Shell Detect is the FREE tool to detect presence of Shell Code within a file or network stream. You can either provide raw binary file or network stream file as input to this tool.
These days attackers distribute malicious files which contains hidden exploit shell code. On opening such files, exploit shell code get executed silently, leading to complete compromise of your system . This is more dangerous when the exploit is 'Zero Day' as it will not be detected by traditional signature based Anti-virus solutions. In such cases ShellDetect may help you to identify presence of shell code (as long as it is in raw format) and help you to keep your system safe.
New version 1.1 provides support for detecting Unicode Shellcode. Now you can directly feed unicode shellcode without converting it to binary or raw form. For example, %u4141%u4242 can be used directly. It also includes minor changes to main handler (schandler) program.
We recommend running this tool in Virtual Environment (using VMWare, VirtualBox) as it may cause security issues on your system if the input file is malicious.
Currently ShellDetect tool is in experimentation stage and works on Windows XP (with SP2, SP3) only.
ShellDetect requires following components....
Python - Install latest version
Vmware/VirtualBox (optional)
You can provide input file as raw binary file or network stream data. Here are the possible examples.
Eg 1: Generate shellcode from Metasploit in "raw" format and save it in a file. Then feed that file as input to ShellDetect.py.
Eg 2: Send exploit to any server on FTP and capture the traffic using tcpdump/wireshark, save the traffic in binary format and then feed that file to ShellDetect.py
Alternatively you can also download the sample files (password: securityxploded) and play around with the tool.
We recommend running it in Virtual Environment (using VMWare, VirtualBox ) as it may cause security issues on your system if the input file is malicious.