NDIS Intermediate Driver//
This project gives an overview of an automated malicious-code blocking technique: an approach to computer security that combines malicious-software analysis with automatic blocking. We propose integrating a Network Driver Interface Specification (NDIS) driver with a unified malicious-software analysis platform. The NDIS model supports a hybrid kind of network driver, the NDIS intermediate driver, which sits between the protocol (transport) drivers above it and the miniport (NIC) drivers below it. Because every packet on the host passes through that layer, an intermediate driver can see the entire network traffic taking place on the system. Extracting security-relevant properties directly from that traffic enables a principled, root-cause-based approach to computer security rather than one that reacts only after the malicious content has reached an application.

Features:

1. Monitors and scans incoming network traffic on TCP port 80 against a signature for a Flash exploit used in drive-by-download attacks (only plaintext HTTP on port 80 is inspected).

2. Writes a log file to C:\myndis.dat.

3. Implements the Knuth-Morris-Pratt (KMP) pattern-matching algorithm to detect the signature in packet payloads and block the matching traffic.
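The matching part of feature 3, as an added user-mode C example (this is not the project's driver source, which extends Microsoft's Passthru sample, and it uses no NDIS API). It shows KMP adapted to the one thing a per-packet scanner must get right: the automaton state is kept between calls, so a signature that straddles two TCP segments of the same flow is still found. The signature "ABABAC" and the two payloads are constructed stand-ins, not the project's real Flash signature or real traffic.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Streaming Knuth-Morris-Pratt matcher. The number of signature bytes
 * matched so far (q) survives between calls, so a match split across two
 * segments is completed when the second one arrives. In an intermediate
 * driver one kmp_t would be kept per flow (src/dst address and port). */
typedef struct {
    const uint8_t *pat;   /* signature bytes */
    size_t         plen;  /* signature length */
    size_t        *fail;  /* failure table, plen entries, caller-provided */
    size_t         q;     /* bytes of pat matched so far */
} kmp_t;

/* Build the failure table: fail[i] is the length of the longest proper
 * prefix of pat[0..i] that is also a suffix of pat[0..i]. */
static void kmp_init(kmp_t *m, const uint8_t *pat, size_t plen, size_t *fail)
{
    size_t k = 0;
    m->pat = pat;
    m->plen = plen;
    m->fail = fail;
    m->q = 0;
    if (plen == 0)
        return;
    fail[0] = 0;
    for (size_t i = 1; i < plen; i++) {
        while (k > 0 && pat[k] != pat[i])
            k = fail[k - 1];
        if (pat[k] == pat[i])
            k++;
        fail[i] = k;
    }
}

/* Scan one payload. Returns the offset within buf of the byte that completes
 * the signature, or -1 if the signature did not complete in this buffer. */
static long kmp_feed(kmp_t *m, const uint8_t *buf, size_t len)
{
    if (m->plen == 0)
        return -1;
    for (size_t i = 0; i < len; i++) {
        while (m->q > 0 && m->pat[m->q] != buf[i])
            m->q = m->fail[m->q - 1];
        if (m->pat[m->q] == buf[i])
            m->q++;
        if (m->q == m->plen) {
            m->q = m->fail[m->plen - 1]; /* keep state for overlapping hits */
            return (long)i;
        }
    }
    return -1;
}

/* Constructed demonstration: the stand-in signature "ABABAC" is split across
 * two segments ("...ABAB" | "AC..."). A scanner that restarts on every packet
 * would miss it; the streaming matcher reports it on the second segment.
 * Returns the segment number (1 or 2) in which the match completed, 0 if none. */
static int scan_constructed_stream(void)
{
    static const uint8_t sig[]  = "ABABAC";            /* constructed, not the real signature */
    static const uint8_t seg1[] = "GET /x.swf ABABAB"; /* constructed payloads */
    static const uint8_t seg2[] = "ACxyz";
    size_t fail[sizeof sig - 1];
    kmp_t m;

    kmp_init(&m, sig, sizeof sig - 1, fail);
    if (kmp_feed(&m, seg1, sizeof seg1 - 1) >= 0)
        return 1;
    if (kmp_feed(&m, seg2, sizeof seg2 - 1) >= 0)
        return 2;
    return 0;
}

int main(void)
{
    int hit = scan_constructed_stream();
    if (hit)
        printf("signature completed in segment %d: block the flow\n", hit);
    else
        printf("no match\n");
    return 0;
}
```

The matcher sees bytes exactly as they travel on the wire, so the signature has to be written for that form; it will not see through compression or TLS, which is one reason the driver above inspects only port 80.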

Sourcecode [Download]

Publication Syscan'10 HangZhou [Link]

IEEE paper [Link]

Note: The source code modifies and extends the Passthru sample driver provided by Microsoft Corporation.

By: lclee_vx


 

PAIMEI Installation for IDA Pro 6.1//
PaiMei was written for old versions of IDA Pro and Python. It took me quite a while to figure out how to integrate PaiMei with IDA Pro 6.1 and Python 2.6, so I'd better write it down.

1.  Install Microsoft Visual C++ 2008 Express Edition, which is required to compile the C extension in MySQL-python.

2.  Install the tools below:
     a. wxPython2.8-win32-unicode-2.8.11.0-py26.exe [Download]
     b. setuptools-0.6c11.win32-py2.6.exe [Download]
     c. uDrawGraph-3.1.1-0-win32-en.exe [Download]
     d. gde-win.exe [Download]

3.  Install MySQL-python for Python 2.6
     a. Install mysql-5.1.56-win32.msi [Download], following the installer prompts. For "Setup Type", choose
          Custom and select the "C Include Files / Lib Files" installation option.
     b. Unzip MySQL-python-1.2.3c1.tar.gz [Download] and edit site.cfg, changing the MySQL version from 5.0 to 5.1. Then go to
          C:\Python26\Lib\distutils, edit msvc9compiler.py and search for 'MANIFESTFILE'; you will find the following line:
                   ld_args.append('/MANIFESTFILE:' + temp_manifest)
          Append the following line after it:
                   ld_args.append('/MANIFEST')
     c. Go back to the MySQL-python directory and run "python setup.py build"; it will now succeed. Finally, run "python setup.py install".
          Test it in Python:
          >>> import MySQLdb

4.  Extract paimei.rar [Download] and put it in the C:\ directory.

5.  Edit the following files:
     -----------------

     pydbg\__init__.py

     add

     #patch for paimei
     #from _ctypes import Union, Structure, Array
     from _ctypes import Union, Array
     from _ctypes import Structure as _ctypesStructure
     from _ctypes import *

     class Structure(_ctypesStructure):
           def __init__(self, **arg):
                  super(_ctypesStructure, self).__init__(**arg)

     edit file: my_ctypes.py
     -----------------------------

     add

     class Structure(Structure):
           pass

     c_types = (Structure, c_char, c_byte, c_ubyte, c_short, c_ushort, c_int, c_uint, c_long, c_ulong, c_longlong, \
                      c_ulonglong, c_float, c_double, c_char_p, c_wchar_p, c_void_p)

     edit file: pydasm.pyd
     ------------------------

     Using a hex editor, search for the text "python24" and change it to "python26". Both names are eight bytes long, so nothing else in the binary shifts; do not use a replacement of a different length.

6.  Run __install_requirements.py and __setup_mysql.py.

7.  You can now run console/PAIMEIconsole.pyw.

8.  When running pida_dump.py from IDA Pro to export a .pida file, the error message "AttributeError: 'module' object has no
     attribute 'get_current_instruction'" appears. To fix it, download the instruction.py file [Download] and replace
     pida/instruction.py with it.
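The pydasm.pyd edit in step 5 is a binary string patch, and the thing to get right is that the replacement must be exactly as long as the original so that no offset inside the module moves. The C utility below is an added example (it is not from this page or from the PaiMei project) that applies such a patch with that check, reports how many occurrences it changed, and writes an untouched .bak copy first. It takes the path to pydasm.pyd on the command line and assumes nothing about where paimei.rar was extracted; the byte strings "python24" and "python26" are the ones the page names.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Replace every occurrence of `from` with `to` in buf[0..len). The two
 * strings must have the same length (python24 and python26 are both 8 bytes)
 * so that no offset inside the binary moves. Returns the number of
 * replacements made, or -1 if the lengths differ or `from` is empty. */
static long patch_bytes(uint8_t *buf, size_t len, const char *from, const char *to)
{
    size_t n = strlen(from);
    long count = 0;

    if (n == 0 || n != strlen(to))
        return -1;
    for (size_t i = 0; i + n <= len; ) {
        if (memcmp(buf + i, from, n) == 0) {
            memcpy(buf + i, to, n);
            count++;
            i += n;          /* do not rescan the bytes just written */
        } else {
            i++;
        }
    }
    return count;
}

/* Read the whole file, save an untouched copy to <path>.bak, patch in
 * memory, and write the result back only if something changed.
 * Returns the replacement count, or -1 on any I/O or length error. */
static long patch_file(const char *path, const char *from, const char *to)
{
    FILE *f = fopen(path, "rb");
    if (!f)
        return -1;
    if (fseek(f, 0, SEEK_END) != 0) { fclose(f); return -1; }
    long sz = ftell(f);
    rewind(f);
    if (sz < 0) { fclose(f); return -1; }

    uint8_t *buf = malloc((size_t)sz);
    if (!buf || fread(buf, 1, (size_t)sz, f) != (size_t)sz) {
        free(buf); fclose(f); return -1;
    }
    fclose(f);

    char bak[4096];
    if (snprintf(bak, sizeof bak, "%s.bak", path) >= (int)sizeof bak) {
        free(buf); return -1;
    }
    FILE *b = fopen(bak, "wb");
    if (!b || fwrite(buf, 1, (size_t)sz, b) != (size_t)sz) {
        if (b) fclose(b);
        free(buf); return -1;
    }
    fclose(b);

    long n = patch_bytes(buf, (size_t)sz, from, to);
    if (n > 0) {
        FILE *o = fopen(path, "wb");
        if (!o || fwrite(buf, 1, (size_t)sz, o) != (size_t)sz) {
            if (o) fclose(o);
            free(buf); return -1;
        }
        fclose(o);
    }
    free(buf);
    return n;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <path-to-pydasm.pyd>\n", argv[0]);
        return 2;
    }
    long n = patch_file(argv[1], "python24", "python26");
    if (n < 0) {
        fprintf(stderr, "patch failed\n");
        return 1;
    }
    printf("%ld occurrence(s) of python24 replaced in %s (backup in %s.bak)\n",
           n, argv[1], argv[1]);
    return n == 0 ? 1 : 0;
}
```

If it reports 0 occurrences, stop and look at the file in a hex editor rather than assuming the module was already patched; the .bak copy lets you restore the original if PaiMei still fails to import pydasm afterwards.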

By: Chan Lee Yee

 




©2011 F-13 Laboratory. All Rights Reserved.