Author: David Zimmer
Size: 1.9mb
MD5: B75F17199AB6EB781595758C51413EF3

SysAnalyzer is an automated malcode run time analysis application that monitors various aspects of system and process states.

SysAnalyzer was designed to enable analysts to quickly build a comprehensive report as to the actions a binary takes on a system.

Updated 1/19/07: added known file db

SysAnalyzer can automatically monitor and compare:

• Running Processes
• Open Ports
• Loaded Drivers
• Injected Libraries
• Key Registry Changes
• APIs called by a target process
• File Modifications
• HTTP, IRC, and DNS traffic

SysAnalyzer also comes with a ProcessAnalyzer tool which can perform the following tasks:

• Create a memory dump of target process
• parse memory dump for strings
• parse strings output for exe, reg, and url references
• scan memory dump for known exploit signatures

Full GPL source for SysAnalyzer is included in the installation package:
Overview  |   Video Tour

Download  |  License 

Author: David Zimmer
Size: ~2mb
MD5: 20B5A8F02EC56DDBC230CC1FFEF67D88
Update Summary:
Fixed md5 bug, added jsDecode
Added GdiProcs.exe, mailpot added RSET command, fixed sniffing restart bug

The Malcode Analyst Pack contains a series of utilities that were found to be necessary tools while doing rapid malcode analysis.

Included in this package are:

• ShellExt	- 4 explorer shell extensions
• socketTool	- manual TCP Client for probing functionality.
• MailPot	- mail server capture pot
• fakeDNS	- spoofs dns responses to controlled ip's
• sniff_hit	- HTTP, IRC, and DNS sniffer
• sclog	- Shellcode research and analysis application
• IDCDumpFix	- aids in quick RE of packed applications
• Shellcode2Exe	- embeds multiple shellcode formats in exe husk
• GdiProcs	- detect hidden processes

For screen shots and tool descriptions please refer to the MAP overview document below:
Sclog Trainer  |   MAP Overview

Download  |  License 

Author: David Zimmer
Size: 245kb
MD5: 2BB04344700CAF643472255F3C4DAFBF

HookExplorer is a small utility designed to scan a target process and identify any user land hooks that may be installed by unknown code.

Detects IAT and detours style hooks, and allows the user to define an 'ignore list' to help cut through results.
Help File  |   Screenshot

Download  |  License 

Author: David Zimmer
Size: ~1.7mb
MD5: 275282740BD58E9658848B1FBDF0FD71
Update Summary: Added 2 PNP Shellcode Handlers

Multipot is a emulation based honeypot designed to capture malicious code which spreads through various exploits across the net. Design specifications for this project mandated that the captures be done in such a way so that the host machine would require only minimal supervision and would not itself risk getting infected. Multipot was designed to emulate exploitable services to safely collect malicious code.

Who would use MultiPot and why?

• ISP's to monitor their networks.
• Corporate security personnel to be warned of infections.
• Security researchers to build statistics of Internet health.
• Virus researchers to collect new samples of malware in the wild.
• Hobbyists and students to learn more about Internet security.

More information and source code is available in the bundled install file:
Online Help file  |   Screenshot

Download  |  License