BONOMEN - Hunt for Malware Critical Process Impersonation

Overview

BOnum NOMEN - good name

Hunt for Malware Critical Process Impersonation

How it works

The purpose of this tool is to detect process name impersonation using the Damerau-Levenshtein edit distance. For example, a malware process could run under the name chr0me (note the digit 0 in place of the letter o), which makes it harder to notice that the process is possibly malicious.

To detect a process that tries to stay hidden through process name impersonation, bonomen reads all the running processes on your system and compares their names with the trusted process names you provide in a file.

The processes you trust should be listed in a file passed to bonomen at runtime with the -f command line option; otherwise bonomen looks for the default file default_procs.txt. Every process should be written on a separate line, following the format:

process name;threshold;executable path

where:

process name - the name of the process you trust, for example init

threshold - the maximum distance between process names that still counts as a match; for example, the distance between chrome and chr0me is 1.

executable path - the path to the executable of the process you trust, for example /sbin/init. This is used to check whether a process with a matching name is the whitelisted one.

Compile

In the root directory, for

  • release version, run:

cargo build --release

  • debug version, run:

cargo build

The compiled executable will be in target/release/ or target/debug/ (target\release\ or target\debug\ on Windows).

Requirements

  • Unix OS (developed and tested on Debian GNU/Linux 8 64-bit).

  • Windows OS (developed and tested on Windows 10 64-bit).

  • Rust programming language version >= 1.13.0

  • File containing system critical processes using the following format:

    process name;threshold;process executable absolute path
    

    Example:

    init;1;/sbin/init
    sshd;2;/usr/sbin/sshd
    

References & Acknowledgements
