Chapter Website: http://www.honeynet.org.cn
The Chinese Chapter was founded in 2008 based on Artemis research team in PKU and currently consists of the following people:
The Chinese Chapter consists of the following people:
* Jianwei Zhuge, Tsinghua
* Chengyu Song, Gatech
* Zhijie Chen, Berkeley
* Xinhui Han, PKU
* Yong Tang, NUDT
* Huilin Zhang, PKU
* Zhongjie Wang, PKU
* Lingfeng Sun, HuaweiSymantec
* Jian Jiang, Tsinghua
* Youzhi Bao, PKU
* Cong Zheng, PKU
The Chapter members are interested in research projects covering the following topics:
1. Low-interaction/high-interaction client honeypots
2. Distributed honeynet deployment, operation and data analysis
3. Automated malware collection and analysis systems
Christian Seifert (CPRO of The Honeynet Project) has just announced publication of our Know Your Tools series: Qebek - Conceal the Monitoring, authored by Chengyu Song and Jianwei Zhuge from the Chinese Chapter and Brian Hay from the Alaskan Chapter. The paper is based on Chengyu's hard work during the GSoC 2009, Brian Hay and me acted as his mentors for the Qebek GSoC Project. Congrats to Chengyu and Chinese Chapter.
The paper is available from http://honeynet.org/papers/KYT_qebek.
I've been working on the GSOC Project 14 in recent months. We are meant to start a new tool which can replay the collected exploit traces.
We know that during the process of exploit replay, there're many fields need to be changed in the original application messages. Some of them are platform independent, and the others are platform specific. Platform-independent variables are those changed each time we exploit, like timestamp, cookie, length, etc. And platform-specific variables are those changed only if the target system is changed, like target address, return address point to the shellcode.
The Honeynet Project是一个国际知名的开源信息安全研究团队，致力于提升Internet的安全。
I have finished almost all the coding stuff of Project #1, now you can try out the new PHoneyC with shellcode/heapspray detection here:
Please feel free to report any bug or suggestion on shellcode/heapspray detection to me.
As the console spy is almost finished, the next stage is mainly for network activities. Sebek Win32 version uses TDI hook to get this done. However, since getting driver object in virtualization layer is hard and TDI is TDI is on the path to deprecation, I need to find another way. The best solution seems to be hooking NtDeviceIoControlFile, the API Windows uses to do network related stuff and has been widely mentioned in malware behavior analysis papers. After some days of searching, I encounter a very useful resources today, a master thesis from TTAnalyze team:
The Honeynet Project Chinese Chapter Status Report (Period Apr 2007 to Dec 2008)
1. Changes in the structure of your organization.
All members of Chinese Chapter (i.e. The Artemis Project) are still from ERCIS, Institute of Computer Science and Technology, Peking University, China. Although we are seaking for contributors from other organizations.
The Honeynet Project is a leading international 501c3 non-profit security research organization, dedicated to investigating the latest attacks and developing open source security tools to improve Internet security. With Chapters around the world, our volunteers have contributed to fight again malware (such as Confickr), discovering new attacks and creating security tools used by businesses and government agencies all over the world.