mace 0.1.4

Automated extration of malware configuration, focusing on C2 communication
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93

mod counter;
mod prefix;
mod primes;
mod rules;
mod tld;

use anyhow::Result;
use exe::{PEType, VecPE};

use crate::{
    configuration::MalwareConfiguration,
    extractor::dmsniff::{
        counter::extract_counter_from_call_dga_func, prefix::extract_prefix_from_dga_function,
        primes::extract_primes_from_dga_function, tld::extract_tlds_from_dga_func,
    },
    utils::generate_function_overview,
};

pub fn extract(sample_data: &[u8]) -> Result<MalwareConfiguration> {
    let pe = VecPE::from_data(PEType::Disk, sample_data);
    let mut function_overview = generate_function_overview(&pe)?;

    // sort functions by size (average size of the dga function is 447 bytes) for better
    // performance
    function_overview.sort_by(|f1, f2| {
        f1.data
            .len()
            .abs_diff(447)
            .cmp(&f2.data.len().abs_diff(447))
    });

    let mut primes = vec![];
    let mut prefix = String::new();
    let mut counter = 0;
    let mut tlds = vec![];

    let mut found = false;

    for dga_func in &function_overview {
        // try extract primes from function
        if let Ok(tmp_primes) = extract_primes_from_dga_function(&pe, &dga_func.data) {
            primes = tmp_primes;

            // extract prefix and tlds from dga function
            prefix = extract_prefix_from_dga_function(&pe, &dga_func.data)?;
            tlds = extract_tlds_from_dga_func(&pe, dga_func)?;

            // find function that calls the dga function
            for f in function_overview
                .iter()
                .filter(|f| f.function_calls.contains(&dga_func.address))
            {
                // try extract the number of domains generated from function
                if let Ok(tmp_counter) = extract_counter_from_call_dga_func(&pe, &f.data) {
                    counter = tmp_counter;
                    break;
                }
            }
            found = true;
            break;
        }
    }

    if !found {
        return Err(anyhow::anyhow!("Could not find dga function"));
    }

    // create malware config from sample data
    let mut config = MalwareConfiguration::from((sample_data, "DMSniff"));

    config
        .data
        .dga_parameters
        .number_sequences
        .insert("primes".to_string(), primes);
    config
        .data
        .dga_parameters
        .strings
        .insert("prefix".to_string(), prefix);
    config
        .data
        .dga_parameters
        .magic_numbers
        .insert("counter".to_string(), counter.into());
    config
        .data
        .dga_parameters
        .string_sequences
        .insert("tlds".to_string(), tlds);

    Ok(config)
}