decaf-platform - plugin_sample.wiki

Source: Internet. Published by: 网络桥接器. Editor: 程序博客网. Time: 2024/06/16 13:09

Keylogger Detector

Leveraging the VMI, tainting and event-driven programming features of DECAF, Keylogger Detector is capable of identifying keyloggers and analyzing their stealthy behaviors.

Leveraging DECAF's VMI, taint propagation and event-driven features, the keylogger detector can identify keyloggers and analyze their suspicious behavior.

By sending tainted keystrokes into the guest system and observing whether any untrusted code modules access the tainted data, we can detect keylogging behavior. The sample plugin can introduce tainted keystrokes into the guest system and identify which modules read the tainted keystroke by registering to receive the DECAF_READ_TAINTMEM_CB and DECAF_KEYSTROKE_CB callback events. To capture the detailed stealthy behaviors, Keylogger Detector implements a shadow call stack by registering for the DECAF_BLOCK_END callback. Whenever the callback is triggered, we check the current instruction. If it is a call instruction, we retrieve the function information using VMI and push the current program counter onto the shadow call stack. If it is a ret instruction and it pairs with the entry on the top of the shadow call stack, we pop that entry from the stack. When the DECAF_READ_TAINTMEM_CB callback is invoked, we retrieve from the shadow call stack which process, module, and function read the tainted keystroke data.

By sending tainted keystrokes into the virtual environment and observing whether any untrusted code blocks touch the tainted data, we can monitor keystroke-capturing behavior. The provided plugin can send tainted keystrokes into the virtual environment and identify which module read the tainted keystroke (using the DECAF_READ_TAINTMEM_CB and DECAF_KEYSTROKE_CB callbacks that DECAF provides). To obtain more detailed suspicious behavior, the keylogger monitor applies a shadow call stack (by registering the DECAF_BLOCK_END callback). When the callback is invoked, we check the current instruction: if it is a call instruction, we obtain the function information through VMI and store the current pointer on the shadow call stack; if it is a return instruction and it matches the element on the top of the stack, we pop that element. When DECAF_READ_TAINTMEM_CB is invoked, we obtain from the function call stack which process, module, or function read the tainted data.
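The shadow-call-stack and attribution logic described above, as an added example that is not DECAF's or the sample plugin's own code: a stand-alone C model that feeds a constructed stream of block-end and tainted-read events through the same steps (push on call, pop on a pairing ret, attribute a tainted read to the process, module and function on top of the stack). The module map, the event layout, all addresses and the module and process names are assumptions made for illustration; a real plugin gets them from the DECAF callback parameters and from VMI.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical module map, standing in for what VMI reports for a guest PC (constructed). */
typedef struct { const char *process, *module; uint32_t start, end; } module_t;
static const module_t MODULES[] = {
    {"notepad.exe", "notepad.exe", 0x01000000u, 0x01100000u},
    {"notepad.exe", "user32.dll",  0x7e400000u, 0x7e500000u},
    {"logger.exe",  "hook.dll",    0x10000000u, 0x10010000u},
};
static const module_t *find_module(uint32_t pc) {
    for (size_t i = 0; i < sizeof MODULES / sizeof MODULES[0]; i++)
        if (pc >= MODULES[i].start && pc < MODULES[i].end) return &MODULES[i];
    return NULL;
}

/* Assumed event shape: a block-end event carries the block's last instruction,
 * a tainted-read event carries the PC of the instruction doing the read. */
typedef enum { INSN_OTHER, INSN_CALL, INSN_RET } insn_t;
typedef enum { EV_BLOCK_END, EV_READ_TAINTMEM } ev_kind_t;
typedef struct {
    ev_kind_t kind;
    uint32_t cur_pc;   /* PC of the block's last instruction, or of the tainted read */
    insn_t insn;       /* block end only: kind of that last instruction */
    uint32_t insn_len; /* block end only: its length, so the call fall-through is known */
    uint32_t next_pc;  /* block end only: callee entry (call) or return target (ret) */
} event_t;

/* Shadow call stack: one frame per call seen at block end. */
#define STACK_MAX 64
typedef struct { uint32_t call_site, ret_addr, callee; } frame_t;
typedef struct { frame_t f[STACK_MAX]; int depth; int unmatched_rets; } shadow_stack_t;

/* One attributed tainted read: who (process/module) and from which function. */
#define HITS_MAX 16
typedef struct { const char *process, *module; uint32_t function, read_pc; } taint_hit_t;
typedef struct { taint_hit_t h[HITS_MAX]; int n; } hit_list_t;

static void on_block_end(shadow_stack_t *s, const event_t *e) {
    if (e->insn == INSN_CALL) {
        /* Push the call site, its expected return address and the callee entry. */
        if (s->depth < STACK_MAX)
            s->f[s->depth++] = (frame_t){e->cur_pc, e->cur_pc + e->insn_len, e->next_pc};
    } else if (e->insn == INSN_RET) {
        /* A ret pairs with the top frame when it returns to that frame's fall-through. */
        if (s->depth > 0 && s->f[s->depth - 1].ret_addr == e->next_pc) s->depth--;
        else s->unmatched_rets++;  /* unpaired ret: leave the stack alone, just count it */
    }
}

static void on_read_taintmem(const shadow_stack_t *s, const event_t *e, hit_list_t *hits) {
    const module_t *m = find_module(e->cur_pc);  /* module of the reading instruction */
    if (hits->n >= HITS_MAX) return;
    taint_hit_t *h = &hits->h[hits->n++];
    h->process  = m ? m->process : "<unknown>";
    h->module   = m ? m->module  : "<unknown>";
    h->function = s->depth > 0 ? s->f[s->depth - 1].callee : 0;  /* from the shadow stack */
    h->read_pc  = e->cur_pc;
}

/* Constructed event stream: notepad's legitimate read through user32, then a read
 * from hook.dll in a different process, followed by a ret that pairs with nothing. */
static const event_t SAMPLE[] = {
    {EV_BLOCK_END,     0x01001000u, INSN_CALL,  5, 0x7e401000u},
    {EV_READ_TAINTMEM, 0x7e401020u, INSN_OTHER, 0, 0},
    {EV_BLOCK_END,     0x7e401040u, INSN_RET,   1, 0x01001005u},
    {EV_BLOCK_END,     0x10000500u, INSN_CALL,  5, 0x10001000u},
    {EV_READ_TAINTMEM, 0x10001020u, INSN_OTHER, 0, 0},
    {EV_BLOCK_END,     0x10001040u, INSN_RET,   1, 0xdeadbeefu},
};

static shadow_stack_t g_stack;
static hit_list_t g_hits;

/* Dispatch the sample events as the callbacks would; returns the number of tainted reads seen. */
int run_sample(void) {
    memset(&g_stack, 0, sizeof g_stack);
    memset(&g_hits, 0, sizeof g_hits);
    for (size_t i = 0; i < sizeof SAMPLE / sizeof SAMPLE[0]; i++) {
        if (SAMPLE[i].kind == EV_BLOCK_END) on_block_end(&g_stack, &SAMPLE[i]);
        else on_read_taintmem(&g_stack, &SAMPLE[i], &g_hits);
    }
    return g_hits.n;
}

int main(void) {
    int n = run_sample();
    for (int i = 0; i < n; i++)
        printf("tainted keystroke read by %s / %s in function 0x%08lx (pc 0x%08lx)\n",
               g_hits.h[i].process, g_hits.h[i].module,
               (unsigned long)g_hits.h[i].function, (unsigned long)g_hits.h[i].read_pc);
    printf("unmatched rets: %d, frames left: %d\n", g_stack.unmatched_rets, g_stack.depth);
    return 0;
}
```

The second hit is the one the log step cares about: the read comes from a module in a process other than the one the keystroke was sent to. The unmatched-ret counter shows why the pairing check matters: without it, a stray ret would pop the hook.dll frame and the next tainted read would be attributed to the wrong function.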


To use keylogger detector:

1. Compile DECAF with TCG tainting and VMI enabled.

```
./configure --enable-tcg-taint --enable-vmi
make
```

2. Compile the keylogger detector plugin.

```
# cd to the plugin's source folder
./configure --decaf-path=<root directory of DECAF>
make
```

3. Use DECAF to start the guest OS and load the keylogger detector plugin.

```
# start the virtual machine from (root directory of DECAF)/i386-softmmu/
./qemu-system-i386 -monitor stdio -m 512 -netdev user,id=mynet -device rtl8139,netdev=mynet "YOUR_IMAGE"
# load the plugin
load_plugin path/to/keylogger/plugin/keylogger.so
```

4. Enable the keylogger detector. You can use the "help" command to list the commands supported by DECAF and the keylogger detector.

```
enable_keylogger_check LOCATION_OF_LOG_FILE
```

5. Turn on pointer tainting. The guest OS has to translate the scan code of every keystroke into an ASCII code, and that translation is a table lookup, so pointer tainting is needed for the taint to follow the keystroke through the lookup. To avoid the over-tainting problem, only pointer read tainting is turned on.

```
enable_tainting taint_pointers on off
```

   Enable tainting: because the virtual environment needs to translate the keyboard data read in on every keystroke into ASCII codes, and this translation is a table lookup operation, we need to turn tainting on. To avoid the over-tainting problem, we only turn on read tainting.

6. Start your suspicious program and introduce a tainted keystroke into notepad.exe.

```
taint_sendkey c
```

7. When you see 'c' in notepad.exe, you can disable the taint module check.

```
disable_keylogger_check
```

8. Now check the log to see whether the keystroke was fetched by your suspicious program. If it was, the program is keylogger malware.
