PDA

View Full Version : TraceHook v0.0.2


j00ru vx tech blog
October 3rd, 2009, 19:25
Since I have recently managed to find some time and come back to TraceHook project development, I decided to mark the result of a-few-hour-long session with the next version number – 0.0.2. Until now, the application has been designed for my own purposes – it was written to handle particular problems and work under certain conditions, although I am slowly trying to implement additional options, that might turn out to be handy for wider public.

The main purpose and used techniques remain the same – it is still all about tracing and dumping process trees marked as malware (for which TraceHook was created in the first place). The engine itself is build with a kernel driver, responsible for handling the current process list in a safe manner,receiving and managing the notify signals, regarding events such as program creation/termination, as well as a majority of other available options.

The new version has been mainly enhanced with a new dump file format – Windows MiniDump. As opposed to a full raw memory dump, performed entirely in kernel-mode, the minidump file is written to from user-mode. Moving the dumping function to user area makes it possible to extend the project with more, safe functions implementing new file formats, depending on the user’s needs.

A complete package (EXE + sources): TraceHook.zip ("http://j00ru.vexillium.org/blog/04_10_09/TraceHook.zip") (50 kB)

Options:

Code:
-=*( TraceHook v0.0.2 by j00ru//vx )*=-
Usage: TraceHook.exe <target executable> [options]

Available options:
-pPATH****** Sets the dump destination directory to PATH.
The default dump path is C:\dump.

-iINTERVAL** Turns the counter mode on. Makes the application terminate
and automatically dump all the monitored processes after the
specified amount of time.
Note: The INTERVAL value is the number of seconds to wait till
dumping all processes.

-m********** Activates the MiniDump mode.
-h********** Displays this message.
– CHANGELOG –

Code:
2009-10-03: TraceHook v0.0.2
* Added dump path manipulation option.
* Added time interval option.
* Added additional dump file format - Windows MiniDump.
* Fixed a Denial of Service vulnerability described at http://j00ru.vexillium.org/?p=141#comment-69
* Fixed many other minor code issues
– TODO –

Code:
*** TraceHook v0.0.2 --> v0.0.3
- Move the dumping process entirely to user-mode, for easier development and safer execution
- Change the ProcessList structure to sth based on LIST_ENTRY (safer solution ?)
- Add more dump file formats, i.e. module-only dumps
- Add support for multiple malware process trees
- Create some kind of GUI, user-friendly interface
Downloading and testing the application is strongly advised (as well as sending bug reports) !



http://j00ru.vexillium.org/?p=175&lang=en