GSoC Project #1 - Develop and Improve PhoneyC

PhoneyC is a low-interaction client honeypot designed to let researchers quickly and easily identify and analyze malicious websites and their malware. This summer we hope to add DOM emulation and automated shellcode detection using LibEmu, amongst other features, to improve detection and performance.

Primary Mentor: Jose Nazario
Student: Zhijie Chen
Deliverables:
An improved PhoneyC with shellcode detection and analysis and a module for submitting the malicious downloads it finds, which involves:
1. Integrating python-spidermonkey and implementing some extra API on top of it.
2. Wrapping libemu for Python (python-libemu? :)~ ).
3. Putting the above together in Python to detect shellcode at chosen points during script execution.
4. Dynamic analysis of the shellcode, especially hooking URLDownloadToFile and extracting its arguments.
5. Fetching the further malicious downloads found this way through the Nepenthes download module.
Timeline:
May 23rd: Complete the API enhancement of python-spidermonkey, such as getting all the variables in the JavaScript context and other JSDBG APIs from Python (better still if execution can be interrupted at variable assignment or garbage collection time).
July 6th: Steps 2 and 3 above.
August 10th: Steps 4 and 5.
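As an added example, not PhoneyC's own code, this is the kind of check step 3 needs once the JavaScript context's variables can be read: a period-based triage of a constructed variable snapshot for heap-spray candidates, returning the repeated block that would be handed to an emulator. The thresholds, the UTF-16 assumption and the sample values are assumptions of mine.

```python
# Added example (not PhoneyC's own code); the thresholds and the UTF-16 assumption are mine.
import random
from itertools import groupby
from typing import Dict, List, NamedTuple

MIN_SPRAY_BYTES = 32 * 1024  # assumed: smaller strings are rarely spray blocks
MIN_REPEATS = 16             # assumed: a spray repeats its block many times

class SprayFinding(NamedTuple):
    name: str       # JavaScript variable name
    total: int      # size of the whole string in bytes
    block: bytes    # smallest repeating unit (sled + payload): what an emulator should get
    repeats: int    # how many times the unit occurs
    sled_len: int   # longest run of a single byte inside the unit (the NOP sled)

def smallest_period(data: bytes) -> int:
    """Shortest prefix length that, repeated, reproduces `data` (KMP failure function, O(n))."""
    n, k = len(data), 0
    fail = [0] * n
    for i in range(1, n):
        while k and data[i] != data[k]:
            k = fail[k - 1]
        if data[i] == data[k]:
            k += 1
        fail[i] = k
    return n - fail[-1] if n else 0

def longest_run(data: bytes) -> int:
    return max((sum(1 for _ in g) for _, g in groupby(data)), default=0)

def find_heap_sprays(js_vars: Dict[str, object]) -> List[SprayFinding]:
    """Flag string variables built from one block repeated many times; JS strings
    sit in memory as UTF-16, so the check runs on the utf-16-le bytes."""
    findings = []
    for name, value in js_vars.items():
        if not isinstance(value, str) or len(value) * 2 < MIN_SPRAY_BYTES:
            continue  # non-strings and short strings are never spray
        data = value.encode("utf-16-le")
        period = smallest_period(data)
        repeats = len(data) // period
        if repeats >= MIN_REPEATS:
            block = data[:period]
            findings.append(SprayFinding(name, len(data), block, repeats, longest_run(block)))
    return findings

# Constructed snapshot: a 0x0c0c sled plus a stand-in payload, repeated like a spray loop does, beside benign text.
SAMPLE_VARS = {
    "spray": ("\u0c0c" * 2048 + "PAYLOAD-STANDIN") * 64,
    "page_text": "".join(random.Random(7).choices("abcdefghijklmnopqrstuvwxyz ", k=40000)),
}
```

Running `find_heap_sprays(SAMPLE_VARS)` reports only `spray`, with a 4126-byte block repeated 64 times and a 4096-byte sled.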

What's new on PHoneyC (4): Try it out!

Hi all:
I have finished almost all the coding stuff of Project #1; now you can try out the new PHoneyC with shellcode/heapspray detection here:

http://code.google.com/p/phoneyc/source/browse/phoneyc#phoneyc/branches/phoneyc-honeyjs

Please feel free to report any bugs or suggestions on shellcode/heapspray detection to me.

What's new on phoneyc (3) --- Mid-term Evaluation

Mid-term Report on PHoneyC GSoC project 1

Info: See <https://www.honeynet.org/gsoc/project1> for project details.
Author: Zhijie Chen (Joyan) <czj.pub@gmail.com>
Mentor: Jose Nazario
Description: Mid-term Report on PHoneyC GSoC project 1. This report describes what I have done on PHoneyC's libemu integration for shellcode and heapspray detection during the first half of the GSoC. Till now, the main ideas of this feature have been fast-implemented (actually I mean poor coding style) and the whole flow works well, with some code rewriting and performance optimization needed in the future.