Projects/OWASP Security Research and Development Framework/Roadmap



In the last several years, the malware black market has grown widely. Statistics show that the number of new viruses has increased from 300,000 viruses to millions and millions nowadays.

The complexity of malware attacks has also increased, from small amateur viruses to Stuxnet, Duqu and Flame.

The malware field is searching for new technologies and research, and for a united community that can withstand these attacks. And that’s why SRDF.

The SRDF is not and will not be developed by one person or a team. It will be developed by a big community that tries to share its knowledge and tools inside this framework.

SRDF is still not finished … and it will not be finished, as it’s a community-based framework developed by the contributors. We have just begun the idea.

The SRDF is divided into 2 parts: User-Mode and Kernel-Mode. We will describe each one in the next section.

The Features:

Before talking about SRDF design and structure, I want to show you what you will gain from SRDF and what it could add to your project.

In the User-Mode part, SRDF gives you many helpful tools … and they are:

• Assembler and Disassembler
• x86 Emulator
• Debugger
• PE Analyzer
• Process Analyzer (Loaded DLLs, Memory Maps … etc)
• MD5, SSDeep and Wildlist Scanner (YARA)
• API Hooker and Process Injection
• Backend Database, XML Serializer
• And many more

In the Kernel-Mode part, it tries to make it easy to write your own filter device driver (not with WDF and callbacks) and gives an easy, object-oriented (as much as we can) development framework with these features:

• Object-oriented and easy to use development framework
• Easy IRP dispatching mechanism
• SSDT Hooker
• Layered Devices Filtering
• TDI Firewall
• File and Registry Manager
• Kernel Mode easy to use internet sockets
• Filesystem Filter

The Kernel-Mode part is still in progress, and many features will be added in the near future.

Source Code:

Join Us:

Do you benefit from this framework and want to give something back? Do you want to add something to your CV? Do you want to meet smart developers and join a big community? Do you want to learn new things?

Here is the place … join the development community, meet new smart people and have fun.

To do list:

Here is what we wish to finish in the next 12 months. The 6-month plan is still not finished (it will be cut from the 12-month plan).

1. Antivirus:

a. XRAY Tool
b. Heuristics Analysis
c. Behavior-based Detection Tools
d. More File Formats (PDF, apk, …)
e. OpenSBI and other Virus Classification File Formats
f. Sandboxing Mechanism
   i. Using API/SSDT Hooking
   ii. Emulation Based on Pokas Emulator
g. Update System with Flexible Mechanism

2. Malware Analysis:

a. SSDT Hooking for (Processes, Files, Registry and Sockets System Calls)
b. API Hooking (for the same as above)
c. Improvement in Pokas Emulator, Assembler and Disassembler
d. Packet Capturing Tool and Emulated IRC and HTTP Connection (Server emulates the replies to the malware and logs the data)
e. Recursive Disassembler
f. More APIs Emulation in Pokas x86 Emulator
g. Support more Instructions (All FPU instructions, All general purpose instructions and support mmx and 3dnow)
h. Support idb (IDA Pro Database) to read it and use its analysis

3. Unpackers:

I’m aiming to create a database of all static unpacking code for the most common unpackers, and I hope it can be updated by the community.

4. Integrations:

a. Integration into IDA Pro Plugin Interface … and in (Debugger Menu)
b. OllyDbg Plugin Interface
c. Ollyscript Executor on cDebugger
d. Metasploit Integration (in Meterpreter Post Exploitation)
e. Python, Ruby, Delphi Header files and cTypes for SRDF.dll

5. Network:

a. Support NDIS, kernel sockets and more new libraries
b. Process Analyzer in Kernel-Mode
c. Packet Capturing Library
d. More Debugging and Bug fixing

6. Others:

a. We need to build a website.
b. We need activities for learning.
c. We need more documentation and tutorials.
d. We need more helpful tools and applications based on SRDF.