Emulating Shellcodes - Chapter 2

 Lets check different  Cobalt Strike shellcodes and stages in the shellcodes emulator SCEMU.

This stages are fully emulated well and can get the IOC and the behavior of the shellcode.

But lets see another first stage big shellcode with c runtime embedded in a second stage.

In this case is loading tons of API using GetProcAddress at the beginning, then some encode/decode pointer and tls get/set values to store an address. And ends up crashing because is jumping an address that seems more code than address 0x9090f1eb.

Here there are two types of allocations:

Lets spawn a console on -c 3307548 and see if some of this allocations has the next stage.

The "m" command show all the memory maps but the "ma" show only the allocations done by the shellcode.

Dumping memory with "md" we see that there is data, and dissasembling this address with "d" we see the prolog of a function.

So we have second stage unpacked in alloc_e40064

With "mdd" we do a memory dump to disk we found the size in previous screenshot,  and we can do  some static reversing of stage2 in radare/ghidra/ida

In radare we can verify that the extracted is the next stage:

I usually do correlation between the emulation and ghidra, to understand the algorithms.

If wee look further we can realize that the emulator called a function on the stage2, we can see the change of code base address and  is calling the allocated buffer in 0x4f...

And this  stage2 perform several API calls let's check it in ghidra.

We can see in the emulator that enters in the IF block, and what are the (*DAT_...)() calls

Before a crash lets continue to the SEH pointer, in this case is the way, and the exception routine checks IsDebuggerPresent() which is not any debugger pressent for sure, so eax = 0;

So lets say yes and continue the emulation.

Both IsDebuggerPresent() and UnHandledExceptionFilter() can be used to detect a debugger, but the emulator return what has to return to not be detected. 

Nevertheless the shellcode detects something and terminates the process.

Lets trace the branches to understand the logic:

target/release/scemu -f shellcodes/unsuported_cs.bin -vv | egrep '(\*\*|j|cmp|test)'

Continuing the emulation it's setting the SEH  pointer to previous stage:

Lets see from the console where is pointing the SEH chain item:

to be continued ...

https://github.com/sha0coder/scemu

Related articles

1. Pentest Tools Github
2. Hacking Tools Free Download
3. Hacker Tools Apk Download
4. Pentest Recon Tools
5. Hacker Tools Online
6. Hacker Tools For Ios
7. Hacker Tools Free
8. Hacking Tools For Games
9. Hacker Tools Apk
10. Hacking Tools Software
11. Pentest Tools Kali Linux
12. Hacking Tools Kit
13. Pentest Tools For Mac
14. Tools Used For Hacking
15. Hacker Tools Mac
16. Hacking Tools Github
17. Nsa Hack Tools Download
18. Hack Tools Pc
19. Pentest Tools Alternative
20. Hacking Tools Free Download
21. Hack Tools For Pc
22. Pentest Tools Url Fuzzer
23. Bluetooth Hacking Tools Kali
24. Termux Hacking Tools 2019
25. Hacker Tools Windows
26. Hacker Tools 2020
27. Hacker Tools For Ios
28. Nsa Hack Tools Download
29. Free Pentest Tools For Windows
30. Hacker Tools Mac
31. Hack Tools Download
32. Hacking Tools For Games
33. Hacker Tools For Ios
34. Hacker Security Tools
35. Black Hat Hacker Tools
36. Hacking Apps
37. Hacker Tools For Ios
38. Hacking Tools For Games
39. What Is Hacking Tools
40. Pentest Tools Kali Linux
41. Pentest Tools Url Fuzzer
42. Hacker Tools 2020
43. Hack Tools Mac
44. How To Install Pentest Tools In Ubuntu
45. Pentest Tools Free
46. Black Hat Hacker Tools
47. Hack Tools Github
48. Hacker Tools Free
49. Pentest Recon Tools
50. Hacking Tools For Pc
51. Best Pentesting Tools 2018
52. Pentest Tools Framework
53. Hacker Tools Mac
54. Hacker Tools List
55. Hacker
56. Hacking Tools Online
57. Hacking Tools Download
58. Hack Tools For Windows
59. Hack Tools For Ubuntu
60. Pentest Tools For Windows
61. Pentest Tools Windows
62. Hack Tools Pc
63. Growth Hacker Tools
64. How To Hack
65. Hack Tools For Ubuntu
66. Pentest Tools Url Fuzzer
67. Termux Hacking Tools 2019
68. Hacking Tools
69. Hacker Tools For Windows
70. Hackrf Tools
71. Hacking Tools Mac
72. Hack Tools For Pc
73. Pentest Tools
74. Hack Tools Online
75. Hack Tools For Windows
76. Physical Pentest Tools
77. Pentest Tools Github
78. How To Install Pentest Tools In Ubuntu
79. Pentest Box Tools Download
80. Hacking Tools Pc
81. Underground Hacker Sites
82. Hacking Tools And Software
83. Hack Tools Github
84. Pentest Automation Tools
85. Black Hat Hacker Tools
86. Hacker Tools 2020
87. Hacking Tools Free Download
88. Hacker Tools Online
89. Pentest Tools For Windows
90. Hacker Tools Hardware
91. How To Hack
92. Pentest Box Tools Download
93. Pentest Tools Subdomain
94. Hacking Tools Online
95. Computer Hacker
96. Hacker Tools For Pc
97. Hacker Techniques Tools And Incident Handling
98. Pentest Tools Find Subdomains
99. Hacking Tools Usb
100. Ethical Hacker Tools
101. Bluetooth Hacking Tools Kali
102. Hacker Tools List
103. Hacker Tools For Mac
104. Wifi Hacker Tools For Windows
105. Hacking Apps
106. Hacking Tools
107. Hak5 Tools
108. Wifi Hacker Tools For Windows
109. How To Hack
110. Hacker Tools Github
111. Hack Tools For Mac
112. Hacking Tools For Games
113. Hack App
114. Hacker Tools Software
115. Bluetooth Hacking Tools Kali
116. Hacker Tools Apk Download
117. Pentest Tools Android
118. What Is Hacking Tools
119. Hack Tools Download
120. Hack Tools For Pc
121. Hacking Tools Online
122. Hack Tools
123. Hack Tools For Games
124. Hack Tools 2019
125. Hacking Tools For Beginners
126. Hacking Tools Kit
127. Termux Hacking Tools 2019
128. How To Hack
129. Hacker Tools Mac
130. Hacker Techniques Tools And Incident Handling
131. Install Pentest Tools Ubuntu
132. Pentest Tools Bluekeep
133. Kik Hack Tools
134. Nsa Hacker Tools
135. Hacking Tools For Kali Linux
136. Tools For Hacker
137. Hacking Tools Github