From a5f765799cbbd1b74366bef32acb836f607771d5 Mon Sep 17 00:00:00 2001
From: Still Hsu
Date: Tue, 12 Mar 2024 15:31:40 +0800
Subject: [PATCH] Add SysWhisper2 detection & add int 2e to syscall detection
Signed-off-by: Still Hsu
---
 nursery/execute-syscall-instruction.yml | 8 +++-
 nursery/populate-syswhisper2-syscall-list.yml | 44 +++++++++++++++++++
 2 files changed, 51 insertions(+), 1 deletion(-)
 create mode 100644 nursery/populate-syswhisper2-syscall-list.yml
diff --git a/nursery/execute-syscall-instruction.yml b/nursery/execute-syscall-instruction.yml
index fa284e5d..dcfca05d 100644
--- a/nursery/execute-syscall-instruction.yml
+++ b/nursery/execute-syscall-instruction.yml
@@ -5,15 +5,21 @@ rule:
 authors:
 - "@kulinacs"
 - "@mr-tz"
+ - still@teamt5.org
 description: may be used to evade hooks or hinder analysis
 scopes:
 static: basic block
 dynamic: unsupported # requires mnemonic features
 references:
 - https://github.com/j00ru/windows-syscalls
+ - https://codemachine.com/articles/system_call_instructions.html
 features:
 - and:
- - mnemonic: syscall
+ - or:
+ - mnemonic: syscall
+ - instruction:
+ - mnemonic: int
+ - operand[0].number: 0x2e
 - or:
 - mnemonic: ret
 - mnemonic: retn
diff --git a/nursery/populate-syswhisper2-syscall-list.yml b/nursery/populate-syswhisper2-syscall-list.yml
new file mode 100644
index 00000000..40819f1c
--- /dev/null
+++ b/nursery/populate-syswhisper2-syscall-list.yml
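Review bot: The new `int`/`0x2e` alternative in the `features` block carries no `description:` entry, so a match on it will surface as a bare instruction with nothing recording why it is treated as equivalent to `syscall`; add one inside the `instruction:` block, e.g. `- description: legacy int 2e NT system call gate` (presumably what the added codemachine reference is cited for), as the sibling rule in this commit does for each of its checks. The enclosing `rule:`/`meta:` keys start outside the hunk. The new author entry `still@teamt5.org` is unquoted while the existing handles are quoted; both forms parse, but `- "still@teamt5.org"` keeps the list consistent.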
@@ -0,0 +1,44 @@
+rule:
+ meta:
+ name: populate syswhisper2 syscall list
+ namespace: linking/runtime-linking
+ authors:
+ - still@teamt5.org
+ scopes:
+ static: function
+ dynamic: unsupported
+ att&ck:
+ - Execution::Shared Modules [T1129]
+ - Execution::Native API [T1106]
+ - Defense Evasion::Obfuscated Files or Information::Indicator Removal from Tools [T1027.005]
+ references:
+ - https://github.com/jthuraisamy/SysWhispers2/blob/main/data/base.c#L32
+ examples:
+ - 932dab8756ad4ae9a62bde0772d952e4:0x14001BD1E
+ features:
+ - and:
+ - and:
+ - description: check ntdll.dll
+ - instruction:
+ - mnemonic: or
+ - operand[1].number: 0x20202020
+ - or:
+ - instruction:
+ - mnemonic: cmp
+ - operand[1].number: 0x6C64746E
+ - instruction:
+ - mnemonic: cmp
+ - operand[1].number: 0x6C642E6C
+ - and:
+ - description: check system call starting with 'Zw'
+ - instruction:
+ - description: check 'Zw'
+ - mnemonic: cmp
+ - operand[1].number: 0x775a
+ - and: # this is optional but this should reduce false positives if any at all
+ - description: syscall list sorting
+ - instruction:
+ - mnemonic: add
+ - operand[1].number: 1
+ - mnemonic: lea
+ - mnemonic: mov
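Review bot: The comment on the third `and:` block says the check "is optional", but because it sits under the top-level `and:` the syscall-list sorting instructions are mandatory for the rule to match, so the comment contradicts the logic; reword it to something like `- and:  # not part of the hashing itself, but required here to cut false positives` (capa's `optional:` statement exists, but switching to it would not reduce false positives at all). The immediates would be easier to audit with their ASCII meaning recorded inline, e.g. `- operand[1].number: 0x6C64746E  # "ntdl", little-endian`, with `0x6C642E6C  # "l.dl"`, `0x775a  # "Zw"`, and `0x20202020  # OR with four spaces: lowercases ASCII letters`. For consistency with execute-syscall-instruction.yml, `dynamic: unsupported` should carry the same `# requires mnemonic features` comment so the reason is kept with the scope.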