Initial public release

Author: Emerson R. Wiley

.gitattributes

@@ -0,0 +1,15 @@
+*.cpp text eol=crlf
+*.hpp text eol=crlf
+*.ini text eol=crlf
+*.md text eol=crlf
+*.yara text eol=crlf
+*.vcxproj text eol=crlf
+*.yar text eol=crlf
+*.h text eol=crlf
+*.c text eol=crlf
+*.rc text eol=crlf
+*.sln text eol=crlf
+*.exe binary
+*.dll binary
+*.lib binary
+*.obj binary

.gitignore

@@ -0,0 +1,42 @@
+*.bat
+*.filters
+*.cmd
+*.sdf
+*.bin
+*.aps
+*.vcxproj.*
+*.log
+*.exe
+*.dll
+*.pdb
+*.ilk
+*.sys
+*.lib
+*.exp
+*/Win10Debug/*
+*/Debug/*
+*/Release/*
+*/Win*Debug/*
+*/Win*Release/*
+*/x64/*
+Debug/*
+Win*Debug/*
+*.opensdf
+*.vs/
+*.py
+*.yar
+*.swp
+.DS_Store
+Thumbs.db
+*.sdv
+*.xml
+*.opendb
+Release/
+Win10Release/
+Win7Release/
+Win8.1Release/
+Win8Release/
+deps/libgit2/x86/git2.dll
+deps/libgit2/x86/git2.lib
+deps/libgit2/x64/git2.dll
+deps/libgit2/x64/git2.lib

COPYING

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2016 GoDaddy Operating Company, LLC.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

LICENSE.md

@@ -0,0 +1,145 @@
+# ProcFilter
+
+ProcFilter is a process filtering system for Windows with built-in YARA integration. YARA rules can be instrumented with custom meta tags that tailor its response to rule matches. It runs as a Windows service and is integrated with [Microsoft's ETW API](https://msdn.microsoft.com/en-us/library/windows/desktop/bb968803%28v=vs.85%29.aspx), making results viewable in Windows Event Log. Installation, activation, and removal can be done dynamically and do not require a reboot.
+
+ProcFilter's intended use is for malware analysts to be able to create YARA signatures that protect their environment against a specific threat. It does not include a large signature set. Think lightweight, precise, and targeted rather than broad or all-encompassing. ProcFilter is also intended for use in controlled analysis environments where custom plugins can perform artifact-specific actions. 
+
+ProcFilter is compatible with Windows 7+ and Windows Server 2008+ systems.
+
+# Installers
+- [ProcFilter x86/x64 Release/Debug Installers](https://github.com/godaddy/procfilter/releases)
+
+# Features
++ Deny processes based on YARA rules
++ Highly configurable via INI-configurable
++ Installation/removal without rebooting
++ Built-in performance measuring and stress testing
++ Plugins extend or augment ProcFilter's behavior
++ Command-line behavior includes YARA scanning, file hashing, and service status querying
+
+# Configuration
+[procfilter.ini](https://github.com/godaddy/procfilter/blob/master/files/procfilter.ini) contains a variety of variety of configurables, including:
++ File/memory scanning on process create/terminate
++ File/memory scanning periodically
++ File/Memory scanning on executable image load
+
+procfilter.ini also include a variety of plugin-specific options in addition.
+
+# Project Goals
+
++ Allow analysts to hook in to process and thread kernel events
++ Operationalize the growing body of knowledge found in YARA signatures in the Windows environment
+* Fill in the gap between detection of a threat and vendor response
++ Be a lightweight, configurable, additional layer of defense
+
+# Project Non-Goals
+
++ Become an A/V replacement
+* A/V does much more than ProcFilter: Behavior based detection, code emulation, centralized management, self-protection, inter-process communication and monitoring, examines file operations, examines network behavior, and many more vendor-specific features
+
+ProcFilter could do some or all of these things in the future through plugins but these features are currently out of scope as the project is being established.
+
+# Signatures
+
+Signatures can either come from disk or more conveniently from a Git repository. Configuration can specify a Git URL to pull updates from and the service will automatically check out and load new commits.
+
+By default ProcFilter will respond to 3 boolean meta tags within YARA rules:
+
+| Meta Tag   | Action |
+| ---------- | ------ |
+| Block      | Block the process associated with rule matches |
+| Log        | Allow the process but log its presence |
+| Quarantine | Make a copy of the associated file in a quarantine location |
+
+ProcFilter comes with a small set of default rules to get analysts started.  It *does not* contain a large rule set meant to catch everything.  In fact, it only includes rules for very select few families.  [View the default rule set here](https://github.com/godaddy/yara-rules). While it is possible to include a massive rule set, consider the potential for false-positives, difficulty in rule creation, and fundamental limitations of signature-based prevention -- all-encompassing rule sets quickly become a much more difficult challenge than it may appear at the outset. See the "Advocacy for Signature Sharing" section below for more details.
+
+Plugins can add handlers for custom meta tags.  The 'cmdline' plugin, for example, looks for ```CaptureCommandLine``` tags that trigger it to record command line options associated with rule matches.
+
+# Jusitification and Effective Usage
+
+ProcFilter is **not** an AntiVirus replacement. ProcFilter contains a *minimal* signature set and will miss most malware by default. Despite this it still has high utility and is a valuable component of a defense-in-depth strategy against unwanted software.
+
+ProcFilter uses YARA and YARA is signature-based. This means that in order to block something it must have been seen before.  Signature evasion is trivial -- repack and evade -- although it does raise the bar of difficulty for an attacker since it generally follows that that the more an attacker tries to hide a payload the more prominent and detectable the hiding mechanism becomes.
+
+Sophisticated payloads tend to be complex pieces of software and like any other complex software do not change drastically over time even though the packing might. Well-written signatures may work for longer periods of time, keying in on aspects of code unlikely to change across obfuscations, packing, or varied compilation options. Sometimes it's possible to "see through" packing as [in this example](https://github.com/godaddy/yara-rules/blob/master/emotet.yara).
+
+Post-execution memory scanning, while resource intensive, can detect post-execution payloads. It's not preventative but it will give you visibility and awareness you wouldn't have had otherwise. Furthermore, this can be used by analysts in a controlled environment to detect payloads of packed malware without having to involve a debugger.
+
+Legitimate software is not often packed and rules that detect packers can help identify unwanted software. You may not need to know what something is -- just that it's hiding its behavior is enough. For example, you may know that packed software should not be run in a specific, tightly-controlled environment, making ProcFilter an effective mitigation or additional indicator of unwanted behavior. Note that this is environment dependent; some legitimate software such as games use packers like UPX to compress game assets and minimize executable size.
+
+### Signature Sharing
+
+Signature sharing is a challenge. If signatures are publicly visible then an attacker can test against them until evasion is successful. Addtionally, the open format of YARA provides a roadmap to exactly what within a family is causing the detection. On the other hand, this consumes the attacker's resources by forcing them to adapt. Additionally, prior releases of the malware will no longer be effective once a signature has been created.
+
+Considering the pros and cons, it's advisable to avoid subscribing to the belief of keeping security-related information private to avoid “tipping the hand to attackers”. The benefit of open information exchange is multiplicative and with that comes the ability to out scale — consider the success of software such as AdBlock. If you have a community of people with the same vested interest in solving the next new problem you’re a lot better off than if you kept your tips & tricks private and remained independent in the fight against malware.
+
+Furthermore, consider that if signature evasion is a problem, custom-written plugins still have plenty of opportunity to perform advanced actions to detect malware. ProcFilter can be extended in many different dimensions to meet a multitude of techniques.
+
+Pros of Sharing:
++ Promotes a community in which resources can be pooled
++ Remains effective against prior releases/deployments of a malware family
++ Reduces duplicated effort which is currently the status quo
++ Once a threat is identified, signatures can be shared across all participants
++ The larger the community defining the threats, the less damage they will be able to do
+
+Cons of Sharing:
++ Attackers can test against public signatures until evasion is successful
++ The open format of YARA provides information as to what exactly needs to be changed to evade signatures
+
+Sharing in a semi-open fashion between trusted partners via private forums can be an effective way to mitigate the cons of open sharing.
+
+# API
+ProcFilter exposes a C API that can extend or alter behavior. For example, a plugin could perform custom actions based on tags in YARA signature's meta sections [cmdline plugin](https://github.com/godaddy/procfilter/blob/master/launchcmd/launchcmd.cpp). The C API header file [is located here](https://github.com/godaddy/procfilter/blob/master/service/include/procfilter/procfilter.h).
+
+Event list (See [procfilter.h](https://github.com/godaddy/procfilter/blob/master/service/include/procfilter/procfilter.h) for the full list):
++ Process Creation/Termination
++ Thread Creation/Termination
++ Executable Image Load
++ Scan start/finish
+
+Example plugins:
++ [SHA1 Whitelisting](https://github.com/godaddy/procfilter/blob/master/sha1/sha1.cpp) - Whitelist/blacklist files based on SHA1 hash
++ [Command Line Capturing](https://github.com/godaddy/procfilter/blob/master/cmdline/cmdline.cpp) - Record command line parameters passed to programs that match rules
++ [Interactive](https://github.com/godaddy/procfilter/blob/master/interactive/interactive.cpp) - Interactively allow/deny processes as they are created
++ [Unpack](https://github.com/godaddy/procfilter/blob/master/unpack/unpack.cpp) - Capture a post-execution process snapshot when a process ends
++ [Launch Command](https://github.com/godaddy/procfilter/blob/master/launchcmd/launchcmd.cpp) - Execute a command when a rule match occurs
++ [Filenames](https://github.com/godaddy/procfilter/tree/master/filenames/filenames.cpp) - Block processes based on filename
++ [Remote Thread Denial](https://github.com/godaddy/procfilter/blob/master/remotethread/remotethread.cpp) - Interactively allow/deny remote thread creation
+
+# Risks
+
+Running ProcFilter introduces attack surface just as any additional software does. While it has been written with security in mind it may have vulnerabilities or the libraries it depends on may have vulnerabilities -- this is no different than any other software. It may be susceptible to system crashes, errant behavior, or security vulnerabilities. Just because this is a security tool does not make it suddenly immune to the pitfalls and caveats of modern programming languages.  The hope is that the tradeoff of risks prevented versus risks introduced is favorable.
+
+ProcFilter is beta and is not quite yet ready for use in production environments.
+
+# Example Use Cases
+
+### Use Case #1
+
+Analysts at a peer organization detected or were hit by a spear phishing attack. They share their YARA signature with you for use in ProcFilter, minimizing the chance your organization will be hit by the same sample, or if the signature is good, other samples within that family.
+
+### Use Case #2
+
+US-CERT releases a report containing a YARA signature for a malware family, [https://www.us-cert.gov/ncas/alerts/TA14-353A](such as in this 2014 report). You incorporate their YARA signatures into your rule set to minimize the chance your organization will be hit by a variant of the same.
+
+### Use Case #3
+
+A specific threat actor is known to upload copies of command shells within a shared access environment. The differing filename or path prevents you from capturing this activity.  In order to detect and analyze this actor's behavior, ProcFilter is run with a signature for the [Windows command shell](https://github.com/godaddy/yara-rules/blob/master/features/command_shell.yara), the [Command Line Capturing](https://github.com/godaddy/procfilter/blob/master/cmdline/cmdline.cpp) plugin enabled, and the ```CaptureCommandLine``` value in the meta section set to true.
+
+When the attacker uploads and runs a command shell that matches the signature the command line arguments are recorded to Event Log.
+
+### Use Case #4
+
+The same TA packs the command shell with UPX so it's no longer detected by file scanning at process launch. ProcFilter's post-execution memory scanning is enabled which matches the command shell signature, consequently capturing the command line at process termination.
+
+### Use Case #5
+
+A malware analyst needs to get a memory snapshot of a packed sample but running it in a controlled debug environment fails because the sample detects the environment and crashes out or exists before it is unpacked in memory. The malware analyst enables the 'unpack' ProcFilter plugin, which successfully takes a memory snapshot at process termination since ProcFilter does act as a debugger. Note that this is a cat and mouse game since ProcFilter is detectable from userland and could be detected by an unpacking stub.
+
+### Use Case #6
+
+A malware analyst wants to know if a packed sample is related to a sample found before. Scans against the file turn up nothing due to the packing. The analyst runs the sample in a controlled environment containing ProcFilter with post-execution memory scanning enabled. At program termination the address space is scanned which matches rules in the set, indicating the type of payload.
+
+# License
+
+ProcFilter is licensed under the MIT license [located here](https://github.com/godaddy/procfilter/blob/master/LICENSE.md).

README.md

@@ -0,0 +1 @@
+sign_binaries.bat & build_installers.bat & sign_installers.bat

build_and_sign.bat

@@ -0,0 +1,4 @@
+"C:\Program Files (x86)\Inno Setup 5\Compil32.exe" /cc ".\procfilter_debug_x86.iss"
+"C:\Program Files (x86)\Inno Setup 5\Compil32.exe" /cc ".\procfilter_release_x86.iss"
+"C:\Program Files (x86)\Inno Setup 5\Compil32.exe" /cc ".\procfilter_debug_x64.iss"
+"C:\Program Files (x86)\Inno Setup 5\Compil32.exe" /cc ".\procfilter_release_x64.iss"

build_installers.bat

@@ -0,0 +1,88 @@
+
+
+
+#include "procfilter/procfilter.h"
+
+#include <winternl.h>
+
+typedef struct match_data SCAN_DATA;
+struct match_data {
+	bool   bCaptureCommandLine; // Should the command line associated with this process be captured?
+	WCHAR *lpszCommandLine;     // A copy of the command line if captured
+};
+
+
+//
+// Store the command line associated with the current process into the SCAN_DATA structure.
+//
+WCHAR*
+CaptureCommandLine(PROCFILTER_EVENT *e)
+{
+	// read the processes PEB and it's Parameters structure
+	WCHAR *lpszResult = NULL;
+	PEB Peb;
+	RTL_USER_PROCESS_PARAMETERS Parameters;
+	if (e->ReadProcessPeb(&Peb) && e->ReadProcessMemory(Peb.ProcessParameters, &Parameters, sizeof(Parameters))) {
+		// check to make sure the command line is present
+		DWORD len = Parameters.CommandLine.Length;
+		if (len > 0) {
+			// allocate memory for the command line and then copy it out from the remote process
+			lpszResult = (WCHAR*)e->AllocateMemory(len + 1, sizeof(WCHAR));
+			if (lpszResult && e->ReadProcessMemory(Parameters.CommandLine.Buffer, lpszResult, len)) {
+				lpszResult[len] = '\0';
+			} else if (lpszResult) {
+				e->FreeMemory(lpszResult);
+				lpszResult = NULL;
+			}
+		}
+	}
+
+	return lpszResult;
+}
+
+
+//
+// ProcFilter event handler
+//
+DWORD
+ProcFilterEvent(PROCFILTER_EVENT *e)
+{
+	DWORD dwResultFlags = PROCFILTER_RESULT_NONE;
+	SCAN_DATA *sd = (SCAN_DATA*)e->lpvScanData;
+	
+	if (e->dwEventId == PROCFILTER_EVENT_INIT) {
+		// register the plugin with the core
+		e->RegisterPlugin(PROCFILTER_VERSION, L"CommandLine", 0, sizeof(SCAN_DATA), false,
+			PROCFILTER_EVENT_YARA_SCAN_INIT, PROCFILTER_EVENT_YARA_SCAN_COMPLETE, PROCFILTER_EVENT_YARA_SCAN_CLEANUP,
+			PROCFILTER_EVENT_YARA_RULE_MATCH, PROCFILTER_EVENT_YARA_RULE_MATCH_META_TAG, PROCFILTER_EVENT_NONE);
+
+	} else if (e->dwEventId == PROCFILTER_EVENT_YARA_SCAN_INIT) {
+		// the match data buffer is zero-initialized by the core, but extra init can be done here if needed
+	} else if (e->dwEventId == PROCFILTER_EVENT_YARA_RULE_MATCH) {
+		// this event happens every time a rule is matched during a scan
+	} else if (e->dwEventId == PROCFILTER_EVENT_YARA_RULE_MATCH_META_TAG) {
+		// this event happens for each meta value name in every rule that matches
+		// since we only care if this tag is set anywhere, its fine if this meta tag
+		// is found in several rules
+		if (_stricmp(e->lpszMetaTagName, "CaptureCommandLine") == 0 && e->dNumericValue) {
+			sd->bCaptureCommandLine = true;
+		}
+	} else if (e->dwEventId == PROCFILTER_EVENT_YARA_SCAN_COMPLETE) {
+		// here we can look at the match data as filled in during prior events and capture the command line accordingly
+		// while the process is still suspended
+		if (sd->bCaptureCommandLine) {
+			sd->lpszCommandLine = CaptureCommandLine(e);
+		}
+	} else if (e->dwEventId == PROCFILTER_EVENT_YARA_SCAN_CLEANUP) {
+		// here we examine the contents as filled in durring scanning, and handle our final results accordingly
+		if (sd->bCaptureCommandLine && sd->lpszCommandLine) {
+			e->LogFmt("Command line for %d %ls: %ls", e->dwProcessId, e->lpszFileName, sd->lpszCommandLine);
+
+			// release previously allocated memory
+			e->FreeMemory(sd->lpszCommandLine);
+		}
+	}
+
+	return dwResultFlags;
+}
+