BONOMEN - Hunt for Malware Critical Process Impersonation

Related tags

Security tools windows unix malware-analysis malware-research
Overview

BOnum NOMEN - good name

Hunt for Malware Critical Process Impersonation

How it works

The purpose of this tool is to detect process name impersonation using Damerau-Levenshtein algorithm. For example, a malware process could run under the name chr0me (note the 0 not o), thus observing that it's a possibly malicious process becomes harder.

To detect a process that tries to become stealth by process name impersonation, bonomen reads all the running processes on your system and compares their names with the processes(that you) provided in a file.

The processes you trust should be included in a file provided to bonomen at runtime with -f command line option, otherwise bonomen searches for the default file default_procs.txt. Every process should be written on a separate line, following the format:

process name;threshold;executable path

where:

process name - is the name of the process you trust, for example init

threshold - is the maximum distance between process names, for example between chrome and chr0me the distance is 1.

executable path - is the path to the executable of the process you trust, for example /sbin/init. This is used to check for processes that may be whitelisted.

Compile

In the root directory, for

  • release version, run:

cargo build --release

  • debug version, run:

cargo build

The compiled executable will be in target\{release|debug}\

Requirements

  • Unix OS (developed and tested on Debian GNU/Linux 8 64-bit).

  • Windows OS (developed and tested on Windows 10 64-bit).

  • Rust programming language version >= 1.13.0

  • File containing system critical processes using the following format:

    process name;threshold;process executable absolute path

    Example:

    init;1;/sbin/init
sshd;2;/usr/sbin/sshd

References & Acknowledgements

You might also like...
SCEMU The crates.io lib, x86 cpu and systems emulator focused mainly for anti-malware

SCEMU Usage Download the maps32.zip or maps64.zip from: https://github.com/sha0coder/scemu/releases/download/maps/maps32.zip https://github.com/sha0co

sha0coder 11 Dec 25, 2022
x86-64 Malware Crypter built in Rust for Windows with Anti-VM, powered by memexec

Rust Crypter x86-64 Malware Crypter built in Rust for Windows with Anti-VM, powered by memexec Usage Put your Portable Executable in /crypt/ and renam

Daniel Ballard 10 May 28, 2023
RustRedOps is a repository dedicated to gathering and sharing advanced techniques and malware for Red Team, with a specific focus on the Rust programming language. (In Construction)

RustRedOps In Construction.... The project is still under development Overview RustRedOps is a repository that houses various tools and projects relat

João Victor 17 Dec 14, 2023
secmem-proc is a crate designed to harden a process against low-privileged attackers running on the same system trying to obtain secret memory contents of the current process.

secmem-proc is a crate designed to harden a process against low-privileged attackers running on the same system trying to obtain secret memory contents of the current process. More specifically, the crate disables core dumps and tries to disable tracing on unix-like OSes.

null 3 Dec 19, 2022
A Rust on-site channel benchmarking helper. Inter-Process (async / busy) & Intra-Process (async single threaded / async multi threaded)

On-Site Rust Channel Benchmarking Helper Deploy on server to determine which public crates are the fastest for communicating in different architecture

null 23 Jul 9, 2024
Business Process eXecution Engine

BPXE (Business Process eXecution Engine) BPMN 2.0 based business process execution engine implemented in Rust. BPMN stands for Business Process Model

BPXE 36 Oct 28, 2022
Fuse filesystem that returns symlinks to executables based on the PATH of the requesting process.

Envfs Fuse filesystem that returns symlinks to executables based on the PATH of the requesting process. This is useful to execute shebangs on NixOS th

Jörg Thalheim 98 Jan 2, 2023
Task runner and process manager for Rust
Task runner and process manager for Rust

Steward Task runner and process manager for Rust. If you're not happy managing your infrastructure with a pile of bash scripts, this crate might be he

Alex Fedoseev 24 Dec 26, 2022
A cross-platform graphical process/system monitor with a customizable interface and a multitude of features
A cross-platform graphical process/system monitor with a customizable interface and a multitude of features

A cross-platform graphical process/system monitor with a customizable interface and a multitude of features. Supports Linux, macOS, and Windows. Inspired by both gtop and gotop.

Clement Tsang 5.8k Jan 8, 2023
Utility to run a regtest bitcoind process, useful in integration testing environment

Bitcoind Utility to run a regtest bitcoind process, useful in integration testing environment. use bitcoincore_rpc::RpcApi; let bitcoind = bitcoind::B

Riccardo Casatta 14 Jan 3, 2023
MiniDump a process in memory with rust

safetydump Rust in-memory MiniDump implementation. Features ntdll!NtGetNextProcess to obtain a handle for the desired ProcessId as opposed to kernel32

null 26 Oct 11, 2022
Structure-aware, in-process, coverage-guided, evolutionary fuzzing engine for Rust functions.

fuzzcheck Fuzzcheck is a structure-aware, in-process, coverage-guided, evolutionary fuzzing engine for Rust functions. Given a function test: (T) - b

Loïc Lecrenier 394 Dec 20, 2022
🚧 (Alpha stage software) Binary that supports remote filesystem and process operations. 🚧

distant Binary to connect with a remote machine to edit files and run programs. 🚧 (Alpha stage software) This program is in rapid development and may

Chip Senkbeil 296 Dec 28, 2022
Process killer daemon for out-of-memory scenarios

bustd: Available memory or bust! bustd is a lightweight process killer daemon for out-of-memory scenarios for Linux! Features Small memory usage! bust

Vinícius Miguel 188 Dec 14, 2022
Rust single-process scheduling. Ported from schedule for Python

Rust single-process scheduling. Ported from schedule for Python, in turn inspired by clockwork (Ruby), and "Rethinking Cron" by Adam Wiggins.

Ben Lovy 13 May 30, 2022
This is a simple Telegram bot with interface to Firefly III to process and store simple transactions.
This is a simple Telegram bot with interface to Firefly III to process and store simple transactions.

Firefly Telegram Bot Fireflies are free, so beautiful. (Les lucioles sont libres, donc belles.) ― Charles de Leusse, Les Contes de la nuit This is a s

null 13 Dec 14, 2022
Rust wrapper for Eclipse iceoryx™ - true zero-copy inter-process-communication
Rust wrapper for Eclipse iceoryx™ - true zero-copy inter-process-communication

iceoryx-rs Experimental rust wrapper for the iceoryx IPC middleware. clone and build The iceoryx repo is include as git submodule, therefore keep in m

null 43 Jan 4, 2023
CLI tools to process cryptocurrency data

crypto-cli-tools A collection of CLI tools to process cryptocurrency data. Install: RUSTFLAGS="-C target-cpu=native" cargo install crypto-cli-tools cr

soulmachine 2 Mar 23, 2022
argmax is a library that allows Rust applications to avoid Argument list too long errors (E2BIG) by providing a std::process::Command wrapper with a

argmax argmax is a library that allows Rust applications to avoid Argument list too long errors (E2BIG) by providing a std::process::Command wrapper w

David Peter 22 Nov 20, 2022
Owner
panda bear
nothing interesting
panda bear
GitHub
Checks whether the process is running as root/sudo/admin permission in Windows and Unix systems

Is_sudo Checks if program is running as sudo in unix systems, or using admin permission in windows. Usage use is_sudo::check; use is_sudo::RunningAs;

Spark 2 Aug 12, 2022
Process injection through entry points hijacking.

EPI EPI (Entry Point Injection) is a tool that leverages a new threadless process injection technique that relies on hijacking loaded dll's entry poin

Kurosh Dabbagh Escalante 208 Jun 16, 2023
Easy c̵̰͠r̵̛̠ö̴̪s̶̩̒s̵̭̀-t̶̲͝h̶̯̚r̵̺͐e̷̖̽ḁ̴̍d̶̖̔ ȓ̵͙ė̶͎ḟ̴͙e̸̖͛r̶̖͗ë̶̱́ṉ̵̒ĉ̷̥e̷͚̍ s̷̹͌h̷̲̉a̵̭͋r̷̫̊ḭ̵̊n̷̬͂g̵̦̃ f̶̻̊ơ̵̜ṟ̸̈́ R̵̞̋ù̵̺s̷̖̅ţ̸͗!̸̼͋

Rust S̵̓i̸̓n̵̉ I̴n̴f̶e̸r̵n̷a̴l mutability! Howdy, friendly Rust developer! Ever had a value get m̵̯̅ð̶͊v̴̮̾ê̴̼͘d away right under your nose just when

null 294 Dec 23, 2022
Rapidly Search and Hunt through Windows Event Logs

Rapidly Search and Hunt through Windows Event Logs Chainsaw provides a powerful ‘first-response’ capability to quickly identify threats within Windows

F-Secure Countercept 1.8k Dec 31, 2022
Ed25519 suitable for use in consensus-critical contexts.

Ed25519 for consensus-critical contexts This library provides an Ed25519 implementation with validation rules intended for consensus-critical contexts

Penumbra 33 Dec 29, 2022
Rapidly Search and Hunt through Windows Event Logs

Rapidly Search and Hunt through Windows Event Logs Chainsaw provides a powerful ‘first-response’ capability to quickly identify threats within Windows

F-Secure Countercept 1.8k Dec 28, 2022
An easily deployable service to monitor mission-critical SPL token accounts

Vault watcher Monitoring critical spl-token accounts in real time Table of contents Introduction Usage Configuration Configuration examples Grafana In

null 21 Nov 29, 2022
Source code of Ferrocene, safety-critical Rust toolchain

Ferrocene is a toolchain to enable the use of the Rust programming language in safety-critical environments. It is a proper downstream of the main Rus

Ferrocene 530 Oct 7, 2023
Shuttle.rs Christmas Code Hunt 2023

?? Shuttle.rs Christmas Code Hunt 2023 Submissions ?? These are my submissions for the Christmas Code Hunt hosted by shuttle.rs This is using a custom

null 4 Dec 7, 2023
A minimalistic cross-platform malware scanner with non-blocking realtime filesystem monitoring using YARA rules.

Sauron is a minimalistic, YARA based malware scanner with realtime filesystem monitoring written in Rust. Features Realtime scan of created and modifi

Simone Margaritelli 155 Dec 26, 2022