The filters are written on C and C++ packed into an icap server or webservices, for systems scripting we choosed python and for the web interface PHP5 + JQuery integrated into a customized MVC framework from scratch. We also have developed an SMTP proxy and a Microsoft Windows client to cover more leak vectors.

Analyzing ssl

Malware detection

Drainware Dynamic Interface preview

Modules configuration

General configuration

Importing groups from Active Directory

Configuration Wizard

Network Segment isolation

Releasing isolated segment

Network routes configuration

Webfilter reporting

DLP Configuration

Cuckoo Sandbox started as a Google Summer of Code project in 2010 within The Honeynet Project.
It was designed and developed by Claudio “nex” Guarnieri, who still mantains it and coordinates all efforts from joined contributors.

If you need compile mongodb 2.0.1 as shared library,you have to make some modifications in the code. We needed so we are sharing with you the patch

http://pastebin.com/ZxKwjeNi

• PDF files – samples/sample-pdf.file
• Packet Captures – samples/sample-http-exploit.pcap
• HTML files
• JavaScript files
• SWF files

Get the sourcecode

svn checkout http://jsunpack-n.googlecode.com/svn/trunk/ jsunpack-n-read-only

Users can upload files, or enter script contents and URLs to decode. If you choose to install jsunpack-n on your own system, you can run it with the following command to fetch and decode a URL:

$ ./jsunpackn.py -u URL

Optionally, you can specify the -a option, which fetches further decoded URLs or paths. If you wish to decode a local file instead, you can simply run:

$ ./jsunpackn.py samples/sample-pdf.file

Other samples of malicious files exist within the samples directory.

One common problem running jsunpack-n is when there is no output. This means that there are no signature matches but it could mean that the file was decoded. You have the choice to use -v (verbose) or -V (veryverbose) to get more information in case jsunpack-n outputs nothing.

libemu supports:

• Executing x86 instructions
  • Reading x86 binary code
  • Register emulation
  • Basic FPU emulation
• Shellcode execution
  • Shellcode detection
    • Using GetPC heuristics
    • Static analysis
    • Binary backwardstraversal
  • Win32 API hooking

With libemu one can:

• Detect shellcodes
• Execute the shellcodes
• Profile shellcode behaviour

Obtaining libemu via Git

git clone git://git.carnivore.it/libemu.git

Example Programs

cpurun

cpurun is a small utility allowing to write code to the emulations memory and executing the code written, basics.
Download:
View Code
Download Code

emunids

emunids is a small intrusion detection system using libnids for tcp stream reassembly and libemu to detect shellcodes in streams. Due too libnids bad performance it does not scale on links (much) faster than 2MBit/s, but it is still a good example howto use libemu.

Download:
View Code
Download Code

sctest

sctest is part of the libemu testsuite and very usefull when testing new features. Even though the code is historically tainted it may be a usefull source for those who want to setup shellcode emulation allowing win32 api calls and offering hooks on these calls. sctest is not the best example, the code is nerved by the logic for graphing the callflow, but for now it has to work.
Location:
View Code

Example Use Cases

Metasploit linux/x86/shell_bind_tcp

This is a linux shellcode, provided by the Metasploit Framework. The payload was constructed using

./msfpayload linux/x86/shell_bind_tcp r | \
./msfencode -a x86 -e x86/shikata_ga_nai -t raw

Hacking libemu

Win32 API Hooks

Hooking calls to (supported) windows dll’s is very easy.
Look at sctest within the examples section to see how the user_hook_ExitThread is implemented and gets installed.

Adding Support For More DLLs

Currently libemu uses a static approach which DLLs can be loaded, as they are hardcoded within the Win32 environment.
To support a new DLL, you have to have a copy of the DKK, load the DLL into process memory in Windows, and dump the required sections. Then, these required sections have be written to memory in libemu once the DLL gets loaded. If you want to support a different DLL, contact us, we will add support for the DLL and extend this guide to allow others supporting their DLLs too.

Didier Stevens has modified version of SpiderMonkey Mozilla’s C implementation of JavaScript, with some extra functions to help with malware analysis.

Additional functionality:

• document.write
• eval(arg) writes arg to a file
• window.navigate

Didier has adapted the SpiderMonkey source code to include the document object. Not that my method is better than Verenini’s, I just wanted to play with SpiderMonkey. An upcoming “Virus Lab” post will explain how I use this adapted SpiderMonkey, but for now I want to explain how I proceeded to modify SpiderMonkey.

If you’re not familiar with the SpiderMonkey source-code, were do you start? I want to implement a document object with a write method. Is there something similar in JavsScript? Take a look at the Math object.

js
js>Math
[object Math]

The Math object has several methods, like sin:
js> Math.sin(3.1415926/2)
0.9999999999999997

document does not exist:
js> document
2: ReferenceError: document is not defined

The trick is to add a document object that has the same behaviour as the Math object (i.e. same members), and if this works, we adapt the document object by removing all Math members and adding a write method.

Greping for Math in the source code reveals that the object is defined in jsmath.c and jsmath.h. This is good, the Math object is defined in it’s own source files. So we will make our own source files for document based on Math: copy jsmath.[ch] to jsdocument.[ch]. Then edit jsdocument.[ch] and replace Math with document (there are some execeptions, like math.h).

Then we add jsdocument.[ch] to the makefile.
Greping for jsmath.h reveals that it’s included in jsapi.c. A quick search for
Math in jsapi.c reveals this code:

js_InitMathClass(cx, obj) &&
{js_InitMathClass, ATOM_OFFSET(Math)},

We add our own code:

js_InitDocumentClass(cx, obj) &&
{js_InitDocumentClass, ATOM_OFFSET(Document)},

Now when we build, we’ll get an error because we use a Document ATOM that we didn’t define. A bit of searching in the source code shows that atoms are defined in jsatom.[ch]. We search for Math and add extra code for Document.
And now the build succeeds!

js
js> document
[object document]
js> document.sin(3.1415926/2)
0.9999999999999997

Now we have to remove all members and add our own write method, but this is for another post, where I’ll publish my modified spidermonkey (it’s GPLed).

Reversing with the commented source code is not so difficult as reversing binaries, especially the patching process. If you want to add a new feature, look for an existing similar feature and do an “intelligent” copy-paste of the source code.

Download source code:

js-1.7.0-mod.tar.gz (https)

MD5: A64B079FAEFD6BA23CAC3FCC7EF41AC7

SHA-256: 74DD063F13647505ABB11FA3D1A5D44DA35A3F73F18FE973F93FBA5E349B8BA9
js-1.5-mod-0.3.tar.gz (https)

MD5: 59D7C7F67903A00AFC97C9BEDD7E1F54

SHA256: B1B51F3FD357635AD6BE90D183416DAA7783972F9BAF15E36B0A5B9BF748A570

collectEmailInfo is an undocument Adobe Acrobat JavaScript method with a vulnerability (fixed in Adobe Acrobat Reader 8.1.2). Didier’s Spidermonkey version helps to extract the shell code.

pdf-parser.py

This tool will parse a PDF document to identify the fundamental elements used in the analyzed file. It will not render a PDF document. The code of the parser is quick-and-dirty, I’m not recommending this as text book case for PDF parsers, but it gets the job done.

Download:

pdf-parser_V0_3_7.zip (https)

MD5: BDC0E5A82EB6D7C287E7360D8901023D

SHA256: C83D39F8938A00A3EB2BDE3134EFAF3A2BE11E72C2C8A92841D4E1E82366D7E1

make-pdf tools
make-pdf-javascript.py allows one to create a simple PDF document with embedded JavaScript that will execute upon opening of the PDF document. It’s essentially glue-code for the mPDF.py module which contains a class with methods to create headers, indirect objects, stream objects, trailers and XREFs.

If you execute it without options, it will generate a PDF document with JavaScript to display a message box (calling app.alert).

To provide your own JavaScript, use option –javascript for a script on the command line, or –javascriptfile for a script contained in a file.

Download:

make-pdf_V0_1_1.zip (https)

MD5: 9AF2E343B78553021C989E8E22355531

SHA256: C604679ABEB0469C1463159E02E74F12487B2755A6096B416A8F4F638DEB8AA9

pdfid.py
This tool is not a PDF parser, but it will scan a file to look for certain PDF keywords, allowing you to identify PDF documents that contain (for example) JavaScript or execute an action when opened. PDFiD will also handle name obfuscation.

Download:

pdfid_v0_0_11.zip (https)

MD5: 99BFA4916EC5E005953E3D9D8AD96C83

SHA256: C831569C8139D5CA5709600B987C929716FE58B1DD6B65F18EC84473A83B4075

PDFTemplate.bt
This is a 010 Editor template for the PDF file format.
It’s particularly useful for malformed PDF files, like this example with PDFUnknown structures:

Is a GPL plugin based on Akismet and using our FREE API. Our API will check each comment is written in your WordPress Blog and will determine with our intelligent content filter engine if that comment is allowed for your website.

Install

1. Download plugin and unzip.
2. Upload the plugin file to your WordPress plugins directory inside of wp-content.
3. Activate it from the plugins menu inside of WordPress.
4. Forget that undesirable comments was ever a problem.

Download Drainware comments filter (drainware.comments.filter.zip)