https://github.com/rvermeulen/argos

Advertised honeypot with operating system wide dynamic taint tracking
https://github.com/rvermeulen/argos

Last synced: about 1 month ago
JSON representation

Advertised honeypot with operating system wide dynamic taint tracking

• Host: GitHub
• URL: https://github.com/rvermeulen/argos
• Owner: rvermeulen
• Created: 2011-03-18T18:56:34.000Z (over 13 years ago)
• Default Branch: master
• Last Pushed: 2011-03-22T12:23:52.000Z (over 13 years ago)
• Last Synced: 2024-08-04T23:09:50.388Z (4 months ago)
• Language: C
• Homepage: http://www.few.vu.nl/argos
• Size: 6.8 MB
• Stars: 7
• Watchers: 1
• Forks: 6
• Open Issues: 1
• Metadata Files:
  • Readme: README

Awesome Lists containing this project

• awesome-honeypot - **4**星

README

        
Argos is an advertised honeypot using dynamic taint analysis to detect and

analysis control flow attacks.

For more info on Argos you can visit http://www.few.vu.nl/argos

In this extension I have implemented payload analysis functionality that

detects the execution of a payload and captures run-time information for 

further analysis as part of my master thesis.

The run-time information captured includes the execution trace, the memory

references, the CPU state, and optionally the stage of the instructions.

A stage references the number of unpacking that has occurred.

Every byte of the captured execution trace initially starts with stage zero and

every time the payload writes a byte to memory that bytes has a stage equal to

the stage of the read byte plus one.

The stage can be used to detect the various parts of the payload.

Instructions with stage zero belong to the NOP-sled and first unpacker,

instructions with a stage greater than zero but smaller than the maximum stage

in the execution trace belong to various unpackers, and the instructions with

the greatest stage belong to the shell-code.

For more information on the implementation see my thesis and slides in the doc

directory.