Tuesday, January 23, 2024

Fast Emulator For Shellcodes In Rust

I have developed a fast emulator for modern shellcodes, that perform huge loops of millions of instructions emulated for resolving API or for other stuff.

The emulator is in Rust and all the few dependencies as well, so the rust safety is good for emulating malware.  

There are shellcodes that can be emulated from the beginning to the end, but when this is not possible the tool has many features that can be used like a console, a memory tracing, register tracing, and so on.

https://github.com/sha0coder/scemu



In less than two seconds we have emulated 7 millions of instructions arriving to the recv. 

At this point we have some  IOC like  the ip:port where it's connecting and other details.

Lets see what happens after the recv() spawning a console at position: 7,012,204


target/release/scemu -f shellcodes/shikata.bin -vv -c 7012204



In the console, pressing "enter" several times to emulate  step into several steps and we arrive to a return instruction.


Let's see the stack in this moment:


The "ret" instruction is going to jump to the buffer read with recv() so is a kind of stager.

The option "-e" or "--endpoint" is not ready for now, but it will allow to proxy the calls to get the next  stage automatically, but for now we have the details to get the stage.


SCEMU also identify all the Linux  syscalls for 32bits shellcodes:



The encoder used in shellgen is also supported https://github.com/MarioVilas/shellgen

Let's check with cobalt-strike:


We can see where is connecting and which headers is using, so right now we can replicate the communications.



In verbose mode we could do several greps to see the calls and correlate with ghidra/ida/radare or  for example grep the branches to study the emulation flow.


target/release/scemu -f shellcodes/rshell_sgn.bin -vv | grep j


target/release/scemu -f shellcodes/rshell_sgn.bin -vv -c 44000 -l


The -l --loops options makes the emulation a bit slower but track the number of iterations.

Is possible to print all the registers in every step with  -r or --registers  but also is possible to track  specific register for example with --reg esi


target/release/scemu -f shellcodes/shikata.bin --reg esi 


In this case ESI register points to the API name, if we track EAX or ECX will see that are the counters of the loop. These shellcodes  contains a hard loop to locate the API names.

The flag -i or --inspect allow to monitor memory using expressions like "dword ptr [eax + 0xa]"

target/release/scemu -f shellcodes/shikata.bin -i 'dword ptr [esi]'

And more things to come...  find a demo below:

https://www.youtube.com/watch?v=qTYmMjW3DFs





Related news


  1. Blackhat Hacker Tools
  2. Hacks And Tools
  3. Pentest Tools Website
  4. Hack Website Online Tool
  5. Hacking Tools Mac
  6. Hacking Tools For Windows 7
  7. Hacker Tools Windows
  8. Hacking Tools Kit
  9. Hack Tools For Games
  10. Pentest Tools Url Fuzzer
  11. Pentest Tools Framework
  12. Bluetooth Hacking Tools Kali
  13. Hacking Tools 2019
  14. Hacking Tools For Pc
  15. What Is Hacking Tools
  16. What Are Hacking Tools
  17. Hacker Tools 2020
  18. Pentest Recon Tools
  19. Hacking Tools Mac
  20. Hack Tools For Mac
  21. Hacking Tools For Windows 7
  22. Hacker Tools List
  23. Hacking Tools For Kali Linux
  24. Hack Tools
  25. Pentest Automation Tools
  26. Hacker Tools Windows
  27. Hack Tools For Pc
  28. Pentest Tools Online
  29. Hacking Tools For Kali Linux
  30. Hacker Tools For Mac
  31. Best Pentesting Tools 2018
  32. Hacker Tools Mac
  33. Pentest Tools
  34. Hackers Toolbox
  35. Bluetooth Hacking Tools Kali
  36. Hak5 Tools
  37. Pentest Tools For Mac
  38. Hacks And Tools
  39. Physical Pentest Tools
  40. What Are Hacking Tools
  41. Hacking Tools
  42. Hacking Tools For Games
  43. Hacker Tools Free Download
  44. Hack Tools Github
  45. Pentest Tools Alternative
  46. Hack Tools Online
  47. Hacker Tools For Ios
  48. Hacker Tool Kit
  49. Pentest Box Tools Download
  50. Bluetooth Hacking Tools Kali
  51. Hak5 Tools
  52. Hacking Tools 2019
  53. Pentest Tools Review
  54. Pentest Tools Port Scanner
  55. Hacking Tools 2020
  56. Pentest Tools
  57. Install Pentest Tools Ubuntu
  58. Pentest Recon Tools
  59. Hacker Tools 2019
  60. Hacking Tools
  61. Hacker Tools Hardware
  62. Tools For Hacker
  63. Hacking Tools For Windows 7
  64. Github Hacking Tools
  65. Hack Tools 2019
  66. Hack Tools Online
  67. Hack Rom Tools
  68. Usb Pentest Tools
  69. Beginner Hacker Tools
  70. Hacking Apps
  71. Pentest Tools Url Fuzzer
  72. Hack Tools For Mac
  73. How To Hack
  74. Pentest Tools Online
  75. Hacking Tools For Windows 7
  76. Pentest Tools Subdomain
  77. Hacking Tools Download
  78. Hack Tools
  79. Hacker Tools Windows
  80. Pentest Tools Download
  81. Hacking Tools For Windows
  82. World No 1 Hacker Software
  83. Hacker Tools For Ios
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)