Dailydave mailing list archives

Re: iDEFENSE Labs Releases Malcode Analyst Pack


From: david () idefense com
Date: Wed, 8 Jun 2005 16:33:00 -0400 (EDT)

Cool - would David Zimmer be interested in explaining how SCLog works?
That would probably have saved me a lot of time last weekend while I
tried to manually decompile a new version of rdbot...

Sure,

I have been developing a honeypot that can capture network exploits
similar to mwcollect, and needed some tools to help analyze payloads.

This is one of the creations that has come about along the way.

If you are starting with a packet dump of an exploit, you will first have
to extract out just the shellcode payload and save it to a separate file.
This is the file that you will be feeding to sclog on the cmdline.

There are 4 such sample shellcode payloads included in the sclog/bin
folder to play with (*.sc).

When run, sclog will first load the file into memory, install a handful of
detours style API hooks and then jmp buffer to send execution to the bytes
it loaded from disk.

As the shellcode runs and hits various APIs, the hooks will spit out the
captured info to console along with the relative buffer offset where ret
will return to.

You can also use /dump to have it dump the buffer to disk at the first API
call if the payload had an xor decoder in it. At any rate the ret address
displayed should line up to the offset in the disasm of the raw shellcode
file.

The types of things that are allowed are network communications, file
writing etc.

Certain APIs like WinExec, system, and CreateProcess are blocked by default
unless you use the no safety net (/nonet) option.

Network recv and send buffers are also dumped to console as they go so you
can see what it's sending/receiving (although it might be too much console
spam).

LoadLibrary is monitored and will only allow known DLLs to be loaded or
else it will halt (unless /nonet).

This is to prevent the case of shellcode writing a DLL to disk and then
using LoadLibrary to execute DllMain or having it try to call some other
possibly dangerous function in an unhooked DLL.

You can also run it in /step mode where it asks for permission to run each
hooked API before continuing.

There are still a lot of APIs that are not hooked; I really only included
the core ones that I have found I needed so far.

The sandboxing effect of skipping certain APIs is minimal as we only hook a
handful of commonly used APIs and are blind beyond that.

This leaves the tool's most proper place still to be on goat machines and
VM lab environments, and really an aid to manual analysis, not a
replacement.

However within these constraints it has been pretty handy so far.
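The safety-net rules David describes (return offset relative to the loaded buffer, WinExec/system/CreateProcess blocked unless /nonet, LoadLibrary limited to known DLLs, /dump at the first API call) modelled as a small event processor. This is an added example, not sclog's code: the hook events, the block list and the known-DLL allowlist are constructed stand-ins, and the real tool reads the return address from the stack inside a detours-style hook rather than from an event object.

```python
from dataclasses import dataclass, field
# Constructed stand-ins for sclog's default policy tables (assumptions, not the tool's lists).
BLOCKED_UNLESS_NONET = {"WinExec", "system", "CreateProcessA", "CreateProcessW"}
KNOWN_DLLS = {"kernel32.dll", "ws2_32.dll", "wininet.dll", "urlmon.dll"}

@dataclass
class HookEvent:
    api: str                                  # hooked API that fired
    ret_addr: int                             # return address the hook read off the stack
    args: dict = field(default_factory=dict)
@dataclass
class SclogModel:
    base: int                                 # address the payload bytes were loaded at
    nonet: bool = False                       # /nonet: drop the safety net
    dump: bool = False                        # /dump: write the buffer at the first API call
    log: list = field(default_factory=list)
    dumped: bool = False
    halted: bool = False

    def on_hook(self, ev: HookEvent) -> str:
        """Apply the policy to one hook hit; return 'allow', 'block' or 'halt'."""
        if self.halted:                       # nothing runs after a halt
            return "halt"
        off = ev.ret_addr - self.base         # offset that lines up with the disasm
        if self.dump and not self.dumped:     # any xor decoder has run by now
            self.log.append(f"dump: buffer written to disk (first call at +0x{off:x})")
            self.dumped = True
        lib = ev.args.get("lib", "").lower()
        if ev.api in BLOCKED_UNLESS_NONET and not self.nonet:
            action = "block"                  # skip the call, keep logging
        elif ev.api.startswith("LoadLibrary") and lib not in KNOWN_DLLS and not self.nonet:
            action, self.halted = "halt", True  # unknown DLL: stop the run
        else:
            action = "allow"
        argtxt = ", ".join(f"{k}={v!r}" for k, v in ev.args.items())
        self.log.append(f"{ev.api}({argtxt}) ret=+0x{off:x} -> {action}")
        return action

def run_events(events, base=0x401000, nonet=False, dump=False):
    """Feed hook events through the model; return (actions, log lines)."""
    m = SclogModel(base=base, nonet=nonet, dump=dump)
    return [m.on_hook(e) for e in events], m.log

# Constructed trace of a bot-style payload: load winsock, receive, try to execute.
SAMPLE = [
    HookEvent("LoadLibraryA", 0x401035, {"lib": "ws2_32.dll"}),
    HookEvent("recv", 0x401081, {"len": 1024}),
    HookEvent("WinExec", 0x4010a0, {"cmd": "cmd.exe /c dir"}),
    HookEvent("LoadLibraryA", 0x4010c2, {"lib": "dropped.dll"}),
    HookEvent("CreateProcessA", 0x4010d9, {"cmd": "x.exe"}),
]
```

Running `run_events(SAMPLE)` blocks the WinExec call, halts at the unknown DLL and logs nothing after that; `nonet=True` lets every call through, which is the trade-off the /nonet option makes.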

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
