signature: add anti_debugging_ptraceme.go sig

roikol · rafaeldtinoco · commit cd2682382cfa · 2022-10-20T22:55:13.000-03:00
diff --git a/signatures/golang/anti_debugging_ptraceme.go b/signatures/golang/anti_debugging_ptraceme.go
@@ -0,0 +1,80 @@
+package main
+
+import (
+	"fmt"
+
+	"github.com/aquasecurity/tracee/signatures/helpers"
+	"github.com/aquasecurity/tracee/types/detect"
+	"github.com/aquasecurity/tracee/types/protocol"
+	"github.com/aquasecurity/tracee/types/trace"
+)
+
+type AntiDebuggingPtraceme struct {
+	cb            detect.SignatureHandler
+	ptraceTraceMe string
+}
+
+func (sig *AntiDebuggingPtraceme) Init(cb detect.SignatureHandler) error {
+	sig.cb = cb
+	sig.ptraceTraceMe = "PTRACE_TRACEME"
+	return nil
+}
+
+func (sig *AntiDebuggingPtraceme) GetMetadata() (detect.SignatureMetadata, error) {
+	return detect.SignatureMetadata{
+		ID:          "TRC-2",
+		Version:     "1",
+		Name:        "Anti-Debugging detected",
+		Description: "A process used anti-debugging techniques to block a debugger. Malware use anti-debugging to stay invisible and inhibit analysis of their behavior.",
+		Properties: map[string]interface{}{
+			"Severity":             1,
+			"Category":             "defense-evasion",
+			"Technique":            "Debugger Evasion",
+			"Kubernetes_Technique": "",
+			"id":                   "attack-pattern--e4dc8c01-417f-458d-9ee0-bb0617c1b391",
+			"external_id":          "T1622",
+		},
+	}, nil
+}
+
+func (sig *AntiDebuggingPtraceme) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {
+	return []detect.SignatureEventSelector{
+		{Source: "tracee", Name: "ptrace", Origin: "*"},
+	}, nil
+}
+
+func (sig *AntiDebuggingPtraceme) OnEvent(event protocol.Event) error {
+
+	eventObj, ok := event.Payload.(trace.Event)
+	if !ok {
+		return fmt.Errorf("invalid event")
+	}
+
+	switch eventObj.EventName {
+
+	case "ptrace":
+		requestArg, err := helpers.GetTraceeStringArgumentByName(eventObj, "request")
+		if err != nil {
+			return err
+		}
+
+		if requestArg == sig.ptraceTraceMe {
+			metadata, err := sig.GetMetadata()
+			if err != nil {
+				return err
+			}
+			sig.cb(detect.Finding{
+				SigMetadata: metadata,
+				Event:       event,
+				Data:        nil,
+			})
+		}
+
+	}
+	return nil
+}
+
+func (sig *AntiDebuggingPtraceme) OnSignal(s detect.Signal) error {
+	return nil
+}
+func (sig *AntiDebuggingPtraceme) Close() {}
diff --git a/signatures/golang/anti_debugging_ptraceme_test.go b/signatures/golang/anti_debugging_ptraceme_test.go
@@ -0,0 +1,97 @@
+package main
+
+import (
+	"testing"
+
+	"github.com/aquasecurity/tracee/signatures/signaturestest"
+	"github.com/aquasecurity/tracee/types/detect"
+	"github.com/aquasecurity/tracee/types/trace"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestAntiDebuggingPtraceme(t *testing.T) {
+	testCases := []struct {
+		Name     string
+		Events   []trace.Event
+		Findings map[string]detect.Finding
+	}{
+		{
+			Name: "should trigger detection",
+			Events: []trace.Event{
+				{
+					EventName: "ptrace",
+					Args: []trace.Argument{
+						{
+							ArgMeta: trace.ArgMeta{
+								Name: "request",
+							},
+							Value: interface{}("PTRACE_TRACEME"),
+						},
+					},
+				},
+			},
+			Findings: map[string]detect.Finding{
+				"TRC-2": {
+					Data: nil,
+					Event: trace.Event{
+						EventName: "ptrace",
+						Args: []trace.Argument{
+							{
+								ArgMeta: trace.ArgMeta{
+									Name: "request",
+								},
+								Value: interface{}("PTRACE_TRACEME"),
+							},
+						},
+					}.ToProtocol(),
+					SigMetadata: detect.SignatureMetadata{
+						ID:          "TRC-2",
+						Version:     "1",
+						Name:        "Anti-Debugging detected",
+						Description: "A process used anti-debugging techniques to block a debugger. Malware use anti-debugging to stay invisible and inhibit analysis of their behavior.",
+						Properties: map[string]interface{}{
+							"Severity":             1,
+							"Category":             "defense-evasion",
+							"Technique":            "Debugger Evasion",
+							"Kubernetes_Technique": "",
+							"id":                   "attack-pattern--e4dc8c01-417f-458d-9ee0-bb0617c1b391",
+							"external_id":          "T1622",
+						},
+					},
+				},
+			},
+		},
+		{
+			Name: "should not trigger detection - wrong request",
+			Events: []trace.Event{
+				{
+					EventName: "ptrace",
+					Args: []trace.Argument{
+						{
+							ArgMeta: trace.ArgMeta{
+								Name: "request",
+							},
+							Value: interface{}("PTRACE_PEEKTEXT"),
+						},
+					},
+				},
+			},
+			Findings: map[string]detect.Finding{},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.Name, func(t *testing.T) {
+			holder := signaturestest.FindingsHolder{}
+			sig := AntiDebuggingPtraceme{}
+			sig.Init(holder.OnFinding)
+
+			for _, e := range tc.Events {
+				err := sig.OnEvent(e.ToProtocol())
+				require.NoError(t, err)
+			}
+			assert.Equal(t, tc.Findings, holder.GroupBySigID())
+		})
+	}
+}
diff --git a/signatures/golang/export.go b/signatures/golang/export.go
@@ -24,4 +24,5 @@ var ExportedSignatures = []detect.Signature{
 	&ProcKcoreRead{},
 	&ProcMemAccess{},
 	&HiddenFileCreated{},
+	&AntiDebuggingPtraceme{},
 }

Original file line number	Diff line number	Diff line change
`@@ -24,4 +24,5 @@ var ExportedSignatures = []detect.Signature{`
`24`	`24`	`&ProcKcoreRead{},`
`25`	`25`	`&ProcMemAccess{},`
`26`	`26`	`&HiddenFileCreated{},`
	`27`	`+ &AntiDebuggingPtraceme{},`
`27`	`28`	`}`