{"id":18239899,"url":"https://github.com/0xflux/sanctum","last_synced_at":"2025-04-04T08:30:40.879Z","repository":{"id":258797181,"uuid":"871735926","full_name":"0xflux/Sanctum","owner":"0xflux","description":"Sanctum is a proof-of-concept EDR, designed to detect modern malware techniques, above and beyond the capabilities of antivirus.  Built in Rust.","archived":false,"fork":false,"pushed_at":"2025-03-23T18:41:25.000Z","size":19472,"stargazers_count":48,"open_issues_count":35,"forks_count":6,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-03-23T19:33:39.250Z","etag":null,"topics":["antivirus","antivirus-software","blue-team","cyber-security","driver","edr","kernel-driver","malware-analysis","malware-research","red-team","rust","rust-driver","rust-edr","rust-windows","rust-windows-driver","tauri","tauri-app","windows-driver","windows-rust"],"latest_commit_sha":null,"homepage":"https://fluxsec.red/sanctum-edr-intro","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/0xflux.png","metadata":{"files":{"readme":"readme.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-10-12T19:41:58.000Z","updated_at":"2025-03-20T07:19:17.000Z","dependencies_parsed_at":"2025-01-08T20:33:01.794Z","dependency_job_id":"0db78ad3-28b4-4779-9418-81f7ab9b411a","html_url":"https://github.com/0xflux/Sanctum","commit_stats":{"total_commits":91,"total_committers":1,"mean_commits":91.0,"dds":0.0,"last_synced_commit":"704116230e8eef16361b310701df0b851da9845f"},"previous_names":["0xflux/sanctum"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"http
s://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xflux%2FSanctum","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xflux%2FSanctum/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xflux%2FSanctum/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xflux%2FSanctum/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/0xflux","download_url":"https://codeload.github.com/0xflux/Sanctum/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247146784,"owners_count":20891562,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["antivirus","antivirus-software","blue-team","cyber-security","driver","edr","kernel-driver","malware-analysis","malware-research","red-team","rust","rust-driver","rust-edr","rust-windows","rust-windows-driver","tauri","tauri-app","windows-driver","windows-rust"],"created_at":"2024-11-05T04:04:14.068Z","updated_at":"2025-04-04T08:30:40.863Z","avatar_url":"https://github.com/0xflux.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Sanctum EDR\n\n![Rust Kernel Driver EDR Sanctum](imgs/evidence/sanctum-cover.webp)\n\nThis project is a Windows Driver written in Rust.\n\nYou can find some demos of the EDR on my [YouTube channel](https://www.youtube.com/@FluxSec).\n\nSanctum EDR is an Endpoint Detection and Response proof-of-concept product I am building that I will use to try to combat modern malware techniques that I develop.\n\nI have started a blog\n
series on Sanctum; you can check it out [on my blog here](https://fluxsec.red/sanctum-edr-intro). I'm keeping track of the progress and milestones of the project there, so please check that out!\n\nThe project is currently in its early stages; I have a plan for it which I will update in due course. If you like this project, or my work, please feel free to reach out!\n\nIf you are here to read some code, the best place to start is probably **um_engine**, followed by either the **driver** or **injected_dll**.\n\n### Project plan\n\nThis is a high-level overview of how I would like to structure this project.\n\n![High level overview of Sanctum Rust Windows Driver](imgs/planning/sanctum_overview.jpg)\n\nA high-level view of my API design for the internal application (not counting any web APIs) is shown below. I have opted to try to keep the UmEngine interface a singleton. The design is somewhat problematic in that if the UmEngine were mutable, a mutex would be required to mutate any internal state, and holding that mutex could significantly block the main thread depending on what the mutation / action is. So for the moment I am opting for a singleton that is not publicly mutable and maintains its own state internally, allowing actions to be carried out across either OS threads or green threads. The API overview (this may not be up to date in terms of exported functions etc.):\n\n![Sanctum Rust Windows Driver API Overview](imgs/evidence/sanctum_api.jpg)\n\n### Why Rust for writing a Windows Driver\n\nI started writing this driver in C, but having stepped away from C for some time, I missed a lot of Rust's features.\n\nRust is suited to operating in embedded and kernel environments through [libcore no_std](https://doc.rust-lang.org/core/), and with Microsoft's support for developing drivers in Rust, Rust is an excellent candidate for a \"safer\" approach to driver development.\n
I use \"safer\" in quotes because, despite Rust's safety guarantees, we still need to interact with unsafe APIs within the OS.\n\n## Repo\n\nThe EDR code is logically separated, within one solution, into the kernel-mode driver (the driver folder [found here](https://github.com/0xflux/sanctum/tree/master/driver)), the usermode engine ([found here](https://github.com/0xflux/sanctum/tree/master/um_engine)), and the usermode DLL (todo).\n\n## ELAM and ETW\n\nThis project now contains **Early Launch AntiMalware** driver technology, **Protected Process Light: Antimalware**, and **Event Tracing for Windows: Threat Intelligence**. Those crates are contained in this repo as they are all part of the same project. They can be found here:\n\n- `elam_installer` - Installs the `ELAM` service\n- `sanctum_ppl_runner` - The `PPL` service\n- `etw_consumer` - A child process spawned from `sanctum_ppl_runner` which is able to consume `ETW: Threat Intelligence` thanks to `PPL`.\n\n# Usermode features\n\nThe usermode aspect of this application includes a GUI for you to use as a native Windows program.\n\n## Process monitoring\n\nThe EDR can monitor processes, tracking for signs of malicious activity in real time. Currently the only supported tracking feature is opening remote processes.\n\n## EDR DLL injection\n\nThe EDR `um_engine` will inject a DLL into processes for internal monitoring of the process.\n\n## EDR DLL syscall hooking\n\nThe EDR injected DLL hooks syscalls and redirects control to a function contained within the DLL for inspection. Via IPC, the DLL sends a message to the engine notifying it of the event, which then feeds my [Ghost Hunting](https://fluxsec.red/edr-syscall-hooking) technique.
\n\nExample of a hooked syscall:\n\n![ZwOpenProcess](imgs/evidence/zwopenproc.png)\n\nAnd the function to which execution jumps in the DLL:\n\n![Syscall callback](imgs/evidence/hooked.png)\n\nHere are two videos on syscall hooking from this project:\n\n[![YouTube Video](https://img.youtube.com/vi/I2krfjCsRp0/0.jpg)](https://www.youtube.com/watch?v=I2krfjCsRp0)\n\n[![YouTube Video](https://img.youtube.com/vi/6cMPkwEsfvk/0.jpg)](https://www.youtube.com/watch?v=6cMPkwEsfvk)\n\n## Antivirus scanning for malware detection (IOC hash):\n\nScanning a file:\n\n![File scanning](imgs/evidence/av_scan_file.gif)\n\nScanning a folder:\n\n![Folder scanning](imgs/evidence/scan_folder.gif)\n\n# Driver features\n\n## Callback monitoring\n\nThe driver monitors the creation of new processes, the termination of processes, and process handles requested by applications. The driver then sends this data back up to the usermode application (`um_engine`) via IOCTL.\n\n## Basic IOCTL\n\nThe driver can be communicated with via both IOCTLs and named pipes. Here is an example of data being sent from the driver back up to user land:\n\n![Rust driver IOCTL](imgs/evidence/drv_msg.png)\n\nThe driver checks compatibility with the client version and will panic (in usermode) and unload the driver if the versions are not compatible.\n\n![Driver compatibility](imgs/evidence/ioctl_compatible.png)\n\n# Additional info\n\n## Installation\n\n### Requirements:\n\n1) Cargo (obviously..).\n2) Nightly.\n3) For ELAM, from the developer command prompt:\n   1) `cargo make`.\n   2) `sign.bat` (this is important to sign the driver with the **custom** self-signed cert for ETW access).\n   3) `sanctum_ppl_runner` AND `etw_consumer` must be built in **release mode**.\n   4) In the sanctum root, `sign_ppl_runner.bat` and `sign_etw_consumer.bat` need running (from the developer tools console) to sign the `sanctum_ppl_runner` AND `etw_consumer` binaries with the **same** cert that signed the driver.\n4) Windows Driver Kit \u0026\n
Developer Console (as admin for building the driver).\n5) You may wish to add a symlink from .vscode/settings.json in the driver to the one in the root, for spelling etc.\n\n## Helpful notes:\n\n1) To see the driver install config, open regedit at HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Sanctum.\n2) The app will create a location in %AppData% where the IOC file and settings are created. You will also need to drop the built driver into this location. A built driver is not shipped with this repo, so it must be built after cloning, with `cargo make` from the driver directory.\n3) To use ETW:TI you must use a self-signed cert with specific params. If this cert changes, you need to recalculate its hash and apply it to the resources hash field in the build script; get this from the `To-Be-Signed Hash` output of `certmgr.exe -v target/debug/sanctum_package/sanctum.sys`.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xflux%2Fsanctum","html_url":"https://awesome.ecosyste.ms/projects/github.com%2F0xflux%2Fsanctum","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xflux%2Fsanctum/lists"}