{"id":13546131,"url":"https://github.com/ex0dus-0x/confine","last_synced_at":"2025-08-15T03:31:56.083Z","repository":{"id":45615580,"uuid":"207206525","full_name":"ex0dus-0x/confine","owner":"ex0dus-0x","description":"Small container runtime for threat detection","archived":false,"fork":false,"pushed_at":"2021-12-04T20:42:41.000Z","size":276,"stargazers_count":11,"open_issues_count":5,"forks_count":2,"subscribers_count":3,"default_branch":"master","last_synced_at":"2024-11-03T14:35:06.729Z","etag":null,"topics":["rust","security"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ex0dus-0x.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-09-09T02:21:59.000Z","updated_at":"2024-08-12T19:52:50.000Z","dependencies_parsed_at":"2022-09-05T01:51:07.744Z","dependency_job_id":null,"html_url":"https://github.com/ex0dus-0x/confine","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ex0dus-0x%2Fconfine","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ex0dus-0x%2Fconfine/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ex0dus-0x%2Fconfine/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ex0dus-0x%2Fconfine/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ex0dus-0x","download_url":"https://codeload.github.com/ex0dus-0x/confine/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":22989
0095,"owners_count":18140042,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["rust","security"],"created_at":"2024-08-01T12:00:32.315Z","updated_at":"2024-12-15T23:44:58.523Z","avatar_url":"https://github.com/ex0dus-0x.png","language":"Rust","funding_links":[],"categories":["Threat Detection and Forensics","Rust","security"],"sub_categories":["Packing, Obfuscation, Encryption, Anti-analysis"],"readme":"\u003cdiv align=\"center\"\u003e\n    \u003ch1\u003econfine\u003c/h1\u003e\n    \u003cp\u003eContainers, but for dynamic malware analysis\u003c/p\u003e\n\u003c/div\u003e\n\n[![Actions][actions-badge]][actions-url]\n\n[actions-badge]: https://github.com/ex0dus-0x/confine/workflows/CI/badge.svg?branch=master\n[actions-url]: https://github.com/ex0dus-0x/confine/actions\n\n__confine__ is a container runtime for dynamically analyzing suspicious executables. Given a sample suspected of being malware, __confine__ will create a container mount,\ndynamically trace it, and report back to you what threat indicators it has been able to find. 
No more clunky sandboxes and VMs!\n\n## Features\n\n* __Threat Detection__ - identifies common malware capabilities and behaviors using dynamic tracing!\n* __Automated Builds__ - use `Confinement` policies to quickly provision an environment, and share it with other threat analysts!\n* __Syscall Filtering__ - enforce rules upon system call behaviors to log metrics or block malicious behavior!\n\n## Usage\n\n### Installing\n\nTo install `confine`, use `cargo`:\n\n```\n$ cargo install confine\n```\n\n### Running an Analysis\n\nTo dynamically analyze a sample, we must first create a workspace with a `Confinement` policy to\nspecify how our containerized environment will be provisioned. __confine__ can automatically do that for us:\n\n```\n$ confine new workspace/\n```\n\nHaving a workspace is good for compartmentalizing other necessary dependencies that are used in the\ncontainer, whether it's a locally built image, source code, configurations, etc.\n\nA `Confinement` is __confine__'s version of a `Dockerfile`, but for provisioning container environments for tracing an executable.\nSee the [example here](https://github.com/ex0dus-0x/confine/blob/master/examples/simple/Confinement) for more details on how to configure it,\nand set up syscall filtering rules as well.\n\nOnce everything is set, we can now execute an analysis! 
__confine__ will not only run a dynamic trace, but will also employ its set of detections\nduring execution, outputting the behaviors it encounters at the end:\n\n```\n$ confine exec workspace/\na.out  example.c\nCaught the debugger!\nintelligent-rest-5105\n[2021-02-19T04:21:56Z ERROR confine::trace::subprocess] confine: [BLOCK] encountered syscall exit_group\n{\n  \"syscalls\": [\n    \"brk\",\n    \"access\",\n    \"mmap\",\n    \"access\",\n    \"open\",\n    \"fstat\",\n    \"mmap\",\n    \"close\",\n    \"access\",\n    \"open\",\n    \"read\",\n    \"fstat\",\n    \"mmap\",\n    \"mprotect\",\n    \"mmap\",\n    \"mmap\",\n    \"close\",\n    \"mmap\",\n    \"mmap\",\n    \"arch_prctl\",\n    \"mprotect\",\n    \"mprotect\",\n    \"mprotect\",\n    \"munmap\",\n    \"ptrace\",\n    \"fstat\",\n    \"mmap\",\n    \"write\",\n    \"uname\",\n    \"write\"\n  ],\n  \"strings\": [\n    \"Caught the debugger!\\n\",\n    \"intelligent-rest-5105\\n\"\n  ],\n  \"networking\": [],\n  \"file_io\": {\n    \"/lib/x86_64-linux-gnu/libc.so.6\": \"524288\",\n    \"/etc/ld.so.cache\": \"524288\"\n  },\n  \"commands\": [],\n  \"capabilities\": {\n    \"evasion\": {\n      \"stalling\": false,\n      \"antidebug\": true,\n      \"antisandbox\": false,\n      \"process_infect\": false\n    },\n    \"persistence\": {\n      \"init_persistence\": false,\n      \"time_persistence\": false,\n      \"config_persistence\": false\n    },\n    \"deception\": false\n  }\n}\n```\n\n## License\n\n[MIT License](https://codemuch.tech/docs/license.txt)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fex0dus-0x%2Fconfine","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fex0dus-0x%2Fconfine","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fex0dus-0x%2Fconfine/lists"}