Emulating Shellcodes - Chapter 2

 Lets check different  Cobalt Strike shellcodes and stages in the shellcodes emulator SCEMU.

This stages are fully emulated well and can get the IOC and the behavior of the shellcode.

But lets see another first stage big shellcode with c runtime embedded in a second stage.

In this case is loading tons of API using GetProcAddress at the beginning, then some encode/decode pointer and tls get/set values to store an address. And ends up crashing because is jumping an address that seems more code than address 0x9090f1eb.

Here there are two types of allocations:

Lets spawn a console on -c 3307548 and see if some of this allocations has the next stage.

The "m" command show all the memory maps but the "ma" show only the allocations done by the shellcode.

Dumping memory with "md" we see that there is data, and dissasembling this address with "d" we see the prolog of a function.

So we have second stage unpacked in alloc_e40064

With "mdd" we do a memory dump to disk we found the size in previous screenshot,  and we can do  some static reversing of stage2 in radare/ghidra/ida

In radare we can verify that the extracted is the next stage:

I usually do correlation between the emulation and ghidra, to understand the algorithms.

If wee look further we can realize that the emulator called a function on the stage2, we can see the change of code base address and  is calling the allocated buffer in 0x4f...

And this  stage2 perform several API calls let's check it in ghidra.

We can see in the emulator that enters in the IF block, and what are the (*DAT_...)() calls

Before a crash lets continue to the SEH pointer, in this case is the way, and the exception routine checks IsDebuggerPresent() which is not any debugger pressent for sure, so eax = 0;

So lets say yes and continue the emulation.

Both IsDebuggerPresent() and UnHandledExceptionFilter() can be used to detect a debugger, but the emulator return what has to return to not be detected. 

Nevertheless the shellcode detects something and terminates the process.

Lets trace the branches to understand the logic:

target/release/scemu -f shellcodes/unsuported_cs.bin -vv | egrep '(\*\*|j|cmp|test)'

Continuing the emulation it's setting the SEH  pointer to previous stage:

Lets see from the console where is pointing the SEH chain item:

to be continued ...

https://github.com/sha0coder/scemu

Related articles

1. Pentest Tools Tcp Port Scanner
2. Hacking Tools Windows
3. Hacker Tools For Mac
4. Hack Website Online Tool
5. Hacking Tools For Mac
6. Pentest Tools Online
7. Hacker Tools 2020
8. Tools Used For Hacking
9. Hack And Tools
10. Hacking Tools Kit
11. Hack Website Online Tool
12. Pentest Tools Tcp Port Scanner
13. Pentest Tools Free
14. Pentest Tools Website Vulnerability
15. Hack Tools Github
16. Hacking Tools 2019
17. Hacking Tools Github
18. Install Pentest Tools Ubuntu
19. Hacker Tools List
20. Tools Used For Hacking
21. Tools Used For Hacking
22. Hacking Tools Online
23. Nsa Hack Tools Download
24. Hack Tools Download
25. Pentest Tools Subdomain
26. Hacking Tools For Kali Linux
27. Termux Hacking Tools 2019
28. Pentest Tools Find Subdomains
29. Hacker Search Tools
30. World No 1 Hacker Software
31. Pentest Tools Tcp Port Scanner
32. Pentest Tools Website
33. Pentest Tools For Ubuntu
34. Pentest Recon Tools
35. Usb Pentest Tools
36. Hack Tools Online
37. What Are Hacking Tools
38. Bluetooth Hacking Tools Kali
39. Hak5 Tools
40. Hack Tools Mac
41. Hack Tools Online
42. Hacking Tools Online
43. Hacker Tools Windows
44. Hacker Tools Apk Download
45. Hacking Tools 2020
46. Pentest Recon Tools
47. Hacker Tools For Ios
48. Hacker Tools Linux
49. New Hack Tools
50. Hacks And Tools
51. Pentest Automation Tools
52. Hack Tools
53. Growth Hacker Tools
54. Hacking Apps
55. Pentest Tools Nmap
56. Pentest Tools For Android
57. Hacking Tools Github
58. Pentest Tools Windows
59. Pentest Tools Port Scanner
60. Pentest Tools Review
61. Hacker Tools For Pc
62. Physical Pentest Tools
63. Hack Tools
64. Pentest Recon Tools
65. Hack Website Online Tool
66. Termux Hacking Tools 2019
67. Hak5 Tools
68. Game Hacking
69. Usb Pentest Tools
70. Pentest Tools For Windows
71. Hack Tools Pc
72. Hack Tools For Pc
73. Pentest Tools Website
74. What Is Hacking Tools
75. Hack Tools For Mac
76. Hacker Tools For Pc
77. Android Hack Tools Github
78. World No 1 Hacker Software
79. Pentest Tools For Ubuntu
80. Pentest Tools Url Fuzzer
81. Best Pentesting Tools 2018
82. Hacking Tools For Pc
83. Pentest Tools List
84. Pentest Tools Free
85. Hacker Tools Mac
86. Blackhat Hacker Tools
87. Hacker Tools
88. Hacking Tools For Windows 7
89. Hacker Tools Github
90. Termux Hacking Tools 2019
91. Pentest Tools List
92. Hacking Tools Name
93. Hacking Apps
94. Bluetooth Hacking Tools Kali
95. Pentest Tools Review
96. Pentest Tools Windows
97. Pentest Tools Framework
98. Hacking Tools Usb
99. Game Hacking
100. Best Hacking Tools 2020
101. World No 1 Hacker Software
102. Hacking Tools Kit
103. How To Install Pentest Tools In Ubuntu
104. Hack Tools Online
105. Pentest Recon Tools
106. Github Hacking Tools
107. Top Pentest Tools
108. Hacker Search Tools
109. Hacker Tools For Ios
110. Hack Tools For Ubuntu
111. Hacker Tool Kit
112. Hacking Tools Windows
113. Hacker Tools
114. How To Install Pentest Tools In Ubuntu
115. Pentest Tools For Mac
116. Hacking Tools Download
117. Pentest Tools
118. Pentest Tools Windows
119. How To Install Pentest Tools In Ubuntu