PhoneyC is a low-interaction client honeypot designed to let researchers quickly and easily identify and analyze malicious websites and their malware. We hope to add DOM emulation and automated shellcode detection using libemu this summer, among other features, to improve detection and performance.
Primary Mentor: Jose Nazario
Student: Zhijie Chen
An improved PhoneyC with shellcode detection and analysis and a module for submitting the malware it downloads, which involves:
1. Integrating python-spidermonkey and implementing some extra API on top of it.
2. Wrapping libemu for Python (python-libemu? :)~ )
3. Putting all of the above together in Python to detect shellcode at the right moments during emulation.
4. Dynamic analysis of the shellcode, especially hooking URLDownloadToFile and extracting its arguments.
5. Gathering the resulting further malware downloads through the nepenthes download module.
July 6th: Steps 2 and 3 above.
August 10th: Steps 4 and 5.
I have finished almost all the coding stuff of Project #1, now you can try out the new PHoneyC with shellcode/heapspray detection here:
Please feel free to report any bugs or suggestions on shellcode/heapspray detection to me.
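As an added illustration (not PhoneyC's own code) of the kind of check step 3 calls for, the Python below decodes a JavaScript unescape()-style string the way it would land in memory when the script builds it, and flags it as a probable heap spray when the decoded buffer is large and dominated by one repeating sled unit; the thresholds, function names and sample strings are my own assumptions.

```python
from collections import Counter

# Hypothetical thresholds (not PhoneyC's): a spray block is large and
# almost entirely one short repeating unit (a NOP-style sled).
SPRAY_MIN_BYTES = 64 * 1024
SLED_RATIO = 0.90

def decode_unescape(s):
    """Decode a JavaScript unescape()-style string (%uXXXX / %XX) to bytes.
    %uXXXX becomes a 16-bit little-endian word; malformed escapes are copied literally.
    """
    out, i = bytearray(), 0
    while i < len(s):
        try:
            if s.startswith('%u', i) and len(s) >= i + 6:
                out += int(s[i + 2:i + 6], 16).to_bytes(2, 'little')
                i += 6
                continue
            if s[i] == '%' and len(s) >= i + 3:
                out.append(int(s[i + 1:i + 3], 16))
                i += 3
                continue
        except ValueError:
            pass  # not a valid escape: fall through and copy the character as-is
        out.append(ord(s[i]) & 0xFF)
        i += 1
    return bytes(out)

def sled_ratio(buf, unit=2):
    """Fraction of buf covered by its most common unit-byte chunk."""
    chunks = Counter(buf[i:i + unit] for i in range(0, len(buf) - unit + 1, unit))
    if not chunks:
        return 0.0
    return chunks.most_common(1)[0][1] * unit / len(buf)

def scan_js_string(s):
    """Classify a string the script has built; returns (is_spray, size, ratio)."""
    buf = decode_unescape(s)
    ratio = sled_ratio(buf)
    return (len(buf) >= SPRAY_MIN_BYTES and ratio >= SLED_RATIO, len(buf), ratio)

# Constructed samples: a classic sled-plus-payload spray block and a benign string.
SAMPLE_SPRAY = '%u9090' * 40000 + '%u4141%u4242'
SAMPLE_BENIGN = 'Hello%20world'

if __name__ == '__main__':
    for name, s in (('spray', SAMPLE_SPRAY), ('benign', SAMPLE_BENIGN)):
        print(name, scan_js_string(s))
```

In a hooked JavaScript engine this check would run on the result of each string concatenation or unescape() call, which is where a spray block is assembled.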
Info: See <https://www.honeynet.org/gsoc/project1> for
Author: Zhijie Chen (Joyan) <email@example.com>
Description: Mid-term Report on PHoneyC GSoC project 1. This report describes what I have done on PHoneyC's libemu integration for shellcode and heapspray detection during the first half of the GSoC. Till now, the main ideas on this feature have been fast-implemented (actually I mean poor coding style) and the whole flow works well, with some code rewriting and performance optimization needed in the future.