Scemu - X86 32Bits Emulator, For Securely Emulating Shellcodes - Hacking Land

x86 32bits emulator, for securely emulating shellcodes.

Features


rust safety, good for malware.
- All dependencies are in rust.
- zero unsafe{} blocks.
very fast emulation (much faster than unicorn)
- 3,000,000 instructions/second
- 100,000 instructions/second printing every instruction -vv.
powered by iced-x86 rust dissasembler awesome library.
iteration detector.
memory and register tracking.
colorized.
stop at specific moment and explore the state or modify it.
105 instructions implemented.
112 winapi implemented of 5 dlls.
all linux syscalls.
SEH chains.
vectored exception handler.
PEB, TEB structures.
memory allocator.
react with int3.
non debugged cpuid.
tests with known payloads:
- metasploit shellcodes.
- metasploit encoders.
- cobalt strike.
- shellgen.
- guloader (not totally for now, but arrive further than the debugger)

TODO

- more fpu- mmx- 64 bits- scripting?

Usage

emulator for Shellcodes 0.2.5 @sha0coder USAGE: scemu [FLAGS] [OPTIONS] FLAGS: -e, --endpoint perform communications with the endpoint, use tor or vpn! -h, --help Prints help information -l, --loops show loop interations, it is slow. -m, --memory trace all the memory accesses read and write. -n, --nocolors print without colors for redirectin to a file >out -r, --regs print the register values in every step. -V, --version Prints version information -v, --verbose -vv for view the assembly, -v only messages, without verbose only see the api calls and goes faster OPTIONS: -b, --base <ADDRESS> set base address for code -c, --console <NUMBER> select in which moment will spawn the console to inspect. -C, --console_addr <ADDRESS> spawn console on first eip = address -a, --entry <ADDRESS> entry point of the shellcode, by default starts from the beginning. -f, --filename <FILE> set the shellcode binary file. -i, --inspect <DIRECTION> monitor memory like: -i 'dword ptr [ebp + 0x24] -M, --maps <PATH> select the memory maps folder -R, --reg <REGISTER> trace a specific register in every step, value and content -s, --string <ADDRESS> monitor string on a specific address">

SCEMU 32bits emulator for Shellcodes 0.2.5@sha0coderUSAGE:    scemu [FLAGS] [OPTIONS]FLAGS:    -e, --endpoint    perform communications with the endpoint, use tor or vpn!    -h, --help        Prints help information    -l, --loops       show loop interations, it is slow.    -m, --memory      trace all the memory accesses read and write.    -n, --nocolors    print without colors for redirectin to a file >out    -r, --regs        print the register values in every step.    -V, --version     Prints version information    -v, --verbose     -vv for view the assembly, -v only messages, without verbose only see the api calls and goes                      fasterOPTIONS:    -b, --base <ADDRESS>            set base address for code    -c, --console <NUMBER>          select in which moment will    spawn the console to inspect.    -C, --console_addr <ADDRESS>    spawn console on first eip = address    -a, --entry <ADDRESS>           entry point of the shellcode, by default starts from the beginning.    -f, --filename <FILE>           set the shellcode binary file.    -i, --inspect <DIRECTION>       monitor memory like: -i 'dword ptr [ebp + 0x24]    -M, --maps <PATH>               select the memory maps folder    -R, --reg <REGISTER>            trace a specific register in every step, value and content    -s, --string <ADDRESS>          monitor string on a specific address

Some use cases

scemu emulates a simple shellcode detecting the execve() interrupt.

We select the line to stop and inspect the memory.

After emulating near 2 million instructions of GuLoader win32 in linux, faking cpuid's and other tricks in the way, arrives to a sigtrap to confuse debuggers.

Example of memory dump on the api loader.

There are several maps by default, and can be created more with apis like LoadLibraryA or manually from the console.

Emulating basic windows shellcode based on LdrLoadDLl() that prints a message:

The console allow to view an edit the current state of the cpu:

--- console ---=>h--- help ---q ...................... quitcls .................... clear screenh ...................... helps ...................... stackv ...................... varsr ...................... register show allr reg .................. show regrc ..................... register changef ...................... show all flagsfc ..................... clear all flagsfz ..................... toggle flag zerofs ..................... toggle flag signc ...................... continueba ..................... breakpoint on addressbi ..................... breakpoint on instruction numberbmr .................... breakpoint on read memorybmw .................... breakpoint on write memorybc ..................... clear breakpointn ...................... next instructioneip .................... change eippush ..............   ..... push dword to the stackpop .................... pop dword from stackfpu .................... fpu viewmd5 .................... check the md5 of a memory mapseh .................... view SEHveh .................... view vectored execption pointerm ...................... memory mapsma ..................... memory allocsmc ..................... memory create mapmn ..................... memory name of an addressml ..................... memory load file content to mapmr ..................... memory read, speficy ie: dword ptr [esi]mw ..................... memory read, speficy ie: dword ptr [esi]  and then: 1afmd ..................... memory dumpmrd .................... memory read dwordsmds .................... memory dump stringmdw .................... memory dump wide stringmdd .................... memory dump to diskmt ..................... memory testss ..................... search str   ingsb ..................... search bytessba .................... search bytes in all the mapsssa .................... search string in all the mapsll ..................... linked list walkd ...................... dissasembledt ..................... dump structureenter .................. step into

The cobalt strike api loader is the same that metasploit, emulating it:

Cobalt Strike API called:

Metasploit rshell API called:

Metasploit SGN encoder using few fpu to hide the polymorfism:

Metasploit shikata-ga-nai encoder that also starts with fpu:

Displaying PEB structure:

=>dtstructure=>pebaddress=>0x7ffdf000PEB {    reserved1: [        0x0,        0x0,    ],    being_debugged: 0x0,    reserved2: 0x0,    reserved3: [        0xffffffff,        0x400000,    ],    ldr: 0x77647880,    process_parameters: 0x2c1118,    reserved4: [        0x0,        0x2c0000,        0x77647380,    ],    alt_thunk_list_ptr: 0x0,    reserved5: 0x0,    reserved6: 0x6,    reserved7: 0x773cd568,    reserved8: 0x0,    alt_thunk_list_ptr_32: 0x0,    reserved9: [        0x0,...

Displaying PEB_LDR_DATA structure:

=>dtstructure=>PEB_LDR_DATAaddress=>0x77647880PebLdrData {    length: 0x30,    initializated: 0x1,    sshandle: 0x0,    in_load_order_module_list: ListEntry {        flink: 0x2c18b8,        blink: 0x2cff48,    },    in_memory_order_module_list: ListEntry {        flink: 0x2c18c0,        blink: 0x2cff50,    },    in_initialization_order_module_list: ListEntry {        flink: 0x2c1958,        blink: 0x2d00d0,    },    entry_in_progress: ListEntry {        flink: 0x0,        blink: 0x0,    },}=>

Displaying LDR_DATA_TABLE_ENTRY and first module name

=>dtstructure=>LDR_DATA_TABLE_ENTRYaddress=>0x2c18c0LdrDataTableEntry {    reserved1: [        0x2c1950,        0x77647894,    ],    in_memory_order_module_links: ListEntry {        flink: 0x0,        blink: 0x0,    },    reserved2: [        0x0,        0x400000,    ],    dll_base: 0x4014e0,    entry_point: 0x1d000,    reserved3: 0x40003e,    full_dll_name: 0x2c1716,    reserved4: [        0x0,        0x0,        0x0,        0x0,        0x0,        0x0,        0x0,        0x0,    ],    reserved5: [        0x17440012,        0x4000002c,        0xffff0000,    ],    checksum: 0x1d6cffff,    reserved6: 0xa640002c,    time_date_stamp: 0xcdf27764,}=>

A malware is hiding something in an exception

3307726 0x4f9673: push  ebp3307727 0x4f9674: push  edx3307728 0x4f9675: push  eax3307729 0x4f9676: push  ecx3307730 0x4f9677: push  ecx3307731 0x4f9678: push  4F96F4h3307732 0x4f967d: push  dword ptr fs:[0]Reading SEH 0x0-------3307733 0x4f9684: mov   eax,[51068Ch]--- console ---=>

Let's inspect exception structures:

--- console ---=>r esp        esp: 0x22de98=>dtstructure=>cppeh_recordaddress=>0x22de98CppEhRecord {    old_esp: 0x0,    exc_ptr: 0x4f96f4,    next: 0xfffffffe,    exception_handler: 0xfffffffe,    scope_table: PScopeTableEntry {        enclosing_level: 0x278,        filter_func: 0x51068c,        handler_func: 0x288,    },    try_level: 0x288,}=>

And here we have the error routine 0x4f96f4 and the filter 0x51068c

Download Scemu

Via: www.kitploit.com