signature: add ptrace_code_injection.go sig

roikol · rafaeldtinoco · commit cc469cbd8df3 · 2022-10-20T22:55:13.000-03:00
diff --git a/signatures/golang/export.go b/signatures/golang/export.go
@@ -25,4 +25,5 @@ var ExportedSignatures = []detect.Signature{
 	&ProcMemAccess{},
 	&HiddenFileCreated{},
 	&AntiDebuggingPtraceme{},
+	&PtraceCodeInjection{},
 }
diff --git a/signatures/golang/ptrace_code_injection.go b/signatures/golang/ptrace_code_injection.go
@@ -0,0 +1,80 @@
+package main
+
+import (
+	"fmt"
+
+	"github.com/aquasecurity/tracee/signatures/helpers"
+	"github.com/aquasecurity/tracee/types/detect"
+	"github.com/aquasecurity/tracee/types/protocol"
+	"github.com/aquasecurity/tracee/types/trace"
+)
+
+type PtraceCodeInjection struct {
+	cb             detect.SignatureHandler
+	ptracePokeText string
+}
+
+func (sig *PtraceCodeInjection) Init(cb detect.SignatureHandler) error {
+	sig.cb = cb
+	sig.ptracePokeText = "PTRACE_POKETEXT"
+	return nil
+}
+
+func (sig *PtraceCodeInjection) GetMetadata() (detect.SignatureMetadata, error) {
+	return detect.SignatureMetadata{
+		ID:          "TRC-3",
+		Version:     "1",
+		Name:        "Code injection detected using ptrace",
+		Description: "Possible code injection into another process was detected. Code injection is an exploitation technique used to run malicious code, adversaries may use it in order to execute their malware.",
+		Properties: map[string]interface{}{
+			"Severity":             3,
+			"Category":             "defense-evasion",
+			"Technique":            "Ptrace System Calls",
+			"Kubernetes_Technique": "",
+			"id":                   "attack-pattern--ea016b56-ae0e-47fe-967a-cc0ad51af67f",
+			"external_id":          "T1055.008",
+		},
+	}, nil
+}
+
+func (sig *PtraceCodeInjection) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {
+	return []detect.SignatureEventSelector{
+		{Source: "tracee", Name: "ptrace", Origin: "*"},
+	}, nil
+}
+
+func (sig *PtraceCodeInjection) OnEvent(event protocol.Event) error {
+
+	eventObj, ok := event.Payload.(trace.Event)
+	if !ok {
+		return fmt.Errorf("invalid event")
+	}
+
+	switch eventObj.EventName {
+
+	case "ptrace":
+		requestArg, err := helpers.GetTraceeStringArgumentByName(eventObj, "request")
+		if err != nil {
+			return err
+		}
+
+		if requestArg == sig.ptracePokeText {
+			metadata, err := sig.GetMetadata()
+			if err != nil {
+				return err
+			}
+			sig.cb(detect.Finding{
+				SigMetadata: metadata,
+				Event:       event,
+				Data:        nil,
+			})
+		}
+
+	}
+	return nil
+}
+
+func (sig *PtraceCodeInjection) OnSignal(s detect.Signal) error {
+	return nil
+}
+func (sig *PtraceCodeInjection) Close() {}
diff --git a/signatures/golang/ptrace_code_injection_test.go b/signatures/golang/ptrace_code_injection_test.go
@@ -0,0 +1,97 @@
+package main
+
+import (
+	"testing"
+
+	"github.com/aquasecurity/tracee/signatures/signaturestest"
+	"github.com/aquasecurity/tracee/types/detect"
+	"github.com/aquasecurity/tracee/types/trace"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestPtraceCodeInjection(t *testing.T) {
+	testCases := []struct {
+		Name     string
+		Events   []trace.Event
+		Findings map[string]detect.Finding
+	}{
+		{
+			Name: "should trigger detection",
+			Events: []trace.Event{
+				{
+					EventName: "ptrace",
+					Args: []trace.Argument{
+						{
+							ArgMeta: trace.ArgMeta{
+								Name: "request",
+							},
+							Value: interface{}("PTRACE_POKETEXT"),
+						},
+					},
+				},
+			},
+			Findings: map[string]detect.Finding{
+				"TRC-3": {
+					Data: nil,
+					Event: trace.Event{
+						EventName: "ptrace",
+						Args: []trace.Argument{
+							{
+								ArgMeta: trace.ArgMeta{
+									Name: "request",
+								},
+								Value: interface{}("PTRACE_POKETEXT"),
+							},
+						},
+					}.ToProtocol(),
+					SigMetadata: detect.SignatureMetadata{
+						ID:          "TRC-3",
+						Version:     "1",
+						Name:        "Code injection detected using ptrace",
+						Description: "Possible code injection into another process was detected. Code injection is an exploitation technique used to run malicious code, adversaries may use it in order to execute their malware.",
+						Properties: map[string]interface{}{
+							"Severity":             3,
+							"Category":             "defense-evasion",
+							"Technique":            "Ptrace System Calls",
+							"Kubernetes_Technique": "",
+							"id":                   "attack-pattern--ea016b56-ae0e-47fe-967a-cc0ad51af67f",
+							"external_id":          "T1055.008",
+						},
+					},
+				},
+			},
+		},
+		{
+			Name: "should not trigger detection - wrong request",
+			Events: []trace.Event{
+				{
+					EventName: "ptrace",
+					Args: []trace.Argument{
+						{
+							ArgMeta: trace.ArgMeta{
+								Name: "request",
+							},
+							Value: interface{}("PTRACE_PEEKTEXT"),
+						},
+					},
+				},
+			},
+			Findings: map[string]detect.Finding{},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.Name, func(t *testing.T) {
+			holder := signaturestest.FindingsHolder{}
+			sig := PtraceCodeInjection{}
+			sig.Init(holder.OnFinding)
+
+			for _, e := range tc.Events {
+				err := sig.OnEvent(e.ToProtocol())
+				require.NoError(t, err)
+			}
+			assert.Equal(t, tc.Findings, holder.GroupBySigID())
+		})
+	}
+}

Original file line number	Diff line number	Diff line change
`@@ -25,4 +25,5 @@ var ExportedSignatures = []detect.Signature{`
`25`	`25`	`&ProcMemAccess{},`
`26`	`26`	`&HiddenFileCreated{},`
`27`	`27`	`&AntiDebuggingPtraceme{},`
	`28`	`+ &PtraceCodeInjection{},`
`28`	`29`	`}`