Argos 0.7 for Qemu 1.1.0 released (runs Windows 7)


Apologies for the long delay. We never got 'round to putting Argos version 0.7 online (the one that supports Windows 7). We now did it, but it has not been tested very rigorously, so use at your own risk. The current status can be described as: it works for us! The tarball is available from the downloads page.

Argos for new version of Qemu (supports Windows 7)


Most taint analysis systems to date work with older versions of Qemu (0.9.x). This works fine for older versions of Windows like XP, but it prevents you from running, say, Windows 7 or later. The problem is that newer versions of Qemu, which do support Windows 7, are radically different 'under the hood'. We finally ported Argos to the latest version of Qemu and are now able to run W7. The only thing we are still working on is a network driver for W7 (NE2000 is no longer supported by W7). As soon as we have this done, we will release this new version of Argos.

Argos 0.5.0 released: shellcode extraction and client-side honeypot


And finally, we released the new 0.5.0 version with shellcode extraction and support for running as a client-side honeypot (using the same infrastructure as the Shelia client-side honeypot). The shellcode extractor keeps an attack running after an attack is detected, and extracts the NOP sled, unpacker(s), and real shellcode.

Argos shellcode extractor released


While there have not been many releases recently, we have been working quite hard on cool new features for Argos. We have just been incredibly slow in making them public. In the near future we will start adding them here. For now I have made the shellcode extractor available. I hope you find it useful.

The Argos shellcode extractor is a new version of Argos that does not stop the attack immediately. Rather it keeps it running in order to detect the shellcode---and separate it from nop sleds and unpacker(s). To confine the shellcode, you can specify exactly what API calls it is allowed to make by means of a white list. Everything else is still prohibited and will stop the execution. As an aside, the new version is also usable as a very accurate, but fairly slow client-side honeypot.

Client argos library v0.1.4 released


Client argos library v0.1.4 contains an updates to the carlog utility that enables the user to print the contents of an arbitrary memory block from an Argos csi log.

Argos critical fix


Argos v0.4.2-1 fixes a critical error that caused a crash if the control socket was not used.

New packages released


Argos v0.4.2 released
This release of Argos is fixing problems with the control socket. Threading is not used any more. Instead Qemu's async. IO mechanisms are used.
Another modification allows one to let tainted data execute, by supplying the '-no-fsc' option at run time. This of course disables the injection of forensics shellcode.
Also, this version makes whitelists optional. The user needs to enable whitelist support when configuring Argos, as well as at runtime.

This is an early release of versions of Qemu and Argos that allow you to record the execution of a VM running within our modified Qemu emulator, and replay the exact same execution using Argos.
This code has not been extensively tested, and currently does not support graphical output, and IO-APIC.

Prospector is a flavour of Argos that performs more aggressive data tracking for more comprehensive signature generation.
Please consult the research paper, and included documentation files for more information.

New Argos web site


Our website got a new look. You will also notice that we added a "Use Cases" page, which lists the security frameworks that are currently using Argos.

Argos 0.4.1 released


The new version of Argos (0.4.1) contains bug fixes related with taint tracking. It is recommended to update to the latest version of Argos, since it solves issues with reported false positives. Checking the CALL instruction for tainted operands, has also been re-enabled, since it seems it does not cause problems with windows systems anymore. The use of a whitelist is not necessary as well, since the false positives reported by 2.6.* linux kernels are also solved. Finally, crashes reported with windows 2000 guest systems, seem to be also solved. If any of the users discovers false positives, after these changes please notify the developers immediately.

Argos version 0.4.0 released


Finally, the long awaited port to QEMU 0.9.* series is here. Argos v0.4.0 is based upon QEMU v0.9.1.Additional changes, besides the port, include a double taintness check before executing a part of code to ensure attackers' injected code is always detected at the moment it is first executed. The check is performed whenever a TB is scheduled to be executed, as well as within the translated code whenever EIP is modified. This is to cover TB chaining performed by QEMU to speed up emulation. In the future we might consider disabling chaining, if a single check offers a significant performance gain.

Improved argos network logs conversion utility


A new argos-utils package has been released, containing the utility netlog2pcap, which converts an argos network log to a pcap log without using Ethereal's text2pcap. The older raw2pcap is also included, with a small bug fix. Thanks are going to Tillmann Werner.

New logs processing library


Version 0.1.3 of the logs processing library has been released. Contains large file support for Linux, as well as a bug fix for cargos_lib_csi_mbnext().