CoreLabs IT Security Research: Open Source Security Projects


At Core Security Technologies, we develop information security solutions to help meet the real-world security needs of our customers. In the spirit of creating an open developer and user community, we are pleased to share with you, free of charge, several of the tools we have developed. We hope that these technologies will be helpful for you, as they are for the thousands of organizations worldwide that are already using them.

  • Pcapy
    Python extension module for network packet capture
  • Impacket
    Python classes for providing access to network packets
  • InlineEgg
    Python classes for easily writing exploit payloads
  • MSyslog
    A UNIX subsystem for secure centralization and storage of log files
  • Uhooker
    A tool to intercept and manipulate execution of programs
  • Core Force
    CORE FORCE® is the first community-oriented security solution for personal computers. CORE FORCE is free and provides a comprehensive endpoint security solution for Windows 2000 and Windows XP systems.
  • Core Grasp
    An instrumented PHP interpreter which uses dynamic fine-grained taint analysis to prevent injection vulnerabilities.
  • Core Wisdom
    A suite of tools for secure log centralization, log integrity and graphical auditing of information systems.
  • Exomind
    Exomind is an experimental Python console and programmatic framework for developing open-source intelligence modules and ideas, centered on social network services, search engines and instant messaging.
  • HeapDraw
    HeapDraw/HeapTracer is a tool to visualize the evolution of the heap during the life of an application. We internally use this tool when writing exploits for heap corruption vulnerabilities.
  • Pass-The-Hash Toolkit
    The Pass-The-Hash Toolkit contains utilities to manipulate the Windows logon sessions maintained by the LSA (Local Security Authority) component.
  • SDT Cleaner
    SDT Cleaner is a tool that intends to clean the SSDT (system service descriptor table) from hooks.
  • gFuzz
    Our web-application instrumented fuzzer prototype, which profits from GRASP's accuracy and a grammatical analysis of queries to detect SQL-injection attacks with a significantly small false-positive rate.
  • iPhoneDbg Toolkit
    A set of tools to delve into iPhone binary reversing.
  • Turbodiff
    A binary diffing tool developed as an IDA plugin.


Pcapy

Pcapy is a Python extension module that interfaces with the libpcap packet capture library. Pcapy enables python scripts to capture packets on the network. Pcapy is highly effective when used in conjunction with a packet-handling package such as Impacket, which is a collection of Python classes for providing access to network packets.


----------------------------------------------------------

Impacket

Impacket is a collection of Python classes focused on providing access to network packets. Impacket allows Python developers to craft and decode network packets in a simple and consistent manner. It includes support for low-level protocols such as IP, UDP and TCP, as well as higher-level protocols such as NMB and SMB. Impacket is highly effective when used in conjunction with a packet capture utility or package such as Pcapy. Packets can be constructed from scratch, as well as parsed from raw data. Furthermore, the object oriented API makes it simple to work with deep protocol hierarchies.
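To show the craft-from-scratch / parse-from-raw pattern that Pcapy and Impacket are used for together, here is an added stand-alone example. It is not Impacket's or Pcapy's code and needs neither installed: it builds an IPv4/TCP SYN with correct header and pseudo-header checksums, then decodes the raw bytes back and refuses them if either checksum fails. The `contains()` name is borrowed from Impacket's layering API; the addresses, ports and payload are constructed sample values.

```python
import ipaddress
import struct


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


class TCP:
    """A TCP segment without options; flags=0x02 is SYN."""

    def __init__(self, sport, dport, seq=0, flags=0x02, window=65535, payload=b""):
        self.sport, self.dport, self.seq = sport, dport, seq
        self.flags, self.window, self.payload = flags, window, payload

    def get_packet(self, src, dst):
        header = struct.pack("!HHIIBBHHH", self.sport, self.dport, self.seq, 0,
                             5 << 4, self.flags, self.window, 0, 0)
        # The TCP checksum also covers a pseudo-header taken from the IP layer.
        pseudo = src.packed + dst.packed + struct.pack("!BBH", 0, 6, len(header) + len(self.payload))
        csum = checksum(pseudo + header + self.payload)
        return header[:16] + struct.pack("!H", csum) + header[18:] + self.payload


class IP:
    """An IPv4 header that may carry one TCP child (contains() mirrors Impacket's layering)."""

    def __init__(self, src, dst, ttl=64, ident=0):
        self.src, self.dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        self.ttl, self.ident, self.child = ttl, ident, None

    def contains(self, child):
        self.child = child

    def get_packet(self):
        body = self.child.get_packet(self.src, self.dst) if self.child else b""
        header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), self.ident, 0,
                             self.ttl, 6, 0, self.src.packed, self.dst.packed)
        header = header[:10] + struct.pack("!H", checksum(header)) + header[12:]
        return header + body


def decode(raw: bytes) -> dict:
    """Parse raw bytes back into fields; a packet with a bad checksum is rejected."""
    ihl = (raw[0] & 0x0F) * 4
    _, _, total, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if checksum(raw[:ihl]) != 0:          # a correct checksum folds the header to zero
        raise ValueError("bad IP header checksum")
    if proto != 6:
        raise ValueError("not a TCP packet")
    seg = raw[ihl:total]
    if checksum(src + dst + struct.pack("!BBH", 0, 6, len(seg)) + seg) != 0:
        raise ValueError("bad TCP checksum")
    sport, dport, seq, _, off, flags, window = struct.unpack("!HHIIBBH", seg[:16])
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "ttl": ttl, "sport": sport, "dport": dport, "seq": seq, "flags": flags,
            "window": window, "payload": seg[(off >> 4) * 4:]}


def build_syn(src, dst, sport, dport, seq=1, payload=b""):
    ip = IP(src, dst)
    ip.contains(TCP(sport, dport, seq=seq, payload=payload))
    return ip.get_packet()


if __name__ == "__main__":
    raw = build_syn("10.0.0.1", "10.0.0.2", 40000, 445, payload=b"hi")  # constructed sample
    print(raw.hex())
    print(decode(raw))
```

With a real capture the bytes handed to `decode()` would come from the link layer (strip the Ethernet header first); the same checksum-folding check is how a decoder tells a corrupted or deliberately malformed frame from a valid one.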


----------------------------------------------------------

InlineEgg

InlineEgg is a Python module that provides the user with a toolbox of classes for writing small assembly programs. Its goal is to simplify the process of creating and maintaining small assembly programs, including but not limited to shellcode, the payload of an exploit program, often called the "egg".


----------------------------------------------------------

MSyslog

MSyslog is a logging subsystem for UNIX operating systems. It replaces the traditional UNIX logging daemon, syslogd, with an improved version that provides capabilities for log centralization, preservation of log integrity, and storage on a myriad of popular database engines. MSyslog, which stands for Modular Syslog, has a very flexible architecture that allows the administrator to configure it to receive log data from several input sources such as TCP and UDP network connections, UNIX named pipes and plain text files. Log data storage is available through multiple output options including plaintext files, MySQL and PostgreSQL database engines. Log relaying can be performed over TCP sessions or the traditional UDP-based syslog protocol. MSyslog also supports filters that perform cryptographic integrity checks and filtering by regular expressions. MSyslog runs on a variety of UNIX and Linux operating systems.
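The "preservation of log integrity" above rests on binding each record to its predecessor so that an intruder who edits, reorders or deletes lines cannot do so without breaking the chain. The following added example illustrates that idea in Python; it is not msyslog's record format or key handling, the key is an assumed secret shared with the auditor, and the log lines are constructed samples.

```python
import hashlib
import hmac

KEY = b"auditor-held-secret"  # assumption: a key known only to the log writer and the auditor
GENESIS = b"\x00" * 32        # value chained into the first record


def _mac(key, prev, seq, line):
    msg = prev + seq.to_bytes(8, "big") + line.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).digest()


def chain(lines, key=KEY):
    """Return records '<seq> <hex mac> <line>', each MAC bound to the previous record's MAC."""
    prev, records = GENESIS, []
    for seq, line in enumerate(lines):
        mac = _mac(key, prev, seq, line)
        records.append(f"{seq} {mac.hex()} {line}")
        prev = mac
    return records


def verify(records, key=KEY, expected_count=None):
    """Return (True, None) if the chain is intact, else (False, index of the first bad record).

    Edits, insertions, deletions and reordering break a MAC or a sequence number.
    Truncation at the tail leaves a valid prefix, so the auditor must also know how
    many records to expect (a periodically signed count, or a closing record).
    """
    prev = GENESIS
    for i, rec in enumerate(records):
        parts = rec.split(" ", 2)
        if len(parts) < 2:
            return False, i
        seq, mac_hex = int(parts[0]), parts[1]
        line = parts[2] if len(parts) == 3 else ""
        expected = _mac(key, prev, seq, line)
        if seq != i or not hmac.compare_digest(expected, bytes.fromhex(mac_hex)):
            return False, i
        prev = expected
    if expected_count is not None and len(records) != expected_count:
        return False, len(records)
    return True, None


SAMPLE_LINES = [  # constructed sample syslog lines, not real data
    "Mar  1 10:00:01 host sshd[1]: Accepted publickey for alice from 10.0.0.5",
    "Mar  1 10:00:07 host sudo: alice : COMMAND=/bin/cat /etc/shadow",
    "Mar  1 10:00:09 host sshd[1]: Disconnected from 10.0.0.5",
]

if __name__ == "__main__":
    recs = chain(SAMPLE_LINES)
    print(verify(recs, expected_count=len(recs)))
    recs[1] = recs[1].replace("/etc/shadow", "/etc/motd")  # an intruder edits one line
    print(verify(recs))
```

Two things the example makes concrete: a shared secret must live somewhere the intruder cannot reach (on the central log host, not on the machine whose logs are being protected), and a hash chain alone cannot prove that the log was not cut short, which is why a count or closing record is part of the check.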


----------------------------------------------------------

Uhooker

The Universal Hooker is a tool to intercept the execution of programs. It enables the user to intercept calls to API functions inside DLLs, and also calls to arbitrary addresses within the executable image in memory.

Why is it 'Universal'? There are different ways of hooking functions in a program: setting software breakpoints (int 3), setting hardware breakpoints (CPU debug registers), overwriting the prologue of a function to jump to a 'stub', and so on. All of these methods, especially the latter, require the programmer writing the hook to have some knowledge of the function being intercepted, and if the hook is written in a language like C/C++ the code normally has to be recompiled for every function one wants to intercept.

The Universal Hooker tries to create very simple abstractions that allow a user to write hooks for API and non-API functions in an interpreted language (Python), without compiling anything, and with the possibility of changing the code that runs when the hooked function is called at run time. It builds on the idea that the function handling the hook is the one with knowledge of the parameter types of the function it handles. The Universal Hooker itself only knows the number of parameters of the function and obtains them from the stack (all as DWORDs); the hook handler interprets those DWORDs as the types the function actually receives. The handlers are written in Python, which eliminates recompiling them when a modification is required, and since the handlers (executed by the server) are reloaded from disk every time a hook is called, one can change a handler's behavior without recompiling anything or restarting the application being analyzed.
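The division of labour described above (the dispatcher knows only how many DWORDs to pull from the stack; the Python handler knows what they mean) is shown in the added example below. It is an illustration, not Uhooker's code: the "process" is a constructed byte image of a filename and a stack frame rather than a live target, the hook registry is this example's own, and the argument count and constant values for `CreateFileA` are taken from the Win32 API documentation.

```python
import struct

GENERIC_READ, GENERIC_WRITE = 0x80000000, 0x40000000  # Win32 ACCESS_MASK bits
OPEN_EXISTING = 3                                       # CreateFile dwCreationDisposition value


class FakeProcess:
    """Stand-in for the hooked 32-bit process: a few mapped byte ranges and ESP at hook time."""

    def __init__(self, mappings, esp):
        self.mappings, self.esp = mappings, esp

    def read(self, addr, size):
        for base, blob in self.mappings.items():
            if base <= addr and addr + size <= base + len(blob):
                return blob[addr - base:addr - base + size]
        raise ValueError(f"unmapped read at {addr:#010x}")

    def read_cstring(self, addr, limit=260):
        out = bytearray()
        while len(out) < limit:
            byte = self.read(addr + len(out), 1)
            if byte == b"\x00":
                break
            out += byte
        return out.decode("latin-1")

    def read_args(self, count):
        # x86 stdcall/cdecl at function entry: [ESP] is the return address, arg1 lives at ESP+4.
        return list(struct.unpack("<%dI" % count, self.read(self.esp + 4, 4 * count)))


HOOKS = {}


def hook(name, nargs):
    """Register a handler; the dispatcher records only the DWORD count, as the text describes."""
    def register(fn):
        HOOKS[name] = (nargs, fn)
        return fn
    return register


@hook("CreateFileA", 7)
def on_create_file(proc, args):
    """The handler, not the dispatcher, knows arg0 is a char* and arg1 is an access mask."""
    access = [name for name, bit in (("GENERIC_READ", GENERIC_READ), ("GENERIC_WRITE", GENERIC_WRITE))
              if args[1] & bit]
    return {"function": "CreateFileA", "lpFileName": proc.read_cstring(args[0]),
            "dwDesiredAccess": access, "dwCreationDisposition": args[4]}


def dispatch(proc, name):
    nargs, handler = HOOKS[name]
    return handler(proc, proc.read_args(nargs))


def sample_process():
    """Constructed memory image: a filename string and a stack frame as seen on entry to CreateFileA."""
    name_addr, stack_addr = 0x00401000, 0x0012FF00
    frame = struct.pack("<8I", 0x00401234, name_addr, GENERIC_READ | GENERIC_WRITE, 0, 0,
                        OPEN_EXISTING, 0x80, 0)  # return address, then the seven DWORD arguments
    return FakeProcess({name_addr: b"C:\\secret.txt\x00", stack_addr: frame}, esp=stack_addr)


if __name__ == "__main__":
    print(dispatch(sample_process(), "CreateFileA"))
```

Because the handler is ordinary Python, changing how an argument is interpreted (say, decoding `dwShareMode` as well) means editing the function, not rebuilding anything; that is the property the text is describing.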


 

----------------------------------------------------------

Core Force

CORE FORCE® is the first community oriented security solution for personal computers. CORE FORCE is free and provides a comprehensive endpoint security solution for Windows 2000 and Windows XP systems.

The security framework provided by CORE FORCE is leveraged by a community of security experts that share their security configurations for a growing list of programs. These security profiles can be downloaded by any user of CORE FORCE from the community Web site and they're also completely open so that they can be peer-reviewed to minimize security hazards. The community approach to endpoint security also allows end-users who are not security experts to work in a secure environment.

CORE FORCE can be used to:

  • Protect your computer from compromise by worms, viruses and email-borne malware
  • Prevent your computer from being used as a staging point to amplify attacks and compromise others
  • Prevent exploitation of known bugs in the operating system and applications running on your computer
  • Prevent exploitation of unknown bugs (0-day) in the operating system and applications running on your computer
  • Detect and prevent execution of adware, spyware, trojan horses and other malware on your computer

CORE FORCE provides inbound and outbound stateful packet filtering for TCP/IP protocols using a Windows port of OpenBSD's PF firewall, granular file system and registry access control and programs' integrity validation. These capabilities can be configured and enforced system-wide or on a per-application basis for specific programs such as email readers, Web browsers, media players, messaging software, etc.


 

----------------------------------------------------------

Core Grasp

CORE GRASP is a modification of the PHP interpreter developed by CoreLabs. Current GRASP version (for php 5.2.3) protects against SQL-injection attacks. This tool was released under Apache 2.0 license and can be downloaded.


 

----------------------------------------------------------

Core Wisdom

CORE WISDOM is a suite of tools designed for the secure auditing of information systems. It centralizes and guarantees the integrity of system logs and significantly improves the auditing of security information systems by processing and representing the information in unique graphical ways.

To provide comprehensive monitoring of system events and keep information resources available, CORE WISDOM both archives historical log data for forensic analysis and displays all events in real time. The suite centralizes logging and reporting so as to make the most of the most powerful tool available: the analyst's mind. The idea is to let the user choose which information to visualize, present some standard visualization screens, and allow navigation through these visualizations to check alarming data.

Versions 1.0 and 1.8 are prototypes developed in Squeak Smalltalk (plus some additional APIs). They date from 2001 and 2002, respectively, and are no longer maintained. If you have any questions mail us at corelabs-info@coresecurity.com


 

----------------------------------------------------------

Exomind

Exomind is an experimental Python console and programmatic framework for building decorated graphs and developing open-source intelligence modules and ideas, centered on social network services, search engines and instant messaging.

The tool is available from our open source software site. Check the other examples inside the package!

 

----------------------------------------------------------

HeapDraw

HeapDraw was originally created as a postmortem analysis tool, to see how the heap evolved during the life of a process. The idea is that although we may be used to textual output, like that of ltrace or a malloc/free hooking library, it's much better to see it graphically (in fact I used to make drawings by hand until I realized "WTF am I doing? I have a computer to do it for me!").

HeapTracer is the new name, after it became a runtime analysis tool.

The example image shows the heap of ping. The four spikes correspond to the four packets sent. Before the first spike you can see the initialization, and after the last, the evolution of the heap during the final phase.

In this release you can find four different versions of HeapDraw/HeapTracer, all including full sourcecode:

  • Windows postmortem native version.
  • Linux postmortem native version.
  • IDA plugin, for doing runtime analysis (Windows version only, for Windows applications).
  • An unfinished python version.

If you are an IDA fan, and like developing for it, you may find interesting the IDA Plugin version, as it's a relatively complex example of an IDA debugging plugin which opens an OpenGL window to make drawings.


 

----------------------------------------------------------

Pass-The-Hash Toolkit

The Pass-The-Hash Toolkit contains utilities to manipulate the Windows logon sessions maintained by the LSA (Local Security Authority) component. These tools allow you to list the current logon sessions with their corresponding NTLM credentials (e.g. users remotely logged in through Remote Desktop/Terminal Services), and also to change at run time the current username, domain name and NTLM hashes (yes, pass-the-hash on Windows!).


 

----------------------------------------------------------

SDT Cleaner

SDT Cleaner is a tool that intends to clean the SSDT (system service descriptor table) from hooks.

  • SDT Cleaner allows you to remove hooks installed by anti-virus and firewall products.
  • This little tool (in this first release) collects information about the running kernel, switches to kernel mode and, if there are hooks in the SSDT, replaces them with the original entries. Note that restoring the original entries also disables whatever protection the hooking product enforced through them.


----------------------------------------------------------

gFuzz

gFuzz is a web application fuzzing environment which combines fine-grained taint analysis on the server side (using CORE GRASP) with grammar-based analysis. It performs fuzzing tests and detects attacks accurately by feeding the grammar analyzer with the SQL queries executed on the server side together with the security taint marks for each query.

On the GUI the tester has for each executed SQL query (on the server side):

  • The text of the executed query, with attacker-controlled characters highlighted.
  • Fuzz vector which triggered the query:
    • Attack string submitted.
    • Input point (form input / get parameter) where attack string was submitted.
    • File and line inside the file (remote) where the SQL query was executed.
  • CORE GRASP analysis of the security level of the query.
  • Grammar-based analysis of the security level of the query.

This prototype aids the security tester in the task of determining which alerts raised by the fuzzer are real attacks and for the queries which do not comprise an attack, it allows the tester to reformulate the attack vectors in order to exploit SQL-injection vulnerabilities.


 

----------------------------------------------------------

iPhoneDbg Toolkit

This set of tools will enable you to delve into iPhone binary reversing.

  • The iPhone Debugger allows you to debug running or newly created native processes on the iPhone.
  • The Library Loader Patcher allows you to debug iPhone libraries.
  • You can also build a tunnel from your PC to your iPhone through USB.



----------------------------------------------------------

Turbodiff

Turbodiff is a binary diffing tool developed as an IDA plugin. It discovers and analyzes differences between the functions of two binaries.
