Since I have recently managed to find some time and come back to TraceHook project development, I decided to mark the result of a-few-hour-long session with the next version number – 0.0.2. Until now, the application has been designed for my own purposes – it was written to handle particular problems and work under certain conditions, although I am slowly trying to implement additional options, that might turn out to be handy for wider public.
The main purpose and used techniques remain the same – it is still all about tracing and dumping process trees marked as malware (for which TraceHook was created in the first place). The engine itself is build with a kernel driver, responsible for handling the current process list in a safe manner,receiving and managing the notify signals, regarding events such as program creation/termination, as well as a majority of other available options.
The new version has been mainly enhanced with a new dump file format – Windows MiniDump. As opposed to a full raw memory dump, performed entirely in kernel-mode, the minidump file is written to from user-mode. Moving the dumping function to user area makes it possible to extend the project with more, safe functions implementing new file formats, depending on the user’s needs.
A complete package (EXE + sources): TraceHook_v0.0.2.zip (50 kB)
Options:
-=*( TraceHook v0.0.2 by j00ru//vx )*=-
Usage: TraceHook.exe <target executable> [options]
Available options:
-pPATH Sets the dump destination directory to PATH.
The default dump path is C:\dump.
-iINTERVAL Turns the counter mode on. Makes the application terminate
and automatically dump all the monitored processes after the
specified amount of time.
Note: The INTERVAL value is the number of seconds to wait till
dumping all processes.
-m Activates the MiniDump mode.
-h Displays this message.
— CHANGELOG —
2009-10-03: TraceHook v0.0.2 * Added dump path manipulation option. * Added time interval option. * Added additional dump file format - Windows MiniDump. * Fixed a Denial of Service vulnerability described at https://j00ru.vexillium.org/?p=141#comment-69 * Fixed many other minor code issues
— TODO —
*** TraceHook v0.0.2 --> v0.0.3 - Move the dumping process entirely to user-mode, for easier development and safer execution - Change the ProcessList structure to sth based on LIST_ENTRY (safer solution ?) - Add more dump file formats, i.e. module-only dumps - Add support for multiple malware process trees - Create some kind of GUI, user-friendly interface
Downloading and testing the application is strongly advised (as well as sending bug reports)!
Nice one j00ru :)
MiniDump will be pretty useful for windbg.
Ciekawe ;)
Jedna funkcja jest zrodlem malych wycieków pamieci ;p