〜 Wireshark + libemu for shellcode detection 〜

Tips

Main feature: shellcode detection on the tree view of the packet headers †

Wireshakr + libemu enables us to detect a shellcode within the packet selected on the tree view of packet headers by clicking "Detect a shellcode" on the context menu. When the shellocde is detected, the dialog box display the message "Detected a shellocde at the offset" and the offset value from the start of the byte code selected on the byte code view. After detection, the byte code view highlights the byte code of the shellcode.

• Stable release: wireshark-1.10.0+libemu.tar.bz2
  • Difference file: wireshark-1.10.0+libemu.diff
• Old Stable release: wireshark-1.8.3+libemu.tgz
  • Difference file: wireshark-1.8.3+libemu.diff
• Old Development release: wireshark-1.9.0+libemu.tar.bz2
  • Difference file: wireshark-1.9.0+libemu.diff

Requirements †

libemu 0.2.0

http://libemu.carnivore.it/

"Compile and build" status †

• Debian GNU/Linux Lenny: OK
• Debian GNU/Linux Squeeze 2009/12/04: OK
• Debian GNU/Linux Wheezy 2013/02/13: OK

Compile and build †

1. sudo aptitude install yacc bison libgtk2.0-dev libpcap0.8-dev
2. tar xvzf wireshark-1.8.3+libemu.tgz
3. cd wireshark-1.8.3+libemu
4. ./autogen.sh
5. ./configure --enable-emu --with-emu-include=/opt/libemu/include --with-emu-lib=/opt/libemu/lib
6. make

Usage †

1. Launch Wireshark

   $ ./wireshark

2. Capture network traffic
3. Select a packet on the packet list view
4. Select a packet header on the header tree view
   
5. Right-click the packet header and click "Detect a shellocde" on the context menu.
   
   • Detected a shellcode
     
   • Not found a shellcode