To learn the tools, tactics and motives involved in computer and network attacks, and share the lessons learned.


Export Address Table Filtering (EMET v2)

I'll tell you the truth: Export Address Table Filtering, the feature of the upcoming release of EMET, "designed to break nearly all shell code in use today", intrigued me a bit. Read more »

PHoneyC DOM Emulation – Browser Personality

A new improvement in PHoneyC DOM emulation code was committed in SVN r1624. The idea is to better emulate the DOM behaviour depending on the selected browser personality. Let's take a look at the code starting from the personalities definition in

39 UserAgents = [
40     (1,
41      "Internet Explorer 6.0 (Windows 2000)",
42      "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727)",
43      "Mozilla",
44      "Microsoft Internet Explorer",
Read more »


The Discoverer module (see zhongjie's blog entry) has been completed.
It consists of 2 programs, the Format Discovery and Pre-Replay processing.
Format Discovery is pretty much what i've blogged about in my earlier post.
Since that entry, I've completed the to-do tasks:

1) have a function to summarise all output for this program.

2) solve a memory leak problem in this program.

3) match replay packet to format, and if length segment changes (eg: due to shellcode change), then length field needs to change.

4) from replay ip, find IP tokens and change it. Read more »

TraceExploit: Replaying method dissection

I've been working on the GSOC Project 14 in recent months. We are meant to start a new tool which can replay the collected exploit traces.

We know that during the process of exploit replay, there're many fields need to be changed in the original application messages. Some of them are platform independent, and the others are platform specific. Platform-independent variables are those changed each time we exploit, like timestamp, cookie, length, etc. And platform-specific variables are those changed only if the target system is changed, like target address, return address point to the shellcode. Read more »

Another great step forward

“Dionaea is meant to be a Nepenthes successor, embedding Python as scripting language, using libemu to detect shellcodes, supporting IPv6 and TLS” (taken from Dionaea homepage). Besides being the most interesting project for trapping malware exploiting vulnerabilities, Dionaea supports a really cool feature which allows it to log to XMPP services as described here. TIP now exploits this feature receiving and storing such logs (really thanks to Markus Koetter for his help and support). Read more »

PHoneyC DOM Emulation - Window

A few weeks ago I started reviewing the PHoneyC DOM emulation code and realized it was turning to be hard to maintain and debug due to a huge amount of undocumented (and sometimes awful) hacks. For this reason I decided it was time to patch (and sometimes rewrite from scratch) such code. These posts will describe how the new DOM emulation code will work. The patch is not available right now since I'm testing the code but plans exists to commit it in the PHoneyC SVN in the next days. Read more »


The first part to the format discovery is 90% completed.
The program is now able to tokenize the sample packets and sort them to clusters according to token pattern.
The structure for a token looks like this:

// definition of a node for initial tokenization
struct sToken {
struct inferProperty* sProperty;
struct inferSemantic* sSemantic;
struct formatDistinguisher* sFD;
struct sToken* next;

struct inferProperty {
char szType[4]; //"s-c/c-s" / "bin" / "txt"
unsigned char* pValue; //value of token. Will include

null and unicode, if there is Read more »

The winners of the 4th Forensic Challenge 2010 VoIP are ...

The 4th Forensic Challenge on VoIP has come to an end. We had a total of 21 submissions with several submissions from Chinese speakers which has been made possible by Julia, Jianwei and Roland from the Chinese speaking chapters.

The winners of the 4th Forensic Challenge 2010 VoIP are:

  1. Franck Guenichot (France)
  2. Fabio Panigatti (Italy)
  3. Shaun Zinck (USA)

We have posted their submissions onto the challenge web site so you can see what top notch submissions they provided. Franck, Fabio and Shaun will be awarded with small book prizes. Congratulations!

Thanks to all who participated in the challenge in particular Ben Reardon from the Australian and Sjur Eivind Usken from Norwegian Chapter who made this challenge possible. Read more »

Forensic Challenge 2010/4 - VoIP - 4 days left!

Folks, the submission deadline for our Forensic Challenge 4 - VoIP is quickly approaching. The deadline is this Wednesday and so you have another 4 days to submit your solution.

The challenge is quite different than our previous challenges. It was provided by Ben Reardon from the Australian and Sjur Eivind Usken from Norwegian Chapter - and takes you into the realm of voice communication on the Internet. Thanks to our Chinese speaking chapters, it is also available in simplified Chinese and traditional Chinese. Read more »

The Honeynet Project 鑑識分析挑戰中文版啟航

The Honeynet Project 是一個國際知名的開源資訊安全研究團隊,致力於提升Internet的安全。 Read more »

Syndicate content