ohio813 / ghost-usb-honeypot
Automatically exported from code.google.com/p/ghost-usb-honeypot
License: GNU General Public License v3.0
README
Ghost is a honeypot for malware that uses USB storage devices for propagation. It is able to capture such malware without any further knowledge -- in particular, it doesn't need signatures or the like to accomplish its task. Detection is achieved by emulating a USB flash drive on Windows systems and observing the emulated device. The assumption is that on an infected machine the malware will eventually copy itself to the removable device. See http://code.google.com/p/ghost-usb-honeypot/ for more details.
Whenever a process writes data to the emulated device, the honeypot should
collect data about that process.
Original issue reported on code.google.com by sebastian.poeplau
on 12 Jun 2012 at 9:08
The information about writing processes that is collected in kernel mode must
be transmitted to user mode in order to be displayed in the UI.
Original issue reported on code.google.com by sebastian.poeplau
on 12 Jun 2012 at 9:10
The system sends our emulated device a variety of IOCTLs. We don't support all
of them - some more should be handled in order for the device to appear more
realistic.
Original issue reported on code.google.com by sebastian.poeplau
on 29 Jun 2012 at 9:07
When an image file is unmounted, we should compress it so that it consumes less
disk space. This is independent from file system-specific mechanisms like
sparse files.
Original issue reported on code.google.com by sebastian.poeplau
on 6 Jul 2012 at 12:38
Currently, the user-mode tool can choose the location of the image file. We
need some mechanism to avoid this - there should be a fixed location, so that
attackers can't overwrite arbitrary files.
Original issue reported on code.google.com by sebastian.poeplau
on 29 Jun 2012 at 9:08
Installing the drivers is a bit tedious at the moment. The controlling
user-mode library (see issue 9) should automatically install/update the driver
if necessary.
Original issue reported on code.google.com by sebastian.poeplau
on 2 Aug 2012 at 12:59
The NTFS file system supports sparse files. Making the images sparse should
save a lot of disk space.
Original issue reported on code.google.com by sebastian.poeplau
on 6 Jul 2012 at 12:34
Hello
Mounting did not work for me!
Afterwards I got a file gd9.img in the folder.
After changing the line in gohst.cs
protected const int GhostDeviceID = 9;
to
protected const int GhostDeviceID = -1;
mounting worked correctly.
Regards, Roy
Original issue reported on code.google.com by [email protected]
on 25 Aug 2012 at 10:40
At the moment, the frontend itself manages the interaction with the kernel-mode
components. In order to support other uses of the kernel-mode part (such as
analysis within sandboxes, other frontends), we'll encapsulate the interaction
in a separate DLL.
Original issue reported on code.google.com by sebastian.poeplau
on 2 Aug 2012 at 12:53
The current command line frontend only offers basic functionality. We'll
develop a graphical application that allows controlling the honeypot, changing its
configuration and viewing results.
Original issue reported on code.google.com by sebastian.poeplau
on 2 Aug 2012 at 12:55
What steps will reproduce the problem?
1. Install Windows 7 x64
2. Launch the "Setup.exe" as admin
What is the expected output? What do you see instead?
It is expected to work. It can't install the bus. It is not said anywhere that
Windows x64 is not supported. I had to go look in source.
What version of the product are you using? On what operating system?
0.2 and 0.2.1 both output the same results.
Please provide any additional information below.
Good luck.
Original issue reported on code.google.com by [email protected]
on 15 Mar 2013 at 7:56
Add support for Windows 7 and, if possible without too much effort, also for
64-bit systems.
Original issue reported on code.google.com by sebastian.poeplau
on 12 Jun 2012 at 11:32
The driver's write function must be called within the context of the writing
process, because only then are we able to collect information about the writer.
However, write is sometimes called from a system worker thread (PID 4).
We need to find out why this happens and how to avoid it. Alternatively, we
might be able to find the writing process even in that situation.
Original issue reported on code.google.com by sebastian.poeplau
on 29 Jun 2012 at 9:11
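The detection principle from the README (any process writing to the emulated removable drive is a capture candidate) and the attribution problem from the PID 4 issue above, modelled as a small user-mode simulation. This is an added illustration, not code from the Ghost project; the 512-byte sector size, the event fields and the sample events are constructed assumptions.

```python
"""Model of Ghost's write-observation principle (illustration, not project code)."""
from dataclasses import dataclass, field

SYSTEM_PID = 4   # Windows System process: writes from its worker threads carry this PID
SECTOR = 512     # emulated drive sector size (assumption)


@dataclass
class WriteEvent:
    pid: int        # PID of the context the driver's write routine ran in
    process: str    # executable name reported for that context
    offset: int     # byte offset into the image file
    data: bytes


@dataclass
class GhostDrive:
    """Emulated flash drive: a byte image plus a log of everything written to it."""
    size: int
    storage: bytearray = field(init=False)
    writes: list = field(default_factory=list)        # writes attributed to a process
    unattributed: list = field(default_factory=list)  # writes seen from PID 4 only

    def __post_init__(self):
        self.storage = bytearray(self.size)

    def write(self, ev: WriteEvent):
        if ev.offset % SECTOR or ev.offset + len(ev.data) > self.size:
            raise ValueError("write not sector aligned or outside the emulated device")
        self.storage[ev.offset:ev.offset + len(ev.data)] = ev.data
        # Attribution is only trustworthy in the writer's own context; a PID of 4
        # means a system worker thread performed the write on some process's behalf,
        # so the event is kept aside for later correlation instead of being dropped.
        target = self.unattributed if ev.pid == SYSTEM_PID else self.writes
        target.append(ev)

    def suspects(self):
        """Processes that wrote to the removable device: the honeypot's signal."""
        return sorted({(ev.pid, ev.process) for ev in self.writes})

    def used_sectors(self):
        """Sectors holding non-zero data; all others could stay sparse on disk."""
        return [i for i in range(self.size // SECTOR)
                if any(self.storage[i * SECTOR:(i + 1) * SECTOR])]


def demo():
    drive = GhostDrive(size=16 * SECTOR)
    # Constructed events: a process copying a blob to the drive, then a worker-thread write.
    drive.write(WriteEvent(1337, "sample.exe", 0, b"constructed sample blob".ljust(SECTOR, b"\0")))
    drive.write(WriteEvent(SYSTEM_PID, "System", 2 * SECTOR, b"\x01" * SECTOR))
    return drive
```

Running `demo()` yields one attributed suspect and one unattributed write, the case the PID 4 issue describes.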