logo   Downloads About Contact

Automated Exploit-Crawling

If you want to perform some kind of active Internet measurements with commonly used operating systems and applications opening potential toxic web content you might need some automated scripting that performs the processing and logging.

In this post I gonna give you a basic and abstract how to setup automated exploit-crawling. Use it as a starting point to develop your own scripts (or stand alone application) that is able to perform application calls and logging.

To perform the processing of potential toxic web content I assume that you use a virtualized (or DeepFreeze protected) Windows 7 (32bit or 64bit) with Internet Explorer 9, all patches and security updates installed. To track what happens on your machine I recommed that you have installed some analyzing/tracking software that is able to track, block and log the execution of executable modules. You might use AppLocker if you know how to extract its logging results. Beyond AppLocker there are still other solutions, e.g. Bit9 Parity Suite, CoreTrace Bouncer, Lumension Application Control or kautilya to name a few.

If you do not want spend too much money I recommend to use ProcessExplorer by Sysinternals or another monitoring tool provided at their web site. The same here: Make sure that you are able to log your system's behaviour into easy to process scheme (e.g. csv fomat).

If you have set all the things up its time for some action. All you need is a list of web sites (domains) you want to open and process against your forensics machine. Use this list and the following script to walk through them and log what happens while you open a site.

The following script opens a file containing domain names. For each domain it

Function OpenDomain(strDomain)

Const SW_NORMAL = 1
strComputer = "."
strCommand = "C:\Program Files (x86)\Internet Explorer\iexplore.exe " & strDomain
Set objWMIService = GetObject("winmgmts:" _
	& "{impersonationLevel=impersonate}!\\" _
	& strComputer & "\root\cimv2")

' Configure the Notepad process to show a window
Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = SW_NORMAL

' Create process
Set objProcess = objWMIService.Get("Win32_Process")
intReturn = objProcess.Create _
	(strCommand, Null, objConfig, intProcessID)
If intReturn = 0 Then
' wait some time
' I also recommend to do some mouse movements and Sendkeys, because
' there is malware checking for mouse movements and keystrokes (such crap
' will quit if there are no such events)

End If

' Set SeDebugLevel to terminate process
Set objLoc = createobject("wbemscripting.swbemlocator")
objLoc.Security_.privileges.addasstring "sedebugprivilege", true

' Lookup the new notepad process and terminate it...
Set colProcessList = objWMIService.ExecQuery _
	("SELECT * FROM Win32_Process WHERE ProcessId = '" & intProcessID & "'")
For Each objProcess in colProcessList

End Function

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objTextFile = objFSO.OpenTextFile("domains.txt")

Do Until objTextFile.AtEndOfStream
		strLine = objTextFile.Readline
		' ## log domain and reset your system behaviour logging
		' ## call domain with Internet Explorer
		OpenDomain strLine
		' ## Save system behaviour logging

You can use and adjust the following code. It is also possible to open the web sites with other web browsers or to open potential toxic PDFs for example. All you need is a list of domains or URLs to open and your logging backend that tracks what is going on while you have opened such content. A very simple approach is to use Sysinternal's ProcessExplorer to do such logging.