Baldo Scanner is a malware scanner for Linux systems. It performs static malware analysis by signature matching and YARA rules; the database of signatures and rules can be fetched automatically from abuse.ch. Baldo Scanner also implements a simple firewall that blocks network traffic for user-supplied IP addresses, kprobe-based syscall monitoring, and a sandbox environment for running untrusted applications.
The application is composed of:

- A kernel module: hooks into syscalls with kprobes based on user-defined rules and sends an event to the user-space daemon via netlink and/or a character device. A future implementation may use eBPF for hooking. The kernel module also implements a simple IP-based firewall.
- A user-space daemon: an event-driven daemon that listens for events from the kernel module, updates its malware DB from online resources, spawns threads when analyzing with the analysis engine, sets iptables rules, and runs processes in a sandbox environment. It logs the system calls into a DB.
- A malware DB: a collection of malware signatures and YARA rules.
- An analysis engine: scans a file's signature and binary data against the YARA rules and signatures in the malware DB.
- A CLI application to interface with the daemon via Berkeley sockets.
- There might be a web UI in the future.
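The signature side of the analysis engine, as an added example in Python (not the project's C++ code): it loads a hash-signature CSV in the layout of an abuse.ch MalwareBazaar export (the column order and the `#`-prefixed header are assumptions about that layout), streams a SHA-256 over every regular file under a path, and reports files whose digest is in the DB. YARA matching is not shown. The signature row and the scanned files are constructed inside the example so it runs offline.

```python
"""Signature-mode scan in the style of the Baldo analysis engine (added
example in Python, not the project's C++ code)."""
import csv
import hashlib
import tempfile
from pathlib import Path

# Column order assumed from abuse.ch MalwareBazaar CSV exports; only
# sha256_hash and signature are used below.
SIG_FIELDS = ("first_seen_utc", "sha256_hash", "md5_hash", "sha1_hash",
              "reporter", "file_name", "file_type_guess", "mime_type",
              "signature", "clamav", "vtpercent", "imphash", "ssdeep", "tlsh")


def load_signatures(csv_text: str) -> dict:
    """Parse the CSV into {sha256: row}. Lines starting with '#' are treated
    as comments (assumed: the export carries its header that way); fields
    are quoted and separated by ", "."""
    rows = (ln for ln in csv_text.splitlines()
            if ln.strip() and not ln.startswith("#"))
    db = {}
    for rec in csv.reader(rows, skipinitialspace=True):
        if len(rec) < 2:
            continue  # malformed line: skip it rather than abort the load
        row = dict(zip(SIG_FIELDS, rec))
        db[row["sha256_hash"].strip().lower()] = row
    return db


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan(target, db: dict) -> list:
    """Scan a file or a directory tree; return (path, sha256, row) per hit.
    Symlinks are skipped so a link placed under the scan root cannot pull
    in files from elsewhere on the system (or create a loop)."""
    target = Path(target)
    if target.is_file():
        candidates = [target]
    else:
        candidates = [p for p in target.rglob("*")
                      if p.is_file() and not p.is_symlink()]
    hits = []
    for p in candidates:
        digest = sha256_file(p)
        if digest in db:
            hits.append((str(p), digest, db[digest]))
    return hits


def demo() -> list:
    """Build a constructed DB and scratch tree, scan it, return [(name, family)]."""
    with tempfile.TemporaryDirectory() as d:
        bad = Path(d) / "dropper.bin"
        good = Path(d) / "notes.txt"
        bad.write_bytes(b"constructed stand-in for a known-bad binary\n")
        good.write_bytes(b"harmless text\n")
        # Constructed signature row, built from the stand-in's own hash.
        csv_text = "\n".join([
            '# "first_seen_utc", "sha256_hash", "md5_hash", ... (header as comment)',
            '"2024-01-01 00:00:00", "%s", "", "", "example", "dropper.bin", '
            '"elf", "application/x-executable", "ConstructedFamily", "", "", '
            '"", "", ""' % sha256_file(bad),
        ])
        db = load_signatures(csv_text)
        return [(Path(p).name, row["signature"]) for p, _, row in scan(d, db)]


if __name__ == "__main__":
    print(demo())  # [('dropper.bin', 'ConstructedFamily')]
```

Hash signatures only catch byte-identical samples; a one-byte change defeats them, which is why the engine pairs them with YARA rules.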
If you want to use the firewall and syscall tracing, you need to load the kernel module (instructions for building it are given below). Note that this is optional:

```
insmod ./kernel/baldo.ko
```

You need to run the daemon as root:

```
sudo baldo-daemon
```
```
$> sudo baldo-cli -h
Allowed options:

Generic options:
  -h [ --help ]            produce help message and exit
  -v [ --version ]         print version information and exit

Daemon options:
  -u [ --update ]          update Malware signatures database
  -q [ --quit ]            quit daemon gracefully
  -Q [ --force-quit ]      force quit daemon

Scan Options:
  -s [ --scan ] arg        scan a file or directory
  -t [ --type ] arg        type of scan: 0=signature 1=rules, 2=all[default]
  -l [ --load ] arg        load signatures CSV
  -y [ --yara-rules ] arg  set directory of yara rules
  --no-multithread         disable multithreading

Firewall options:
  -b [ --block-ip ] arg    block an IPv4 address
  -B [ --unblock-ip ] arg  unblock an IPv4 address

Sandbox Options:
  -S [ --sandbox ] arg     execute a file in a sandboxed environment, format:
                           name,arg1,arg2,...
```

Build dependencies:

- C++20 compiler
- cmake to build the project
- libcurl and libcurlpp to fetch web APIs
- unzip
- openssl 3.3
- libnl 3.8.0
- libseccomp
- libyara
- boost::program_options
Install dependencies on Ubuntu/Debian:

```
sudo apt install curl libboost1.81-dev libcurlpp-dev libyara-dev libnl-3-dev libseccomp-dev
```

This command does not cover cmake, unzip or the OpenSSL development headers listed above; install those separately if they are missing.

To build the project with cmake, run:
```
cmake -Bbuild
cmake --build build
```

The binaries build/baldo-daemon and build/baldo-cli will be generated.
You can compile the docs with doxygen:

```
doxygen scripts/doxygen.conf
```

To test the kernel module, we advise you to use a virtual machine. We will now see how to build the kernel module and run a VM with qemu.
You need to build the scanner with cmake as specified above, and compile the kernel module for your specific kernel version.

```
# Download and prepare the kernel
./scripts/download-linux.sh
cd linux-src
make defconfig
make modules_prepare
make vmlinux -j$(nproc)
make modules -j$(nproc)
make -j$(nproc)

# Build the kernel module
cd ..
make

# Create the VM image, copy the module into it and boot it with qemu
./scripts/create-image.sh
./scripts/copy-module.sh
./scripts/run-qemu.sh
```

You can log in with root:root or test:test. These are default credentials for the throwaway test image; do not expose that VM to an untrusted network.
Both netlink and character devices are supported for communicating with the kernel module; select one by compiling the module with the flag BALDO_NETLINK or BALDO_CHAR_DEV.
```
# Data collection
echo "HELLO" > /dev/baldo_notify   # start collecting data
echo "FETCH" > /dev/baldo_notify   # copy the data (do this before reading)
cat /dev/baldo_notify              # read the data
echo "BYE" > /dev/baldo_notify     # stop collecting data

# Firewall
echo "3646206603" > /dev/baldo_firewall   # block an IP, given as its 32-bit address in network byte order, written in decimal
```
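A small helper for the character-device interface above, as an added example (not project code). It assumes the firewall device expects the IPv4 address as its network-byte-order bytes read as a native little-endian 32-bit integer, i.e. the value `inet_addr()` returns on x86; under that assumption the README's 3646206603 decodes to 139.178.84.217. The device paths are the ones shown above; writing to them needs root and the module loaded, so only the conversions run without it.

```python
"""Helpers for the /dev/baldo_* character-device interface (added example,
not project code). Assumption: the firewall device wants the IPv4 address in
network byte order read as a native little-endian 32-bit integer."""
import socket
import struct
import time

NOTIFY_DEV = "/dev/baldo_notify"      # paths from the README
FIREWALL_DEV = "/dev/baldo_firewall"


def ip_to_device_word(dotted: str) -> int:
    """'139.178.84.217' -> 3646206603. inet_pton rejects short forms such
    as '10.1' that inet_aton would silently accept."""
    packed = socket.inet_pton(socket.AF_INET, dotted)  # 4 bytes, network order
    # Decode those bytes as little-endian explicitly, so the result does not
    # depend on the endianness of the machine running this script.
    return struct.unpack("<I", packed)[0]


def device_word_to_ip(word: int) -> str:
    """Inverse of ip_to_device_word, for decoding values seen in logs."""
    if not 0 <= word <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit value: %r" % word)
    return socket.inet_ntoa(struct.pack("<I", word))


def _write_command(dev: str, text: str) -> None:
    # The trailing newline mirrors what `echo` sends in the README examples.
    with open(dev, "w") as f:
        f.write(text + "\n")


def block_ip(dotted: str, dev: str = FIREWALL_DEV) -> int:
    """Block an address; needs root and the module loaded. Returns the word written."""
    word = ip_to_device_word(dotted)
    _write_command(dev, str(word))
    return word


def collect_syscalls(seconds: float, dev: str = NOTIFY_DEV) -> str:
    """HELLO, wait, FETCH, read, BYE: the sequence from the README.
    BYE is sent even if the read fails, so collection is not left running."""
    _write_command(dev, "HELLO")
    try:
        time.sleep(seconds)
        _write_command(dev, "FETCH")  # must precede the read
        with open(dev) as f:
            return f.read()
    finally:
        _write_command(dev, "BYE")


if __name__ == "__main__":
    print(ip_to_device_word("139.178.84.217"))  # 3646206603
    print(device_word_to_ip(3646206603))        # 139.178.84.217
```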