Argos includes some advanced forensics for extracting information about the application that was attacked. They work by injecting a small piece of assembly code (shellcode) that runs in the address space of the attacked process and extracts its process identifier (PID).
The extracted PID, together with the random identifier assigned to the alert and the previously generated logs, is transmitted over TCP to an application listening on TCP port 8721 inside the guest OS.
To use the information extracted by the shellcode, we have written a small Perl script that can be run at startup and listens on port 8721. The collected data are used to query the operating system about the process that was attacked. For example, on Windows XP and Linux, netstat returns the name of the process that corresponds to the given PID together with the currently active connections. On Windows 2000 another tool is needed because of limitations of the default netstat utility (http://www.diamondcs.com.au/openports/).
The collected information is transmitted out of Argos to the IP address defined in the Perl script; by default the script attempts to connect to 172.20.0.1:15000. Anyone interested in collecting this information should write a listener that logs it. The data are sent in the following format:
    RID: [random alert identifier] PID: [process identifier] |
    OS: [OS name] |
    UDP PORTS: |
    [list of listening UDP ports] |
    TCP PORTS: |
    [list of listening TCP ports] |
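A listener for the record format above, written here as an added example (it is not part of Argos or its Perl script). It assumes one record per TCP connection, that each port list is a whitespace-separated run of decimal ports inside its `|` field, and uses the default 172.20.0.1:15000 destination from the text; the sample record in the test is constructed. Because the record is produced inside a guest that has just been compromised, the listener bounds what it reads and logs unparseable input instead of trusting it.

```python
import re
import socket
from dataclasses import dataclass, field


@dataclass
class ArgosRecord:
    rid: str                  # random alert identifier
    pid: int                  # PID extracted by the injected shellcode
    os_name: str
    udp_ports: list[int] = field(default_factory=list)
    tcp_ports: list[int] = field(default_factory=list)


def parse_record(raw: str) -> ArgosRecord:
    """Parse one '|'-separated Argos forensics record into its fields."""
    fields = [f.strip() for f in raw.split("|")]
    fields = [f for f in fields if f]           # drop empty and trailing fields
    head = re.match(r"RID:\s*(\S+)\s+PID:\s*(\d+)$", fields[0]) if fields else None
    if head is None:
        raise ValueError(f"malformed header field: {raw[:80]!r}")
    rec = ArgosRecord(rid=head.group(1), pid=int(head.group(2)), os_name="")
    section = None                               # port list currently being filled
    for f in fields[1:]:
        if f.startswith("OS:"):
            rec.os_name = f[3:].strip()
        elif f == "UDP PORTS:":
            section = rec.udp_ports
        elif f == "TCP PORTS:":
            section = rec.tcp_ports
        elif section is not None:                # assumed whitespace-separated ports
            section.extend(int(p) for p in re.findall(r"\d+", f))
    return rec


def serve(host: str = "172.20.0.1", port: int = 15000,
          logfile: str = "argos_alerts.log") -> None:
    """Accept records from the guest-side script and append them to a log file."""
    with socket.create_server((host, port)) as srv:
        while True:
            conn, peer = srv.accept()
            with conn:
                conn.settimeout(5.0)
                raw = b""
                # the sender is a compromised guest: cap the bytes we accept
                while len(raw) < 65536 and (chunk := conn.recv(4096)):
                    raw += chunk
            try:
                line = f"{peer[0]} {parse_record(raw.decode('latin-1'))}"
            except ValueError as exc:
                line = f"{peer[0]} UNPARSED {exc}"
            with open(logfile, "a", encoding="utf-8") as fh:
                fh.write(line + "\n")
```

Run `serve()` on the host that 172.20.0.1 resolves to; each accepted record is appended to `argos_alerts.log` as a parsed `ArgosRecord`, or marked `UNPARSED` if it does not match the format.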