domingo, 28 de enero de 2024

Fast Emulator For Shellcodes In Rust

I have developed a fast emulator for modern shellcodes, that perform huge loops of millions of instructions emulated for resolving API or for other stuff.

The emulator is in Rust and all the few dependencies as well, so the rust safety is good for emulating malware.  

There are shellcodes that can be emulated from the beginning to the end, but when this is not possible the tool has many features that can be used like a console, a memory tracing, register tracing, and so on.

https://github.com/sha0coder/scemu



In less than two seconds we have emulated 7 millions of instructions arriving to the recv. 

At this point we have some  IOC like  the ip:port where it's connecting and other details.

Lets see what happens after the recv() spawning a console at position: 7,012,204


target/release/scemu -f shellcodes/shikata.bin -vv -c 7012204



In the console, pressing "enter" several times to emulate  step into several steps and we arrive to a return instruction.


Let's see the stack in this moment:


The "ret" instruction is going to jump to the buffer read with recv() so is a kind of stager.

The option "-e" or "--endpoint" is not ready for now, but it will allow to proxy the calls to get the next  stage automatically, but for now we have the details to get the stage.


SCEMU also identify all the Linux  syscalls for 32bits shellcodes:



The encoder used in shellgen is also supported https://github.com/MarioVilas/shellgen

Let's check with cobalt-strike:


We can see where is connecting and which headers is using, so right now we can replicate the communications.



In verbose mode we could do several greps to see the calls and correlate with ghidra/ida/radare or  for example grep the branches to study the emulation flow.


target/release/scemu -f shellcodes/rshell_sgn.bin -vv | grep j


target/release/scemu -f shellcodes/rshell_sgn.bin -vv -c 44000 -l


The -l --loops options makes the emulation a bit slower but track the number of iterations.

Is possible to print all the registers in every step with  -r or --registers  but also is possible to track  specific register for example with --reg esi


target/release/scemu -f shellcodes/shikata.bin --reg esi 


In this case ESI register points to the API name, if we track EAX or ECX will see that are the counters of the loop. These shellcodes  contains a hard loop to locate the API names.

The flag -i or --inspect allow to monitor memory using expressions like "dword ptr [eax + 0xa]"

target/release/scemu -f shellcodes/shikata.bin -i 'dword ptr [esi]'

And more things to come...  find a demo below:

https://www.youtube.com/watch?v=qTYmMjW3DFs





Read more


  1. Pentest Tools Url Fuzzer
  2. Pentest Tools Alternative
  3. Android Hack Tools Github
  4. Best Hacking Tools 2020
  5. Tools For Hacker
  6. Github Hacking Tools
  7. Physical Pentest Tools
  8. Wifi Hacker Tools For Windows
  9. Hack And Tools
  10. Pentest Tools For Mac
  11. Hacking Tools Windows 10
  12. Pentest Tools Website
  13. Hack Tools Download
  14. Hack Website Online Tool
  15. Hacking Tools Online
  16. Hacker Tools Mac
  17. Pentest Tools Find Subdomains
  18. Hacking Tools 2019
  19. Hacker Tools 2019
  20. Pentest Tools Windows
  21. Hacker Tools Apk
  22. Best Pentesting Tools 2018
  23. Hacker Hardware Tools
  24. Hacking Tools For Windows 7
  25. Hacking Tools Github
  26. Hacker Tools Windows
  27. Hack Tools Download
  28. Growth Hacker Tools
  29. Android Hack Tools Github
  30. Hacking Tools Kit
  31. Hacking Tools Windows
  32. Hacking Tools For Windows
  33. Tools 4 Hack
  34. Hacking Tools Windows 10
  35. Pentest Tools Subdomain
  36. Hacks And Tools
  37. Tools Used For Hacking
  38. Hacking Tools For Pc
  39. Pentest Tools
  40. Hacks And Tools
  41. Hacker Tools Apk Download
  42. Hacking Tools 2019
  43. Pentest Tools List
  44. Hacker Tools Hardware
  45. Pentest Tools Find Subdomains
  46. Hacking Tools Free Download
  47. Pentest Tools Linux
  48. Computer Hacker
  49. Hacking Tools Windows 10
  50. Hacker Tools Software
  51. New Hacker Tools
  52. Pentest Tools Framework
  53. Pentest Tools Subdomain
  54. Hack Apps
  55. Hacker Hardware Tools
  56. Pentest Tools Github
  57. Hacking Tools For Games
  58. Hackers Toolbox
  59. Hacking Tools 2020
  60. Hacker Tool Kit
  61. Hacking Tools Free Download
  62. Hacking Tools Download
  63. Hacker Tools For Windows
  64. Hacker Tools Apk
  65. Install Pentest Tools Ubuntu
  66. Hacking Tools For Windows
  67. Hacking Tools For Games
  68. Hacker Tools For Pc
  69. Pentest Tools Linux
  70. Hacking Tools Pc
  71. Pentest Tools Github
  72. Hacking Tools For Windows
  73. Pentest Tools Website Vulnerability
  74. Hacking Tools Mac
  75. New Hack Tools
  76. Best Pentesting Tools 2018
  77. Pentest Tools Alternative
  78. Pentest Tools Url Fuzzer
  79. Hack Website Online Tool
  80. What Is Hacking Tools
  81. Hacker Tools Github
  82. Termux Hacking Tools 2019
  83. Hack Tools 2019
  84. Hacking App
  85. Hacker Tool Kit
  86. Hacker Tools List
  87. Pentest Tools For Mac
  88. Top Pentest Tools
  89. Hacking Apps
  90. Hacking Tools
  91. Hacker Tools Hardware
  92. Pentest Tools Open Source
  93. Hack Rom Tools
  94. New Hacker Tools
  95. Ethical Hacker Tools
  96. Hacker Hardware Tools
  97. Hack Tools For Pc
  98. Pentest Tools Port Scanner
  99. Pentest Tools Review
  100. Pentest Tools Framework
  101. Hacker Tools Hardware
  102. Hacker Tools Apk
  103. Best Pentesting Tools 2018
Publicado por en

No hay comentarios:

Publicar un comentario

Suscribirse a: Enviar comentarios (Atom)