Saturday, March 3, 2012

PMSWalker - Malicious Site Walker

Site - http://code.google.com/p/pmswalker/

Download - http://pmswalker.googlecode.com/files/PMSWalker.7z

PMSWalker is a program that helps with analyzing websites infected with malicious code. An address entered in the url field must start with 'http://'. The 'scan' button uses the Avira command line scanner to report whether the content is malicious; the Avira files go into a 'scan' folder that you create under pmswalker\. Malware download paths are shown in the Payload window.

Simple Introduction:

"Load From Moniker": load from the Url edit control (url)
"Load From Stream": load from the Stream edit control (html)
"Tree": the DOM tree, showing only frames and scripts
"Catch": list of hooked function calls
"Decode": Stream is the input, Result is the output
"Block": block pop-ups

"Scan": automatic analysis. If a scan folder containing scancl.exe and its library (Avira AntiVir command line scanner) is in PMSWalker's folder, PMSWalker uses it to scan, and the result appears under the [Scan Info] tag.
Avira Command Line scanner download - http://www.avira.com/en/support-download-avira-antivir-command-line-scanner-scancl
avira vdf download - http://dl.antivir.de/package/fusebundle/win32/int/vdf_fusebundle.zip

"Abort": abort loading
"Encode": decode JScript.Encode / VBScript.Encode (Microsoft Script Encoder) output
"Filter": delete entries matching the argument from the Payload List
Find and Replace use the regular expression syntax documented at http://msdn.microsoft.com/en-us/library/1400241x(v=vs.85).aspx
"Insert": insert into the Payload List
"Log": generate a log
"Shellocode": emulate shellcode; the second argument is the step count. For %uXXXX input, use Ucs2ToHex first, then use Shellocode
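The Ucs2ToHex step above is the usual stumbling block when pulling shellcode out of an exploit page: unescape("%u9090...") builds a JavaScript string, and a JavaScript string is a sequence of 16-bit code units stored little-endian, so %u4142 is the bytes 42 41, not 41 42, and a stray %41 or literal character still occupies two bytes. The following is an added example (not PMSWalker's own code) that performs that conversion in Python and flags a NOP sled; the sample script, the function names and the 0x90 sled heuristic are the example's assumptions.

```python
import re
from typing import List

# Constructed sample: a heap-spray style fragment of the kind the Decode /
# Ucs2ToHex workflow is meant for. The escaped bytes are a NOP sled followed
# by filler, not a working payload.
SAMPLE_JS = (
    'var nop = unescape("%u9090%u9090");'
    'var sc  = unescape("%u4142%u4344%41");'
)

_UNESCAPE_CALL = re.compile(r'unescape\(\s*"([^"]*)"\s*\)')
_ESCAPE = re.compile(r'%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})')


def ucs2_to_bytes(escaped: str) -> bytes:
    """Turn an unescape()-style string into the bytes it occupies in memory.

    JS strings are sequences of UTF-16 code units. %uXXXX is one code unit,
    stored little-endian, so %u4142 becomes the bytes 42 41. %XX also yields
    a full code unit (0x00XX), i.e. XX 00, and so does a literal character.
    """
    out = bytearray()
    pos = 0
    for m in _ESCAPE.finditer(escaped):
        # literal text between escapes still contributes code units
        out += escaped[pos:m.start()].encode("utf-16-le")
        unit = int(m.group(1) or m.group(2), 16)
        out += unit.to_bytes(2, "little")
        pos = m.end()
    out += escaped[pos:].encode("utf-16-le")
    return bytes(out)


def extract_unescaped(script: str) -> List[bytes]:
    """Decode every unescape("...") literal found in a script."""
    return [ucs2_to_bytes(s) for s in _UNESCAPE_CALL.findall(script)]


def nop_sled_ratio(blob: bytes, nop: int = 0x90) -> float:
    """Fraction of bytes equal to the NOP opcode; values near 1.0 flag a sled."""
    return blob.count(nop) / len(blob) if blob else 0.0


if __name__ == "__main__":
    for blob in extract_unescaped(SAMPLE_JS):
        print(blob.hex(), f"nop ratio {nop_sled_ratio(blob):.2f}")
```

The hex output is what a shellcode emulator expects as input; feeding it the raw "%u" text instead is the mistake the Ucs2ToHex note guards against. Strings built by concatenation or by a decoder loop are not caught by the simple unescape("...") regex and have to be taken from the Decode result.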
If you have problems, email me at huruifu@gmail.com

