Osiris

 
Osiris is a toolkit for exploring Windows executables. It takes a Windows executable, loads it into an emulation space, constructs some of the data structures a real process uses, and starts execution. The execution makes use of fake DLLs that can be hooked and their behaviour monitored. This makes it possible to study the behaviour of malware and any obfuscation mechanisms it uses.
 
Download Osiris 0.1 
Usage
 
C:\>java -jar Desktop\osiris_0.1.jar  hello.exe
 
Notes
Currently only UPX unpacking has been implemented and tested.
 
Extension
This is an example of how to extend functionality:
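	// Open the sample with try-with-resources so the stream is closed once
	// emulation has finished; the original example never closed it.
	// (FileNotFoundException was already checked here; close() adds IOException.)
	try (FileInputStream sample = new FileInputStream("foo.exe"))
	{
		// Second argument: presumably an emulation size/budget — confirm against Osiris.
		Osiris osiris = new Osiris(sample, 100000);
		osiris.init(false);
		// Stop when emulated execution reaches this address (value taken from the example).
		osiris.cpu.addBreakpoint(0x40694c);
		osiris.cpu.setDebug(true);
		osiris.accept(new OsirisVisitor()
		{
			// Accumulators for what the emulated program did. StringBuilder avoids
			// rebuilding an ever-growing String on every callback; the emulator can
			// invoke visitWrite/visitFile/visitDownloadFile many times per run.
			private final StringBuilder stdout = new StringBuilder();
			private final StringBuilder files = new StringBuilder();
			private final StringBuilder urls = new StringBuilder();
			// Set by accept(); used by handleException() to reach the CPU.
			private Osiris o;

			// Called with text the emulated program wrote (presumably via a hooked DLL).
			public void visitWrite(String s)
			{
				stdout.append(s);
			}

			// Called with a URL the emulated program asked to download, one per line.
			public void visitDownloadFile(String url)
			{
				urls.append(url).append("\n");
			}

			// Called with a file path the emulated program touched, one per line.
			public void visitFile(String file)
			{
				files.append(file).append("\n");
			}

			// Registry access is reported here; this example deliberately ignores it.
			public void visitRegistry(String name)
			{
				// intentionally empty: registry activity is not recorded in this example
			}

			// Section/eip callback; nothing is recorded in this example.
			public void visitSection(Section s, int eip)
			{
				// intentionally empty
			}

			// The emulator hands itself to the visitor; keep it for handleException().
			public void accept(Osiris o)
			{
				this.o = o;
			}

			// On an emulation exception, ask the CPU to stop rather than continue.
			public void handleException()
			{
				this.o.cpu.exit = true;
			}

			// Exec callback; nothing is recorded in this example.
			public void visitExec(Object object)
			{
				// intentionally empty
			}
		});
		osiris.execute();
	}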