Author: David Zimmer <dzzie@yahoo.com>
Note:
The Malcode Analyst Pack was originally released through iDefense when I used
to work there. They are currently no longer making the package available for download,
so I have decided to pick up support for it and make it available again. Its new home
page can be found here:
Design Intent
-------------------------------------------------------------------
This install package contains a handful of small utility-type
applications that have proven useful while analyzing malicious code.
These are quick tools designed to meet specific needs in a malcode
testing lab environment. Functionality is tailored specifically to
those ends; the implementation may be crude in places, but all of
them have proven their utility.
Package Contents
-------------------------------------------------------------------
This package includes:
  • ShellExt      - Explorer shell extensions
  • socketTool    - manual TCP client for probing functionality
  • MailPot       - mail server capture pot
  • fakeDNS       - spoofs DNS responses to controlled IPs
  • sniff_hit     - HTTP, IRC, and DNS sniffer
  • sclog         - shellcode research and analysis application
  • IDCDumpFix    - aids in quick RE of packed applications
  • Shellcode2Exe - embeds multiple shellcode formats in an exe husk
  • GdiProcs      - used to detect hidden processes
  • jsDecode      - IE-based script decoder
  • finddll       - search processes for a loaded DLL
  • Virustotal    - bulk hash lookups, or single-file search from the Explorer right-click menu
  • LoadLib       - load DLLs into memory from the command line
Dependencies:
-------------------------------------------------------------------
ShellExt.Strings uses the MS VBScript RegExp 1.0 that comes with IE5+.
ShellExt.HashFiles uses the MS Base Crypto Services.
External dependencies also include mscomctl.ocx, mswinsck.ocx, richtx32.ocx,
vbDevKit.dll, and spSubclass.dll. All of these dependency files are included
in the installer package.
If you are running an early Win2k or Win98 machine, you may additionally have
to install the VB 6 Runtimes (1 MB).
ChangeLog:
-------------------------------------------------------------------
6.10.2005 - initial iDefense release
7.7.05
FakeDns - added error handling in form_resize (fixes the crash-when-minimized bug)
Sclog - ipfromlng() changed char* to unsigned char*; some IPs were displayed as negative numbers
HashFiles - added 2 new buttons, Display Unique and Delete Duplicates
7.16.05
sclog - now dynamically links to msvcrt, and so does the hook DLL (oops);
added /nohex and /anydll options; added SetUnhandledExceptionFilter
8.10.05
fakedns - now destroys and creates a fresh socket object for every response;
some DNS clients seemed to need this reset to keep working after the
first response.
9.24.05
sniff_hit - added DNS sniffer; added right-click menus to copy/clear IP lists
sclog - SetConsoleMode broke the Ctrl-C handler; it is now only used for step mode.
12.16.05
shellext - added an MD5 File option to hash individual files.
12.28.05
mailpot - added a textbox for the user to define the port, and a Copy All menu item
1.02.06
added Shellcode2Exe to the installer
added sclog video trainer
help files redone
01.09.06
mailpot - added 500 error message for unsupported SMTP commands (Zori.c);
increased idle timeout to 8 seconds;
implemented a command receive buffer, waits until CR or LF before evaluating the SMTP command;
changed the method of adding items to the listview, which could act up on multiple fast sends;
added form resize code so you can maximize
02.02.06
added GdiProcs.exe
mailpot - added support for RSET, VRFY, NOOP for new bagle (thanks Vinoo)
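The MailPot entries above describe a capture pot that buffers input until a CR or LF arrives, evaluates one SMTP command per line, answers RSET, VRFY and NOOP, and returns a 500 for anything it does not understand. The following is an added example, not MailPot's own code, of that behaviour as a small Python state machine plus a lab listener: it records what a sample tries to send and never relays anything. The hostname, port and exact reply strings are constructed for this example; only the 500-for-unsupported-commands rule, the 8-second idle timeout and the line-buffered command handling come from the changelog.

```python
import re
import socket

CRLF = b"\r\n"


class SmtpCapturePot:
    """Line-buffered SMTP sink: stores what a client tries to send, delivers nothing."""

    def __init__(self, hostname="mailpot.lab"):  # constructed placeholder hostname
        self.hostname = hostname.encode()
        self.buf = b""          # command receive buffer (bytes not yet terminated by CR/LF)
        self.in_data = False    # True between DATA and the terminating "." line
        self.sender = None
        self.rcpts = []
        self.body = []
        self.messages = []      # captured (sender, recipients, raw body) tuples

    def greeting(self):
        return b"220 " + self.hostname + b" capture pot ready" + CRLF

    def feed(self, chunk):
        """Append raw socket bytes; return the replies produced by every complete line."""
        self.buf += chunk
        replies = []
        while True:
            m = re.search(rb"\r\n|\r|\n", self.buf)
            if m is None:
                break
            # a lone trailing CR may be the first half of a CRLF still in flight: wait
            if m.group() == b"\r" and m.end() == len(self.buf):
                break
            line, self.buf = self.buf[:m.start()], self.buf[m.end():]
            reply = self._data_line(line) if self.in_data else self._command(line)
            if reply is not None:
                replies.append(reply + CRLF)
        return replies

    def _reset(self):
        self.sender, self.rcpts, self.body = None, [], []

    @staticmethod
    def _addr(arg):
        m = re.search(rb"<([^>]*)>", arg)          # MAIL FROM:<a@b> / RCPT TO:<c@d>
        return m.group(1) if m else arg.partition(b":")[2].strip()

    def _data_line(self, line):
        if line == b".":                            # end of message
            self.in_data = False
            self.messages.append((self.sender, list(self.rcpts), CRLF.join(self.body)))
            self._reset()
            return b"250 OK: message captured"
        if line.startswith(b".."):                  # undo RFC 5321 dot-stuffing
            line = line[1:]
        self.body.append(line)
        return None

    def _command(self, line):
        verb, _, arg = line.strip().partition(b" ")
        verb = verb.upper()
        if verb in (b"HELO", b"EHLO"):
            return b"250 " + self.hostname
        if verb == b"MAIL":
            self.sender = self._addr(arg)
            return b"250 OK"
        if verb == b"RCPT":
            self.rcpts.append(self._addr(arg))
            return b"250 OK"
        if verb == b"DATA":
            self.in_data = True
            return b"354 End data with <CR><LF>.<CR><LF>"
        if verb == b"RSET":
            self._reset()
            return b"250 OK"
        if verb == b"NOOP":
            return b"250 OK"
        if verb == b"VRFY":                         # neither confirm nor reject a user
            return b"252 Cannot VRFY user, but will accept message"
        if verb == b"QUIT":
            return b"221 " + self.hostname + b" closing connection"
        return b"500 Command not recognized"        # unsupported verbs get the 500 MailPot added


def serve(port=2525, host="127.0.0.1"):
    """Single-connection listener so the state machine can sit on a lab interface."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(1)
        while True:
            conn, peer = srv.accept()
            pot = SmtpCapturePot()
            with conn:
                conn.sendall(pot.greeting())
                conn.settimeout(8)                  # idle timeout, as in the changelog
                try:
                    while chunk := conn.recv(4096):
                        for reply in pot.feed(chunk):
                            conn.sendall(reply)
                except socket.timeout:
                    pass
            for sender, rcpts, body in pot.messages:
                print(f"{peer[0]}: {sender!r} -> {rcpts!r}, {len(body)} bytes")


if __name__ == "__main__":
    serve()
```

Keeping the protocol logic in `feed()` separate from the socket loop is what makes the line-buffering rule testable: commands split across TCP segments, or sent as a burst in one segment, produce the same replies, which is the "multiple fast sends" case the changelog had to fix on the UI side.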
09.13.07
fixed MD5 code which broke after some MS update :(
added jsDecode script
5.5.12
added virustotal.exe, and a right-click option for VirusTotal; supports bulk and single searches
added compile time and a bunch of right-click options to Hash Files
added finddll.exe
reworked the strings interface: progress bar, search all occurrences, and rescan with a new minimum string length
updated help file
added loadlib.exe
sniffhit now defaults to non-promiscuous mode