Since I have recently managed to find some time and come back to TraceHook project development, I decided to mark the result of a-few-hour-long session with the next version number – 0.0.2. Until now, the application has been designed for my own purposes – it was written to handle particular problems and work under certain conditions, although I am slowly trying to implement additional options, that might turn out to be handy for wider public.
The main purpose and used techniques remain the same – it is still all about tracing and dumping process trees marked as malware (for which TraceHook was created in the first place). The engine itself is build with a kernel driver, responsible for handling the current process list in a safe manner,receiving and managing the notify signals, regarding events such as program creation/termination, as well as a majority of other available options.
The new version has been mainly enhanced with a new dump file format – Windows MiniDump. As opposed to a full raw memory dump, performed entirely in kernel-mode, the minidump file is written to from user-mode. Moving the dumping function to user area makes it possible to extend the project with more, safe functions implementing new file formats, depending on the user’s needs.
A complete package (EXE + sources): TraceHook.zip (50 kB)
-=*( TraceHook v0.0.2 by j00ru//vx )*=- Usage: TraceHook.exe <target executable> [options] Available options: -pPATH Sets the dump destination directory to PATH. The default dump path is C:\dump. -iINTERVAL Turns the counter mode on. Makes the application terminate and automatically dump all the monitored processes after the specified amount of time. Note: The INTERVAL value is the number of seconds to wait till dumping all processes. -m Activates the MiniDump mode. -h Displays this message.
– CHANGELOG –
2009-10-03: TraceHook v0.0.2 * Added dump path manipulation option. * Added time interval option. * Added additional dump file format - Windows MiniDump. * Fixed a Denial of Service vulnerability described at http://j00ru.vexillium.org/?p=141#comment-69 * Fixed many other minor code issues
– TODO –
*** TraceHook v0.0.2 --> v0.0.3 - Move the dumping process entirely to user-mode, for easier development and safer execution - Change the ProcessList structure to sth based on LIST_ENTRY (safer solution ?) - Add more dump file formats, i.e. module-only dumps - Add support for multiple malware process trees - Create some kind of GUI, user-friendly interface
Downloading and testing the application is strongly advised (as well as sending bug reports) !