Project 1 - Improve our high interaction client honeypot Capture-HPC

Primary mentor: Ian Welch (NZ)
Student: Youzhi Bao

Project Link:

http://code.google.com/p/axmock

Project Overview:

Capture-AxMock is a tool for monitoring the behaviour of ActiveX controls that are referenced from webpages. It can also be used to emulate the behaviour of ActiveX controls that are not currently installed.
It has been tested on Internet Explorer 7.
You need Visual Studio and Python to compile the source code. You also need to install the pywin32 package in Python. It is recommended to use Visual Studio 2008 and Python 2.6 with the pywin32 package, which is the same as my development environment.
For more information, please see the Axmock wiki. Have fun with it. :)
Installation: http://code.google.com/p/axmock/wiki/Installation
Emulation: http://code.google.com/p/axmock/wiki/Emulation

Project Plan:

  • May 7th - May 13th: Take an overview of Capture-HPC. Install it and set up the development environment.
  • May 14th - May 20th: Study Capture. Find the connection point for my extension and design the class diagram.
  • May 21st - May 31st: Sniffer coding, outputting the sniffer information after hooking.
  • June 1st - June 12th: Distributor coding; IE can receive the function call from the distributor.
  • June 13th - July 3rd: Emulator coding; all requests from the distributor will return a true value.
  • July 5th - July 15th: midterm evaluation.
  • July 16th - July 31st: building up the component description file in the emulator.
  • August 1st - August 14th: testing and document updating.
  • August 16th - August 26th: scrub code, improve documentation and finish the final evaluation.

Updates:

  1. Set up the development environment
  2. Meeting with mentors
  3. Read the Capture source code
  4. Sniffer Accomplishment
  5. Emulator Accomplishment
  6. Emulation List Accomplishment

Done in May 23rd - May 29th

  1. Sketching out the entry point to extend Capture-HPC
  2. Regular meetups with mentors

Plan in May 30th - June 5th

  1. Logging ActiveX component activity (creation and some other methods)

Done in June 1st - June 6th
See here: https://honeynet.org/node/678
Plan in next week
Loading a sniffer's log.
Weekly report in June 7th - June 13th
See here: https://honeynet.org/node/688
Midterm report
See here: https://honeynet.org/node/736
Next Week Plan: Fixing up the bugs
4th July - 11th July
Still cannot find the actual reason for the IClassFactory hooking problem.
I will try to modify the hook map - add a new key into the hook map - to see if this bug still happens.
Find the paper about searching for ActiveX controls on the Internet. This will be useful for building up the emulation list.
12th July - 17th July
Done:
I am considering a reconstruction, and I have collected several malicious webpages that can test the hooking.
To Do:
Reconstruct the program and continue fixing the bugs.
18th July - 24th July
Done:
Fixed up the bugs. Now Capture-HPC can hook the invocations correctly.
To Do:
I will first write a description about my design and implementation.
Next, to make the emulation list easier to improve later, I will add a new class to Capture to store the COM components' classid and progid information.
25th July - 1st August
Done:

  1. Keep writing the document
  2. Accomplish the conversion module

To Do:

  1. Continue writing the document
  2. Writing the communication module, which is in charge of sending messages to the server in the required format.

The structure for COM emulation is shown below:
[Figure: Capture-HPC - Design for COM components emulation]
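As an added example (not AxMock's own code, and not the Capture-HPC class described in the 18th-24th July to-do), this is one way to hold the classid/progid information for the emulation list and to check sniffer events against it. Everything in it is an assumption for illustration: the "clsid | progid | methods" description-file layout, the CLSIDs, and the "CREATE"/"INVOKE" log-line shape are constructed, not AxMock's real formats.

```python
"""Emulation-list registry for COM components, keyed by CLSID and ProgID.

Added example, not AxMock's own code. The description-file format and
the sniffer log format below are constructed for this example.
"""
import re

# A CLSID is a GUID; accept it with or without braces and in any case.
_CLSID_RE = re.compile(
    r"^\{?([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}?$")


def normalize_clsid(value):
    """Return the CLSID in canonical {UPPERCASE} form, or raise ValueError."""
    m = _CLSID_RE.match(value.strip())
    if not m:
        raise ValueError("not a CLSID: %r" % (value,))
    return "{" + m.group(1).upper() + "}"


class EmulationList(object):
    """Maps CLSIDs and ProgIDs to the methods an emulated control answers."""

    def __init__(self):
        self._by_clsid = {}   # canonical CLSID -> (progid, frozenset(methods))
        self._by_progid = {}  # lowercased ProgID -> canonical CLSID

    def add(self, clsid, progid, methods):
        clsid = normalize_clsid(clsid)
        if clsid in self._by_clsid:
            raise ValueError("duplicate CLSID " + clsid)
        self._by_clsid[clsid] = (progid, frozenset(methods))
        if progid:
            self._by_progid[progid.lower()] = clsid

    def resolve(self, key):
        """Look a control up by CLSID (any spelling) or ProgID; None if unknown."""
        try:
            clsid = normalize_clsid(key)
        except ValueError:
            clsid = self._by_progid.get(key.strip().lower())
        if clsid is None or clsid not in self._by_clsid:
            return None
        return clsid

    def supports(self, key, method):
        clsid = self.resolve(key)
        return clsid is not None and method in self._by_clsid[clsid][1]

    @classmethod
    def parse(cls, text):
        """Parse 'clsid | progid | method,method,...' lines; '#' starts a comment."""
        emu = cls()
        for lineno, raw in enumerate(text.splitlines(), 1):
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            parts = [p.strip() for p in line.split("|")]
            if len(parts) != 3:
                raise ValueError("line %d: expected 3 fields" % lineno)
            clsid, progid, methods = parts
            emu.add(clsid, progid, [m for m in methods.split(",") if m])
        return emu


def classify_events(emu, log_lines):
    """Tag each sniffer event as 'emulated', 'unknown-method' or 'unknown-control'.

    Event lines (constructed format): 'CREATE <id>' or 'INVOKE <id> <method>'.
    """
    results = []
    for raw in log_lines:
        parts = raw.split()
        if len(parts) < 2:
            continue
        kind, ident = parts[0], parts[1]
        method = parts[2] if len(parts) > 2 else ""
        if emu.resolve(ident) is None:
            results.append((raw, "unknown-control"))
        elif kind == "INVOKE" and not emu.supports(ident, method):
            results.append((raw, "unknown-method"))
        else:
            results.append((raw, "emulated"))
    return results


# Constructed sample data (the CLSIDs are made up for this example).
SAMPLE_LIST = """
# clsid | progid | methods the emulator answers
{11111111-2222-3333-4444-555555555555} | Example.Control.1 | Open,GetVersion
22222222-3333-4444-5555-666666666666   | Example.Other.1   | Start
"""

SAMPLE_LOG = [
    "CREATE example.control.1",
    "INVOKE {11111111-2222-3333-4444-555555555555} GetVersion",
    "INVOKE 11111111-2222-3333-4444-555555555555 Run",
    "CREATE {99999999-8888-7777-6666-555555555555}",
]

if __name__ == "__main__":
    for line, verdict in classify_events(EmulationList.parse(SAMPLE_LIST), SAMPLE_LOG):
        print("%-16s %s" % (verdict, line))
```

The point of normalizing the CLSID before every lookup is that a page can name the same control with or without braces and in either case; an emulation list keyed on the raw string would silently miss those references, and the "unknown-control" and "unknown-method" verdicts are exactly the cases a description file needs to grow to cover. The code avoids Python 3-only syntax so it also runs under the Python 2.6 environment named above.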

2nd August - 9th August
Done:

  1. Accomplished the implementation write-up

To Do:

  1. Finishing the installation and usage guide documents
  2. Considering the detection implementation in the emulator