Author Topic: PMSWalker: Automatic Malicious Site Analysis Tool  (Read 4300 times)


August 09, 2011, 05:40:03 am

promised

http://code.google.com/p/pmswalker/downloads/list
PMSWalker is an automatic malicious site analysis tool using the hook method suggested by http://www.toorcon.org/tcx/26_Chenette.pdf
sample.7z contains some Exploit Kits for testing; PMSWalker can deal with them automatically (Phoenix Exploit Kit should use Load From Moniker, for example "C:\Phoenix.htm").
Simple Introduction:
"Load From Moniker": load from the Url Edit Control (url)
"Load From Stream": load from the Stream Edit Control (html)
"Tree": the DOM Tree, only with frames and scripts
"Catch": list of hooked function calls
"Decode": Stream is the input, Result is the output
"Block": block pop-ups
"Scan": use automatic analysis (if a scan folder containing scancl.exe and its library (Avira AntiVir CLS) is in PMSWalker's folder, PMSWalker uses it to scan and the result is under the [Scan Info] tag)
"Abort": abort loading
"Encode": decode JS/VBS.Encode
"Filter": delete whatever matches the argument in the Payload List
"Find" and "Replace": use the syntax from http://msdn.microsoft.com/en-us/library/1400241x(v=vs.85).aspx
"Insert": insert into the Payload List
"Log": generate a Log
"Shellocode": emulate shellcode; the second argument is the step count. For %uXXXX, use Ucs2ToHex first, then Shellocode.
If you have problems, email me at huruifu@gmail.com