Introduction

Note: The Malcode Analyst Pack was originally released through iDefense. They are no longer making the package available for download, so I have picked up support for it and continue to make it available. Its current home is sandsprite.com.

Design intent

This install package contains a handful of small utility-type applications that have proven useful while analyzing malicious code.

These are quick tools designed to meet specific needs in a malcode testing lab environment. Functionality is tailored specifically to those ends — implementation may be crude at some points, but all have proven utility.

Package contents

Tool	Purpose
ShellExt	Explorer right-click context-menu suite (hashing, strings, VT, PE inspection)
SocketTool	Manual TCP client for probing functionality
MailPot	Mail server capture pot
fakeDNS	Spoofs DNS responses to controlled IPs
sniff_hit	HTTP, IRC, and DNS sniffer
sclog	Shellcode research and analysis application
IDCDumpFix	Aids in quick RE of packed applications
Shellcode2Exe	Embeds multiple shellcode formats in an exe husk
GdiProcs	Detects hidden processes via the GDI shared handle table
jsDecode	IE-based script decoder
finddll	Search processes for a loaded DLL
VirusTotal helper	Bulk hash lookups or single-file VT search from Explorer's right-click menu
LoadLib	Load DLLs into memory from the command line
procwatch	Watches for process creation/termination
dirwatch	Watches for file creation/modification, optionally auto-saving copies

Tool

Purpose

ShellExt

Explorer right-click context-menu suite (hashing, strings, VT, PE inspection)

SocketTool

Manual TCP client for probing functionality

MailPot

Mail server capture pot

fakeDNS

Spoofs DNS responses to controlled IPs

sniff_hit

HTTP, IRC, and DNS sniffer

sclog

Shellcode research and analysis application

IDCDumpFix

Aids in quick RE of packed applications

Shellcode2Exe

Embeds multiple shellcode formats in an exe husk

GdiProcs

Detects hidden processes via the GDI shared handle table

jsDecode

IE-based script decoder

finddll

Search processes for a loaded DLL

VirusTotal helper

Bulk hash lookups or single-file VT search from Explorer's right-click menu

LoadLib

Load DLLs into memory from the command line

procwatch

Watches for process creation/termination

dirwatch

Watches for file creation/modification, optionally auto-saving copies

Dependencies

ShellExt.Strings uses the MS VBScript RegExp 1.0 that ships with IE5+. ShellExt.HashFiles uses the MS Base Crypto Services.

External dependencies also include mscomctl.ocx, mswinsck.ocx, richtx32.ocx, vbDevKit.dll, and spSubclass.dll. All of these are included in the installer package.

If you are running an early Win2k or Win98 machine, you may also need to install the VB 6 Runtimes (1 MB).

Changelog

2005

6.10.2005 — initial iDefense release.

7.7.05 — FakeDns: error handling in form_resize, fixes a crash when minimized. sclog: ipfromlng() changed char* to unsigned char* (some IPs were displayed as negative numbers). HashFiles: added Display Unique and Delete Duplicates buttons.

7.16.05 — sclog: now dynamically links to msvcrt so the hook DLL works (oops). Added /nohex and /anydll options. Added SetUnhandledExceptionFilter.

8.10.05 — fakedns: now destroys/creates a fresh socket object for every response. Some DNS clients seemed to need this reset to keep working after the first response.

9.24.05 — sniff_hit: added DNS sniffer; added right-click menus to copy/clear IP lists. sclog: SetConsoleMode broke the Ctrl-C handler, now only used for step mode.

12.16.05 — shellext: added Md5 File option to hash individual files.

12.28.05 — mailpot: added textbox for user-defined port; added Copy All menu item.

2006

1.02.06 — added Shellcode2Exe to installer; added sclog video trainer; help files redone.

1.09.06 — mailpot: added 500-error message for unsupported SMTP commands (Zori.c); increased idle timeout to 8 seconds; implemented command receive buffer (waits for CR or LF before evaluating SMTP command); changed listview-add method (could act up on multiple fast sends); added form-resize support.

2.02.06 — added GdiProcs.exe. mailpot: added support for RSET, VRFY, NOOP for new bagle (thanks Vinoo).

2007

9.13.07 — fixed MD5 code (broke after a Microsoft update). Added jsDecode.

2012

5.5.12 — added virustotal.exe and the right-click VT option (bulk and single search). Added compile time and a bunch of right-click options to Hash Files. Added finddll.exe. Reworked Strings (progress bar, search-all-occurrences, rescan with new minimum length). Updated help file. Added loadlib.exe. sniff_hit now defaults to non-promiscuous mode.