Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Drv - Intercept syscalls #17

Open
1 task
0xflux opened this issue Oct 27, 2024 · 0 comments
Open
1 task

Drv - Intercept syscalls #17

0xflux opened this issue Oct 27, 2024 · 0 comments
Assignees
@0xflux

Comments

@0xflux
Copy link
Owner

0xflux commented Oct 27, 2024
edited
Loading

Intercept syscalls and look at what parameters are being passed, is there anything suspicious going on? Some key syscalls of interest:

  • Creating remote threads
  • Allocating memory in foreign processes

Notes

This may more be required from the injected DLL - but to research if this can also be done in the kernel. If so, this feature / issue should handle overwriting syscalls with jumps to the Sanctum DLL for the inspection. This telemetry should then be sent back to the engine for processing, in tandem with any kernel messages.

Additional features:

  • If the driver can intercept syscalls once they reach the kernel, then it would be good to check that the injected DLL was also privvy to the call, if it wasnt, it could indicate hells/heavens gate etc.
@0xflux 0xflux self-assigned this Oct 27, 2024
@0xflux 0xflux converted this from a draft issue Oct 27, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@0xflux 0xflux

Labels
None yet
Projects
Sanctum project
Status: Driver backlog
Milestone
No milestone
Development

No branches or pull requests
1 participant
@0xflux