Advanced shellcode detection via debugging and intelligent function hooking.

Description:
Starts the execution of an x86 32-bit ONLY vulnerable program with optional command line parameters and hooks the API names read from a text file. When one of these API calls is hit, the program repeatedly “runs until return” and checks the return address for shellcode-like characteristics.
Hooking a large number of commonly called functions will slow down execution and may cause a crash.
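The return-address check sketched above, as an added C example that is not the project's own code. The page does not say which characteristics it tests, so the heuristic here (a legitimate return lands in the executable section of a loaded module; a return into private executable memory, non-executable memory or unmapped memory is flagged) and the 32-bit memory map are my assumptions, constructed inline.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* One memory region as the debugger sees it after "run until return".
 * In a real tool this would come from VirtualQueryEx / module enumeration;
 * here it is a constructed table (assumption). */
typedef struct {
    uint32_t base, size;
    bool executable;    /* PAGE_EXECUTE* protection */
    bool image_backed;  /* MEM_IMAGE: mapped from a loaded PE module */
    const char *name;
} region_t;

typedef enum {
    RET_MODULE_CODE,     /* inside a loaded module's code: normal */
    RET_MODULE_DATA,     /* inside a module but not executable: suspect */
    RET_PRIVATE_EXEC,    /* executable heap/stack/VirtualAlloc: shellcode-like */
    RET_NOT_EXECUTABLE,  /* return into non-executable memory */
    RET_UNMAPPED
} ret_class_t;

/* Constructed 32-bit process map: small EXE, one DLL, an RWX heap block, stack. */
const region_t sample_map[] = {
    {0x00401000, 0x00010000, true,  true,  "vuln.exe .text"},
    {0x00411000, 0x00005000, false, true,  "vuln.exe .data"},
    {0x77000000, 0x00100000, true,  true,  "kernel32.dll .text"},
    {0x00350000, 0x00010000, true,  false, "heap block (RWX)"},
    {0x0012D000, 0x00003000, false, false, "stack"},
};
const size_t sample_map_len = sizeof sample_map / sizeof sample_map[0];

ret_class_t classify_return(const region_t *map, size_t n, uint32_t ret) {
    for (size_t i = 0; i < n; i++) {
        const region_t *r = &map[i];
        if (ret < r->base || ret - r->base >= r->size) continue;  /* not in region */
        if (r->image_backed) return r->executable ? RET_MODULE_CODE : RET_MODULE_DATA;
        return r->executable ? RET_PRIVATE_EXEC : RET_NOT_EXECUTABLE;
    }
    return RET_UNMAPPED;
}

/* The hook's decision: anything but a return into module code is flagged. */
bool shellcode_like(const region_t *map, size_t n, uint32_t ret) {
    return classify_return(map, n, ret) != RET_MODULE_CODE;
}

int main(void) {
    uint32_t probes[] = {0x00402345, 0x00350120, 0x0012E000, 0x00411010, 0x00000000};
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("ret=0x%08X class=%d flagged=%s\n", probes[i],
               classify_return(sample_map, sample_map_len, probes[i]),
               shellcode_like(sample_map, sample_map_len, probes[i]) ? "yes" : "no");
    return 0;
}
```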

flyonshellcode

System Requirements
+ Minimum OS – Windows 7 x64 (Tested).
+ Should run on Windows 8/10.

Warnings
This program will RUN the supplied executable and malicious input file. USE ONLY IN MALWARE RESEARCH LABS.

Notes
This program can be anywhere from very stable to very unstable depending on which APIs are hooked. Avoiding manual navigation of the “File Open” and similar dialogs from within the program will help eliminate crashes caused by large delays in execution.

Compiling & Dependencies:
1. Initially written and compiled with Visual Studio 2010; recently transitioned to Visual Studio 2015.
2. Compile the latest TitanEngine project (https://bitbucket.org/titanengineupdate/titanengine-update), which is used as the debugging engine in this program.
3. Example: Place the binaries and “.lib” file into the “\TitanEngine\” folder and the DLL into the same directory as the main .EXE.
4. Compile the latest ScyllaHide project and place the DLL and configuration file into the appropriate folder.
5. Example: Place the ScyllaHide DLL file into the “\Release\plugins\x86\” folder.

Download: 3.1.zip | 3.1.tar.gz
Source: https://github.com/Sec-Mini-Projects

Source: Security List Network™ @ November 30, 2016 at 12:43AM
