

If you do feel brave and want to try using this module you can:

  • clone the repo
  • go to the Psi/latest_kernel folder
  • run make to build the project.
  • If the build succeeds, you should have a psi.ko object. Insert the module using insmod psi.ko

Latest Kernel Tested: Linux 5.19.0-46-generic in Ubuntu 22.04 LTS.

DISCLAIMER

The contents of this repository are designed purely for educational purposes. I've designed, tested, and written this code solely for testing on my own personal machines to better understand the techniques and design of Linux-based malware and security-related programming topics. DO NOT use any of this on equipment that is not yours or that you do not have permission to do so with. I am not responsible for any of the poor choices you may or may not make.
