{"id":13546130,"url":"https://github.com/0xcpu/bonomen","last_synced_at":"2025-04-02T17:32:38.000Z","repository":{"id":189596827,"uuid":"76990508","full_name":"0xcpu/bonomen","owner":"0xcpu","description":"BONOMEN - Hunt for Malware Critical Process Impersonation","archived":true,"fork":false,"pushed_at":"2020-11-30T21:16:11.000Z","size":34,"stargazers_count":46,"open_issues_count":0,"forks_count":10,"subscribers_count":7,"default_branch":"master","last_synced_at":"2024-11-03T14:35:11.346Z","etag":null,"topics":["malware-analysis","malware-research","unix","windows"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/0xcpu.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2016-12-20T20:47:18.000Z","updated_at":"2024-03-18T03:17:24.000Z","dependencies_parsed_at":"2023-08-20T23:00:50.802Z","dependency_job_id":"34aa5f68-00e5-4d68-a762-b1eeb84d00eb","html_url":"https://github.com/0xcpu/bonomen","commit_stats":null,"previous_names":["0xcpu/bonomen"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xcpu%2Fbonomen","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xcpu%2Fbonomen/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xcpu%2Fbonomen/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xcpu%2Fbonomen/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/0xcpu","download_url":"https://codeload.github.com/0xcpu/bonomen/tar.gz/refs/heads/master","host":{"na
me":"GitHub","url":"https://github.com","kind":"github","repositories_count":246860274,"owners_count":20845636,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["malware-analysis","malware-research","unix","windows"],"created_at":"2024-08-01T12:00:32.288Z","updated_at":"2025-04-02T17:32:37.723Z","avatar_url":"https://github.com/0xcpu.png","language":"Rust","funding_links":[],"categories":["Threat Detection and Forensics"],"sub_categories":["Packing, Obfuscation, Encryption, Anti-analysis"],"readme":"# BOnum NOMEN - *good name*\n\n# Hunt for Malware Critical Process Impersonation\n\n## How it works\n\nThe purpose of this tool is to detect process name impersonation using the *Damerau-Levenshtein* distance.\nFor example, a malware process could run under the name `chr0me` (note the digit 0 in place of the letter o), which makes it harder\nto notice that it's a possibly malicious process.\n\nTo detect a process that tries to stay stealthy by process name impersonation, `bonomen` reads all the\nrunning processes on your system and compares their names with the processes that you provide in a file.\n\nThe processes you trust should be included in a file provided to `bonomen` at runtime with the `-f` command line\noption, otherwise `bonomen` searches for the default file `default_procs.txt`.\nEvery process should be written on a separate line, following the format:\n\n```\nprocess name;threshold;executable path\n```\n     \nwhere:\n     \n`process name`    - is the name of the process you trust, for example `init`\n     \n`threshold`       - is the maximum distance between process names, for example between
`chrome` and `chr0me` the distance is 1.\n     \n`executable path` - is the path to the executable of the process you trust, for example `/sbin/init`. This is used to\ncheck whether a process that matches by name should be whitelisted.\n\n\n## Compile\n\n   In the root directory, for\n\n   * release version, run:\n\n   ```cargo build --release```\n\n   * debug version, run:\n\n   ```cargo build```\n\n\n   The compiled executable will be in `target/{release|debug}/`\n\n\n## Requirements\n\n   * Unix OS (developed and tested on Debian GNU/Linux 8 64-bit).\n\n   * Windows OS (developed and tested on Windows 10 64-bit).\n   \n   * Rust programming language version \u003e= 1.13.0\n   \n   * File containing the system-critical processes, using the following format:\n   \n     ```\n     process name;threshold;process executable absolute path\n     ```\n     \n     Example:\n     \n     ```\n     init;1;/sbin/init\n     sshd;2;/usr/sbin/sshd\n     ```\n    \n## References \u0026 Acknowledgements\n\n   * [Damerau-Levenshtein distance](https://en.wikipedia.org/wiki/Damerau%E2%80%93Levenshtein_distance)\n\n   * [Rust Docs](https://www.rust-lang.org/en-US/documentation.html)\n\n   * Thanks to the Rust IRC channel #rust, especially @retep998 and @DoumanAsh for helping with Windows support, and @mbrubeck, @steveklabnik, @Quxxy, @Havvy. Thank you!\n\n   * [Detect-Respond blog](https://detect-respond.blogspot.ro/2016/11/hunting-for-malware-critical-process.html): the implementation idea came from this article. Thank you!\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xcpu%2Fbonomen","html_url":"https://awesome.ecosyste.ms/projects/github.com%2F0xcpu%2Fbonomen","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xcpu%2Fbonomen/lists"}
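The README above describes the detection idea (Damerau-Levenshtein distance between running process names and a trusted list in `name;threshold;path` format, with the executable path used to whitelist the genuine process) without showing the logic. The following is an added example written for this page, not bonomen's own code. It implements the optimal-string-alignment variant of Damerau-Levenshtein (one cost for each insertion, deletion, substitution or adjacent transposition), parses the trusted-process file format from the README, and hunts over a constructed process list. Assumptions not taken from the project: names are compared case-insensitively, `#` lines in the trusted file are comments, and a running process is whitelisted only when its name and executable path exactly match one trusted entry; everything else within the threshold is reported, including a correctly named binary running from the wrong path. The process list is constructed sample data, not real `ps` output.

```rust
// Added example, not bonomen's code: Damerau-Levenshtein based hunt for
// process-name impersonation over a constructed list of running processes.

/// Optimal-string-alignment variant of the Damerau-Levenshtein distance.
/// Insertion, deletion, substitution and adjacent transposition each cost 1.
pub fn damerau_levenshtein(a: &str, b: &str) -> usize {
    let a: Vec<char> = a.chars().collect();
    let b: Vec<char> = b.chars().collect();
    let (n, m) = (a.len(), b.len());
    let mut d = vec![vec![0usize; m + 1]; n + 1];
    for i in 0..=n { d[i][0] = i; }
    for j in 0..=m { d[0][j] = j; }
    for i in 1..=n {
        for j in 1..=m {
            let cost = if a[i - 1] == b[j - 1] { 0 } else { 1 };
            let mut best = (d[i - 1][j] + 1)          // deletion
                .min(d[i][j - 1] + 1)                  // insertion
                .min(d[i - 1][j - 1] + cost);          // substitution / match
            if i > 1 && j > 1 && a[i - 1] == b[j - 2] && a[i - 2] == b[j - 1] {
                best = best.min(d[i - 2][j - 2] + 1);  // adjacent transposition
            }
            d[i][j] = best;
        }
    }
    d[n][m]
}

/// One line of the trusted-process file: `name;threshold;path`.
#[derive(Debug, Clone, PartialEq)]
pub struct TrustedProc { pub name: String, pub threshold: usize, pub path: String }

/// Parse the `name;threshold;path` list. Blank lines and `#` comment lines are
/// skipped (assumption: the README documents no comment syntax).
pub fn parse_trusted(text: &str) -> Result<Vec<TrustedProc>, String> {
    let mut out = Vec::new();
    for (lineno, raw) in text.lines().enumerate() {
        let line = raw.trim();
        if line.is_empty() || line.starts_with('#') { continue; }
        let parts: Vec<&str> = line.split(';').map(str::trim).collect();
        if parts.len() != 3 {
            return Err(format!("line {}: expected name;threshold;path", lineno + 1));
        }
        let threshold = parts[1].parse::<usize>()
            .map_err(|e| format!("line {}: bad threshold: {}", lineno + 1, e))?;
        out.push(TrustedProc { name: parts[0].to_string(), threshold, path: parts[2].to_string() });
    }
    Ok(out)
}

/// A running process as a scanner would see it (constructed data here).
#[derive(Debug, Clone, PartialEq)]
pub struct RunningProc { pub pid: u32, pub name: String, pub path: String }

/// A suspected impersonation of a trusted process.
#[derive(Debug, Clone, PartialEq)]
pub struct Finding { pub pid: u32, pub name: String, pub path: String, pub looks_like: String, pub distance: usize }

/// Report every running process whose name is within a trusted entry's threshold
/// (case-insensitive), unless name and path exactly match some trusted entry.
pub fn hunt(trusted: &[TrustedProc], running: &[RunningProc]) -> Vec<Finding> {
    let mut findings = Vec::new();
    for p in running {
        // Whitelist: the genuine binary, by exact name and executable path.
        let whitelisted = trusted.iter()
            .any(|t| t.name.eq_ignore_ascii_case(&p.name) && t.path == p.path);
        if whitelisted { continue; }
        for t in trusted {
            let dist = damerau_levenshtein(&p.name.to_lowercase(), &t.name.to_lowercase());
            if dist <= t.threshold {
                findings.push(Finding { pid: p.pid, name: p.name.clone(), path: p.path.clone(),
                                        looks_like: t.name.clone(), distance: dist });
            }
        }
    }
    findings
}

/// Trusted list in the README's format (the README's own two example lines).
pub const SAMPLE_TRUSTED: &str = "# constructed trusted list\ninit;1;/sbin/init\nsshd;2;/usr/sbin/sshd\n";

/// Constructed process table: two genuine daemons, three impersonators, one bystander.
pub fn sample_running() -> Vec<RunningProc> {
    vec![
        RunningProc { pid: 1,    name: "init".into(), path: "/sbin/init".into() },
        RunningProc { pid: 412,  name: "sshd".into(), path: "/usr/sbin/sshd".into() },
        RunningProc { pid: 7731, name: "in1t".into(), path: "/tmp/.x/in1t".into() },          // digit 1 for letter i
        RunningProc { pid: 7802, name: "ssdh".into(), path: "/home/user/.cache/ssdh".into() }, // transposed letters
        RunningProc { pid: 7990, name: "sshd".into(), path: "/dev/shm/sshd".into() },          // right name, wrong path
        RunningProc { pid: 2310, name: "bash".into(), path: "/bin/bash".into() },              // unrelated name
    ]
}

pub fn run_sample() -> Vec<Finding> {
    let trusted = parse_trusted(SAMPLE_TRUSTED).expect("valid trusted list");
    hunt(&trusted, &sample_running())
}

fn main() {
    for f in run_sample() {
        println!("pid {} {} ({}) looks like {} at distance {}", f.pid, f.name, f.path, f.looks_like, f.distance);
    }
}
```

Two points worth noting when using this approach. The whitelist is keyed on the exact (name, path) pair, so a genuine `sshd` at `/usr/sbin/sshd` is not reported even if another trusted entry happens to be within threshold of its name; a `sshd` running from `/dev/shm` is still reported at distance 0, because the path is what distinguishes the real binary from a copy. Thresholds above 1 or 2 on short names produce many false positives (`bash` is already at distance 3 from `sshd`), so keep them small and tune per entry.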