To learn the tools, tactics and motives involved in computer and network attacks, and share the lessons learned.


HoneyViz demo is out for your viewing pleasure

We've set up a demonstration site for HoneyViz (Project #3) at

Read more »

APKInspector BETA Release & Demo Video

As the deadline of GSOC has passed, I would like to announce the APKinspector Beta1.0. APKinspector is a tool to help Android application analysts and reverse engineers to analyze the compiled Android packages and their corresponding codes. You can review the Alpha version report and the page of this project to know more about it.

Click the picture below to watch a full demonstration video of APKInspector:

APKInspector Demo Video

Chinese viewers may view the demo at:

Based on the Alpha release, APKinspector has added some features as follows: Read more »

AxMock is released for your review

We build up a project in google code, you can browse AxMock by the link

AxMock is a detection tool for malicious webpage attacking ActiveX controls. It runs in Internet Explorer 7 and the formal version.

It is tested in Visual Studio 2008 and Python 2.6 with pywin32 package, though I believe that you can also compile it in later version.

For more using information, please check out Wiki in my project google code page. Read more »

Webviz is out for your reviews

While the "pencil down" date is approaching, i would like to announce the latest situation at Webviz project. From the last time till time, there have been some changes at the visualization:

* The size of the visualization increased
* A better map is located as base map
* Mesh working principle is changed from country based to IP based. The returning database results are grouped by IP.
* Legends are detailed
* For a better distributed results, an IP set that is collected for a long period is also added to the database.

The latest result is as below:

Webviz Preview Read more »

Implementation: the whole hooking and some modules

The whole implementation is mainly consisted of 4 modules: central controller, emulator, dummy control and list. Central controller is a dynamic link library written in C++. Emulator and dummy control are COM components written in python and registered into registry by win32com.server.register.UseCommandLine. List is a text file in a certain format to read and modify. Read more »

cHook - The new CuckooBox Hooking Engine

Cuckoo Sandbox is a malware analysis system capable to outline the
behavior of a malware during its execution.
In order to generate such results, Cuckoo performs hooking of a number
of selected Windows functions, intercept their calls and after storing
the relevant informations and eventually performing additional actions,
returns the exection to the original code.

Until now it made use of latest Microsoft Detours Express. Part of the
work of this Google Summer of Code was to implement a custom hooking
engine to completely replace the old one. Read more »

Forensic Challenge 9 - "Mobile Malware"

I am pleased to announce the next forensic challenge: Forensic Challenge 9 - "Mobile Malware".

The challenge has been created by by Franck Guenichot from French Chapter, Mahmud Ab Rahman and Ahmad Azizan Idris from Malaysia Chapter and Matt Erasmus from South Africa Chapter.

Submission deadline is September 4th and we will be announcing winners around the third week of September. We have a few small prizes for the top three submissions.

Have fun!

Angelo Dell'Aera
The Honeynet Project

Forensic Challenge 8 - Submission deadline passed

the submission deadline for the Forensic Challenge 8 – “Malware Reverse Engineering” - put up by Guido Landi and Angelo Dell'Aera from the Sysenter Chapter - has passed. We have received 6 submissions and will be announcing results on Wed, Aug 31th 2011. The top three submissions will be awarded little prizes.

For your information a new Forensic Challenge will start in a few hours. This time you will be asked to dive into the mobile malware world. Stay tuned!

Angelo Dell'Aera
The Honeynet Project

APKinspector : the alpha release of project 6.

The GUI tool for static analysis of Android malware is ready for an alpha release. For more details regarding this project, check here.

In the alpha release, the following features have been finished.

(1) Show the CFG (control flow graph) for a given method

(2) Show the smali codes for a given method.

(3) Show the Java codes for a given java file.

(4) Show the betecodes for a given method.

(5) Show all strings, methods and classes.

(6) Show the APK's related information.

(7) Drag and zoom in/out the CFG. Read more »

DroidBox: alpha release

The Android application sandbox is now ready for an alpha release. Details on how to get DroidBox running are available at the project webpage.

At the moment, the following actions are logged during runtime:

  • File read and write operations
  • Cryptography API activity
  • Opened network connections
  • Outgoing network traffic
  • Information leaks through the following sinks: network, file, sms
  • Attempts to send SMS
  • Phone calls that have been made
Syndicate content