Ghost in the Machine: Sanctum EDR Uses Rust and “Ghost Hunting” to Unmask Stealth Malware

Sanctum is an EDR under development, built in Rust, designed to do the job of both an antivirus (AV) and an Endpoint Detection and Response (EDR) agent.

Structure

Crate | Description
----- | -----------
driver | Contains the code for the Sanctum driver, which is required for kernel monitoring
um_engine | The usermode engine of the Sanctum application, which communicates with the driver, running processes, and the GUI
injected_dll | A DLL injected into all processes for EDR hooking (note that this is currently phased out, having been replaced with kernel-side hooking after I researched Alt Syscalls for Windows 11). I will leave this in the project for legacy / blog post reasons; I have spent a lot of time hooking functions and writing about it on my blog, so it is good to keep in
gui | A GUI for the Sanctum EDR, using Tauri for rendering
shared_* | Shared crates for the project, for both std and no_std environments
server | To do: this is to be the telemetry server which will receive signals from endpoints

Deprecated modules

The following modules (crates) were used in the project, and documented on my blog, but are now no longer required. If my setup guide refers to these, then you can swiftly disregard those parts.

Crate | Description
----- | -----------
etw_installer | The installer program for creating the ELAM PPL service (installs sanctum_ppl_runner)
sanctum_ppl_runner | An ELAM-signed Protected Process Light which monitors the Event Tracing for Windows Threat Intelligence provider
etw_consumer | Deprecated; sanctum_ppl_runner implements all required features this was intended to solve. Leaving in for learning reasons / linked to my blog post

Features

As a summary of features:

  • Alt Syscalls for kernel-side interception of syscalls
  • Event Tracing for Windows: Threat Intelligence (ETW-TI) telemetry subscription
  • Uses Ghost Hunting to detect signs of malicious activity
  • Detects tampering of NTDLL (thwarts common malware TTPs)
  • Detects rootkit tampering in the kernel
  • DLL injection of EDR (currently deprecated in favour of Alt Syscalls)
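The feature list names Ghost Hunting without describing it. The example below is an added illustration, not code from the Sanctum project, and it assumes one reading of the idea: the kernel-side syscall interception and a usermode hook both report the same syscall, so a syscall that the kernel observes but the usermode feed never reported is a "ghost" worth flagging. The event types, the `find_ghosts` function, the correlation window and the sample telemetry are all constructed here for illustration.

```rust
// Added example: a simplified model of ghost-hunting correlation.
// Not Sanctum's own code. It assumes two telemetry feeds (kernel-side
// syscall interception and a usermode hook) that both report the same
// syscall for the same process, and flags kernel-observed syscalls that
// have no corresponding usermode event within a short time window.
use std::collections::HashMap;

#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub enum Source {
    Kernel,
    Usermode,
}

#[derive(Clone, Debug, PartialEq, Eq)]
pub struct SyscallEvent {
    pub source: Source,
    pub pid: u32,
    pub syscall: String,
    pub ts_ms: u64,
}

impl SyscallEvent {
    pub fn new(source: Source, pid: u32, syscall: &str, ts_ms: u64) -> Self {
        Self { source, pid, syscall: syscall.to_string(), ts_ms }
    }
}

/// Returns kernel-observed syscalls with no matching usermode event for the
/// same (pid, syscall) within `window_ms` before the kernel timestamp.
/// Each usermode event can satisfy at most one kernel event, so a single
/// hooked call cannot "cover" a burst of direct syscalls.
pub fn find_ghosts(events: &[SyscallEvent], window_ms: u64) -> Vec<SyscallEvent> {
    // Process events in timestamp order so matching is deterministic.
    let mut sorted: Vec<&SyscallEvent> = events.iter().collect();
    sorted.sort_by_key(|e| e.ts_ms);

    // Index usermode events by (pid, syscall) with their timestamps in order.
    let mut pending: HashMap<(u32, &str), Vec<u64>> = HashMap::new();
    for &e in sorted.iter().filter(|e| e.source == Source::Usermode) {
        pending.entry((e.pid, e.syscall.as_str())).or_default().push(e.ts_ms);
    }

    let mut ghosts = Vec::new();
    for &e in sorted.iter().filter(|e| e.source == Source::Kernel) {
        let lower = e.ts_ms.saturating_sub(window_ms);
        let matched = match pending.get_mut(&(e.pid, e.syscall.as_str())) {
            Some(times) => match times.iter().position(|&t| t >= lower && t <= e.ts_ms) {
                Some(i) => {
                    // Consume the usermode event so it cannot match twice.
                    times.remove(i);
                    true
                }
                None => false,
            },
            None => false,
        };
        if !matched {
            ghosts.push(e.clone());
        }
    }
    ghosts
}

/// Constructed sample telemetry (not real captures): pid 1000 reaches the
/// kernel through the hooked path for both calls, so each kernel event has a
/// usermode partner; pid 2000's NtOpenProcess is seen by the kernel only.
pub fn sample_events() -> Vec<SyscallEvent> {
    vec![
        SyscallEvent::new(Source::Usermode, 1000, "NtOpenProcess", 100),
        SyscallEvent::new(Source::Kernel, 1000, "NtOpenProcess", 102),
        SyscallEvent::new(Source::Kernel, 2000, "NtOpenProcess", 150),
        SyscallEvent::new(Source::Usermode, 1000, "NtWriteVirtualMemory", 200),
        SyscallEvent::new(Source::Kernel, 1000, "NtWriteVirtualMemory", 201),
    ]
}

fn main() {
    for g in find_ghosts(&sample_events(), 50) {
        println!("ghost syscall: pid={} {} at {}ms", g.pid, g.syscall, g.ts_ms);
    }
}
```

The window matters: a usermode event that arrived long before the kernel event should not count as its partner, which is why the sample uses a 50 ms window and why an expired usermode event still leaves the kernel event flagged. A real deployment would also have to tolerate feed reordering and clock skew between the two sources, which this model leaves out.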

Use
