ex0dus-0x/confine

confine

Containers, but for dynamic malware analysis


confine is a container runtime for dynamically analyzing suspicious executables. Given a sample suspected of being malware, confine will create a container mount, dynamically trace the sample, and report back the threat indicators it was able to find. No more clunky sandboxes and VMs! Bear in mind, though, that a container shares the host's kernel, so its isolation is weaker than a VM's; detonate samples on a disposable host.

Features

  • Threat Detection - identifies common malware capabilities and behaviors using dynamic tracing!
  • Automated Builds - use Confinement policies to quickly provision an environment, and share it with other threat analysts!
  • Syscall Filtering - enforce rules upon system call behaviors to log metrics or block malicious behavior!

Usage

Installing

To install confine, use cargo:

$ cargo install confine

Running an Analysis

To dynamically analyze a sample, we must first create a workspace with a Confinement policy to specify how our containerized environment will be provisioned. confine can automatically do that for us:

$ confine new workspace/

Having a workspace is useful for compartmentalizing the other dependencies used by the container, whether that is a locally built image, source code, configuration files, etc.

A Confinement is confine's version of a Dockerfile, but for provisioning container environments in which an executable is traced. See the example Confinement for details on how to configure it, including how to set up syscall filtering rules.

Once everything is set, we can execute an analysis. confine will not only run a dynamic trace, but will also apply its set of detections during execution, reporting the behaviors it encountered at the end:

$ confine exec workspace/
a.out  example.c
Caught the debugger!
intelligent-rest-5105
[2021-02-19T04:21:56Z ERROR confine::trace::subprocess] confine: [BLOCK] encountered syscall exit_group
{
  "syscalls": [
    "brk",
    "access",
    "mmap",
    "access",
    "open",
    "fstat",
    "mmap",
    "close",
    "access",
    "open",
    "read",
    "fstat",
    "mmap",
    "mprotect",
    "mmap",
    "mmap",
    "close",
    "mmap",
    "mmap",
    "arch_prctl",
    "mprotect",
    "mprotect",
    "mprotect",
    "munmap",
    "ptrace",
    "fstat",
    "mmap",
    "write",
    "uname",
    "write"
  ],
  "strings": [
    "Caught the debugger!\n",
    "intelligent-rest-5105\n"
  ],
  "networking": [],
  "file_io": {
    "/lib/x86_64-linux-gnu/libc.so.6": "524288",
    "/etc/ld.so.cache": "524288"
  },
  "commands": [],
  "capabilities": {
    "evasion": {
      "stalling": false,
      "antidebug": true,
      "antisandbox": false,
      "process_infect": false
    },
    "persistence": {
      "init_persistence": false,
      "time_persistence": false,
      "config_persistence": false
    },
    "deception": false
  }
}

License

MIT License
