About Capture BAT
Capture BAT is a behavioral analysis tool developed at Victoria University of Wellington by Ramon Steenson and Christian Seifert. It was designed to meet three requirements: high confidence in the report, portability, and transparency. Capture BAT originates from our high-interaction client honeypot Capture-HPC, but in stand-alone mode it also functions as a behavioral analysis tool for software running on the Win32 family of operating systems, including Windows Vista.
Functional Description
Capture BAT analyzes the state of the operating system and the applications that execute on it by monitoring the file system, the registry, and processes. One monitor covers each of these three areas, and Capture BAT generates a report from the events the three monitors receive.
Since normal system activity constantly generates events, portable exclusion lists instruct the monitors to omit benign events from the final report. There is one exclusion list for each monitor: FileSystemMonitor.exl, RegistryMonitor.exl, and ProcessMonitor.exl. The exclusion lists are simple text-based files that can be created once and moved between environments and configurations, which allows the analyst community to build and share a set of reusable exclusion lists. For example, one could create an exclusion list for an idle Microsoft Windows XP SP2 system; analysts can reuse this list and customize it for their specific needs.
Each event that is not excluded during a Capture BAT run is written to the report. A report entry consists of the name of the monitor and the event information.
Technical Description
Capture BAT consists of two components: a set of kernel drivers and a user space process. The kernel drivers run in kernel space and use event-based detection mechanisms to monitor the state changes that applications such as Microsoft Word and Internet Explorer cause on the system. The user space process, which communicates with the kernel drivers, filters the events against the exclusion lists and writes the remaining events to a report. Both components are written in unmanaged C code.
Kernel Drivers
Capture BAT monitors the system from kernel drivers that use the kernel's existing callback mechanism, which notifies registered drivers when a certain event happens. These callbacks invoke functions inside the kernel driver and pass the actual event information, so that the driver can either modify the operation or, in Capture BAT's case, simply record it. Capture BAT registers its callbacks through the following interfaces:
- CmRegisterCallback, which installs a RegistryCallback routine that is invoked for registry operations
- PsSetCreateProcessNotifyRoutine, which is invoked when a process is created and when it exits
- FltRegisterFilter, which registers the file system minifilter; the minifilter itself is loaded from user space with FilterLoad
When events are received inside the Capture BAT kernel drivers, they are queued until they can be sent to the user space component of the tool. This is accomplished by passing a user-allocated buffer from user space into kernel space; the kernel drivers copy the event information into that buffer, and the application processes it in user space. As with any driver that accepts a buffer from user mode, the address and length of that buffer are attacker-controlled from the kernel's point of view, so a driver using this design has to rely on the I/O manager's buffered or direct I/O handling (or probe the buffer itself) and bound every copy by the length it was handed; an unchecked copy would turn the monitoring device into a kernel write primitive for any local process allowed to open it.
User Space Process
The user space process is the entry point of the Capture BAT application. It is responsible for loading the drivers, processing the events received from the drivers, and writing the events to the report.
As mentioned above, once the user space application has loaded the drivers, it creates a buffer and passes it from user space to the kernel drivers via the Win32 API and the I/O Manager. The kernel drivers copy the event data into the buffer, and the user-level application processes the events from there. Each event is serialized and compared against the entries in the exclusion list for its monitor. The exclusion lists are built from regular expressions, so several related event exclusions can be grouped into one line; this functionality is provided by the Boost::regex library. For each monitor, the exclusion list is parsed into an internal map from event types to the regular expressions that describe the events to omit. If a received event matches an entry in the list, the event is dropped; otherwise, it is written to the final report that Capture BAT generates.
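As an added illustration of this filtering stage (example code written for this page, not Capture BAT's own C implementation), the following Python script parses a small constructed exclusion list, builds the map from event types to compiled regular expressions described above, and runs constructed file system monitor events through it to produce report lines. The tab-separated rule layout, the '+' (exclude) and '-' (always report) prefixes, the `*` wildcard event type, and all paths and process names are assumptions made for the example; the real syntax is whatever the .exl files shipped with Capture BAT use.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed exclusion list in a Capture BAT-like shape (assumed format, not
# the project's own file). One rule per line, four tab-separated fields:
#   <+|->  <event type or *>  <process path regex>  <object path regex>
# '+' drops matching events; '-' keeps them even if a '+' rule also matched.
FILESYSTEM_EXL = "\n".join([
    "# idle Windows XP SP2 noise (constructed sample)",
    "\t".join(["+", "Write", r"C:\\WINDOWS\\explorer\.exe", r"C:\\WINDOWS\\Prefetch\\.*"]),
    "\t".join(["+", "Write", r".*", r"C:\\WINDOWS\\system32\\.*"]),
    "\t".join(["-", "Write", r".*", r"C:\\WINDOWS\\system32\\drivers\\.*"]),
    "\t".join(["+", "*", r".*", r"C:\\WINDOWS\\Temp\\Perflib_.*"]),
])

@dataclass(frozen=True)
class Rule:
    exclude: bool        # True for '+', False for '-'
    process: re.Pattern  # matched against the acting process path
    target: re.Pattern   # matched against the file, key or process acted on

@dataclass(frozen=True)
class Event:
    monitor: str         # "file", "registry" or "process"
    event_type: str      # e.g. "Write", "Delete", "SetValueKey", "created"
    process: str
    target: str

def parse_exclusion_list(text: str) -> Dict[str, List[Rule]]:
    """Parse a list into a map from lower-cased event type ("*" = any) to rules.
    Regexes are compiled case-insensitively because Windows paths are."""
    rules: Dict[str, List[Rule]] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 4 or fields[0] not in ("+", "-"):
            raise ValueError(f"line {lineno}: expected <+|->, type, process regex, object regex")
        sign, event_type, process_re, target_re = fields
        rule = Rule(exclude=(sign == "+"),
                    process=re.compile(process_re, re.IGNORECASE),
                    target=re.compile(target_re, re.IGNORECASE))
        rules.setdefault(event_type.lower(), []).append(rule)
    return rules

def is_excluded(event: Event, rules: Dict[str, List[Rule]]) -> bool:
    """True if the event is dropped. A matching '-' rule beats any '+' rule, so a
    broad exclusion (all writes under system32) can be punched through for paths
    an analyst never wants to lose (new files under drivers\\). fullmatch() keeps
    a regex from matching only a prefix of the path."""
    candidates = rules.get(event.event_type.lower(), []) + rules.get("*", [])
    excluded = False
    for rule in candidates:
        if rule.process.fullmatch(event.process) and rule.target.fullmatch(event.target):
            if not rule.exclude:
                return False
            excluded = True
    return excluded

def filter_events(events: List[Event], rules: Dict[str, List[Rule]]) -> List[str]:
    """Serialize every non-excluded event as one report line."""
    return [f'"{e.monitor}","{e.event_type}","{e.process}","{e.target}"'
            for e in events if not is_excluded(e, rules)]

# Constructed file system monitor events, as they might arrive from the driver.
SAMPLE_EVENTS = [
    Event("file", "Write", r"C:\WINDOWS\explorer.exe",
          r"C:\WINDOWS\Prefetch\NOTEPAD.EXE-336351A9.pf"),
    Event("file", "Write", r"C:\WINDOWS\system32\svchost.exe",
          r"C:\WINDOWS\system32\config\software.LOG"),
    Event("file", "Write", r"C:\Program Files\Internet Explorer\iexplore.exe",
          r"C:\Documents and Settings\user\Local Settings\Temp\update.exe"),
    Event("file", "Write", r"C:\Documents and Settings\user\Local Settings\Temp\update.exe",
          r"C:\WINDOWS\system32\drivers\newdrv.sys"),
    Event("file", "Delete", r"C:\WINDOWS\system32\svchost.exe",
          r"C:\WINDOWS\Temp\Perflib_Perfdata_3f4.dat"),
]

def demo_report() -> List[str]:
    """Run the sample events through the sample list; two report lines survive."""
    return filter_events(SAMPLE_EVENTS, parse_exclusion_list(FILESYSTEM_EXL))

if __name__ == "__main__":
    for line in demo_report():
        print(line)
```

Of the five constructed events, the Prefetch write, the write under system32\config and the Perflib delete are dropped as idle-system noise, while the browser dropping an executable into Temp and that executable writing a new file under system32\drivers both reach the report. The second of those is the case to watch when writing exclusion lists: a broad rule such as "any write under system32" silences exactly the activity an analyst cares about, which is why the example gives '-' rules precedence over '+' rules (an assumption of this example, not a documented Capture BAT feature). Python's `re` stands in for the Boost::regex library the tool uses.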