Created: Sunday, August 30 2009 07:19.09 CDT
TraceHook v0.0.1 release
Author:
j00ru
I have recently released a small project called TraceHook.
It is supposed to control the CreateProcess/TerminateProcess events and, from kernel mode, dump the desired processes if they are marked as malware.
There is still a lot to do, but I wanted to share the current piece of code anyway - any comments are very welcome!
You can read more about it on my blog ;>
Blog Comments
djnemo
Posted: Monday, August 31 2009 08:06.43 CDT
Maybe it's a basic question, but :-p
How do I open the .bin file?
j00ru
Posted: Monday, August 31 2009 13:57.13 CDT
@djnemo - Double click and select your favourite hex editor ;>
No, seriously, the memory dumping mechanism is currently as straightforward as it possibly can be - no internal file format is implemented for now.
The dump contents are simply all the readable memory pages written down to a file, without any further processing. My plans include adding an option like MiniDumpWriteDump, but the original idea was to produce raw, complete dumps to perform some "behavioral" analysis on - i.e. ripping suspicious image files present in the malware memory, etc.
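Since the dump described above is just readable pages written back to back with no header, the natural first analysis step is to carve PE images out of it by signature. The following is an added example, not part of the TraceHook code: it scans a raw dump for `MZ` headers, validates the `PE\0\0` signature through `e_lfanew`, and reads a few IMAGE_FILE_HEADER / IMAGE_OPTIONAL_HEADER fields; the sample dump, including the decoy `MZ` bytes and the minimal fake PE32 header, is constructed inside the block.

```python
"""Carve PE images out of a raw memory dump (readable pages concatenated,
no container format). Added example; the sample dump is constructed here."""
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"


def find_pe_images(dump: bytes) -> list:
    """Return one dict per plausible PE header found in `dump`."""
    hits = []
    pos = dump.find(IMAGE_DOS_SIGNATURE)
    while pos != -1:
        if pos + 0x40 <= len(dump):
            # e_lfanew (offset of IMAGE_NT_HEADERS) lives at DOS header + 0x3C
            e_lfanew = struct.unpack_from("<I", dump, pos + 0x3C)[0]
            nt = pos + e_lfanew
            # Sanity: NT headers must follow the DOS header and stay in the buffer;
            # a decoy "MZ" with a bogus e_lfanew is rejected here
            if (0x40 <= e_lfanew < 0x1000 and nt + 0x18 + 0x3C <= len(dump)
                    and dump[nt:nt + 4] == IMAGE_NT_SIGNATURE):
                machine, nsec = struct.unpack_from("<HH", dump, nt + 4)
                # OptionalHeader starts at nt+0x18; SizeOfImage is at +0x38 in
                # both PE32 and PE32+ layouts
                size_of_image = struct.unpack_from("<I", dump, nt + 0x18 + 0x38)[0]
                hits.append({"offset": pos, "machine": machine,
                             "sections": nsec, "size_of_image": size_of_image})
        pos = dump.find(IMAGE_DOS_SIGNATURE, pos + 1)
    return hits


def carve_image(dump: bytes, hit: dict) -> bytes:
    """Slice out the image span. Caveat: the raw dump keeps no virtual-address
    map, so SizeOfImage is only an upper bound (pages may be missing or
    unrelated pages may follow); the slice is clamped to the buffer."""
    start = hit["offset"]
    return dump[start:start + hit["size_of_image"]]


def _build_fake_pe(nsections: int = 2, size_of_image: int = 0x3000) -> bytes:
    """Constructed test input: a minimal, non-executable PE32 header."""
    dos = bytearray(0x40)
    dos[0:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: right after DOS header
    # Machine=i386, NumberOfSections, 3 zero dwords, SizeOfOptionalHeader, Characteristics
    file_hdr = struct.pack("<HHIIIHH", 0x14C, nsections, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<I", opt, 0x38, size_of_image)
    return bytes(dos) + IMAGE_NT_SIGNATURE + file_hdr + bytes(opt)


# Constructed dump: padding, a decoy "MZ", more padding, the fake PE, trailing pages
SAMPLE_DUMP = (b"\x00" * 0x200 + b"MZ garbage" + b"\x00" * 0x100
               + _build_fake_pe() + b"\xCC" * 0x800)
```

Running `find_pe_images(SAMPLE_DUMP)` reports exactly one image at offset 0x30A (the decoy is rejected by the `e_lfanew` check), and `carve_image` returns the clamped span.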