Merge recent annotation additions into main (#19)

* Tweaks

* Tweaks

* Suggest fuzzing option

* Tweaks dictionary

* Improve pe annotations

* Bump version

* Added authz api for PE

* Update packages

* Bug fix

* Bug fix

* Bug fix

* Symbols metadata enhancements

* Use python 3.10

* Package updates

* Package updates

* Package updates

* Bug fix for packed x86_64 executables

* Readme update

* Github actions

* Github actions

* Github actions

* Github actions

* Github actions

* Update packages

* Update packages

* Package updates

Signed-off-by: Prabhu Subramanian <[email protected]>

* Update packages

Signed-off-by: Prabhu Subramanian <[email protected]>

* monero wip

Signed-off-by: Prabhu Subramanian <[email protected]>

* initial commit

* initial commit

* Update project website

* initial commit

Signed-off-by: Caroline Russell <[email protected]>

* Banshee and Nidhogg Annotations (#18)

* initial commit

* Updated summaries and fixed indentation.

* Updated nidhogg ID

---------

Signed-off-by: Prabhu Subramanian <[email protected]>
Signed-off-by: Caroline Russell <[email protected]>
Co-authored-by: Prabhu Subramanian <[email protected]>
Co-authored-by: Prabhu Subramanian <[email protected]>
Co-authored-by: Prabhu Subramanian <[email protected]>
Co-authored-by: Caroline Russell <[email protected]>

Author: 4 people

.github/workflows/linux.yml

@@ -48,4 +48,4 @@ jobs:
       with:
         files: |
           blint/dist/blint
-          blint/dist/blint.sha256
+          blint/dist/blint.sha256

.github/workflows/win.yml

@@ -43,4 +43,4 @@ jobs:
       with:
         files: |
           blint/dist/blint.exe
-          blint/dist/blint.exe.sha256
+          blint/dist/blint.exe.sha256

blint/data/annotations/review_monero_rust

@@ -0,0 +1,31 @@
+---
+text: Review for Monero identified in a binary produced by cargo build
+group: SYMBOL_REVIEWS
+exe_type: genericbinary
+rules:
+  - id: MONERO_API_RUST
+    title: Detect monero API
+    summary: 
+    description: |
+      Monero is a cryptocurrency focused on private and censorship-resistant transactions.
+    patterns:
+      - blockdata::block::Block
+      - blockdata::block::BlockHeader
+      - blockdata::transaction::OwnedTxOut
+      - blockdata::transaction::Transaction
+      - blockdata::transaction::TransactionPrefix
+      - blockdata::transaction::TxIn
+      - blockdata::transaction::TxOut
+      - consensus_encode
+      - consensus_decode
+      - cryptonote::hash::Hash
+      - monero::blockdata::transaction::Transaction
+      - monero::consensus::encode::deserialize
+      - monero::util::key
+      - Network::Mainnet
+      - Network::Stagenet
+      - util::amount::SignedAmount
+      - MONERO_MUL_FACTOR
+      - consensus::encode::Encodable
+      - TxOutTarget
+      - tx_pubkey

blint/data/annotations/review_rootkits_win.yml

@@ -0,0 +1,178 @@
+---
+text: Review for Windows rootkits
+group: METHOD_REVIEWS
+exe_type:
+  - x86_64-executable
+rules:
+  - id: BANSHEE
+    title: Detect Banshee
+    summary: Patches Kernel to Gain Privileged Access
+    description: |
+      Banshee is an experimental Windows x64 Kernel Driver/Rootkit.
+    patterns:
+      - banshee.Banshee
+      - banshee.deviceName
+      - banshee.driverPath
+      - banshee.hDevice
+      - banshee.hSCManager
+      - banshee.hService
+      - banshee.Initialize
+      - banshee.Install
+      - banshee.InstallDriver
+      - banshee.IoCtlBuryProcess
+      - banshee.IoCtlElevateProcessAccessToken
+      - banshee.IoCtlEnumerateCallbacks
+      - banshee.IoCtlHideProcess
+      - banshee.IoCtlKillProcess
+      - banshee.IoCtlProtectProcess
+      - banshee.IoCtlTestDriver
+      - banshee.serviceDescription
+      - banshee.serviceName
+      - banshee.StartDriver
+      - banshee.Unload
+      - BANSHEE_STATUS
+      - BE_IOCTL_BURY_PROCESS
+      - BE_IOCTL_ELEVATE_TOKEN
+      - BE_IOCTL_ENUMERATE_PROCESS_CALLBACKS
+      - BE_IOCTL_ENUMERATE_THREAD_CALLBACKS
+      - BE_IOCTL_HIDE_PROCESS
+      - BE_IOCTL_KILL_PROCESS
+      - BE_IOCTL_PROTECT_PROCESS
+      - BE_IOCTL_TEST_DRIVER
+      - BeBury_ProcessNotifyRoutineEx
+      - BeEnumerateDrivers
+      - BeEnumerateKernelCallbacks
+      - BeGetAccessTokenOffset
+      - BeGetDriverForAddress
+      - BeGetEprocessByPid
+      - BeGetEprocessProcessProtectionOffset
+      - BeGetKernelBaseAddr
+      - BeGetKernelCallbackArrayAddr
+      - BeGetProcessLinkedListOffset
+      - BeGlobals::beBuryMutex
+      - BeGlobals::beBuryTargetProcesses
+      - BeInitGlobals
+      - BeGlobals::driverObject
+      - BeGlobals::NtOsKrnlAddr
+      - BeIoControl
+      - BeIoctlBuryProcess
+      - BeIoCtlElevateProcessAcessToken
+      - BeIoctlEnumerateCallbacks
+      - BeIoctlHideProcess
+      - BeIoctlKillProcess
+      - BeIoctlProtectProcess
+      - BeIoctlTestDriver
+      - BeIsStringNull
+      - BeIsStringTerminated
+      - BeUnSupportedFunction
+
+  - id: NIDHOGG
+    title: Detect Nidhogg
+    summary: Provides Tools for Gaining Privileged Access and Injecting Malicious Code
+    description: |
+      Nidhogg is a multi-functional rootkit.
+    patterns:
+      - CmCallback
+      - CmCallbacksList
+      - IOCTL_NIDHOGG_CLEAR_FILE_PROTECTION
+      - IOCTL_NIDHOGG_CLEAR_PROCESS_PROTECTION
+      - IOCTL_NIDHOGG_CLEAR_REGITEMS
+      - IOCTL_NIDHOGG_CLEAR_THREAD_PROTECTION
+      - IOCTL_NIDHOGG_ELEVATE_PROCESS
+      - IOCTL_NIDHOGG_ENABLE_DISABLE_ETWTI
+      - IOCTL_NIDHOGG_HIDE_PROCESS
+      - IOCTL_NIDHOGG_HIDE_THREAD
+      - IOCTL_NIDHOGG_INJECT_DLL
+      - IOCTL_NIDHOGG_INJECT_SHELLCODE
+      - IOCTL_NIDHOGG_LIST_OBCALLBACKS
+      - IOCTL_NIDHOGG_LIST_PSROUTINES
+      - IOCTL_NIDHOGG_LIST_REGCALLBACKS
+      - IOCTL_NIDHOGG_PATCH_MODULE
+      - IOCTL_NIDHOGG_PROTECT_FILE
+      - IOCTL_NIDHOGG_PROTECT_PROCESS
+      - IOCTL_NIDHOGG_PROTECT_REGITEM
+      - IOCTL_NIDHOGG_PROTECT_THREAD
+      - IOCTL_NIDHOGG_QUERY_FILES
+      - IOCTL_NIDHOGG_QUERY_PROTECTED_PROCESSES
+      - IOCTL_NIDHOGG_QUERY_PROTECTED_THREADS
+      - IOCTL_NIDHOGG_QUERY_REGITEMS
+      - IOCTL_NIDHOGG_READ_DATA
+      - IOCTL_NIDHOGG_REMOVE_CALLBACK
+      - IOCTL_NIDHOGG_RESTORE_CALLBACK
+      - IOCTL_NIDHOGG_SET_PROCESS_SIGNATURE_LEVEL
+      - IOCTL_NIDHOGG_UNHIDE_PROCESS
+      - IOCTL_NIDHOGG_UNPROTECT_FILE
+      - IOCTL_NIDHOGG_UNPROTECT_PROCESS
+      - IOCTL_NIDHOGG_UNPROTECT_REGITEM
+      - IOCTL_NIDHOGG_UNPROTECT_THREAD
+      - IOCTL_NIDHOGG_WRITE_DATA
+      - Nidhogg::AntiAnalysis
+      - Nidhogg::FileUtils
+      - Nidhogg::ModuleUtils
+      - Nidhogg::ProcessUtils
+      - Nidhogg::RegistryUtils
+      - NIDHOGG_ERROR_CONNECT_DRIVER
+      - NIDHOGG_ERROR_DEVICECONTROL_DRIVER
+      - NIDHOGG_GENERAL_ERROR
+      - NIDHOGG_INVALID_COMMAND
+      - NIDHOGG_INVALID_OPTION
+      - NIDHOGG_SUCCESS
+      - NidhoggAmsiBypass
+      - NidhoggDisableCallback
+      - NidhoggEnableDisableEtwTi
+      - NidhoggETWBypass
+      - NidhoggFileClearAllProtection
+      - NidhoggFileProtect
+      - NidhoggFileUnprotect
+      - NidhoggInjectDll
+      - NidhoggInjectShellcode
+      - NidhoggListObCallbacks
+      - NidhoggListPsRoutines
+      - NidhoggListRegistryCallbacks
+      - NidhoggPatchModule
+      - NidhoggProcessClearAllProtection
+      - NidhoggProcessElevate
+      - NidhoggProcessHide
+      - NidhoggProcessProtect
+      - NidhoggProcessSetProtection
+      - NidhoggProcessUnhide
+      - NidhoggProcessUnprotect
+      - NidhoggQueryFiles
+      - NidhoggQueryProcesses
+      - NidhoggQueryThreads
+      - NidhoggReadData
+      - NidhoggRegistryClearAll
+      - NidhoggRegistryHideKey
+      - NidhoggRegistryHideValue
+      - NidhoggRegistryProtectKey
+      - NidhoggRegistryProtectValue
+      - NidhoggRegistryQueryHiddenKeys
+      - NidhoggRegistryQueryHiddenValues
+      - NidhoggRegistryQueryProtectedKeys
+      - NidhoggRegistryQueryProtectedValues
+      - NidhoggRegistryUnhideKey
+      - NidhoggRegistryUnhideValue
+      - NidhoggRegistryUnprotectKey
+      - NidhoggRegistryUnprotectValue
+      - NidhoggRestoreCallback
+      - NidhoggThreadClearAllProtection
+      - NidhoggThreadHide
+      - NidhoggThreadProtect
+      - NidhoggThreadUnprotect
+      - NidhoggWriteData
+      - ObCallbacksList
+      - PatchedModule.FunctionName
+      - PatchedModule.ModuleName
+      - PatchedModule.Patch
+      - PatchedModule.PatchLength
+      - PatchedModule.Pid
+      - PkgReadWriteData
+      - PROCESS_TYPE_PROTECTED
+      - PROCESS_TYPE_SPOOFED
+      - ProcessSignature.Pid
+      - ProcessSignature.SignatureSigner
+      - ProcessSignature.SignerType
+      - PsRoutinesList
+      - ShellcodeInformation
+
+

blint/data/annotations/review_symbols_hooka.yml

@@ -0,0 +1,50 @@
+---
+text: Review for Hooka
+group: SYMBOL_REVIEWS
+exe_type:
+  - gobinary
+  - x86_64-executable
+  - genericbinary
+rules:
+  - id: HOOKA
+    title: Detect use of Hooka tools
+    summary:
+    description: |
+      Hooka is a shellcode loader with bypassing capabilities, hooks detector and more written in Golang
+    patterns:
+      - hooka.CreateRemoteThreadHalos
+      - hooka.DetectHooks
+      - hooka.DetectHooks
+      - hooka.DumpLsass
+      - hooka.ElevateProcessToken
+      - hooka.EnumSystemLocales
+      - hooka.EnumSystemLocalesHalos
+      - hooka.EtwpCreateEtwThread
+      - hooka.Execute
+      - hooka.Fibers
+      - hooka.FullUnhook
+      - hooka.FuncFromHash
+      - hooka.GetEventLogPid
+      - hooka.GetFuncPtr
+      - hooka.GetShellcodeFromFile
+      - hooka.GetShellcodeFromFile
+      - hooka.GetShellcodeFromUrl
+      - hooka.GetShellcodeFromUrl
+      - hooka.GetSysId
+      - hooka.HashFromFunc
+      - hooka.Inject
+      - hooka.IsHooked
+      - hooka.PatchAmsi
+      - hooka.PatchAmsi
+      - hooka.PatchEtw
+      - hooka.PerunsUnhook
+      - hooka.Phant0m
+      - hooka.Phant0mWithOutput
+      - hooka.Phant0mWithOutput
+      - hooka.QueueUserApc
+      - hooka.RtlCreateUserThread
+      - hooka.Syscall
+      - hooka.UuidFromString
+      - hooka.WriteMemory
+
+