Research tool able to detect and mitigate evasion techniques used by malware in-the-wild

JuanLesPIN

Intel PIN tool to detect and mitigate Windows malware evasion techniques.

This tool is a prototype developed for a research project whose paper is currently under submission. To comply with double-blind review, the name of the tool used in the paper has also been anonymized.

Installation

To install this tool, first download:

  • Visual Studio (the Community edition is fine). Make sure the C++ Windows development kit is installed.
  • Intel PIN 3.17 (you can download it from HERE)

Then follow these five steps:

  1. Extract the zip containing Intel PIN into C:\ and rename the extracted folder to "pin", so that the Pin executable is at C:\pin\pin.exe.

  2. Change directory to C:\pin\source\tools and clone the repo.

  3. Open the file C:\pin\source\tools\JuanLesPIN-Public\JuanLesPIN.sln with Visual Studio.

  4. Go to Project -> Properties in the Visual Studio menu. Then, under "Configuration Properties" -> C/C++ -> Preprocessor -> "Preprocessor Definitions", set the value of _WINDOWS_H_PATH to match your Windows development kit version.

  5. Build the project in Release mode for x86 (the tool has been developed to work mainly on 32-bit malware).

Usage

To instrument a malware sample with JuanLesPIN, launch:

C:\pin\pin.exe -follow_execv -t C:\pin\source\tools\JuanLesPIN-Public\Release\JuanLesPIN.dll -timer 0 -report evasion-report -- <path to malware>
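
The following PowerShell script is an added example, not part of the JuanLesPIN project: it runs the command above over a whole directory of samples, names each report after the sample's SHA-256 and kills runs that hang. It assumes the install paths from the Installation section, that the -report argument is a file name (the README only shows "evasion-report"), and that no path contains spaces.

```powershell
# Added example (not JuanLesPIN's own code): batch-instrument every file in $SampleDir.
param(
    [Parameter(Mandatory = $true)][string]$SampleDir,
    [string]$OutDir = "$PWD\reports",
    [int]$TimeoutSec = 300
)

# Paths exactly as laid out by the Installation steps.
$Pin  = 'C:\pin\pin.exe'
$Tool = 'C:\pin\source\tools\JuanLesPIN-Public\Release\JuanLesPIN.dll'

foreach ($p in @($Pin, $Tool)) {
    if (-not (Test-Path $p)) {
        throw "Missing prerequisite: $p (complete the Installation steps first)"
    }
}
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

foreach ($sample in Get-ChildItem -Path $SampleDir -File) {
    # Name the report after the sample hash so it stays stable if the file is renamed.
    $sha    = (Get-FileHash -Algorithm SHA256 -Path $sample.FullName).Hash.ToLower()
    $report = Join-Path $OutDir "$sha.evasion-report"   # assumption: -report takes a file name

    # Same flags as the README's usage line; only the report name and sample path vary.
    $pinArgs = @('-follow_execv', '-t', $Tool, '-timer', '0', '-report', $report, '--', $sample.FullName)
    Write-Host "[*] Instrumenting $($sample.Name) -> $report"
    $proc = Start-Process -FilePath $Pin -ArgumentList $pinArgs -PassThru -NoNewWindow

    # Samples that stall (sleep loops, waiting for user interaction) would otherwise block the batch.
    if (-not $proc.WaitForExit($TimeoutSec * 1000)) {
        Write-Warning "[!] $($sample.Name) exceeded ${TimeoutSec}s; stopping pin.exe"
        Stop-Process -Id $proc.Id -Force -ErrorAction SilentlyContinue
    }
}
```

Stop-Process only terminates pin.exe itself; child processes spawned by a sample (followed via -follow_execv) may need separate cleanup, which is one more reason to run the batch inside a disposable analysis VM.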

Owner

Lorenzo Maffia
Malware Analyst and CTF player in @ZenHackTeam