Welcome to Thug’s documentation!

Thug is a Python low-interaction honeyclient based on a hybrid static/dynamic analysis approach.

Thug provides a DOM implementation which is (almost) compliant with W3C DOM Core, HTML, Events, Views and Style specifications (Level 1, 2 and partially 3). [1]

Thug makes use of the Google V8 JavaScript engine [2] wrapped through PyV8 [3] in order to analyze malicious JavaScript code, and of the Libemu library [4] wrapped through Pylibemu [5] in order to detect and emulate shellcode.

Currently 8 Internet Explorer (Windows XP, Windows 2000, Windows 7), 6 Chrome (Windows XP, Windows 7, MacOS X, Android 4.0.3, Linux), 3 Firefox (Windows XP, Windows 7, Linux) and 3 Safari (Windows XP, Windows 7, MacOS X) personalities are emulated, and about 90 vulnerability modules (ActiveX controls, core browser functionality, browser plugins) are provided.

Footnotes

[1] W3C DOM Specifications
[2] Google V8 is Google’s open source JavaScript engine. V8 is written in C++ and is used in Google Chrome, the open source browser from Google. V8 implements ECMAScript as specified in ECMA-262, 3rd edition, and runs on Windows XP and Vista, Mac OS X 10.5 (Leopard), and Linux systems that use IA-32 or ARM processors. V8 can run standalone, or can be embedded into any C++ application.
[3] PyV8 is a Python wrapper for the Google V8 engine. PyV8 acts as a bridge between the Python and JavaScript objects and supports the Google V8 engine in Python scripts.
[4] Libemu is a small library written in C offering basic x86 emulation and shellcode detection using GetPC heuristics. It is designed to be used within network intrusion/prevention detections and honeypots.
[5] Pylibemu is a Libemu Cython wrapper.
