This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP Security Research and Development Framework"

From OWASP
Jump to: navigation, search
Line 1: Line 1:
 +
=Main=
 +
 +
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
 +
 +
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 +
| valign="top"  style="border-right: 1px dotted gray;padding-right:25px;" |
 +
 +
==OWASP Security Reseach and Development Framework ==
 +
 
''Do you see writing a security tool in windows is hard?''
 
''Do you see writing a security tool in windows is hard?''
  
Line 6: Line 15:
  
 
''So, Security Research and Development Framework is for you.''
 
''So, Security Research and Development Framework is for you.''
 
 
  
 
= Abstract: =
 
= Abstract: =
Line 31: Line 38:
 
The SRDF is divided into 2 parts: User-Mode and Kernel-Mode. And we will describe each one in the next section.
 
The SRDF is divided into 2 parts: User-Mode and Kernel-Mode. And we will describe each one in the next section.
  
 +
'''SRDF is seeking contributors to help with the next releases . Contact [mailto:[email protected] Amr Thabet] for more info.
  
= The Features: =
+
'''We can help you create your own project based on SRDF .. just contact us from the email above
  
 +
==Licensing==
 +
SRDF is a free open source framework. It is licensed under the GPL v2
  
Before talking about SRDF Design and structure, I want to give you what you will gain from SRDF and what it could add to your project.
+
| valign="top"  style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |
  
In User-Mode part, SRDF gives you many helpful tools
+
==The Features:==
  
=== The User Mode Features: ===
 
  
 +
Before talking about SRDF Design and structure, I want to give you what you will gain from SRDF and what it could add to your project.
 +
 +
===in Malware:===
  
 
•  Assembler and Disassembler
 
•  Assembler and Disassembler
Line 46: Line 58:
 
•  x86 Emulator
 
•  x86 Emulator
  
•  Debugger
+
•  x86 Debugger
  
•  PE Analyzer
+
•  PE Analyzer, ELF Analyzer, PDF Analyzer (still in progress), Android APK Analyzer
  
 
•  Process Analyzer (Loaded DLLs, Memory Maps … etc)
 
•  Process Analyzer (Loaded DLLs, Memory Maps … etc)
Line 54: Line 66:
 
•  MD5, SSDeep and Wildlist Scanner (YARA)
 
•  MD5, SSDeep and Wildlist Scanner (YARA)
  
•  API Hooker and Process Injection
+
•  API Hooker, IAT Hooking and Process Injection  
  
 
•  Backend Database, XML Serializer
 
•  Backend Database, XML Serializer
Line 60: Line 72:
 
•  And many more
 
•  And many more
  
In the Kernel-Mode part, it tries to make it easy to write your own filter device driver (not with WDF and callbacks) and gives an easy, object oriented (as much as we can) development framework with these features.
+
===in Network:===
  
=== The Kernel Mode Features: ===
+
•  Packet capturing using winpcap
  
 +
•  Pcap file analysis and packet analyzer
  
•  Object-oriented and easy to use development framework
+
•  detecting malformed packets and packet generator
  
•  Easy IRP dispatching mechanism
+
•  Session analysis and session separation
  
•  SSDT Hooker
+
•  Protocol Analysis like tcp, udp, icmp .. etc
  
•  Layered Devices Filtering
+
•  Application layer protocol analysis like http and dns
  
•  TDI Firewall
+
•  And many more
  
• File and Registry Manager
 
  
•  Kernel Mode easy to use internet sockets
+
and the project is totally object oriented, very expandable and well organized
  
•  Filesystem Filter
+
''' the project development still active and still expanding
  
 +
== Join Us: ==
  
Still the Kernel-Mode in progress and many features will be added in the near future.
+
''Do you get benefit from this framework and you need to give something back?''
  
Let’s now see the design:
+
''Do you want to add something to your CV?''
  
 +
''Do you want to meet smart developers and join a big community?''
  
= The User-Mode Part: =
+
''Do you want to learn new things?''
 
  
== The Design: ==
+
''Here is place join the development community, meet new smart people and have fun.''
 
 
[[File:SRDF-Design.png]]
 
 
 
=== Infrastructure: ===
 
 
 
This includes the essential elements of any development framework and it’s not related to security like: string, hash, list, serializer, database, registry manipulation, sockets and so on.
 
 
 
We decided to create this part rather than depending on any development framework to make this framework independent from any other development frameworks and to be portable on any development framework
 
 
 
==== Targets: ====
 
 
 
This is the beginning of the SRDF. This part is simply the Target from your security tool. What do you want to secure or secure from. And it includes Files (PE Files and others), Processes and Packets.
 
 
 
==== Libraries: ====
 
 
 
That’s the security tools that the SRDF support. And it’s divided into two namespaces: malware and network
 
 
 
Malware includes the assemblers and disassemblers, emulator, debugger, API Hooker, Yara Scanner (wildcard scanner) file recursive scanner and other tools
 
 
 
Network includes User-Mode capturing and Firewall
 
 
 
==== Core (The Application Interface): ====
 
 
 
The Core includes the Logging system and the back-end Database.
 
 
 
And also, it’s the Application Interface. Like cConsoleApp and you can inherit from it to create your own User-Interface.
 
 
 
We wish this part to be expanded to include more user interfaces and management systems
 
 
 
== The Infrastructure: ==
 
 
=== Elements: ===
 
 
It’s divided into three namespaces:
 
 
 
1. String: it contains the string class, encoded string, hash and list
 
 
 
2. Code: it contains the NativeCode class and StoredProcedure … and they represents the shellcode and the code that stored in database. Like a virus detection routines inside an Antivirus
 
 
 
3. XML: and it contains the XML Encoder and the Serializer.
 
 
 
=== Connections: ===
 
 
 
It’s divided into three namespaces:
 
 
 
1. Internet: and it contains the internet communication protocols like sockets, HTTP Sockets and so on.
 
 
 
2. IPC: and it contains the Inter-Process Communication protocol
 
 
 
3. User-Mode to Kernel-Mode Communication: and it contains the communication protocol to communicate to the kernel-mode part of the SRDF
 
 
 
=== Storage: ===
 
 
 
It’s divided into three namespaces:
 
 
 
1. Databases: and it contains the Database class and SQLiteDB and so on.
 
 
 
2. Files: and contains the File writing and logging classes
 
 
 
3. Registry: and it contains the registry read and write
 
 
 
 
 
== The Targets: ==
 
 
 
=== Files: ===
 
 
 
This namespace describes the File Formats of The Files that could contain malicious code like: Executable Files (PE and ELF) and Document Files (PDF, Docx …) and so on.
 
 
 
Until now it contains The PE Files parser
 
 
 
=== Process: ===
 
 
 
And it includes one class only named cProcess. And, this class describes a running process and parses its PEB and gives you the important information about the process and its memory map. And support injecting code and create a remote thread.
 
 
 
=== Packets: ===
 
 
 
And it includes classes that describe an internet packets captured on the wire or generated for an attack.
 
 
 
== Libraries: ==
 
 
 
It contains two namespaces:
 
 
 
=== Malware: ===
 
 
 
This namespace contains the scanning, Hooking and emulation libraries and contains Pokas Emulator wrapper class, Yara wrapper class (wildcard scanner), a debugger and contains a directory recursive scanner and other tools
 
 
 
And also, it contains the x86 assembler and disassembler (using Pokas Emulator Assembler) and allow to contain other assemblers and for other platforms.
 
 
 
=== Network: ===
 
 
 
This namespace should contain the User-Mode Packet capture and firewall. And should contain the Winpcap Packet capturing and firewall system.
 
It also should include Application Layer parsers for FTP, HTTP, IRC and all known protocols and include Pcap Reader and writer.
 
 
 
== The Core: ==
 
 
 
And the core includes the cApp class that contains the back-end database and logging and the User-Interface such as cConsoleApp
 
  
= The Kernel-Mode: =
+
| valign="top"  style="padding-left:25px;width:200px;" |
  
== The Kernel-Mode Goals: ==
+
== Source Code: ==
  
The Goals of the kernel-Mode development Framework are:
+
[https://github.com/AmrThabet/winSRDF Github]
  
1. Easy to create a Kernel-Mode security tool
+
[https://www.openhub.net/p/winSRDF Openhub]
  
2. Support OOP using the native device driver programming APIs
+
[http://www.security-framework.com Our Website]
  
3. Support detaching between  devices in IRPs
+
== Python SRDF (pySRDF)==
  
4. Easy to use files, registry and so on
+
it's an implementation for SRDF on python and very easy to use like this:
  
5. Create a User-Mode/Kernel-Mode communication protocol
+
>>from pySRDF import *
 +
>>dbg = Dbg("C:\\test.exe")
 +
>>dbg.SetBp(0x401000)
 +
>>dbg.Run()
  
6. Designed only for hooking and security tools.
+
OR Using the Emulator:
  
The Kernel-Mode SRDF is designed on native device driver programming APIs and independent from the WDF (windows drivers foundation).
+
>> emu = Emulator("C:\\test.exe")
 +
>> emu.SetBp("eip == 0x401000")
 +
>> emu.Run()
  
Now we will describe the design of Framework and then we will go through the IRP dispatching mechanism in the KM-SRDF
+
OR
  
 +
>> emu.SetBp("__isdirty(eip)") #which set bp on Execute on modified data
 +
>> emu.Run()
  
== The Design: ==
+
Find it at:
  
[[File:SRDF-Kernel-Design.png]]
+
[https://github.com/AmrThabet/pySRDF pySRDF Github]
  
'''Driver:''' It’s the core management system that dispatching the IRPs to the devices and manage the devices.
+
[https://github.com/AmrThabet/pySRDF/tree/master/Examples Examples]
  
'''Device:''' it represents a device object and it contains the IRP dispatching between the control device object and the filtering device objects and includes attaching and detaching from a devices chain and all necessary functions for a device object
+
|}
 +
= Roadmap: =
  
'''SSDT Device:''' this class is inherited from device class and it’s created for SSDT Hooking
+
=== 1. Antivirus: ===
 
 
'''Filter Device:''' this class created for attaching to a chain and filtering the inputs and the outputs of the IRPs
 
 
 
'''File Filter Device:''' this class is inherited from Filter Device and it’s created for filtering the File system I/O request packets (IRPs) or monitoring file operations
 
 
 
'''TDI Firewall:''' this class is inherited from Filter Device and it’s created for filtering the internet packets and connections and the processes that tries to connect to the internet
 
 
 
'''DKOM Device:''' this class created to provide a generic way to work with opaque structures in windows without worrying about windows version and subversion (under construction)
 
 
 
'''Process Device:''' this class provides a way to inject code or modify the memory of a process from the kernel-mode
 
 
 
'''File/Registry Managers:''' they are tools created to support writing files and working with registry easily without worrying about IRQL
 
 
 
'''Sockets:''' it’s an easy interface to connect to the internet using the TDI interface
 
 
 
 
 
 
 
== The IRP Dispatching: ==
 
 
[[File:SRDF-IRP-Dispatching.png]]
 
 
 
• The IRP dispatching begins from the entry.cpp and it dispatch the IRP to the Driver
 
 
 
• The driver checks the device object and dispatch the IRP to the related device
 
 
 
• The device sends the IRP to the User-Mode communication object to work with it as it’s sent to the control device object
 
 
 
• If it’s a FileFilter Device, the device dispatches the IRP based on the device object to the Attached Device Objects or to the control device object and the user-mode communication
 
 
 
 
 
= Source Code: =
 
 
 
 
http://code.google.com/p/srdf/
 
 
 
 
 
= Join Us: =
 
 
 
''Do you get benefit from this framework and you need to give something back?''
 
 
 
''Do you want to add something to your CV?''
 
 
 
''Do you want to meet smart developers and join a big community?''
 
 
 
''Do you want to learn new things?''
 
 
 
''Here is place … join the development community, meet new smart people and have fun.''
 
 
 
 
 
= Roadmap: =
 
 
 
 
== 1. Antivirus: ==
 
  
 
a. XRAY Tool
 
a. XRAY Tool
Line 280: Line 152:
 
c. Behavior-based Detection Tools.
 
c. Behavior-based Detection Tools.
  
d. More File Formats (PDF, apk, …)
+
d. More File Formats and improve what we have like (PDF, apk, …)
  
 
e. OpenSBI and other Virus Classification File Formats
 
e. OpenSBI and other Virus Classification File Formats
Line 292: Line 164:
 
g. Update System with Flexible Mechanism
 
g. Update System with Flexible Mechanism
  
== 2. Malware Analysis: ==
+
=== 2. Malware Analysis: ===
 
 
  
a. SSDT Hooking for (Processes, Files, Registry and Sockets System Calls)
+
a. Support idb (IDA Pro Database) to read it and use its analysis
  
 
b. API Hooking (for the same as above)
 
b. API Hooking (for the same as above)
Line 301: Line 172:
 
c. Improvement in Pokas Emulator, Assembler and Disassembler
 
c. Improvement in Pokas Emulator, Assembler and Disassembler
  
d. Packet Capturing Tool and Emulated IRC and HTTP Connection (Server emulate the replies to the malware and log the data)
+
d. Recursive Disassembler
 
 
e. Recursive Disassembler
 
 
 
f. More APIs Emulation in Pokas x86 Emulator
 
  
g. Support more Instructions (All FPU instructions, All general purpose instructions and support mmx and 3dnow)
+
e. More APIs Emulation in Pokas x86 Emulator
  
h. Support idb (IDA Pro Database) to read it and use its analysis
+
f. Support more Instructions (All FPU instructions, All general purpose instructions and support mmx and 3dnow)
  
  
== 3. Unpackers: ==
+
=== 3. Unpackers: ===
  
 
I’m aiming to create a database for all static unpacking codes for the mostly common unpackers and I hope it could be updated by the community
 
I’m aiming to create a database for all static unpacking codes for the mostly common unpackers and I hope it could be updated by the community
  
  
== 4. Integrations: ==
+
=== 4. Integrations: ===
  
 
a. Integration into IDA Pro Plugin Interface … and in (Debugger Menu)
 
a. Integration into IDA Pro Plugin Interface … and in (Debugger Menu)
Line 329: Line 196:
 
e. Python, Ruby, Delphi Header files and cTypes for SRDF.dll
 
e. Python, Ruby, Delphi Header files and cTypes for SRDF.dll
  
 +
=== 5. Network: ===
  
 +
a. Proxy Server and Emulated IRC and HTTP Connection (Server emulate the replies to the malware and log the data)
  
== 5. Network: ==
+
b. Improve the HTTP analyzer and file capturing
 
 
a. Support NDIS, kernel sockets and more new libraries
 
 
 
b. Process Analyzer in Kernel-Mode
 
 
 
c. Packet Capturing Library
 
 
 
d. More Debugging and Bug fixing
 
 
 
== 6. Others: ==
 
 
 
a. We need to build website.
 
 
 
b. We need activities for learning.
 
 
 
c. We need more documentations and tutorials
 
 
 
d. We need more helpful tools and applications based on SRDF
 
 
 
 
 
= Conclusion: =
 
 
 
This development framework will support the anti-malware technologies to grow and support implementing researches in the malware field more to withstand against the new attacks nowadays
 
  
The framework is based on community and we aim to create a big community for it. We didn’t finished the framework … we just begin
+
c. Add more protocols like SMTP and FTP
  
=Project About=
+
=== 6. Others: ===
{{:Projects/OWASP_Security_Research_and_Development_Framework}}
 
  
[[Category:OWASP Project]]
+
We need more helpful tools and applications based on SRDF

Revision as of 12:00, 20 August 2014

Main

OWASP Project Header.jpg

OWASP Security Reseach and Development Framework

Do you see writing a security tool in windows is hard?

Do you have a great idea but you can’t implement it?

Do you have a good malware analysis tool and you don’t need it to become a plugin in OllyDbg or IDA Pro?

So, Security Research and Development Framework is for you.

Abstract:

This is a free open source Development Framework created to support writing security tools and malware analysis tools. And to convert the security researches and ideas from the theoretical approach to the practical implementation.

This development framework created mainly to support the malware field to create malware analysis tools and anti-virus tools easily without reinventing the wheel and inspire the innovative minds to write their researches on this field and implement them using SRDF.


Introduction:

In the last several years, the malware black market grows widely. The statistics shows that the number of new viruses increased from 300,000 viruses to millions and millions nowadays.

The complexity of malware attacks also increased from small amateur viruses to stuxnet, duqu and flame.

The malware field is searching for new technologies and researches, searching for united community can withstand against these attacks. And that’s why SRDF

The SRDF is not and will not be developed by one person or a team. It will be developed by a big community tries to share their knowledge and tools inside this Framework

SRDF still not finished … and it will not be finished as it’s a community based framework developed by the contributors. We just begin the idea.

The SRDF is divided into 2 parts: User-Mode and Kernel-Mode. And we will describe each one in the next section.

SRDF is seeking contributors to help with the next releases . Contact Amr Thabet for more info.

We can help you create your own project based on SRDF .. just contact us from the email above

Licensing

SRDF is a free open source framework. It is licensed under the GPL v2

The Features:

Before talking about SRDF Design and structure, I want to give you what you will gain from SRDF and what it could add to your project.

in Malware:

• Assembler and Disassembler

• x86 Emulator

• x86 Debugger

• PE Analyzer, ELF Analyzer, PDF Analyzer (still in progress), Android APK Analyzer

• Process Analyzer (Loaded DLLs, Memory Maps … etc)

• MD5, SSDeep and Wildlist Scanner (YARA)

• API Hooker, IAT Hooking and Process Injection

• Backend Database, XML Serializer

• And many more

in Network:

• Packet capturing using winpcap

• Pcap file analysis and packet analyzer

• detecting malformed packets and packet generator

• Session analysis and session separation

• Protocol Analysis like tcp, udp, icmp .. etc

• Application layer protocol analysis like http and dns

• And many more


and the project is totally object oriented, very expandable and well organized

the project development still active and still expanding

Join Us:

Do you get benefit from this framework and you need to give something back?

Do you want to add something to your CV?

Do you want to meet smart developers and join a big community?

Do you want to learn new things?

Here is place … join the development community, meet new smart people and have fun.

Source Code:

Github

Openhub

Our Website

Python SRDF (pySRDF)

it's an implementation for SRDF on python and very easy to use like this:

>>from pySRDF import * >>dbg = Dbg("C:\\test.exe") >>dbg.SetBp(0x401000) >>dbg.Run()

OR Using the Emulator:

>> emu = Emulator("C:\\test.exe") >> emu.SetBp("eip == 0x401000") >> emu.Run()

OR

>> emu.SetBp("__isdirty(eip)") #which set bp on Execute on modified data >> emu.Run()

Find it at:

pySRDF Github

Examples

Roadmap:

1. Antivirus:

a. XRAY Tool

b. Heuristics Analysis

c. Behavior-based Detection Tools.

d. More File Formats and improve what we have like (PDF, apk, …)

e. OpenSBI and other Virus Classification File Formats

f. Sandboxing Mechanism.

i. Using API/ SSDT Hooking

ii. Emulation Based on Pokas Emulator.

g. Update System with Flexible Mechanism

2. Malware Analysis:

a. Support idb (IDA Pro Database) to read it and use its analysis

b. API Hooking (for the same as above)

c. Improvement in Pokas Emulator, Assembler and Disassembler

d. Recursive Disassembler

e. More APIs Emulation in Pokas x86 Emulator

f. Support more Instructions (All FPU instructions, All general purpose instructions and support mmx and 3dnow)


3. Unpackers:

I’m aiming to create a database for all static unpacking codes for the mostly common unpackers and I hope it could be updated by the community


4. Integrations:

a. Integration into IDA Pro Plugin Interface … and in (Debugger Menu)

b. OllyDbg Plugin Interface

c. Ollyscript Executer on cDebugger

d. Metasploit Integeration (in Meterpreter Post Exploitation

e. Python, Ruby, Delphi Header files and cTypes for SRDF.dll

5. Network:

a. Proxy Server and Emulated IRC and HTTP Connection (Server emulate the replies to the malware and log the data)

b. Improve the HTTP analyzer and file capturing

c. Add more protocols like SMTP and FTP

6. Others:

We need more helpful tools and applications based on SRDF

Retrieved from "https://wiki.owasp.org/index.php?title=OWASP_Security_Research_and_Development_Framework&oldid=180827"