
Exploit Forensics

  • 07-10-2015 9:30am
    #1
    Registered Users Posts: 5


    Does anyone know of a tool that could allow me to check if a file contains an exploit and get details of the exploit, like where the exploit is, what the ROP chain is, etc.?

    I know there are tools like VirusTotal or sandboxes, but I'm looking for something that will give me an exact answer including exploit information, and something that won't be easy for exploits to bypass.


Comments

  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    soberman wrote: »

    I know there are tools like VirusTotal or sandboxes, but I'm looking for something that will give me an exact answer including exploit information, and something that won't be easy for exploits to bypass.

    When you find this tool, don't tell anyone, patent it and then sell it. You'll be a millionaire overnight.


  • Registered Users Posts: 5 soberman


    Why? What would it be so good for? I mean, except for learning about exploits and dissecting files to find the exploit, which is what I want to do :)


  • Registered Users, Registered Users 2 Posts: 1,835 ✭✭✭BoB_BoT


    soberman wrote: »
    Why? What would it be so good for? I mean, except for learning about exploits and dissecting files to find the exploit, which is what I want to do :)

    Because you're asking for a tool that automatically does the job of anti-virus/security companies / bug finders, one that knows all the possible exploits available (without a reference). Not only would such a tool replace thousands of people that do the job of hunting exploits / bug finding, it would be so clever that it can determine what an exploit is.

    Maybe you phrased the question wrongly. What exactly are you trying to do?

    Are you looking for something like a debugger / a tool that will tell you if a file has a known virus/exploit worked into it and what it does when executed?


  • Registered Users, Registered Users 2 Posts: 5,112 ✭✭✭Blowfish


    soberman wrote: »
    Does anyone know of a tool that could allow me to check if a file contains an exploit and get details of the exploit, like where the exploit is, what the ROP chain is, etc.?

    I know there are tools like VirusTotal or sandboxes, but I'm looking for something that will give me an exact answer including exploit information, and something that won't be easy for exploits to bypass.

    Well, technically a debugger does actually do all the things you want.

    If you are expecting to just hit a button and have it spit out the exact details of an exploit and how it works though... well, good luck with that.


  • Registered Users Posts: 5 soberman


    BoB_BoT wrote: »
    Because you're asking for a tool that automatically does the job of anti-virus/security companies / bug finders, one that knows all the possible exploits available (without a reference). Not only would such a tool replace thousands of people that do the job of hunting exploits / bug finding, it would be so clever that it can determine what an exploit is.

    Maybe you phrased the question wrongly. What exactly are you trying to do?

    Are you looking for something like a debugger / a tool that will tell you if a file has a known virus/exploit worked into it and what it does when executed?

    Maybe I did phrase the question the wrong way. I'm not looking for something that would find vulnerabilities in software like exploit hunters do. I'm looking for something that will tell me if an exploit (known or unknown) is embedded within a document, and the details. Something along the lines of using Debugging Tools for Windows with !exploitable, but something that actually works and that can tell you if there's an exploit even if the exploit succeeded, and not only in the case of a crash.


    I'm not sure I understand why everyone thinks this is so important. I mean, just to detect an exploit for protection, someone can install something like FireEye or some other sandbox. What I'm looking for is more of a research tool. Which I guess just doesn't exist?
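    Added example (mine, not code from any tool named in this thread): the crudest form of the "where is the exploit and what is the chain" question can be asked statically, by scanning a document for byte-level artefacts that memory-corruption payloads leave on disk. The script below looks for runs of 32-bit little-endian values that all fall inside one module's address range (what a ROP chain or a heap spray of return addresses looks like in a file) and for long single-byte sleds, then decodes a flagged run back into addresses. The module range 0x10000000-0x10100000, the thresholds and the embedded sample document are assumptions made up for the illustration.

```python
"""Static triage pass over a document that may embed a memory-corruption
exploit.  Two heuristics:
  * runs of consecutive 32-bit little-endian values that land inside a known
    module's address range (what a ROP chain or heap spray looks like on disk)
  * long runs of one repeated byte (NOP sled / spray filler)
Added example for this thread, not code from any tool named in it.  The
module range, thresholds and the embedded sample are assumptions.
"""
import struct

# Assumed: a hypothetical non-ASLR module mapped at 0x10000000-0x100FFFFF,
# the kind of fixed-base DLL a ROP chain would be built from.
MODULE_LO = 0x10000000
MODULE_HI = 0x10100000


def find_pointer_runs(data, lo=MODULE_LO, hi=MODULE_HI, min_run=4):
    """Return (offset, count) for each run of >= min_run consecutive dwords
    with lo <= value < hi.  All four alignment phases are tried because a
    chain embedded in a file need not sit on a 4-byte boundary."""
    runs = []
    for phase in range(4):
        off, run_start, count = phase, None, 0
        while off + 4 <= len(data):
            (val,) = struct.unpack_from('<I', data, off)
            if lo <= val < hi:
                if count == 0:
                    run_start = off
                count += 1
            else:
                if count >= min_run:
                    runs.append((run_start, count))
                count = 0
            off += 4
        if count >= min_run:
            runs.append((run_start, count))
    return sorted(runs)


def find_byte_sleds(data, min_len=64):
    """Return (offset, byte_value, length) for every run of one repeated byte
    at least min_len long."""
    sleds, i, n = [], 0, len(data)
    while i < n:
        j = i
        while j < n and data[j] == data[i]:
            j += 1
        if j - i >= min_len:
            sleds.append((i, data[i], j - i))
        i = j
    return sleds


def extract_chain(data, offset, count):
    """Decode a flagged run back into its addresses so each can be looked up
    in the module with a disassembler and read as a gadget."""
    return [struct.unpack_from('<I', data, offset + 4 * k)[0]
            for k in range(count)]


def build_sample():
    """Constructed sample (not a real exploit): text padding, a 96-byte NOP
    sled, five made-up addresses inside the assumed module, more text."""
    chain = [0x10001234, 0x100056A0, 0x1000ABCD, 0x10002000, 0x10007C40]
    blob = b'%PDF-1.4 harmless text ' * 8                  # 184 bytes
    blob += b'\x90' * 96                                    # sled at offset 184
    blob += b''.join(struct.pack('<I', a) for a in chain)   # chain at offset 280
    blob += b'trailing content' * 5
    return blob, chain


if __name__ == '__main__':
    blob, _ = build_sample()
    for off, count in find_pointer_runs(blob):
        print('pointer run at 0x%x (%d dwords):' % (off, count),
              ['0x%08x' % a for a in extract_chain(blob, off, count)])
    for off, byte, length in find_byte_sleds(blob):
        print('sled of 0x%02x at 0x%x, %d bytes' % (byte, off, length))
```

    This is a triage aid, not the "exact answer" asked for: it only catches a chain that is stored in the clear against a fixed-base module. Anything XOR-encoded, built at runtime in script (as most PDF and Office exploits do), or aimed at an ASLR'd module with addresses computed from a leak will pass straight through, which is exactly why the other posters say such a button does not exist.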


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    Don't know of any such wonder app; it would be an awesome one, and a headache to keep up to date. For the nitty-gritty of what a given app is up to, for reg diffs I like to use some open-source free apps like Regshot or InstallRite: running in an isolated VM, deploy the nasty and sit back and observe its actions. From the diffs you can then construct removal strings for reg and so on.


    Where I work now, we do a version of the FireEye sandbox, only in our case it's a VM, not a physical box. The zero-day stuff will be nigh on impossible to track with an exploit detection tool. In my world, our SPN network has over 50 billion detection nodes that form our SPN (Smart Protection Network), formed from opt-out default installs (i.e. it's on unless you turn it off) on AV desktop solutions and embedded in some home routers branded by the likes of Linksys and so on. Our detection network is vast and still the zero-day will slip through based on patterns and so on. (Pattern tracking is very old-school and not that effective with today's theatre of war.) An exploitation scoring system is a very tricky thing to handle also, as in our solution it's combined with malware pattern analysis and then onto the DD solution; Trend have to do the behavioural diagnostics like sleeps for C&C waits, C&C comms and so on. The solution you ask for does exist, but not as a one-stop shop or solution. Today's attack surface really does call for a multi-tooled, multi-armed approach.
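    Added example (mine, not Regshot's or InstallRite's code): the "snapshot, detonate, diff, build removal strings" loop from the post above, reduced to Python. A registry snapshot is modelled as {key_path: {value_name: string_data}}; the two snapshots are constructed for the illustration (the Run entry, the changed start page and the new key are made up, not indicators from a real sample), only string values are handled, and keys the sample deleted are reported but not recreated.

```python
"""Regshot-style snapshot diff: compare a registry snapshot taken before
detonating a sample in an isolated VM with one taken after, then turn the
additions into a .reg file that undoes them.  Added example for this thread,
not Regshot's or InstallRite's code.  A snapshot is modelled as
{key_path: {value_name: string_data}}; only REG_SZ values are handled, and
the two snapshots below are constructed, not captured from a real sample.
"""

RUN_KEY = r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run'
IE_KEY = r'HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main'
NEW_KEY = r'HKEY_CURRENT_USER\Software\LabSample'


def build_snapshots():
    """Constructed before/after snapshots.  The 'after' side adds a Run
    entry, changes the IE start page and creates a new key."""
    before = {
        RUN_KEY: {'OneDrive': r'C:\Users\lab\AppData\Local\OneDrive.exe'},
        IE_KEY: {'Start Page': 'about:blank'},
    }
    after = {
        RUN_KEY: {'OneDrive': r'C:\Users\lab\AppData\Local\OneDrive.exe',
                  'Updater': r'C:\Users\lab\AppData\Roaming\svchost32.exe'},
        IE_KEY: {'Start Page': 'http://example.invalid/'},
        NEW_KEY: {'Installed': '1'},
    }
    return before, after


def diff_snapshots(before, after):
    """Return (added_keys, removed_keys, added_values, changed_values);
    the last two map key -> {value_name: new_data}."""
    added_keys = sorted(set(after) - set(before))
    removed_keys = sorted(set(before) - set(after))
    added_values, changed_values = {}, {}
    for key in set(before) & set(after):
        b, a = before[key], after[key]
        new = {n: v for n, v in a.items() if n not in b}
        chg = {n: v for n, v in a.items() if n in b and b[n] != v}
        if new:
            added_values[key] = new
        if chg:
            changed_values[key] = chg
    return added_keys, removed_keys, added_values, changed_values


def _reg_str(s):
    """Escape a string for .reg syntax (backslash and double quote)."""
    return s.replace('\\', '\\\\').replace('"', '\\"')


def _value_token(name):
    """The default value is written as @ in .reg files; others are quoted."""
    return '@' if name == '' else '"%s"' % _reg_str(name)


def removal_reg(before, after):
    """Build .reg text that deletes keys and values the sample added and
    restores changed string values to their pre-detonation data.  Keys the
    sample removed are not recreated here (their old data would be needed)."""
    added_keys, _removed, added_values, changed_values = diff_snapshots(before, after)
    lines = ['Windows Registry Editor Version 5.00', '']
    for key in added_keys:
        lines += ['[-%s]' % key, '']                 # leading '-' deletes the key
    for key in sorted(added_values):
        lines.append('[%s]' % key)
        for name in sorted(added_values[key]):
            lines.append('%s=-' % _value_token(name))  # '=-' deletes one value
        lines.append('')
    for key in sorted(changed_values):
        lines.append('[%s]' % key)
        for name in sorted(changed_values[key]):
            lines.append('%s="%s"' % (_value_token(name), _reg_str(before[key][name])))
        lines.append('')
    return '\r\n'.join(lines)


if __name__ == '__main__':
    b, a = build_snapshots()
    print(removal_reg(b, a))
```

    The same diff-and-undo shape applies to the file system, services and scheduled tasks; the registry is just the piece Regshot covers. Note that a diff only shows what the sample did in that one VM run, so a sample that sleeps, checks for a VM or waits for C&C (the behaviours mentioned above) will produce a clean-looking diff.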


  • Registered Users Posts: 5 soberman


    Wow. That's impressive. Sounds like a lot of work just to detect zero-days and stealthy malware.

    I guess it's not as easy as I thought :)


  • Registered Users Posts: 5 soberman


    So what process/tool do you use to detect the root cause of an exploit? Is it all proprietary and internal to your company?


  • Registered Users, Registered Users 2 Posts: 2,642 ✭✭✭wandererz


    I guess what you're looking for is something that takes a file/a document/a zip etc. analyzes it and then does similar to what is in the attached images.

    But if you had that, then you'd have your own malware analysis company.


  • Registered Users, Registered Users 2 Posts: 882 ✭✭✭moneymad


    soberman wrote: »
    Does anyone know of a tool that could allow me to check if a file contains an exploit and get details of the exploit, like where the exploit is, what the ROP chain is, etc.?

    I know there are tools like VirusTotal or sandboxes, but I'm looking for something that will give me an exact answer including exploit information, and something that won't be easy for exploits to bypass.

    http://resources.infosecinstitute.com/in-depth-seh-exploit-writing-tutorial-using-ollydbg/
    You might like this.


  • Registered Users Posts: 367 ✭✭900913


    Anubis is a service for analyzing malware.

    Submit your Windows executable or Android APK and receive an analysis report telling you what it does. Alternatively, submit a suspicious URL and receive a report that shows you all the activities of the Internet Explorer process when visiting this URL.

    Link: https://anubis.iseclab.org/


  • Posts: 0 [Deleted User]


    soberman wrote: »
    So what process/tool do you use to detect the root cause of an exploit? Is it all proprietary and internal to your company?

    If you're really interested in learning, then start here: https://www.nostarch.com/malware

    It uses plenty of open-source tools which I use daily, and will help you understand the process/methodology behind what we do.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    wandererz wrote: »
    I guess what you're looking for is something that takes a file/a document/a zip etc. analyzes it and then does similar to what is in the attached images.

    But if you had that, then you'd have your own malware analysis company.

    Maybe look at Cuckoo?

