
Created: Sunday, August 30 2009 07:19.09 CDT  
TraceHook v0.0.1 release
Author: j00ru

I have recently released a small project called TraceHook.
It intercepts the CreateProcess/TerminateProcess events from kernel mode and dumps the memory of processes that have been marked as malware.

There is still a lot to do, but I wanted to share the current piece of code anyway - any comments are very welcome!

You can read more about it on my blog ;>


Blog Comments
djnemo Posted: Monday, August 31 2009 08:06.43 CDT
Maybe it's a basic question, but :-p
How do I open the .bin file?

j00ru Posted: Monday, August 31 2009 13:57.13 CDT
@djnemo - Double click and select your favourite hex editor ;>
No, seriously, the memory dumping mechanism is currently as straightforward as it possibly can be - no internal file format is implemented for now.

The dump contents are simply all the readable memory pages written down to a file, without any further processing. My plans include adding an option like MiniDumpWriteDump, but the original idea was to produce raw, complete dumps to perform some "behavioral" analysis on - i.e. ripping suspicious image files present in the malware memory etc.
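One way to do the "ripping" of image files that the reply describes, written here as an added example rather than TraceHook's own code: since the dump is just readable pages concatenated with no container format, a carver can scan it for MZ/PE headers, validate the NT header, and take each image's extent from SizeOfImage, flagging images that run past the end of the dump (pages that were unreadable or never written). The sample dump and the minimal PE32 image inside it are constructed inline for the demo.

```python
import struct

PE32, PE32PLUS = 0x10B, 0x20B


def pe_image_size(blob: bytes, base: int):
    """Return SizeOfImage if a sane PE header starts at blob[base], else None."""
    if blob[base:base + 2] != b"MZ" or base + 0x40 > len(blob):
        return None
    e_lfanew = struct.unpack_from("<I", blob, base + 0x3C)[0]
    nt = base + e_lfanew
    # a real NT header sits in the first page of the image; reject wild e_lfanew values
    if e_lfanew > 0x1000 or nt + 24 > len(blob) or blob[nt:nt + 4] != b"PE\0\0":
        return None
    nsec = struct.unpack_from("<H", blob, nt + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", blob, nt + 20)[0]  # SizeOfOptionalHeader
    opt = nt + 24
    if nsec == 0 or nsec > 96 or opt + opt_size + 40 * nsec > len(blob):
        return None
    magic = struct.unpack_from("<H", blob, opt)[0]
    if magic not in (PE32, PE32PLUS) or opt_size < 60:
        return None
    size_of_image = struct.unpack_from("<I", blob, opt + 56)[0]  # same offset in PE32 and PE32+
    if size_of_image == 0 or size_of_image > 0x10000000:
        return None
    return size_of_image


def carve_pe_images(blob: bytes):
    """Scan a raw dump for in-memory PE images; return [(offset, size_of_image, truncated)]."""
    hits, pos = [], blob.find(b"MZ")
    while pos != -1:
        size = pe_image_size(blob, pos)
        if size is not None:
            # image pages past the end of the dump were unreadable or never written: mark as partial
            hits.append((pos, size, pos + size > len(blob)))
        pos = blob.find(b"MZ", pos + 1)
    return hits


def build_sample_image(size_of_image: int = 0x2000) -> bytes:
    """Constructed minimal PE32 image (headers only, filler body) used as demo input."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, PE32)
    struct.pack_into("<I", opt, 56, size_of_image)
    section = b".text".ljust(8, b"\0") + b"\0" * 32                     # one empty section header
    return (dos + coff + bytes(opt) + section).ljust(size_of_image, b"\xCC")


# Constructed dump: a page of zeros, the image, then a stray "MZ" that is not a PE header.
SAMPLE_DUMP = b"\0" * 0x1000 + build_sample_image() + b"MZ\xff\xff" + b"\0" * 0x100
```

Running `carve_pe_images(SAMPLE_DUMP)` reports the single image at 0x1000 with SizeOfImage 0x2000 and ignores the stray "MZ"; carving a dump cut at 0x1800 reports the same image flagged as truncated.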
