
misc tweaks

unknown
unknown committed May 6, 2011
1 parent 0577469 commit c15fd13c61622a2fbb36903d3ea12a5c99459a7d
@@ -40,7 +40,7 @@ HelpContextID="0"
CompatibleMode="0"
MajorVer=0
MinorVer=9
-RevisionVer=253
+RevisionVer=255
AutoIncrementVer=1
ServerSupportFiles=0
VersionCompanyName="sandsprite"
@@ -1,4 +1,4 @@
-Form1 = 39, 69, 954, 491, Z, -93, 7, 938, 615, C
+Form1 = 39, 69, 954, 491, , -93, 7, 938, 615, C
Module4 = 22, 22, 857, 436,
fso = 154, 154, 1069, 576,
clsCmnDlg = 132, 132, 1047, 554,
@@ -13,10 +13,10 @@ CFunc = 198, 198, 1113, 620, C
frmRefactor = 176, 176, 1091, 598, C, 0, 0, 784, 480, C
CInstruction = 154, 154, 1069, 576, C
CDisassembler = 132, 132, 1047, 554, C
-modEscapes = 110, 110, 1025, 532,
+modEscapes = 110, 110, 1025, 532, C
CSharpFilters = 88, 88, 1003, 510,
CApplyFilters = 66, 66, 981, 488,
frmManualFilters = 44, 44, 959, 466, , 32, 0, 850, 570, C
-frmScTest = 22, 22, 937, 444, , 100, 2, 911, 618, C
+frmScTest = 22, 22, 937, 444, Z, 100, 2, 911, 618, C
ucScint = 44, 44, 713, 466, , 176, 176, 913, 598, C
b64 = 110, 110, 901, 524,
@@ -1,12 +1,12 @@
VERSION 5.00
Begin VB.Form frmScTest
Caption = "scDbg - libemu Shellcode Logger Launch Interface"
- ClientHeight = 6900
+ ClientHeight = 7170
ClientLeft = 60
ClientTop = 345
ClientWidth = 10140
LinkTopic = "Form3"
- ScaleHeight = 6900
+ ScaleHeight = 7170
ScaleWidth = 10140
StartUpPosition = 2 'CenterScreen
Begin VB.TextBox Text1
@@ -24,20 +24,43 @@ Begin VB.Form frmScTest
MultiLine = -1 'True
ScrollBars = 2 'Vertical
TabIndex = 3
- Top = 1530
+ Top = 1845
Width = 9960
End
Begin VB.Frame Frame1
Caption = "Options"
- Height = 1455
+ Height = 1815
Left = 60
TabIndex = 0
Top = 0
Width = 10005
+ Begin VB.TextBox txtManualArgs
+ Height = 285
+ Left = 1800
+ TabIndex = 25
+ Top = 1080
+ Width = 5955
+ End
+ Begin VB.TextBox txtStartOffset
+ Height = 285
+ Left = 8055
+ TabIndex = 22
+ Text = "0"
+ Top = 180
+ Width = 675
+ End
+ Begin VB.CheckBox chkOffset
+ Caption = "Start Offset 0x"
+ Height = 255
+ Left = 6660
+ TabIndex = 23
+ Top = 195
+ Width = 1515
+ End
Begin VB.CommandButton cmdrowse
Caption = "..."
Height = 285
- Left = 6840
+ Left = 7830
TabIndex = 21
Top = 675
Width = 465
@@ -48,7 +71,7 @@ Begin VB.Form frmScTest
OLEDropMode = 1 'Manual
TabIndex = 20
Top = 675
- Width = 5685
+ Width = 6720
End
Begin VB.CheckBox chkfopen
Caption = "fopen"
@@ -117,9 +140,9 @@ Begin VB.Form frmScTest
Begin VB.CommandButton Command1
Caption = "Launch"
Height = 375
- Left = 8325
+ Left = 8370
TabIndex = 2
- Top = 990
+ Top = 1035
Width = 1575
End
Begin VB.CheckBox chkReport
@@ -130,6 +153,14 @@ Begin VB.Form frmScTest
Top = 180
Width = 1695
End
+ Begin VB.Label Label1
+ Caption = "Manual Arguments"
+ Height = 285
+ Left = 225
+ TabIndex = 24
+ Top = 1080
+ Width = 1410
+ End
Begin VB.Label Label6
Caption = "scdbg homepage"
BeginProperty Font
@@ -146,7 +177,7 @@ Begin VB.Form frmScTest
Index = 8
Left = 3480
TabIndex = 14
- Top = 1125
+ Top = 1440
Width = 1335
End
Begin VB.Label Label6
@@ -165,7 +196,7 @@ Begin VB.Form frmScTest
Index = 7
Left = 4860
TabIndex = 13
- Top = 1125
+ Top = 1440
Width = 675
End
Begin VB.Label Label6
@@ -182,9 +213,9 @@ Begin VB.Form frmScTest
ForeColor = &H00FF0000&
Height = 255
Index = 0
- Left = 8010
+ Left = 8190
TabIndex = 12
- Top = 180
+ Top = 1440
Width = 855
End
Begin VB.Label Label6
@@ -203,7 +234,7 @@ Begin VB.Form frmScTest
Index = 2
Left = 5580
TabIndex = 11
- Top = 1125
+ Top = 1440
Width = 1035
End
Begin VB.Label Label6
@@ -222,7 +253,7 @@ Begin VB.Form frmScTest
Index = 6
Left = 6660
TabIndex = 10
- Top = 1125
+ Top = 1440
Width = 375
End
Begin VB.Label Label6
@@ -241,7 +272,7 @@ Begin VB.Form frmScTest
Index = 4
Left = 1860
TabIndex = 6
- Top = 1125
+ Top = 1440
Width = 1455
End
Begin VB.Label Label6
@@ -260,7 +291,7 @@ Begin VB.Form frmScTest
Index = 3
Left = 240
TabIndex = 5
- Top = 1125
+ Top = 1440
Width = 1335
End
Begin VB.Label Label6
@@ -277,9 +308,9 @@ Begin VB.Form frmScTest
ForeColor = &H00FF0000&
Height = 255
Index = 5
- Left = 7200
+ Left = 7335
TabIndex = 4
- Top = 180
+ Top = 1440
Width = 735
End
End
@@ -457,6 +488,15 @@ Private Sub Command1_Click()
If chkDebugShell.Value = 1 Then cmdline = cmdline & " -vvv"
If chkFindSc.Value = 1 Then cmdline = cmdline & " -findsc"
If ChkMemMon.Value = 1 Then cmdline = cmdline & " -mdll"
+
+ If chkOffset.Value = 1 Then
+ If Not isHexNum(txtStartOffset) Then
+ MsgBox "Start offset is not a valid hex number: " & txtStartOffset, vbInformation
+ Exit Sub
+ End If
+ cmdline = cmdline & " -foff " & txtStartOffset
+ End If
+
If chkfopen.Value = 1 Then
If Not fso.FileExists(txtFopen.Text) Then
MsgBox "You must specify a valid file to open", vbInformation
@@ -465,7 +505,7 @@ Private Sub Command1_Click()
cmdline = cmdline & " -fopen " & GetShortName(txtFopen)
End If
- cmdline = cmdline & " -f sample.sc"
+ cmdline = cmdline & " -f sample.sc" & " " & txtManualArgs
cmdline = "cmd /k chdir /d " & libemu & "\ && " & cmdline
lastcmdline = cmdline
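Review bot: The new `& " " & txtManualArgs` on the `-f sample.sc` line splices the textbox content into cmdline unquoted, and the next line hands that string to `cmd /k`, so any cmd operator typed into the field (`&`, `|`, `>`) is interpreted by cmd rather than passed to scdbg. For a launcher whose purpose is to forward extra options to a local tool that may be the intent, but the new control should say so; a comment on that line such as `' manual args go to cmd unquoted: cmd operators in the field are interpreted by cmd, not scdbg` makes the contract explicit. The same hunk and the one above it use the bare controls `txtStartOffset` and `txtManualArgs`, relying on the default property, while the existing fopen branch writes `txtFopen.Text`; `txtStartOffset.Text` and `txtManualArgs.Text` would match the surrounding style. Command1_Click starts and ends outside these hunks.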
@@ -4,10 +4,10 @@ Begin VB.Form frmSclog
ClientHeight = 6825
ClientLeft = 60
ClientTop = 345
- ClientWidth = 11100
+ ClientWidth = 10680
LinkTopic = "Form3"
ScaleHeight = 6825
- ScaleWidth = 11100
+ ScaleWidth = 10680
StartUpPosition = 2 'CenterScreen
Begin VB.TextBox Text1
BeginProperty Font
@@ -482,7 +482,7 @@ Private Sub Command1_Click()
If chkAlloc.Value = 1 Then cmdline = cmdline & " /alloc"
If chkShowAddr.Value = 1 Then cmdline = cmdline & " /showadr"
If chkOffset.Value = 1 Then
- If Not isHex(txtStartOffset) Then
+ If Not isHexNum(txtStartOffset) Then
MsgBox "Start offset is not a valid hex number: " & txtStartOffset, vbInformation
Exit Sub
End If
@@ -626,3 +626,4 @@ Private Sub Label5_Click()
Clipboard.SetText last_cmdline
MsgBox "Last command line copied to clipboard: " & vbCrLf & vbCrLf & last_cmdline, vbInformation
End Sub
+
Binary file not shown.
@@ -337,6 +337,13 @@ Public Function isHex(v) As Boolean
Err.Clear
End Function
+Public Function isHexNum(v) As Boolean
+ On Error Resume Next
+ x = CLng("&h" & v)
+ If Err.Number = 0 Then isHexNum = True
+ Err.Clear
+End Function
+
Function ExtractFromParanthesisPageEncapsulation(Data)
On Error Resume Next
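Review bot: isHexNum accepts whatever VB's literal parser can read after `&h`, which is broader than the bare hex digits the `Start Offset 0x` caption promises, and both frmScTest and frmSclog route the value it approves straight into the `-foff` argument of a command line. CLng's string conversion is lenient about surrounding whitespace and its behaviour on an empty string or a sign after `&h` is not obvious, so an explicit digit check (below) is easier to reason about and also caps the length at the eight digits a 32-bit offset can need. `x` is never declared, which only compiles while the module lacks Option Explicit; the rewrite drops it. Since isHex directly above is kept, a one-line comment telling the two apart (`' isHexNum: bare hex digits only, no 0x/&h prefix, used to validate command-line offsets`) would help the next reader.
```vb
Public Function isHexNum(v) As Boolean
    Dim s As String, i As Long
    s = v & ""
    ' bare hex digits only: no sign, no 0x/&h prefix, at most 32 bits worth
    If Len(s) = 0 Or Len(s) > 8 Then Exit Function
    For i = 1 To Len(s)
        If InStr(1, "0123456789abcdefABCDEF", Mid$(s, i, 1)) = 0 Then Exit Function
    Next
    isHexNum = True
End Function
```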
@@ -1,61 +0,0 @@
-
-sclog is a GPL shellcode analysis project available from iDefense.com
-as part of the Malcode Analyst Pack
- http://labs.idefense.com/software/malcode.php#more_malcode+analysis+pack
-
-A training video is available here:
- http://labs.idefense.com/files/labs/releases/sclog_trainer.wmv
-
-As well as its online help page:
- http://labs.idefense.com/files/labs/releases/previews/map/
-
-Initially sclog was developed to handle shellcode exploits
-captured from web pages or network captures.
-
-This copy is an experimental build that plays with some ideas
-on adapting it to handle more advanced shellcodes which are
-part of file format exploits.
-
-New options include:
-
- /fhand <file> opens file handle(s) the shellcode can search for
- /showadr Show return address for calls outside shellcode bufffer
- /log <file> Write all output to logfile
- /alloc
-
-The main one of interest is the /fhand option..this allows it to try to probe
-deeper into shellcodes which expect there to be an open file handle in memory
-to the original file that is triggering the exploit. The main way i have seen
-this done so far, is for the shellcode to call GetFileSize(x) over and over again
-as x is incremented scanning for open file handles.
-
-(Special care had to be taken not to spam the console during this operation)
-
-New hooks in this version include:
-
- ADDHOOK(GetFileSize)
- ADDHOOK(FindFirstFileA)
- ADDHOOK(VirtualAlloc)
- ADDHOOK(VirtualFree)
- ADDHOOK(GlobalAlloc)
- ADDHOOK(GlobalFree)
-
-The alloc and free hooks, will record allocations made from within the shellcode
-block. When the block is latter freed (or when the program exits) these allocations
-are then dumped to disk. This is to try to capture any stage 2 shellcode stage 1
-is trying to load from the parent file.
-
-Offsets shown in the output can be in one of 5 forms.
- if the hooked call is:
- a) called from teh shellcode buffer, the relative offset is shown (to line up with disasm of dump)
- b) called from a GlobalAlloc buffer, offset relative to Galloc buf shown (prefix GAlloc:)
- c) called from a virtualAlloc buffer, offset relative to Valloc buf shown (prefix VAlloc:)
- d) /showadr will show absolute addresses of ret addr for calls outside shellcode buffer
- e) if you see --- it means call was from outside shellcode buffer
-
-Currently it is still a bit messy in there as a jiggle things around. We are after all still
-experimenting with whats needed and how to do it.
-
-
-
-
@@ -28,6 +28,8 @@ License: hooker.c Copyright (C) 2005 David Zimmer <david@idefense.com, dzzie@yah
*/
+#pragma warning(disable: 4996)
+
#ifdef __cplusplus
#define unique extern "C"
#else
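Review bot: `#pragma warning(disable: 4996)` silences MSVC's deprecation warning for the whole translation unit, and C4996 is the warning that flags unbounded CRT string calls (strcpy, sprintf and friends), which is exactly the class of call worth keeping visible in code that formats output derived from analysed shellcode. The second C file in this commit (the hunk at `@@ -16,6 +16,7 @@`) adds the same line. If the aim is only to quiet known-safe spots, wrap those with `#pragma warning(push)` / `#pragma warning(pop)`, or at least leave a comment stating what was reviewed, e.g. `/* 4996: CRT deprecation (strcpy/sprintf); disabled after checking the call sites are bounded */`, so the suppression is not mistaken for a blanket OK.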
Binary file not shown.
Binary file not shown.
@@ -16,6 +16,7 @@
// along with this program; if not, write to the Free Software
// Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#pragma warning(disable: 4996)
#ifndef MAINPROG
#define unique extern
Binary file not shown.
Binary file not shown.
@@ -96,6 +96,33 @@ ALLOC_THUNK( LPVOID __stdcall Real_VirtualAllocEx( HANDLE a0, LPVOID a1, DWORD a
//ALLOC_THUNK( HANDLE __stdcall Real_FindFirstFileExA( LPCSTR a0, FINDEX_INFO_LEVELS a1, LPVOID a2, FINDEX_SEARCH_OPS a3, LPVOID a4, DWORD a5 ) );
//ALLOC_THUNK( BOOL __stdcall Real_IsDebuggerPresent( VOID ) );
+enum AntiSpamFx{
+ asAll = 0,
+ asWriteFile = 1,
+};
+
+bool AntiSpamSupress[50];
+
+void SetSupress(AntiSpamFx api){
+ AntiSpamSupress[api] = true;
+}
+
+void ReleaseSupress(AntiSpamFx api){
+ AntiSpamSupress[api] = false;
+}
+
+void ReleaseSupressExcept(AntiSpamFx api){
+ for(int i=0;i<50;i++){
+ if(i!=api) AntiSpamSupress[i] = false;
+ }
+}
+
+
+bool IsSupressed(AntiSpamFx api){
+ return AntiSpamSupress[api];
+}
+
+
char* ProcessFromPID(DWORD pid){ //must free() results
