Regala/zeusimmunity
## Zeus Immunity

While researching Zeus malware and its man-in-the-browser (MiTB) attacks, I needed a way to retrieve a sample's targets (the webinject list) from the sample itself.

There is existing work on extracting a sample's configuration (C&C server, RC4 key, registry keys), but I did not find anything that extracted the webinjects part.

The plugin leverages the way Zeus performs the MiTB attack:

  • It hooks wininet.dll functions in Internet Explorer (iexplore.exe), or nspr4.dll functions in Firefox.
  • It hooks by overwriting the first bytes of the target function (e.g. HttpSendRequestA) with a JMP to its own code.

Following that jump, the plugin searches the memory it lands in for instructions that resemble decryption / decoding routines (the webinject configuration is stored encrypted and is decoded before use). By placing a breakpoint at the end of each such routine, we can read the decoded buffer and recover the target URLs and the injection to perform.
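The two steps above, as an added example that is not the zeusimmunity plugin's code: it detects a JMP hook at an export's entry point, follows it out of the module, and scans the landing area for a memory-operand XOR enclosed by a short backward jump, reporting the address just past that loop as a breakpoint candidate. Immunity Debugger's immlib memory API is replaced by a `read_mem()` callback over constructed byte regions so it runs offline; the module range, the export address, the hook target and the decode loop bytes are all constructed for the example, and the loop scanner is a byte-pattern heuristic rather than a real disassembler.

```python
"""Locate a Zeus-style inline hook on a wininet.dll export and the decode loop
behind it.  Added example, not the zeusimmunity plugin's code; all addresses
and bytes below are constructed for illustration."""
import struct

# Short conditional jumps (70-7F), JMP short (EB) and LOOP (E2): the backward
# branch that closes a byte-at-a-time decode loop is normally one of these.
JCC_SHORT = set(range(0x70, 0x80)) | {0xEB, 0xE2}


def find_hook(func_addr, read_mem, module_range):
    """Return the hook target if the function entry is a JMP out of its module.

    Handles the two encodings used for inline hooks on 32-bit Windows:
      E9 rel32       near relative JMP
      FF 25 disp32   JMP [abs32], an indirect jump through a pointer
    Returns None when the prologue is not a hook (or the JMP stays in-module,
    e.g. an ordinary tail call).
    """
    code = read_mem(func_addr, 6)
    if code[0] == 0xE9:
        rel = struct.unpack_from("<i", code, 1)[0]
        target = (func_addr + 5 + rel) & 0xFFFFFFFF
    elif code[0] == 0xFF and code[1] == 0x25:
        ptr = struct.unpack_from("<I", code, 2)[0]
        target = struct.unpack("<I", read_mem(ptr, 4))[0]
    else:
        return None
    lo, hi = module_range
    return None if lo <= target < hi else target


def find_decode_loops(base, data, window=16):
    """Heuristic scan for XOR-with-memory inside a short backward-jump loop.

    An XOR opcode 30-33 whose ModRM mod field is not 11b (one operand is in
    memory) followed within `window` bytes by a short jump whose rel8 target
    lies at or before the XOR is treated as a decode loop.  Each hit yields the
    address just past the backward jump: a breakpoint there fires once the
    buffer has been fully decoded.
    """
    hits = []
    for i in range(len(data) - 1):
        if not (0x30 <= data[i] <= 0x33) or (data[i + 1] >> 6) == 3:
            continue
        for j in range(i + 2, min(i + 2 + window, len(data) - 1)):
            if data[j] in JCC_SHORT:
                rel8 = struct.unpack_from("<b", data, j + 1)[0]
                if rel8 < 0 and j + 2 + rel8 <= i:
                    hits.append(base + j + 2)
                    break
    return sorted(set(hits))


def locate_breakpoints(func_addr, read_mem, module_range, scan_len=64):
    """Follow the hook on func_addr and return breakpoint candidates behind it."""
    target = find_hook(func_addr, read_mem, module_range)
    if target is None:
        return {"hooked": False, "target": None, "breakpoints": []}
    region = read_mem(target, scan_len)
    return {"hooked": True, "target": target,
            "breakpoints": find_decode_loops(target, region)}


def make_reader(regions):
    """Model immlib's readMemory over a dict {start: bytes} of constructed regions."""
    def read_mem(addr, size):
        for start, blob in regions.items():
            if start <= addr and addr + size <= start + len(blob):
                return blob[addr - start:addr - start + size]
        raise ValueError(f"unmapped read at {addr:#010x}")
    return read_mem


# ---- constructed sample memory (hypothetical addresses) ----------------------
WININET = (0x76A00000, 0x76B50000)   # pretend wininet.dll image range
HTTPSENDREQUESTA = 0x76A3D2F0        # pretend export address
HOOK_TARGET = 0x00A51000             # pretend Zeus code injected into iexplore
HOOK_PTR = 0x00A50FF0                # pointer slot used by the FF 25 variant

DECODE_LOOP = bytes([
    0x31, 0xC9,              # xor ecx, ecx        register form, ignored by scanner
    0x8A, 0x04, 0x0E,        # mov al, [esi+ecx]   ciphertext byte
    0x32, 0x04, 0x0F,        # xor al, [edi+ecx]   apply keystream byte
    0x88, 0x04, 0x0E,        # mov [esi+ecx], al   write plaintext in place
    0x41,                    # inc ecx
    0x39, 0xD1,              # cmp ecx, edx
    0x72, 0xF2,              # jb  -14 (back to the mov at offset 2)
    0xC3,                    # ret  <- breakpoint candidate, HOOK_TARGET + 0x10
]) + b"\xCC" * 47            # pad the region to the 64-byte scan length

HOOKED_REGIONS = {
    HTTPSENDREQUESTA: struct.pack("<Bi", 0xE9, HOOK_TARGET - (HTTPSENDREQUESTA + 5)) + b"\x90",
    HOOK_TARGET: DECODE_LOOP,
}
INDIRECT_REGIONS = {
    HTTPSENDREQUESTA: b"\xFF\x25" + struct.pack("<I", HOOK_PTR),
    HOOK_PTR: struct.pack("<I", HOOK_TARGET),
    HOOK_TARGET: DECODE_LOOP,
}
CLEAN_REGIONS = {
    HTTPSENDREQUESTA: b"\x8B\xFF\x55\x8B\xEC\x83",   # mov edi,edi; push ebp; mov ebp,esp; ...
}

if __name__ == "__main__":
    for name, regions in (("hooked", HOOKED_REGIONS), ("indirect", INDIRECT_REGIONS),
                          ("clean", CLEAN_REGIONS)):
        r = locate_breakpoints(HTTPSENDREQUESTA, make_reader(regions), WININET)
        print(name, {k: (hex(v) if isinstance(v, int) else [hex(b) for b in v]
                     if isinstance(v, list) else v) for k, v in r.items()})
```

In a real session the `read_mem` callback would wrap the debugger's memory reader and `module_range` would come from the loaded-module list; the in-module check matters because a JMP at an entry point that lands inside wininet.dll is normal code, while one that lands in private heap or VirtualAlloc'd memory is the hook. The XOR heuristic will produce false positives on unrelated loops, so treat each candidate as a place to set a breakpoint and inspect, not as a confirmed decode routine.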

Tested on:

About

Immunity Debugger plugin to search for Zeus webinjects
