authorToni <matzeton@googlemail.com>2024-04-05 14:43:28 +0200
committerGitHub <noreply@github.com>2024-04-05 14:43:28 +0200
commit0f77f49b770a379bf54870a17462c73ae4db0dca (patch)
treedc5b19bfbff0be262717ce4dafc68eb1fe94a28e
parent99e521eaf8b79ef38764edc204ae588f15ea2291 (diff)
Add PE32/PE32+ risk detection (detect transmitted windows executables). (#2312)
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
-rw-r--r--src/lib/ndpi_main.c42
-rw-r--r--tests/cfgs/default/pcap/portable_executable.pcapbin0 -> 25564 bytes
-rw-r--r--tests/cfgs/default/result/portable_executable.pcap.out37
3 files changed, 79 insertions, 0 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 7e277d121..1ebc851e1 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -8160,6 +8160,44 @@ static int ndpi_is_ntop_protocol(ndpi_protocol *ret) {
/* ********************************************************************************* */
+/* PE32/PE32+ format specs: https://learn.microsoft.com/en-us/windows/win32/debug/pe-format */
+static void ndpi_search_portable_executable(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow)
+{
+ struct ndpi_packet_struct const * const packet = &ndpi_struct->packet;
+ static const uint16_t dos_signature = 0x4d5a; /* MZ */
+ static const uint32_t pe_signature = 0x50450000; /* PE */
+
+ NDPI_LOG_DBG(ndpi_struct, "search Portable Executable (PE) file\n");
+
+ if (flow->packet_counter > 5)
+ {
+ return;
+ }
+
+ if (packet->payload_packet_len < 0x3C /* offset to PE header */ + 4)
+ {
+ return;
+ }
+
+ if (ntohs(get_u_int16_t(packet->payload, 0)) != dos_signature)
+ {
+ return;
+ }
+
+ uint32_t const pe_offset = le32toh(get_u_int32_t(packet->payload, 0x3C));
+ if (packet->payload_packet_len <= pe_offset + 4 ||
+ be32toh(get_u_int32_t(packet->payload, pe_offset)) != pe_signature)
+ {
+ return;
+ }
+
+ NDPI_LOG_INFO(ndpi_struct, "found Portable Executable (PE) file\n");
+ ndpi_set_risk(flow, NDPI_BINARY_APPLICATION_TRANSFER, "Portable Executable (PE32/PE32+) found");
+}
+
+/* ********************************************************************************* */
+
static int ndpi_check_protocol_port_mismatch_exceptions(default_ports_tree_node_t *expected_proto,
ndpi_protocol *returned_proto) {
/*
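Review bot: The bounds check at `if (packet->payload_packet_len <= pe_offset + 4 ||` can be defeated by unsigned wraparound: `pe_offset` is a 32-bit value taken directly from the payload, so a value near `UINT32_MAX` makes `pe_offset + 4` wrap to a small number, the comparison passes, and `get_u_int32_t(packet->payload, pe_offset)` on the following line reads far outside the packet buffer. Putting the arithmetic on the side whose range is already known avoids this: `if (pe_offset >= (uint32_t)packet->payload_packet_len - 4 ||` — the subtraction cannot underflow because the earlier `payload_packet_len < 0x3C + 4` check already guarantees at least 0x40 bytes of payload, and the condition is equivalent to the original whenever no wrap occurs. Since `payload_packet_len` is presumably a narrow (16-bit) field, the cast keeps the comparison in `uint32_t` rather than relying on the usual promotions. A short comment on the two `static const` signatures, e.g. `/* "MZ" and "PE\0\0" as they appear in the file; compared after conversion to host order */`, would also spare the next reader the trip to the spec.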
@@ -8553,6 +8591,10 @@ static ndpi_protocol ndpi_internal_detection_process_packet(struct ndpi_detectio
flow->first_pkt_fully_encrypted = fully_enc_heuristic(ndpi_str, flow);
}
+ if(ret.app_protocol == NDPI_PROTOCOL_UNKNOWN) {
+ ndpi_search_portable_executable(ndpi_str, flow);
+ }
+
return(ret);
}
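Review bot: The new branch `if(ret.app_protocol == NDPI_PROTOCOL_UNKNOWN)` has no comment explaining why the PE scan is limited to flows that still have no application protocol, which a maintainer later adding a similar heuristic would want to know; something like `/* Last-resort payload heuristic: only run on flows no dissector has classified */` above the branch would do. The enclosing function `ndpi_internal_detection_process_packet` begins outside the hunk, so I cannot tell whether `ret` may already carry a guessed-by-port protocol at this point; if it can, the comment should state that the guess does not suppress the scan, which the added test output appears to confirm for the DNS-by-port flow.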
diff --git a/tests/cfgs/default/pcap/portable_executable.pcap b/tests/cfgs/default/pcap/portable_executable.pcap
new file mode 100644
index 000000000..5f13f87fb
--- /dev/null
+++ b/tests/cfgs/default/pcap/portable_executable.pcap
Binary files differ
diff --git a/tests/cfgs/default/result/portable_executable.pcap.out b/tests/cfgs/default/result/portable_executable.pcap.out
new file mode 100644
index 000000000..223f46309
--- /dev/null
+++ b/tests/cfgs/default/result/portable_executable.pcap.out
@@ -0,0 +1,37 @@
+Guessed flow protos: 1
+
+DPI Packets (TCP): 30 (15.00 pkts/flow)
+Confidence Unknown : 1 (flows)
+Confidence Match by port : 1 (flows)
+Num dissector calls: 504 (252.00 diss/flow)
+LRU cache ookla: 0/0/0 (insert/search/found)
+LRU cache bittorrent: 0/6/0 (insert/search/found)
+LRU cache zoom: 0/0/0 (insert/search/found)
+LRU cache stun: 0/0/0 (insert/search/found)
+LRU cache tls_cert: 0/0/0 (insert/search/found)
+LRU cache mining: 0/2/0 (insert/search/found)
+LRU cache msteams: 0/0/0 (insert/search/found)
+LRU cache stun_zoom: 0/0/0 (insert/search/found)
+Automa host: 0/0 (search/found)
+Automa domain: 0/0 (search/found)
+Automa tls cert: 0/0 (search/found)
+Automa risk mask: 0/0 (search/found)
+Automa common alpns: 0/0 (search/found)
+Patricia risk mask: 2/0 (search/found)
+Patricia risk mask IPv6: 0/0 (search/found)
+Patricia risk: 0/0 (search/found)
+Patricia risk IPv6: 0/0 (search/found)
+Patricia protocols: 4/0 (search/found)
+Patricia protocols IPv6: 0/0 (search/found)
+
+Unknown 15 12160 1
+DNS 15 12154 1
+
+Acceptable 15 12154 1
+Unrated 15 12160 1
+
+ 1 TCP 64.227.107.71:53 <-> 172.16.99.10:49652 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 15][cat: Network/14][11 pkts/11914 bytes <-> 4 pkts/240 bytes][Goodput ratio: 95/0][0.37 sec][::][bytes ratio: 0.961 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 40/182 362/364 114/182][Pkt Len c2s/s2c min/avg/max/stddev: 58/60 1083/60 1310/60 481/0][Risk: ** Binary App Transfer **** Malformed Packet **][Risk Score: 160][Risk Info: Invalid DNS Header / Portable Executable (PE32/PE32+) found][PLAIN TEXT (This program cannot be run in D)][Plen Bins: 10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,90,0,0,0,0,0,0,0,0]
+
+
+Undetected flows:
+ 1 TCP 172.16.99.201:1732 <-> 64.227.107.71:4444 [proto: 0/Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][DPI packets: 15][4 pkts/246 bytes <-> 11 pkts/11914 bytes][Goodput ratio: 0/95][0.73 sec][bytes ratio: -0.960 (Download)][IAT c2s/s2c min/avg/max/stddev: 329/0 364/45 398/398 34/125][Pkt Len c2s/s2c min/avg/max/stddev: 60/58 62/1083 66/1310 3/481][Risk: ** Binary App Transfer **][Risk Score: 150][Risk Info: Portable Executable (PE32/PE32+) found][PLAIN TEXT (This program cannot be run in D)][Plen Bins: 10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,90,0,0,0,0,0,0,0,0]