Emulating Shellcodes - Chapter 2

 Lets check different  Cobalt Strike shellcodes and stages in the shellcodes emulator SCEMU.




This stages are fully emulated well and can get the IOC and the behavior of the shellcode.

But lets see another first stage big shellcode with c runtime embedded in a second stage.


In this case is loading tons of API using GetProcAddress at the beginning, then some encode/decode pointer and tls get/set values to store an address. And ends up crashing because is jumping an address that seems more code than address 0x9090f1eb.

Here there are two types of allocations:


Lets spawn a console on -c 3307548 and see if some of this allocations has the next stage.

The "m" command show all the memory maps but the "ma" show only the allocations done by the shellcode.



Dumping memory with "md" we see that there is data, and dissasembling this address with "d" we see the prolog of a function.

So we have second stage unpacked in alloc_e40064


With "mdd" we do a memory dump to disk we found the size in previous screenshot,  and we can do  some static reversing of stage2 in radare/ghidra/ida

In radare we can verify that the extracted is the next stage:


I usually do correlation between the emulation and ghidra, to understand the algorithms.

If wee look further we can realize that the emulator called a function on the stage2, we can see the change of code base address and  is calling the allocated buffer in 0x4f...



And this  stage2 perform several API calls let's check it in ghidra.


We can see in the emulator that enters in the IF block, and what are the (*DAT_...)() calls

Before a crash lets continue to the SEH pointer, in this case is the way, and the exception routine checks IsDebuggerPresent() which is not any debugger pressent for sure, so eax = 0;



So lets say yes and continue the emulation.


Both IsDebuggerPresent() and UnHandledExceptionFilter() can be used to detect a debugger, but the emulator return what has to return to not be detected. 

Nevertheless the shellcode detects something and terminates the process.

Lets trace the branches to understand the logic:


target/release/scemu -f shellcodes/unsuported_cs.bin -vv | egrep '(\*\*|j|cmp|test)'



Continuing the emulation it's setting the SEH  pointer to previous stage:


Lets see from the console where is pointing the SEH chain item:


to be continued ...


https://github.com/sha0coder/scemu






More information


  1. Github Hacking Tools
  2. Pentest Tools For Android
  3. Hacker Tools Online
  4. Hack Tools Download
  5. Hacking Tools For Mac
  6. How To Install Pentest Tools In Ubuntu
  7. Pentest Tools Online
  8. Pentest Tools Kali Linux
  9. What Are Hacking Tools
  10. Pentest Tools Bluekeep
  11. Hacker Tools Free
  12. Hack Tool Apk No Root
  13. Hacking Tools
  14. Hacking Tools And Software
  15. Pentest Tools
  16. Hacker Tools For Windows
  17. Android Hack Tools Github
  18. Pentest Tools Open Source
  19. New Hacker Tools
  20. Nsa Hack Tools Download
  21. Hacker Techniques Tools And Incident Handling
  22. Hack Tools Mac
  23. Hacking Tools Download
  24. Pentest Tools Open Source
  25. Hacker Tools For Pc
  26. Hack Tools
  27. Physical Pentest Tools
  28. Hack Tools For Games
  29. Hacking Tools For Kali Linux
  30. Nsa Hack Tools
  31. Hack Tools
  32. Hacker Tools
  33. Install Pentest Tools Ubuntu
  34. Hacking Tools For Windows Free Download
  35. What Are Hacking Tools
  36. Kik Hack Tools
  37. Black Hat Hacker Tools
  38. Hack Tools
  39. Hack Website Online Tool
  40. Tools Used For Hacking
  41. Hack Tools Download
  42. Hack Tools For Games
  43. What Is Hacking Tools
  44. Hacker Security Tools
  45. Pentest Tools Url Fuzzer
  46. Pentest Tools Android
  47. Pentest Tools Tcp Port Scanner
  48. Hacker Tools Online
  49. Hack Tools
  50. Hacker Tools Windows
  51. Hack App
  52. Hacker Tools For Pc
  53. Nsa Hacker Tools
  54. Tools 4 Hack
  55. Hacker Tools Free
  56. Hacking Tools
  57. Kik Hack Tools
  58. Free Pentest Tools For Windows
  59. Hacker Tools For Ios
  60. Pentest Recon Tools
  61. Physical Pentest Tools
  62. Hacking Tools Mac
  63. Pentest Tools Android
  64. Hacking Tools 2019
  65. Hack Tools 2019
  66. Pentest Tools Download
  67. Pentest Tools Apk
  68. Hacker Tools 2019
  69. Pentest Tools For Windows
  70. How To Hack
  71. Hack Website Online Tool
  72. Nsa Hacker Tools
  73. Termux Hacking Tools 2019
  74. Bluetooth Hacking Tools Kali
  75. Hacking Tools Pc
  76. Black Hat Hacker Tools
  77. Free Pentest Tools For Windows
  78. Nsa Hack Tools Download
  79. Nsa Hack Tools
  80. Nsa Hacker Tools
  81. Pentest Tools For Android
  82. Pentest Tools Website Vulnerability
  83. Hacking Tools 2020
  84. Hacking Tools Free Download
  85. Hacker Security Tools
  86. Hacking Tools Download
  87. Hack Tools Pc
  88. Hack Tools For Pc
  89. Pentest Tools Android
  90. Hacking Tools Windows 10
  91. Hacker Tools Apk Download
  92. Hack Tools For Pc
  93. Hacking Tools Name
  94. Github Hacking Tools
  95. Hacking Tools Software
  96. World No 1 Hacker Software
  97. Hacking Tools Mac
  98. Hacker Tools For Ios
  99. Hack Tool Apk No Root
  100. Tools For Hacker
  101. Install Pentest Tools Ubuntu
  102. Pentest Tools Windows
  103. Best Hacking Tools 2019
  104. Hacks And Tools
  105. Usb Pentest Tools
  106. Tools For Hacker
  107. Hacking Apps
  108. Pentest Tools Open Source
  109. Pentest Tools Nmap
  110. Pentest Tools Github
  111. Tools For Hacker
  112. Pentest Tools Download
  113. Termux Hacking Tools 2019
  114. Hacker Tools Online
  115. Hack Tools Online
  116. Pentest Tools Download
  117. Hack Tools Download
  118. Hacker Tools Windows
  119. Hacker Tools List
  120. Hack Website Online Tool
  121. Hacker Tools For Windows
  122. How To Make Hacking Tools
  123. Hacking Tools Download
  124. Hacking Tools Usb
  125. Hacking Tools Pc
  126. Pentest Tools List
  127. Hacking Tools Github
  128. Ethical Hacker Tools
  129. Hack Tools For Pc
  130. Pentest Tools
  131. How To Install Pentest Tools In Ubuntu
  132. Hack Tools Download
  133. Easy Hack Tools
  134. Hack Tools For Pc
  135. Hacking Tools For Windows Free Download
  136. Hacking Tools Github
  137. Hacking Tools Usb
  138. Hacking Tools Name
  139. Hacker Search Tools
  140. Bluetooth Hacking Tools Kali
  141. Hack Tools For Pc
  142. Hack App
  143. Hacker Tools Software
  144. Pentest Tools Download
  145. Hacking Tools For Windows
  146. Hacker Tools Linux
  147. Hacking Tools For Windows Free Download
  148. Hacker Tools For Mac
  149. Pentest Tools Find Subdomains
  150. New Hack Tools
Posted by dashmo FREESTUFF at 11:49 am  

0 comments:

Post a Comment

Request Item or Service

Subscribe to: Post Comments (Atom)
Powered by Blogger.