SIG^2 Secure Code Study Project

Introduction

The aim of the Secure Code Study Project is to study and analyze malicious code such as trojan horses, backdoors, viruses and rootkits that affect users. Users are encouraged to submit any malicious code that they find on their systems to facilitate this study. The objective is to understand how this code works so that appropriate measures can be taken to prevent its proliferation. Periodically, analysis results for some of the more interesting malicious code will be published on this website, so stay tuned for the results!

Publications

  1. Win2K/XP SDT Restore 0.2 (Proof-Of-Concept)

    Win32 Kernel Rootkits modify the behaviour of the system by Kernel Native API hooking. This technique is typically implemented by modifying the ServiceTable entries in the Service Descriptor Table (SDT). This allows kernel rootkits to hide files and processes, and to prevent process termination. This proof-of-concept tool demonstrates the possibility of defeating such rootkits by removing Kernel Native API hooks and restoring the SDT to its original state.

  2. Win2K Kernel Hidden Process/Module Checker 0.1

    Win32 Kernel Rootkits hide running processes from users using techniques like Kernel Native API Hooking, or by directly unlinking the process's EPROCESS entry from ActiveProcessLinks. Such techniques are very effective in hiding processes, and are very difficult to detect with user-mode tools.

    This proof-of-concept tool demonstrates how hidden processes can be detected by directly traversing both the Kernel's ActiveProcessList and the Kernel scheduler's ETHREAD lists. This tool can also traverse the Kernel's PsLoadedModuleList to detect kernel modules/drivers that are hidden by hooking the ZwQuerySystemInformation native API.

  3. AntiHookExec Version 1.0 (Anti API Hooking Proof-Of-Concept)

    API hooking is a useful technique that can be used to monitor the API calls made by Win32 programs. It makes it possible to understand a program's functionality from the APIs it calls and their input parameters. However, API hooking is also used by rootkits and other malicious code to modify the behaviour of certain APIs in order to hide files, network ports, processes or services.

    This proof-of-concept code demonstrates how to overcome some user-space API hooking techniques in order to execute a specified EXE that is free from API hooks. This program has been tested to work against the HackDefender Version 1.0 rootkit for Windows.

  4. Dynamic Forking of Win32 EXE

    This Proof-Of-Concept (POC) code demonstrates the dynamic loading of a Win32 EXE into the memory space of a process that was created using the CreateProcess API with the CREATE_SUSPENDED parameter. This code also shows how to perform manual relocation of a Win32 EXE and how to unmap the original image of an EXE from its process space.

  5. ApiHookCheck Version 1.01 (API Hook Check)

    API hooking is a useful technique that can be used to monitor the API calls made by Win32 programs. It makes it possible to understand a program's functionality from the APIs it calls and their input parameters. However, API hooking is also used by rootkits and other malicious code to modify the behaviour of certain APIs in order to hide files, network ports, processes and services. This tool can help to detect the presence of system-wide API hooks that are implemented through import/export table modifications or through the insertion of JMP instructions at the start of the real API.

  6. JSP Backdoor Reverse Shell Analysis

    Java Server Pages (JSP) is a very popular way to deploy web applications. Application servers that support JSP include Apache Tomcat, WebLogic and iPlanet. In this report, we analyse a malicious JSP script that can be planted on a Java application server to give the attacker a reverse shell.

  7. HTML files in Local Computer Zone

    Users are normally aware of the risk associated with opening unknown EXE, COM, SCR or PIF files that might contain Trojan horses. However, users usually assume that HTML files will not cause any harm to their systems and are safe to open. In this report, we analyse an HTML file containing malicious VB script that extracts and executes a malicious EXE when opened in the Local Computer Zone.

  8. Windows Key Logging and Counter-Measures

    Software-based key loggers are a serious threat to security and privacy, as they can be used to monitor users' actions by capturing and storing their key strokes. This can be used for malicious purposes such as capturing user names, passwords and credit card numbers. Several anti-keylogging programs attempt to prevent such key loggers from capturing key strokes. In this paper, we examine common techniques for implementing key loggers and suggest ways of mitigating this threat.

Contacts

For further enquiries, or to submit malicious code for our analysis, simply email it to us. If you have analyzed some malicious code and would like to publish your results here, you are also welcome to send your report to the following email address.

Overall-in-charge: Tan Chew Keong


Updated: 11/3/2004
webmaster@security.org.sg