Neo23x0/Loki

The tool doesn't scan the Sysnative folder

msuhanov opened this issue · 2 comments

Hello.

I have created a path-based rule for two files, one placed in the C:\Windows\ folder and another one placed in the C:\Windows\System32\ folder (both match the same rule used for this test). Since the tool is running under the Wow64 subsystem, the real System32 folder is called Sysnative (C:\Windows\Sysnative\). And the tool doesn't inspect that folder during the scan.

The problem is that the Sysnative folder isn't visible when enumerating the Windows folder, so one needs to explicitly try that name.

Here is related output (the tool is running with administrator privileges):

C:\Users\MS\Desktop\loki>loki.exe --nopesieve --nolevcheck --noprocscan --allhds


      __   ____  __ ______
     / /  / __ \/ //_/  _/
    / /__/ /_/ / ,< _/ /
   /____/\____/_/|_/___/
   YARA and IOC Scanner

   by Florian Roth, GNU General Public License
   version 0.44.2 (Python 3 release)

   DISCLAIMER - USE AT YOUR OWN RISK



[NOTICE] Starting Loki Scan VERSION: 0.44.2 SYSTEM: [removed] TIME: 20211214T19:23:52Z PLATFORM: 10 10.0.22000 SP0 Multiprocessor Free PROC: Intel64 Family 6 Model 142 Stepping 12, GenuineIntel ARCH: 32bit WindowsPE
[NOTICE] PE-Sieve successfully initialized BINARY: C:\Users\MS\Desktop\loki\tools\pe-sieve64.exe SOURCE: https://github.com/hasherezade/pe-sieve
[INFO] File Name Characteristics initialized with 3274 regex patterns
[INFO] C2 server indicators initialized with 0 elements
[INFO] Malicious MD5 Hashes initialized with 0 hashes
[INFO] Malicious SHA1 Hashes initialized with 0 hashes
[INFO] Malicious SHA256 Hashes initialized with 0 hashes
[INFO] False Positive Hashes initialized with 0 hashes
[INFO] Processing YARA rules folder C:\Users\MS\Desktop\loki\signature-base\yara
[INFO] Initializing all YARA rules at once (composed string of all rule files)
[INFO] Initialized 0 Yara rules
[INFO] Current user has admin rights - very good
[INFO] Setting LOKI process with PID: 1376 to priority IDLE
[INFO] Scanning Path C:\ ...
[WARNING]
FILE: C:\Program Files\Autopsy-4.19.2\autopsy\photorec_exec\bin\testdisk_win.exe SCORE: 99 TYPE: EXE SIZE: 679992
FIRST_BYTES: 4d5a90000300000004000000ffff0000b8000000 / <filter object at 0x03E30D78>
MD5: 6fc7cd21e60a4c95039d325670498e7f
SHA1: 5350a1e1608c4cd5c8379c2e8d81ec9cc925743e
SHA256: 1b478018b9513e1c1f9da96c88a571d84b30a10748544b9b06f00da9ce761e56 CREATED: Mon Oct  4 10:58:20 2021 MODIFIED: Mon Oct  4 10:58:20 2021 ACCESSED: Tue Dec 14 22:25:35 2021
REASON_1: File Name IOC matched PATTERN: \\test.*\.exe SUBSCORE: 99 DESC: This is a test
[NOTICE]
FILE: C:\Users\MS\OneDrive\Рабочий стол\Z.exe SCORE: 45 TYPE: EXE SIZE: 5580124
FIRST_BYTES: b'-'  CREATED: Mon Oct 11 19:52:00 2021 MODIFIED: Tue Mar  3 09:56:43 2020 ACCESSED: Tue Dec 14 23:02:27 2021
REASON_1: File Name IOC matched PATTERN: \\[a-zA-Z]\.exe$ SUBSCORE: 45 DESC: Typical Malware Name
[WARNING]
FILE: C:\WINDOWS\test_easy.exe SCORE: 99 TYPE: UNKNOWN SIZE: 24
FIRST_BYTES: 22746573745f72756c655f6c6f6b695f7363616e / <filter object at 0x03E30B98>
MD5: 28809807382ee195f63a4198c75644ad
SHA1: 88130e99668780a7966e0be13f370a8a7dd91434
SHA256: 47fbeab8d68881282113fdccfb357ddc6213ca6c6dcd5e8c3adea3a7d339b5a0 CREATED: Tue Dec 14 17:27:27 2021 MODIFIED: Tue Dec 14 17:27:27 2021 ACCESSED: Tue Dec 14 23:03:19 2021
REASON_1: File Name IOC matched PATTERN: \\test.*\.exe SUBSCORE: 99 DESC: This is a test
[NOTICE] Results: 0 alerts, 2 warnings, 3 notices
[RESULT] Suspicious objects detected!
[RESULT] Loki recommends a deeper analysis of the suspicious objects.
[INFO] Please report false positives via https://github.com/Neo23x0/signature-base
[NOTICE] Finished LOKI Scan SYSTEM: [removed] TIME: 20211214T20:29:32Z

C:\Users\MS\Desktop\loki>

Here are two files matching the rule; only one of them was detected:

C:\Users\MS\Desktop\loki>dir C:\windows\test_easy.exe
 Volume in drive C is Windows
 Volume Serial Number is [removed]

 Directory of C:\windows

14.12.2021  17:27                24 test_easy.exe
               1 File(s)             24 bytes
               0 Dir(s)  347 492 102 144 bytes free

C:\Users\MS\Desktop\loki>dir C:\windows\system32\test.exe
 Volume in drive C is Windows
 Volume Serial Number is [removed]

 Directory of C:\windows\system32

14.12.2021  17:27                24 test.exe
               1 File(s)             24 bytes
               0 Dir(s)  347 492 102 144 bytes free

C:\Users\MS\Desktop\loki>

The loki.exe provided in the release package is only a 32-bit executable. It won't see certain folders.
As said in the comment, better use THOR Lite instead. I won't work on my build process and won't provide a loki64.exe anytime soon. It's not worth it when there's already an improved scanner based on a completely different code base.
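For reference, the following is an added example and not part of this thread or of Loki's code base. It shows what a 32-bit file scanner has to do on 64-bit Windows to reach the real System32: detect that it runs under WoW64, and then either add C:\Windows\Sysnative as an explicit root (the alias is never listed when enumerating C:\Windows, and System32 itself is redirected to SysWOW64), or disable the redirector for the scanning thread. The function names (`running_under_wow64`, `scan_roots`, `native_filesystem_view`) are this example's own; the Windows facts it relies on are the PROCESSOR_ARCHITEW6432 environment variable, kernel32!IsWow64Process and kernel32!Wow64DisableWow64FsRedirection / Wow64RevertWow64FsRedirection.

```python
# Added example, not Loki's code: how a 32-bit scanner on 64-bit Windows can
# reach the real System32 via the Sysnative alias, plus the alternative of
# switching WoW64 file-system redirection off for the scanning thread.
# The function names below are this example's own, not Loki's.
import ctypes
import os
import sys
from contextlib import contextmanager
from pathlib import PureWindowsPath


def running_under_wow64(environ=None):
    """True when this is a 32-bit process on 64-bit Windows.

    Windows sets PROCESSOR_ARCHITEW6432 only inside WoW64 processes, so the
    environment alone answers the question; `environ` can be injected so the
    check is testable off-Windows. On Windows, kernel32!IsWow64Process is
    used as the authoritative fallback.
    """
    env = os.environ if environ is None else environ
    if env.get("PROCESSOR_ARCHITEW6432"):
        return True
    if sys.platform != "win32":
        return False
    k32 = ctypes.windll.kernel32
    k32.GetCurrentProcess.restype = ctypes.c_void_p
    k32.IsWow64Process.argtypes = [ctypes.c_void_p, ctypes.POINTER(ctypes.c_int)]
    flag = ctypes.c_int(0)
    ok = k32.IsWow64Process(k32.GetCurrentProcess(), ctypes.byref(flag))
    return bool(ok) and bool(flag.value)


def _parts(path):
    """Case-folded path components (NTFS names are case-insensitive)."""
    return tuple(p.lower() for p in PureWindowsPath(path).parts)


def _is_within(child, parent):
    c, p = _parts(child), _parts(parent)
    return c[: len(p)] == p


def scan_roots(requested, windir="C:\\Windows", wow64=None):
    """Expand the requested scan roots so the 64-bit System32 gets walked.

    Under WoW64 the redirector serves C:\\Windows\\SysWOW64 whenever a 32-bit
    process opens C:\\Windows\\System32, and the Sysnative alias never shows
    up when enumerating C:\\Windows. A walk starting at C:\\ therefore misses
    the real System32 unless C:\\Windows\\Sysnative is added as its own root.
    `windir` defaults to C:\\Windows; pass os.environ["SystemRoot"] on a
    real system.
    """
    if wow64 is None:
        wow64 = running_under_wow64()
    system32 = PureWindowsPath(windir) / "System32"
    sysnative = PureWindowsPath(windir) / "Sysnative"
    roots, seen = [], set()

    def add(path):
        key = str(path).lower()
        if key not in seen:
            seen.add(key)
            roots.append(str(path))

    for raw in requested:
        root = PureWindowsPath(raw)
        add(root)
        if not wow64:
            continue
        if _is_within(system32, root) and _parts(root) != _parts(system32):
            # Root is an ancestor of System32 (C:\ or C:\Windows): the walk
            # will never list Sysnative, so add it as a root of its own.
            add(sysnative)
        elif _is_within(root, system32):
            # Root is System32 or something beneath it: opening it would be
            # redirected to SysWOW64, so mirror the path under Sysnative.
            add(sysnative.joinpath(*root.parts[len(system32.parts):]))
    return roots


@contextmanager
def native_filesystem_view():
    """Disable WoW64 file-system redirection for the calling thread.

    Alternative to the Sysnative alias: while active, C:\\Windows\\System32
    resolves to the 64-bit directory. Keep the scope tight, because with
    redirection off the loader in this thread may fail to find 32-bit system
    DLLs. Yields True when redirection was disabled, False for a no-op.
    """
    if sys.platform != "win32" or not running_under_wow64():
        yield False
        return
    k32 = ctypes.windll.kernel32
    old_value = ctypes.c_void_p()
    if not k32.Wow64DisableWow64FsRedirection(ctypes.byref(old_value)):
        yield False
        return
    try:
        yield True
    finally:
        k32.Wow64RevertWow64FsRedirection(old_value)


if __name__ == "__main__":
    # The same whole-drive request as in the issue, simulated as WoW64.
    for r in scan_roots(["C:\\"], wow64=True):
        print(r)
```

A scanner that takes the Sysnative route should still hash and report the files under their Sysnative path, since that is the path at which a 32-bit process can reopen them; a 64-bit responder looking at the report has to translate Sysnative back to System32.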