Total Pageviews

Sunday, 28 January 2024

Fast Emulator For Shellcodes In Rust

I have developed a fast emulator for modern shellcodes, that perform huge loops of millions of instructions emulated for resolving API or for other stuff.

The emulator is in Rust and all the few dependencies as well, so the rust safety is good for emulating malware.  

There are shellcodes that can be emulated from the beginning to the end, but when this is not possible the tool has many features that can be used like a console, a memory tracing, register tracing, and so on.

https://github.com/sha0coder/scemu



In less than two seconds we have emulated 7 millions of instructions arriving to the recv. 

At this point we have some  IOC like  the ip:port where it's connecting and other details.

Lets see what happens after the recv() spawning a console at position: 7,012,204


target/release/scemu -f shellcodes/shikata.bin -vv -c 7012204



In the console, pressing "enter" several times to emulate  step into several steps and we arrive to a return instruction.


Let's see the stack in this moment:


The "ret" instruction is going to jump to the buffer read with recv() so is a kind of stager.

The option "-e" or "--endpoint" is not ready for now, but it will allow to proxy the calls to get the next  stage automatically, but for now we have the details to get the stage.


SCEMU also identify all the Linux  syscalls for 32bits shellcodes:



The encoder used in shellgen is also supported https://github.com/MarioVilas/shellgen

Let's check with cobalt-strike:


We can see where is connecting and which headers is using, so right now we can replicate the communications.



In verbose mode we could do several greps to see the calls and correlate with ghidra/ida/radare or  for example grep the branches to study the emulation flow.


target/release/scemu -f shellcodes/rshell_sgn.bin -vv | grep j


target/release/scemu -f shellcodes/rshell_sgn.bin -vv -c 44000 -l


The -l --loops options makes the emulation a bit slower but track the number of iterations.

Is possible to print all the registers in every step with  -r or --registers  but also is possible to track  specific register for example with --reg esi


target/release/scemu -f shellcodes/shikata.bin --reg esi 


In this case ESI register points to the API name, if we track EAX or ECX will see that are the counters of the loop. These shellcodes  contains a hard loop to locate the API names.

The flag -i or --inspect allow to monitor memory using expressions like "dword ptr [eax + 0xa]"

target/release/scemu -f shellcodes/shikata.bin -i 'dword ptr [esi]'

And more things to come...  find a demo below:

https://www.youtube.com/watch?v=qTYmMjW3DFs





Related links


  1. Pentest Tools For Windows
  2. Hacking Tools For Beginners
  3. Hacking Tools Online
  4. Hacking Tools Download
  5. Hack Tools 2019
  6. Hacking Tools For Windows
  7. Hacker Tools Apk
  8. Hacking Tools Github
  9. Hacking Tools For Games
  10. Hacks And Tools
  11. Hack Tool Apk No Root
  12. Hacker Tools Linux
  13. Hacking Tools For Beginners
  14. What Is Hacking Tools
  15. Hacker Security Tools
  16. Hacker Tools Software
  17. Easy Hack Tools
  18. Pentest Tools Open Source
  19. Hack Website Online Tool
  20. Pentest Tools Online
  21. Hacker Tools For Ios
  22. World No 1 Hacker Software
  23. Hack Tools For Windows
  24. Hack Tool Apk No Root
  25. Top Pentest Tools
  26. Hack Tools Mac
  27. Pentest Tools Url Fuzzer
  28. Hacker Tools Free Download
  29. Hack Tools
  30. Pentest Reporting Tools
  31. Hacking Tools Github
  32. Free Pentest Tools For Windows
  33. Best Pentesting Tools 2018
  34. Hacker Tools 2019
  35. Tools 4 Hack
  36. Pentest Tools Find Subdomains
  37. Hack Website Online Tool
  38. Hacking Tools For Windows
  39. World No 1 Hacker Software
  40. Hacking Apps
  41. Tools Used For Hacking
  42. Pentest Tools For Android
  43. Hack Tools Download
  44. Pentest Tools Subdomain
  45. Pentest Tools Subdomain
  46. Github Hacking Tools
  47. Hacker Tools Hardware
  48. Nsa Hacker Tools
  49. Hack Tools 2019
  50. Install Pentest Tools Ubuntu
  51. Hacker Tools 2019
  52. Pentest Tools Find Subdomains
  53. Pentest Tools Online
  54. Pentest Tools Free
  55. How To Hack
  56. Hack Tools For Pc
  57. Pentest Tools Subdomain
  58. Nsa Hack Tools Download
  59. Hack Tools Download
  60. Pentest Tools Url Fuzzer
  61. Hacking Tools For Mac
  62. Game Hacking
  63. Best Hacking Tools 2020
  64. Hacking Tools
  65. Pentest Tools For Windows
  66. Hacker Tools 2020
  67. Pentest Tools Subdomain
  68. Hacker Hardware Tools
  69. Pentest Tools Subdomain
  70. Ethical Hacker Tools
  71. Pentest Tools Url Fuzzer
  72. Pentest Tools Subdomain
  73. Pentest Tools For Mac
  74. Hacking App
  75. Hack Tool Apk No Root
  76. Hack Apps
  77. Hacking Tools 2020
  78. Pentest Tools Subdomain
  79. Pentest Tools Framework
  80. Hacker Tools Mac
  81. Hack Tools For Pc
  82. Kik Hack Tools
  83. Hacker Tools Linux
  84. Hacking Tools For Kali Linux
  85. Hacker Tools List
  86. Hack Apps
  87. Black Hat Hacker Tools
  88. Hacking Tools For Games
  89. Pentest Tools Url Fuzzer
  90. Hacking Tools For Windows
  91. Hacking Tools Windows
  92. Hacking Tools For Kali Linux
  93. Hacker Tools Linux
  94. Pentest Tools Nmap
  95. Hack And Tools
  96. Pentest Tools Download
  97. Hacker Tool Kit
  98. Hacker Security Tools
  99. Usb Pentest Tools
  100. Hacker Tool Kit
  101. Hacker Tools Free
  102. Hack Tools Online
  103. Hacker Security Tools
  104. Hacker Security Tools
  105. Hack Tools Mac
  106. Hacker Tools Apk
  107. Physical Pentest Tools
  108. Pentest Tools
  109. Hacker Tools For Ios
  110. Hack Rom Tools
  111. Hack Tools Github
  112. Hacker Tools Hardware
  113. Hacker Tools Windows
  114. Hacking Tools For Windows 7
  115. Hacker Tools Online
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)