Created by: Sec-Mini-Projects (2015) under the MIT License - See "LICENSE" for Details.
Starts the execution of an x86 32-bit ONLY vulnerable program with optional command line parameters and hooks the API names read from a text file. When one of these API calls is hit, the program repeatedly performs a "run until return" and checks each return address for shellcode-like characteristics.
Minimum OS - Windows 7 x64 (Tested).
Should run on Windows 8/10. If there are any issues, please contact me.
This program will RUN the supplied executable and malicious input file. USE ONLY IN MALWARE RESEARCH LABS.
This program is generally stable. Please report any issues.
Usage: Program.exe with:
--program[-p] <program to run>
--working_dir[-w] <working directory>
--api_list[-a] <API list file>
--cmd_line[-c] <command line for the program> (Optional)
--addr_exclude[-e] <address exclude file> (Optional)
--debug_mode[-d] - Enables debug mode (Optional)
Example API list file (--api_list), one "library,API name" entry per line:
kernel32.dll,CreateFileA
kernel32.dll,WriteFile
....
Example address exclude file (--addr_exclude), one "library,last two bytes of address" entry per line:
mso.dll,0x2222
mso.dll,0x3333
....
The second parameter is the last two bytes of the address to be whitelisted. This is a hacky solution to avoid ASLR issues; there is a way to solve this issue properly. This option may be required if a program executes legitimate code from RWX memory. Add the library name and the last two bytes of the address that calls into the RWX allocated memory.
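Added example (not the project's own code) showing how the two file formats above can be parsed and how the "last two bytes" whitelist match works; the loaded-module map, the "outside every module image" heuristic and all addresses are constructed assumptions, since the page does not define what the tool treats as shellcode-like.

```cpp
#include <cstdint>
#include <cstdlib>
#include <sstream>
#include <string>
#include <vector>

struct ApiEntry     { std::string module; std::string name; };   // kernel32.dll,CreateFileA
struct ExcludeEntry { std::string module; uint16_t low16; };     // mso.dll,0x2222
struct ModuleRange  { std::string name; uint32_t base, size; };  // assumed loaded-module map

// Splits one "module,value" line; false for blank or placeholder ("....") lines.
static bool splitLine(std::string line, std::string& module, std::string& value) {
    if (!line.empty() && line.back() == '\r') line.pop_back();   // tolerate CRLF files
    std::size_t comma = line.find(',');
    if (comma == std::string::npos) return false;
    module = line.substr(0, comma); value = line.substr(comma + 1);
    return !module.empty() && !value.empty();
}

std::vector<ApiEntry> parseApiList(const std::string& text) {
    std::vector<ApiEntry> out; std::istringstream in(text); std::string line, m, v;
    while (std::getline(in, line))
        if (splitLine(line, m, v)) out.push_back({m, v});
    return out;
}

// Only the low 16 bits are kept (the README's ASLR workaround): 0x5F342222 and 0x6A102222 collide.
std::vector<ExcludeEntry> parseExcludeList(const std::string& text) {
    std::vector<ExcludeEntry> out; std::istringstream in(text); std::string line, m, v;
    while (std::getline(in, line))
        if (splitLine(line, m, v))
            out.push_back({m, static_cast<uint16_t>(std::strtoul(v.c_str(), nullptr, 16) & 0xFFFF)});
    return out;
}

// True when the module name and the low 16 bits of addr match a whitelist entry.
bool matchesExclude(const std::string& module, uint32_t addr,
                    const std::vector<ExcludeEntry>& excl) {
    for (const auto& e : excl)
        if (e.module == module && e.low16 == static_cast<uint16_t>(addr & 0xFFFF)) return true;
    return false;
}

// Assumed heuristic for "shellcode-like": return address outside every loaded module image.
bool returnOutsideModules(uint32_t ret, const std::vector<ModuleRange>& mods) {
    for (const auto& m : mods)
        if (ret >= m.base && ret < m.base + m.size) return false;
    return true;
}
```

Because only 16 bits are compared, any other address in the same library that happens to end in the same two bytes is also whitelisted, which is the weakness the text above refers to.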
Initially written and compiled using Visual Studio 2010; the project has recently transitioned to Visual Studio 2015.
Compile the latest TitanEngine project (https://bitbucket.org/titanengineupdate/titanengine-update), which is used as the debugging engine in this program.
Example: Place the binaries and ".lib" file into the "\TitanEngine" folder and the DLL into the same directory as the main .EXE.
Compile the latest ScyllaHide project and place the DLL and configuration file into the appropriate folder.
Example: Place the ScyllaHide DLL file into the "\Release\plugins\x86" folder.