The Sanctum EDR is an 🚧 experimental and in development 🚧 proof of concept for an EDR (Endpoint Detection and Response) tool, fully written in Rust! No C required in this project baby!
I'm documenting this project on my blog!
Up until recently, the readme was in need of some TLC; given how fast the project has grown, the readme was out of date, and as time went on some fairly specific configuration requirements have arisen. See the Deployment Instructions section for clear details on how to install the project to a VM. Do not deploy this on your host machine: as we are tampering with the kernel (Windows 11), you may encounter system instability.
I am not accepting PRs as a rule, unless your contribution is something small / utility based. This project is primarily for my own learning - and hopefully for me to teach the concepts to people interested in low level Windows system security / malware devs / defensive engineering / analysts.
That said; as there is more attention on the project, please feel free to raise issues or use the discussions page as you wish. If you want some integrations, let me know and I will look at building those in!
I'd also recommend opening the driver crate at its crate level from the Developer Command Prompt (e.g. for VSCode: `code driver`) as I have noticed some issues with Rust-Analyzer if not opened in this way.
🚧 Please note: This project is not currently designed for mass consumption; you may encounter teething issues in the deploy process - you can raise an issue for me to fix; but I provide no guarantee it will work without issue on your deployment. This is a POC project first and foremost. There may be some bugs, or incomplete features on the main branch as I develop it. For bugs, please raise an issue. Incomplete features will be in progress, so please do not raise issues for those.
| Crate | Description |
|---|---|
| `driver` | Contains the code for the Sanctum driver, which is required for kernel monitoring |
| `um_engine` | The usermode engine of the Sanctum application, which communicates with the driver, running processes, and the GUI |
| `injected_dll` | A DLL injected into all processes for EDR hooking (note that this is currently phased out, having been replaced with kernel-side hooking after I researched Alt Syscalls for Windows 11). I will leave this in the project for legacy / blog post reasons; I have spent a lot of time hooking functions and writing about it on my blog, so it is good to keep in |
| `gui` | A GUI for the Sanctum EDR, using Tauri for rendering |
| `etw_installer` | The installer program for creating the ELAM PPL service (installs `sanctum_ppl_runner`) |
| `sanctum_ppl_runner` | An ELAM-signed Protected Process Light service which monitors the Event Tracing for Windows: Threat Intelligence provider |
| `shared_*` | Shared crates for the project, for both `std` and `no_std` environments |
| `server` | Todo; this is to be the telemetry server which will receive signals from endpoints |
| `etw_consumer` | Deprecated; `sanctum_ppl_runner` implements all required features this was intended to solve. Leaving in for learning reasons / linked to my blog post |
You can check my YouTube channel for some POC videos :)
## Features

As a summary of features:

- Alt Syscalls for kernel-side interception of syscalls
- Event Tracing for Windows: Threat Intelligence telemetry subscription
- Uses Ghost Hunting to detect signs of malicious activity
- Detects tampering of NTDLL (thwarts common malware TTPs)
- Detects rootkit tampering in the kernel
- DLL injection of EDR (currently deprecated in favour of Alt Syscalls)
## Prerequisites

- Cargo (obviously..).
- Nightly.
- Windows Driver Kit & Developer Console (as admin for building the driver).
- `cargo make` and LLVM tools; see Microsoft's build instructions for installing these.
- Tauri build tools; see the documentation for official instructions.
## Deployment Instructions

The installation instructions are split between your host and guest. If you are having problems deploying this, please use the discussions page or raise an issue and I will do my best to help / fix any bugs from the process.
They are split into instructions for a host machine and a guest VM; this is because I advise against developing & building on your deployment VM (if the driver bricks your VM and it can't boot, then you will lose any development / environment-specific setup [assuming no snapshots] that went into you being able to build this project).
If you wish to build and deploy on the same machine (VM only, to save your host), then I recommend two VMs: one to build, one to deploy, in which case treat the host section below as your second VM.
As an overview, the driver must be built via `cargo make`, which is a pipeline provided by Microsoft in the Windows Drivers project. The remaining crates for this project are built via `cargo build`.
### Guest VM

- Install a clean Windows 11 VM; do so first with a Gen2 processor, Secure Boot and TPM so you can properly install Windows. I would recommend installing W11 Pro when prompted. You can use either a type 1 or type 2 hypervisor.
- Update Windows etc.
- Disable Secure Boot and TPM.
- Boot the VM.
- Copy over the `installer_clean_vm.ps1` script from this repo root.
- Open PowerShell as admin, and cd into where you dropped the script.
- Enable running of scripts on your VM via PowerShell: `Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass`
- Run `./installer_clean_vm.ps1` - this will initialise the folder structure required, pull down the static files, enable debug mode and configure your VM for kernel debugging in WinDbg.
Now do the host instructions; we will return to the guest shortly.
### Host

This is a little involved due to the signing process. But follow along and you should be good.

- Ensure you have Visual Studio build tools installed.
- Ensure you have this repo cloned.
- Open Developer Command Prompt as Administrator (I'd recommend running `powershell` from this cmd prompt to upgrade to PowerShell).
- CD into the driver crate of this repo.
- Run `.\cert.ps1`, which will generate an ELAM-compatible code signing certificate called `sanctum.pfx`. The cert will be located in the `driver` crate root.
- Run `cargo make` - this will build the driver.
- Run `.\sign.bat` - this will sign the driver.
- Run `certmgr.exe -v target\debug\sanctum_package\sanctum.sys`, which will output the certificate information of the driver:
  - Look for the line (just above the halfway point of the output) which has the heading `Content Hash (To-Be-Signed Hash)::`.
  - Note the hash that is output beneath (it will be 2 lines of bytes).
  - You want to concatenate these bytes into 1 long string. To see an example explanation, check my comment here.
- Open `driver/build.rs` in your favourite code editor, and change the hash from what is there in your cloned copy to the hash you concatenated in the step above; again, see the above link if that doesn't make sense.
- Run `cargo clean`.
- Run `cargo make`.
- Run `.\sign.bat`.
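The hash step above asks you to join the two lines of bytes beneath the `Content Hash (To-Be-Signed Hash)::` heading into one string by hand. The following is an added example, not code from the Sanctum project, that does that join mechanically. The certmgr output embedded in it is constructed, and the layout it assumes (heading line, then lines of space-separated hex bytes ending at the next non-hex line) is my assumption about the real tool's output, so compare the result against what you see on screen before pasting it into `driver/build.rs`.

```rust
// Added example (not part of the Sanctum project): pull the
// "Content Hash (To-Be-Signed Hash)" out of `certmgr.exe -v` output and
// join its byte lines into one continuous hex string for driver/build.rs.
use std::io::{self, Read};

/// Constructed sample of certmgr output. The real tool prints more fields;
/// the layout assumed here is the heading line followed by lines of
/// space-separated hex bytes, ending at the next non-hex line.
pub const SAMPLE_CERTMGR_OUTPUT: &str = "\
Signer Certificate::
    Subject:: CN=Sanctum
Content Hash (To-Be-Signed Hash)::
    AB CD EF 01 23 45 67 89 AB CD EF 01 23 45 67 89
    AB CD EF 01 23 45 67 89 AB CD EF 01 23 45 67 89
Signature Algorithm:: sha256RSA
";

const HEADING: &str = "Content Hash (To-Be-Signed Hash)";

/// True for a two-character hex token such as "AB" or "0f".
fn is_hex_byte(tok: &str) -> bool {
    tok.len() == 2 && tok.chars().all(|c| c.is_ascii_hexdigit())
}

/// Returns the concatenated, upper-case hash, or None if the heading or
/// its byte lines are missing from the output.
pub fn extract_tbs_hash(output: &str) -> Option<String> {
    let mut lines = output.lines();
    // Skip ahead to the heading; `?` returns None if it never appears.
    lines.find(|l| l.trim().starts_with(HEADING))?;
    let mut hash = String::new();
    for line in lines {
        let tokens: Vec<&str> = line.split_whitespace().collect();
        // The hash block ends at a blank line or the first non-hex line.
        if tokens.is_empty() || !tokens.iter().all(|t| is_hex_byte(t)) {
            break;
        }
        for tok in tokens {
            hash.push_str(&tok.to_ascii_uppercase());
        }
    }
    if hash.is_empty() { None } else { Some(hash) }
}

/// Pipe the certmgr output in, e.g.
/// `certmgr.exe -v target\debug\sanctum_package\sanctum.sys | cargo run`
/// (the constructed sample is used when stdin is empty).
fn main() {
    let mut input = String::new();
    io::stdin().read_to_string(&mut input).expect("read stdin");
    let source = if input.trim().is_empty() { SAMPLE_CERTMGR_OUTPUT } else { input.as_str() };
    match extract_tbs_hash(source) {
        Some(h) => println!("{} ({} hex chars)", h, h.len()),
        None => eprintln!("heading '{}' not found in input", HEADING),
    }
}
```

The function stops at the first line that is not purely hex bytes, so a trailing field such as a signature algorithm does not get glued onto the hash; if your certmgr build prints the bytes with a separator other than spaces, adjust `is_hex_byte` and the `split_whitespace` call accordingly.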
The PPL runner must be built in release mode to match the signing script - if you want to build in debug mode, make sure to edit `sign_ppl_runner.bat`.

- Continuing on from above, go up one dir with `cd ../`.
- Run `cargo build --release -p sanctum_ppl_runner` - this will build the PPL service binary in `/target/release/`.
- Sign the service binary by running `.\sign_ppl_runner.bat`.
Then build the remaining crates (feel free to build these in debug mode if you wish):

```
cargo build --release -p elam_installer
cargo build --release -p injected_dll
cargo build --release -p um_engine
cargo tauri build --debug
```
### Back on the guest VM

Now to finish off, we want to move the binaries into the guest VM and run things!

- Move `um_engine.exe`, `elam_installer`, `app` (gui) into `~\Desktop\sanctum`.
- Move `sanctum.sys`, `sanctum_ppl_runner.exe`, `sanctum.dll` into `%AppData%\Sanctum`.
- In an admin PowerShell terminal:
  - `cd ~\Desktop\sanctum`
  - `.\elam_installer.exe` - this should work and now prompt you to reboot.
- Reboot.
- In an admin PowerShell terminal:
  - `cd ~\Desktop\sanctum`
  - `.\elam_installer.exe` - this time there is no prompt to reboot.
  - `sc.exe start sanctum_ppl_runner` - this should run your PPL service. If you have issues, check Event Viewer, or go to Services -> sanctum_ppl_runner and start it from there (may give more verbose error messages).
- Run `um_engine` as admin.
- Run the GUI `app.exe` as admin.
- Now you should be good to start the driver from the GUI if all went well!

If you have problems with the deployment process, please feel free to submit an issue or discussion and I will try to help!