Dailydave mailing list archives
Re: iDEFENSE Labs Releases Malcode Analyst Pack
From: david () idefense com
Date: Wed, 8 Jun 2005 16:33:00 -0400 (EDT)
Cool - would David Zimmer be interested in explaining how SCLog works?
That would probably have saved me a lot of time last weekend while I tried to manually decompile a new version of rdbot...

Sure, I have been developing a honeypot that can capture network exploits similar to mwcollect, and needed some tools to help analyze payloads. This is one of the creations that has come about along the way.

If you are starting with a packet dump of an exploit, you will first have to extract out just the shellcode payload and save it to a separate file. This is the file that you will be feeding to sclog on the cmdline. There are 4 such sample shellcode payloads included in the sclog/bin folder to play with (*.sc).

When run, sclog will first load the file into memory, install a handful of detours-style API hooks and then jmp to the buffer to send execution to the bytes it loaded from disk. As the shellcode runs and hits various APIs, the hooks will spit out the captured info to the console along with the relative buffer offset where ret will return to. You can also use /dump to have it dump the buffer to disk at the first API call if the payload had an xor decoder in it. At any rate the ret address displayed should line up to the offset in the disasm of the raw shellcode file.

The types of things that are allowed are network communications, file writing etc. Certain APIs like WinExec, system, and CreateProcess are blocked by default unless you use the no safety net (/nonet) option. Network recv and send buffers are also dumped to the console as they go so you can see what it's sending/receiving (although it might be too much console spam). LoadLibrary is monitored and will only allow known dlls to be loaded or else it will halt (unless /nonet). This is to prevent the case of shellcode writing a dll to disk and then using LoadLibrary to execute dllmain, or having it try to call some other possibly dangerous function in an unhooked dll. You can also run it in /step mode where it asks for permission to run each hooked API before continuing.
There are still a lot of APIs that are not hooked; I really only included the core ones that I have found I needed so far. The sandboxing effect of skipping certain APIs is minimal as we only hook a handful of commonly used APIs and are blind beyond that. This leaves the tool's most proper place still to be on goat machines and VM lab environments, and really an aide to manual analysis, not a replacement. However within these constraints it has been pretty handy so far.

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
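The hook policy the post describes (log each hooked API with the offset it will return to inside the payload buffer, refuse WinExec/system/CreateProcess and unknown DLLs unless /nonet is given) as an added C illustration, not sclog's own code: the detours-style hook installation is Windows-specific and omitted, and the DLL allowlist, buffer address and API trace are constructed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical policy mirroring sclog's switch: nonet = "no safety net". */
typedef struct { bool nonet; } policy_t;
typedef enum { HOOK_ALLOW = 0, HOOK_BLOCK = 1 } verdict_t;

/* APIs refused by default (named in the post), LoadLibrary variants, and a
   constructed allowlist of DLLs the sandbox is willing to load. */
static const char *BLOCKED_APIS[] = { "WinExec", "system", "CreateProcessA", "CreateProcessW" };
static const char *LOADLIB_APIS[] = { "LoadLibraryA", "LoadLibraryW" };
static const char *KNOWN_DLLS[]   = { "kernel32.dll", "ws2_32.dll", "wininet.dll", "urlmon.dll" };

/* Case-insensitive membership test (Windows API and DLL names are case-insensitive). */
static bool in_list(const char *s, const char **list, size_t n) {
    for (size_t i = 0; i < n; i++) {
        const char *a = s, *b = list[i];
        while (*a && *b && tolower((unsigned char)*a) == tolower((unsigned char)*b)) { a++; b++; }
        if (*a == '\0' && *b == '\0') return true;
    }
    return false;
}

/* Offset the hooked API will return to, relative to the loaded payload buffer;
   -1 when the return address is outside it (a call that did not come from the payload). */
long ret_offset(uintptr_t ret, uintptr_t buf, size_t len) {
    if (ret < buf || ret >= buf + len) return -1;
    return (long)(ret - buf);
}

/* One hook dispatch: log the call with its buffer offset, then apply the policy. */
verdict_t on_api_call(const policy_t *p, const char *api, const char *arg,
                      uintptr_t ret, uintptr_t buf, size_t len) {
    long off = ret_offset(ret, buf, len);
    verdict_t v = HOOK_ALLOW;
    if (!p->nonet && in_list(api, BLOCKED_APIS, 4)) v = HOOK_BLOCK;
    if (!p->nonet && in_list(api, LOADLIB_APIS, 2) && !in_list(arg, KNOWN_DLLS, 4)) v = HOOK_BLOCK;
    if (off < 0) printf("%-13s %-16s ret -> outside buffer [%s]\n", api, arg, v ? "HALT" : "ok");
    else         printf("%-13s %-16s ret -> buf+0x%lx [%s]\n", api, arg, off, v ? "HALT" : "ok");
    return v;
}

int main(void) {
    /* Constructed trace standing in for hooks firing from a 256-byte payload at 0x400000. */
    const uintptr_t buf = 0x400000; const size_t len = 256; const policy_t safe = { false };
    struct { const char *api, *arg; uintptr_t ret; } trace[] = {
        { "LoadLibraryA", "ws2_32.dll", buf + 0x2a }, { "connect", "10.0.0.5:4444", buf + 0x51 },
        { "LoadLibraryA", "dropped.dll", buf + 0x7e }, { "WinExec", "cmd.exe", buf + 0x90 } };
    for (size_t i = 0; i < 4; i++)
        if (on_api_call(&safe, trace[i].api, trace[i].arg, trace[i].ret, buf, len) == HOOK_BLOCK) {
            printf("payload halted; rerun with /nonet to let it continue\n"); break; }
    return 0;
}
```

Each logged offset is what you would look up in the disassembly of the raw .sc file to find the call site; the run stops at the first blocked call, which is where a dropped DLL or a process launch would otherwise have escaped the hooks.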