Feature request: Match yara and suspend process
DigiAngel opened this issue · 3 comments
I would love to be able to get procfilter to suspend a process on matching a yara rule. Thank you.
That is a good idea but I don't have the availability to develop it now. However it is easy and you could do it without too much effort.
The plugin https://github.com/godaddy/procfilter/blob/master/launchcmd/launchcmd.cpp#L52 is a good example of adding a tag handler for a YARA rule match. You'd have to change the "LaunchCommand" string to your new YARA meta tag and then check if the value is set (e->lpszStringValue) and non-zero. If so, set a boolean in the match_data struct to true.
Then when the scan is complete on line 57 test if that boolean had been set during the scan and then you can do whatever you'd like based on the rule hit. You'd want to iterate through all threads in the process and suspend them via the SuspendThread() Windows API call.
If your use case is ad-hoc testing with some malware, this is probably enough. If you want to use this feature in production there is more you would need to do, like keep track of all the threads in all processes that have been suspended, that way if ProcFilter is unloaded you it can resume them when it exits, to avoid leaking system resources.
Thank you....kind of new to this so I'll see what I can manage to get working. Ideally this could be used as a standalone app with no parameters to monitor all processes, or to specify a process after execution (I imagine I'd run the malware, suspend it, then fire procfilter off with a -pid cli and have procfilter monitor for the string I'm looking for). Thanks again.
If you want to do that you could check out the 'antimalware' plugin. We're entering into the undocumented & testing features of ProcFilter but it may suit your needs. If you enable that plugin you can create a directory named "malware" and then ProcFilter will interactively prompt you on DLL load, subprocess creation, thread creation (including remote threads), and process termination events of all processes spawned from that path.
The features are considered testing so I only recommend using them in a VM.
Don't hesitate to ask if you have any questions.