iDefense Labs Software Releases

SysAnalyzer

Fri, 19 Jan 2007 05:00:00 UTC

Author: David Zimmer
Size: 1.9mb
MD5: B75F17199AB6EB781595758C51413EF3

SysAnalyzer is an automated malcode run time analysis application that monitors various aspects of system and process states.

SysAnalyzer was designed to enable analysts to quickly build a comprehensive report as to the actions a binary takes on a system.

Updated 1/19/07: added known file db

SysAnalyzer can automatically monitor and compare:

Running Processes
Open Ports
Loaded Drivers
Injected Libraries
Key Registry Changes
APIs called by a target process
File Modifications
HTTP, IRC, and DNS traffic

SysAnalyzer also comes with a ProcessAnalyzer tool which can perform the following tasks:

Create a memory dump of target process
parse memory dump for strings
parse strings output for exe, reg, and url references
scan memory dump for known exploit signatures

Full GPL source for SysAnalyzer is included in the installation package:
Overview | Video Tour

FileFuzz

Wed, 15 Nov 2006 05:00:00 UTC

Author: Michael Sutton
Size: ~469k
MD5: ac44339e856f04e116dde59389583ba9

Updated 11/15/06: Recompiled under Microsoft .NET 2.0

FileFuzz is a graphical Windows based file format fuzzing tool. FileFuzz was designed to automate the launching of applications and detection of exceptions caused by fuzzed file formats.

Malcode Analysis Pack

Mon, 13 Nov 2006 05:00:00 UTC

Author: David Zimmer
Size: ~2mb
MD5: 20B5A8F02EC56DDBC230CC1FFEF67D88
Update Summary:
Fixed md5 bug, added jsDecode
Added GdiProcs.exe, mailpot added RSET command, fixed sniffing restart bug

The Malcode Analyst Pack contains a series of utilities that were found to be necessary tools while doing rapid malcode analysis.

Included in this package are:

• ShellExt	- 4 explorer shell extensions
• socketTool	- manual TCP Client for probing functionality.
• MailPot	- mail server capture pot
• fakeDNS	- spoofs dns responses to controlled ip's
• sniff_hit	- HTTP, IRC, and DNS sniffer
• sclog	- Shellcode research and analysis application
• IDCDumpFix	- aids in quick RE of packed applications
• Shellcode2Exe	- embeds multiple shellcode formats in exe husk
• GdiProcs	- detect hidden processes

For screen shots and tool descriptions please refer to the MAP overview document below:
Sclog Trainer | MAP Overview

iDbg

Tue, 12 Sep 2006 05:00:00 UTC

Author: David Zimmer
Size: ~900k
MD5: F8D603E836FEFF8771BE6B9BADEEDCBC

iDBG is a Debugger Library packaged as an ActiveX Control which can be easily used from any COM aware language. Designed for the quick development of testing applications that require built in debugging or tracing functionality. iDbg is Open source and released under GPL license.

Sample code provided for VB6, PHP5, and C#.

OllyDbg Heap Vis

Fri, 11 Aug 2006 05:00:00 UTC

Author: Pedram Amini
Size: ~323k
MD5: 03ACBB54380246CABA057841E8268840
Update Summary: Fixed bug that was causing the plug-in to hang

You may have noticed the ghosted "Heap" option under the "View" menu in OllyDBG. The feature is available only under Windows 95 based OSes and is supposed to display a list of allocated memory blocks. The Olly Heap Vis plug-in was written to provide this functionality and more on all modern Windows OSes such as Windows 2000, XP and 2003. The OllyDbg Heap Vis plug-in exposes the following functionality:

View Heaps
Search Heaps
Jump to Heap Chunk
Create Heap Visualization

More information, screenshots and source code are available in the bundled archive:
Screenshots: List | Visualize

Comraider

Fri, 11 Aug 2006 05:00:00 UTC

Author: David Zimmer
Size: 2.2mb
MD5: DB7D4E560B07F9CB2A3E5E9A98CBADCB

COMRaider is a tool designed to fuzz COM Object Interfaces.

COMRaider includes:

capability to easily enumerate safe for scripting objects
ability to scan for COM objects by path, filename, or guid
integrated type library viewer
integrated debugger to monitor exceptions, close windows,log api
external vbs script allows you to easily edit fuzzer permutations
built in webserver to test exploits on the fly
Enumerate and view controls with killbit set
distributed auditing mode to allow entire teams to work together
ability to upload crash files to central server for group analysis
automation tools allowing you to easily fuzz multiple libraries, individual classes, or specific functions.

Help File | Video Tour

PunkUI

Wed, 02 Aug 2006 05:00:00 UTC

Author: Greg MacManus, Mike Sutton
Size: 900k
MD5: 7C44967D47F3EA66DFCC2C4092E83AB6

PUNKui is a simple utility designed to automate the theory behind Punk Ode. Specifically, it is a Windows GUI which will take common image formats (JPG, PNG & BMP) and convert them into PNG files comprised entirely of a NOP sled and embedded shellcode.

JPExPoc

Wed, 02 Aug 2006 05:00:00 UTC

Author: Greg MacManus
Size: 12k
MD5: D52AF543C05C4DBEC7A98A2DB0D8CD4D

JPExPoC demonstrates embedding shellcode in JPEG image files, exploiting degenerate cases of DCT encoding to prevent information loss in the process. It consists of a few small C programs and a shellscript to bind them together. This package was tested and developed under the Cygwin environment.

IDA Function Analyzer

Thu, 06 Jul 2006 05:00:00 UTC

Author: Pedram Amini
Size: ~22k
MD5: a0b40085fca1c9f3d2d1c12c14725c71
Update Summary: Added gml_export() routine for generating GML graphs.

Written as a C.. class, Function Analyzer was originally developed to provide an abstracted layer over "chunked" functions frequently found in Microsoft optimize compiled binaries. As of IDA v4.7 this functionality is built into the SDK. However, Function Analyzer can be used to construct plug-ins compatible across older versions and provides abstracted next_ea()/prev_ea() routines for stepping through an internal "unchunked" instruction list. The abstraction layer also exposes the following function-level information: basic block enumeration (nodes, edges), call count, MD5 hash, CRC, customizable GDL (Wingraph) and GML graph generation.

HookExplorer

Thu, 16 Mar 2006 05:00:00 UTC

Author: David Zimmer
Size: 245kb
MD5: 2BB04344700CAF643472255F3C4DAFBF

HookExplorer is a small utility designed to scan a target process and identify any user land hooks that may be installed by unknown code.

Detects IAT and detours style hooks, and allows the user to define an 'ignore list' to help cut through results.
Help File | Screenshot

IDAStruct

Wed, 11 Jan 2006 05:00:00 UTC

Author: Richard Johnson
Size: 209 KB
MD5: F2112F6ED4309AEEC1AE80F394B55325

idastruct - ida structure recognition plugin

idastruct is an ida plugin which aims to assist reverse engineers in identifying high-level objects and structures in binary code.

idastruct utilizes the excellent x86 emulator plugin 'ida-x86emu' by Chris Eagle and Jermey Cooper as a basis for evaluating operand values and determining references within tracked boundaries.

This results in automated creation of IDA structures, enumeration or member references, and renaming of disassembly offsets to symbolic names corresponding to the newly created structures and members in the IDA database.

Codis

Wed, 11 Jan 2006 05:00:00 UTC

Author: Richard Johnson
Size: 80kb
MD5: A7C9DFB633CCBFB0EC1536700EF169BB

Codis is a console-based disassembler written for the purpose of demonstrating the basic logic of a disassembler engine.

This software was released as example code accompanying the information provided in the Toorcon 7 presentation titled 'Disassembler Internals'.

Codis is written in C and will compile for Linux or Win32 Cygwin environments.

Screenshot | Readme

IDACompare

Fri, 16 Dec 2005 05:00:00 UTC

Author: David Zimmer David Zimmer
Size: 1.2Mb
MD5: 552C2888770D5E489139DDFD6C8B064E

IDACompare is a plugin designed to compare and match up equivalent functions across two IDA databases. IDACompare was primarily designed for analyzing changes across malcode variants, it should also find good use when conducting patch analysis.

Once function matches have been made, names can be ported across disassemblies, or sequentially renamed in both.

Project also implements a signature scanner, letting you build your own listing of known functions.

Overview | Video Tour

Multipot

Wed, 17 Aug 2005 05:00:00 UTC

Author: David Zimmer
Size: ~1.7mb
MD5: 275282740BD58E9658848B1FBDF0FD71
Update Summary: Added 2 PNP Shellcode Handlers

Multipot is a emulation based honeypot designed to capture malicious code which spreads through various exploits across the net. Design specifications for this project mandated that the captures be done in such a way so that the host machine would require only minimal supervision and would not itself risk getting infected. Multipot was designed to emulate exploitable services to safely collect malicious code.

Who would use MultiPot and why?

• ISP's to monitor their networks.
• Corporate security personnel to be warned of infections.
• Security researchers to build statistics of Internet health.
• Virus researchers to collect new samples of malware in the wild.
• Hobbyists and students to learn more about Internet security.

More information and source code is available in the bundled install file:
Online Help file | Screenshot

notSPIKEfile

Thu, 28 Jul 2005 05:00:00 UTC

Author: Adam Greene
Size: ~79k
MD5: 8198bd8a3d5b18b5aa36335ab8cd3ec2

notSPIKEfile is a linux based file format fuzzing tool. It was designed to automate the executing the launching of applications and detection of exceptions caused by fuzzed file formats.

SPIKEfile

Thu, 28 Jul 2005 05:00:00 UTC

Author: Adam Greene
Size: ~104k
MD5: c57a794dbfb7c950abb0047b13bb8b5e

SPIKEfile is a Linux based file format fuzzing tool, based on SPIKE 2.9. It was designed to automate the executing the launching of applications and detection of exceptions caused by fuzzed file formats.

OllyDbg Breakpoint Manager

Wed, 13 Jul 2005 05:00:00 UTC

Author: Pedram Amini
Size: ~160k
MD5: 94cb360d064b6ca76f5e06c0a7149b20
Update Summary: Bug fix in automatic breakpoint list loading.

OllyDBG has excellent breakpoint manipulation capabilities and can store breakpoint information across debugging sessions for the main module being debugged. However, there are some limitations to the available functionality which this plug-in attempts to address. The OllyDbg Breakpoint (BP) Manager plug-in was written to provide three main functions- breakpoint exporting, breakpoint importing and automatic breakpoint loading. Offsets are used in place of absolute addresses to support setting and restoring breakpoints on modules that move around in memory. More information, examples and source code are available in the bundled archive.

We encourage users to submit useful breakpoint sets they have created with OllyDbg Breakpoint Manager to us for credit and inclusion in future releases and on the release web site.

Process Stalker

Wed, 13 Jul 2005 05:00:00 UTC

Author: Pedram Amini
Size: ~960k
MD5: 0621cfa79dc899eabbe671b924844cb1
Update Summary: Couple of bug fixes, see CHANGELOG.txt for details.

Process Stalking is a term coined to describe the combined process of run-time profiling, state mapping and tracing. Consisting of a series of tools and scripts the goal of a successful stalk is to provide the reverse engineer with an intuitive visual interface to filtered, meaningful, run-time block-level trace data.

The Process Stalker suite is broken into three main components; an IDA Pro plug-in, a stand alone tracing tool and a series of Python scripts for instrumenting intermediary and GML graph files. The generated GML graph definitions were designed for usage with a freely available interactive graph visualization tool.

Data instrumentation is accomplished through a series of Python utilities built on top of a fully documented custom API. Binaries, source code and in-depth documentation are available in the bundled archive. Relevant slideshows from Process Stalker presentations are available on the speaking engagements page. Binaries, source code and in-depth documentation are available in the bundled archive. The usage manual and Python API docs are also available online.

Screenshots: Trace Graph Close-up

dltrace

Thu, 28 Apr 2005 05:00:00 UTC

Author: Richard Johnson
Size: ~200k
MD5: ceb8465b010a871ffe5685d003eabaaa
Update Summary: Fixed missing library path (/lib/tls).

dltrace is a dynamic library call tracer which attempts to remain portable to all x86 platforms that support ELF binaries and expose a debugging interface via procfs or the ptrace() system call. The shared library call tracing is done at a level which allows calls to all symbols exported by loaded libraries to be traced. In addition, dltrace does not rely on rtld symbols to retrieve library and symbol information and is capable of determing function arguments dynamically via run-time disassembly.

IDA pGRAPH

Tue, 05 Apr 2005 05:00:00 UTC

Author: Pedram Amini
Size: ~70k
MD5: e4086cfbe1b501f4ca0bd2473d272c07
Update Summary: Ported to IDA 4.8

Built on top of the IDA Function Analyzer, pGRAPH (Pedram's Grapher), provides an interface to generate more detailed and user defined control-flow graphs using the bundled Wingraph package. Extended features include: support for "chunked" functions, instruction level coloring, edge customization (manhattan vs splines), layout algorithm and more.

Screenshots: Options | Sample

IDA Sync

Tue, 05 Apr 2005 05:00:00 UTC

Author: Pedram Amini
Size: ~225k
MD5: 19ddfa0ab42939e1aa83f81688c7a261
Update Summary: Ported to IDA 4.8

IDA Sync was written to allow multiple analysts to synchronize their reverse engineering efforts with IDA Pro in real time. Users connect to a central server through the ida_sync plugin. Once connected, all comments and name changes made with the registered hot keys are immediately transmitted to all other users working on the same project. The central server stores a copy of all changes as well, allowing new analysts to jump on the project and immediately receive up to date information.

Included in the source release is a C.. class providing IDA Pro plugin developers with an abstracted asynchronous IPC interface.

IDA RPC Enumerator

Mon, 07 Mar 2005 05:00:00 UTC

Author: Pedram Amini
Size: ~8k
MD5: 731fa609c8a61e202c76af9c737e9ef9

This IDC script will scan through an IDA database locating and marking the relevant RPC server data structures. It will then enumerate the dispatch routines from the DispatchTable. The script outputs the addresses of the discovered structs / functions and was designed to automate the otherwise tedious manual process of locating RPC routines to audit.

Attack Vector Test Platform

Tue, 15 Feb 2005 05:00:00 UTC

Author: Peter Silberman
Author: Richard Johnson
Size: ~15k
MD5:fc8808cf5d7dbd1a2472f8322fa4c59f

The Attack Vector Test Platform was written over the course of research for the paper and presentation titled "A Comparison Buffer Overflow Prevention Implementations & Weaknesses" which was presented at the 2004 Black Hat and Defcon computer security conferences. The test platform allows for assessing the effectiveness of combinations of attack buffer placement and execution control vectors against various buffer overflow prevention software technologies.