Author Topic: PMSWalker: Automatic Malicious Site Analysis Tool  (Read 6498 times)

August 09, 2011, 05:40:03 am

PMSWalker is an automatic malicious site analysis tool using hook method suggested by
sample.7z contains some Exploit Kits for testing; PMSWalker can deal with them automatically (Phoenix Exploit Kit should use Load From Moniker, for example "C:\Phoenix.htm")
Simple Introduction:
"Load From Moniker": load from the Url Edit Control(url)
"Load From Stream": load from the Stream Edit Control(html)
"Tree": the DOM Tree only with frames and scripts
"Catch": hooked calling function list
"Decode": Stream is Input, Result is Output
"Block": block pop-up
"Scan": using automatic analysis (if the scan folder (containing scancl.exe and the library (Avira AntiVir CLS)) is in PMSWalker's folder, PMSWalker uses it to scan and the result is under the [Scan Info] tag)
Abort: abort loading
Encode: decode JS/VBS.encode
Filter: delete what matches argument in Payload List
Find and Replace use
Insert: insert to Payload List
Log: generate Log
Shellocode: emulate shellcode, the second argument is step count. For %uXXXX, use Ucs2ToHex then use Shellocode
If you have problems, email me at
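
The %uXXXX step mentioned in the Shellocode entry above, as an added example that is not part of the original post and not PMSWalker's code: it turns JavaScript unescape()-style text into the bytes the string occupies in memory, which is the form an emulator or scanner needs. That Ucs2ToHex performs this same conversion is an assumption; the function names and the sample strings are constructed for illustration.

```python
import re

# One token per match: %uXXXX, %XX, or any other single character.
_TOKEN = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})|(.)", re.DOTALL)


def ucs2_escapes_to_bytes(text):
    """Return (data, malformed) for unescape()-style text.

    Every decoded character is one 16-bit code unit stored little-endian,
    so %u1234 becomes the bytes 34 12 and %41 becomes 41 00.
    malformed lists the offsets of '%' characters that did not start a
    valid escape; like unescape(), they are kept as literal characters.
    """
    out = bytearray()
    malformed = []
    for m in _TOKEN.finditer(text):
        if m.group(1) is not None:        # %uXXXX
            out += int(m.group(1), 16).to_bytes(2, "little")
        elif m.group(2) is not None:      # %XX
            out += int(m.group(2), 16).to_bytes(2, "little")
        else:                             # literal character
            ch = m.group(3)
            if ch == "%":
                malformed.append(m.start())
            out += ch.encode("utf-16-le", "surrogatepass")
    return bytes(out), malformed


def ucs2_escapes_to_hex(text):
    """Space-separated hex dump of the decoded bytes."""
    data, _ = ucs2_escapes_to_bytes(text)
    return data.hex(" ")


if __name__ == "__main__":
    # Constructed, harmless sample: the letters A, B and C.
    sample = "%u4141%u4242%43"
    print(ucs2_escapes_to_hex(sample))
    # A broken escape is reported instead of being silently dropped.
    print(ucs2_escapes_to_bytes("%uZZ"))
```

A non-empty malformed list is worth noting in an analysis log, since broken escapes often mean the string was cut mid-payload or is assembled from several pieces at run time.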