Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Exploit Forensics

  • 07-10-2015 8:30am
    #1
    Registered Users, Registered Users 2 Posts: 5


    Does anyone know of a tool that could allow me to check if a file contains an exploit and get details of the exploit like where the exploit is, what the ROP chain is etc..?

    I know there are tools like virus total or sandboxes but I'm looking for something that will give me an exact answer including exploit information and something that wont be easy for exploits to bypass


Comments

  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    soberman wrote: »

    I know there are tools like virus total or sandboxes but I'm looking for something that will give me an exact answer including exploit information and something that wont be easy for exploits to bypass

    When you find this tool, don't tell anyone, patent it and then sell it. You'll be a millionaire over night.


  • Registered Users, Registered Users 2 Posts: 5 soberman


    why? What would it be so good for? I mean except for learning about exploits and dissecting files to find the exploit which is what I want to do:)


  • Registered Users, Registered Users 2 Posts: 1,835 ✭✭✭BoB_BoT


    soberman wrote: »
    why? What would it be so good for? I mean except for learning about exploits and dissecting files to find the exploit which is what I want to do:)

    Because you're asking for a tool that automatically does the job of anti-virus/security companies / bug finders that knows all the possible exploits available (without a reference). Not only would such a tool replace thousands of people that do the job of hunting exploits / bug finding, it would be so clever that it can determine what an exploit is.

    Maybe you phrased the question wrongly. What exactly are you trying to do?

    Are you looking for something like a debugger / a tool that will tell you if a file has a known virus/exploit worked into it and what it does when executed?


  • Registered Users, Registered Users 2 Posts: 5,112 ✭✭✭Blowfish


    soberman wrote: »
    Does anyone know of a tool that could allow me to check if a file contains an exploit and get details of the exploit like where the exploit is, what the ROP chain is etc..?

    I know there are tools like virus total or sandboxes but I'm looking for something that will give me an exact answer including exploit information and something that wont be easy for exploits to bypass
    Well technically a debugger does actually do all the things you want.

    If you are expecting to just hit a button and it spits out the exact details of an exploit and how it works though....well good luck with that.


  • Registered Users, Registered Users 2 Posts: 5 soberman


    BoB_BoT wrote: »
    Because you're asking for a tool that automatically does the job of anti-virus/security companies / bug finders that knows all the possible exploits available (without a reference). Not only would such a tool replace thousands of people that do the job of hunting exploits / bug finding, it would be so clever that it can determine what an exploit is.

    Maybe you phrased the question wrongly. What exactly are you trying to do?

    Are you looking for something like a debugger / a tool that will tell you if a file has a known virus/exploit worked into it and what it does when executed?

    Maybe I did phrase the question the wrong way.. I'm not looking for something that would find vulnerabilities in software like exploit hunters do. I'm looking for something that will tell me if an exploit (known or unknown) is embedded within a document and the details. Something along the lines of using debugging tools for windows with !exploitable but something that actually works and that can tell you if there's an exploit even if the exploit succeeded and not only in case of a crash.


    I'm not sure I understand why everyone thinks this is so important - I mean just to detect an exploit for protection someone can install something like FireEye or some other sandbox. What I'm looking for is more of a research tool. Which I guess just doesn't exist?


  • Advertisement
  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    Don’t know of any such wonder app it would be an awesome one and a headache to keep up to date . For the nitty gritty of what a given app is up to for reg diffs I like to use some open source free apps like Regshot or installRite - running in isolated VM deploy the nasty and sit back and observe its actions - from the diffs you can then construct removal strings for reg and so on .


    Where I work now , we do a version of the fire eye sandbox only in our case its a VM not a physical box. The Zero day stuff will be nai on impossible to track with an exploit detection tool. In My world , our our SPN network has over 50 billion detection nodes that form our SPN (Smart protection network) - formed from opt out default installs (IE its on unless you turn it off) on AV desktop solutions and embedded in some home routers branded by the likes of Linksys and so on . Our detection network is vast and still the zero day will slip through based on patterns and so on .( Pattern tracking is very old-school and not that affective with today’s theatre of war) An exploitation scoring systems is a very tricky thing to handle also as in our solution its combined with malware pattern analysis and then onto the DD solution trend have to do the behavioural diagnostics like sleeps for C&C waits - C&C coms and so on - The solution you ask for does exist but not as a one stop shop or solution . Today’s attack surface really does call for multi tooled multi armed approach ?.


  • Registered Users, Registered Users 2 Posts: 5 soberman


    Wow. That's impressive. Sounds like a lot of work just to detect zero days and stealthy malware..

    I Guess it's no as easy as I thought :)


  • Registered Users, Registered Users 2 Posts: 5 soberman


    Wow. That's impressive. Sounds like a lot of work just to detect zero days and stealthy malware..

    I Guess it's no as easy as I thought :)

    So what process/tool do you use to detect the root cause of an exploit? Is it all proprietary and internal to your company?


  • Registered Users, Registered Users 2 Posts: 2,789 ✭✭✭wandererz


    I guess what you're looking for is something that takes a file/a document/a zip etc. analyzes it and then does similar to what is in the attached images.

    But if you had that, then you'd have your own malware analysis company.


  • Registered Users, Registered Users 2 Posts: 882 ✭✭✭moneymad


    soberman wrote: »
    Does anyone know of a tool that could allow me to check if a file contains an exploit and get details of the exploit like where the exploit is, what the ROP chain is etc..?

    I know there are tools like virus total or sandboxes but I'm looking for something that will give me an exact answer including exploit information and something that wont be easy for exploits to bypass

    http://resources.infosecinstitute.com/in-depth-seh-exploit-writing-tutorial-using-ollydbg/
    you might like this


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 367 ✭✭900913


    Anubis is a service for analyzing malware.

    Submit your Windows executable or Android APK and receive an analysis report telling you what it does. Alternatively, submit a suspicious URL and receive a report that shows you all the activities of the Internet Explorer process when visiting this URL.

    Link: https://anubis.iseclab.org/


  • Posts: 0 [Deleted User]


    soberman wrote: »
    So what process/tool do you use to detect the root cause of an exploit? Is it all proprietary and internal to your company?

    If you're really interested to learn then start here https://www.nostarch.com/malware

    Uses plenty of open source tools which I use daily and will help you understand the process/methodology behind what we do.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    wandererz wrote: »
    I guess what you're looking for is something that takes a file/a document/a zip etc. analyzes it and then does similar to what is in the attached images.

    But if you had that, then you'd have your own malware analysis company.

    Maybe look at cuckoo?


Advertisement