- About us
- Code of Conduct
- Google SoC
- Recent posts
- Security Workshops
PhoneyC is a low-interaction client honeypot designed to allow researcher to quickly and easily identify and analyze malicious websites and their malware. We hope to be adding DOM emulation and automated shellcode detection using LibEmu this summer, amongst other features, to help improve detection and performance.Primary Mentor: Jose NazarioStudent: Geng WangDeliverables
Our final goal is to do all kinds of obfuscation perfectly, extract the suspicious part and leave it for further analyzation. This requires us to make our honeypot as closely to a real browser as possible while running scripts.
August 10th: Implement more detection scripts.
Our work mainly focuses on DOM simulation. I believe the following is the most important for deobfuscation, but we also do lot more so that our program can handle normal web pages. We will not list them here.
Our code can be found at:
1. DOM tree generation.
The code is like this:
def __call__(self, *arg): return unknown_obj()
def __getitem__(self, key): return unknown_obj()
def __getattr__(self, name): return unknown_obj()
The three methods are: __call__ for function calls (*arg means arg is the argument list), __getitem__ for the visit to members using '', such as a and 3 is the key, __getattr__ just like we mentioned, for any visit to members using '.'. So almost every kind of codes is legal to an object like this. For example:
There are of course more of them, but we only list which will bring
confusion to our code. Note that the current version is based on IE,
not FF, since its more vulnerable.
I don't know how to write HTML in this blog, so i hope i can make them clear without examples.
1. Both in IE and FF, we can use the ID of a DOM object to call it. But we cannot always use 'document.id' to call it. In FF, document.f (f is id of a form) is undefined, but in IE, document.i (i is id of an image) and some other DOMs is undefined.
It seems that there was some problems in this blog system, and i was busy with my final exam, so i haven't written blog a long time since the project starts.