jueves, 1 de junio de 2023

Emulating Shellcodes - Chapter 2

 Lets check different  Cobalt Strike shellcodes and stages in the shellcodes emulator SCEMU.




This stages are fully emulated well and can get the IOC and the behavior of the shellcode.

But lets see another first stage big shellcode with c runtime embedded in a second stage.


In this case is loading tons of API using GetProcAddress at the beginning, then some encode/decode pointer and tls get/set values to store an address. And ends up crashing because is jumping an address that seems more code than address 0x9090f1eb.

Here there are two types of allocations:


Lets spawn a console on -c 3307548 and see if some of this allocations has the next stage.

The "m" command show all the memory maps but the "ma" show only the allocations done by the shellcode.



Dumping memory with "md" we see that there is data, and dissasembling this address with "d" we see the prolog of a function.

So we have second stage unpacked in alloc_e40064


With "mdd" we do a memory dump to disk we found the size in previous screenshot,  and we can do  some static reversing of stage2 in radare/ghidra/ida

In radare we can verify that the extracted is the next stage:


I usually do correlation between the emulation and ghidra, to understand the algorithms.

If wee look further we can realize that the emulator called a function on the stage2, we can see the change of code base address and  is calling the allocated buffer in 0x4f...



And this  stage2 perform several API calls let's check it in ghidra.


We can see in the emulator that enters in the IF block, and what are the (*DAT_...)() calls

Before a crash lets continue to the SEH pointer, in this case is the way, and the exception routine checks IsDebuggerPresent() which is not any debugger pressent for sure, so eax = 0;



So lets say yes and continue the emulation.


Both IsDebuggerPresent() and UnHandledExceptionFilter() can be used to detect a debugger, but the emulator return what has to return to not be detected. 

Nevertheless the shellcode detects something and terminates the process.

Lets trace the branches to understand the logic:


target/release/scemu -f shellcodes/unsuported_cs.bin -vv | egrep '(\*\*|j|cmp|test)'



Continuing the emulation it's setting the SEH  pointer to previous stage:


Lets see from the console where is pointing the SEH chain item:


to be continued ...


https://github.com/sha0coder/scemu






Read more
  1. Hacker Tools 2020
  2. Hacking Tools Usb
  3. Hacking Tools Online
  4. Android Hack Tools Github
  5. Hack Tools For Windows
  6. Hacking Tools For Windows 7
  7. Pentest Tools For Mac
  8. Hacker Tools Online
  9. Hacking Tools Name
  10. Hacking Tools Download
  11. Pentest Tools Website
  12. Nsa Hack Tools Download
  13. Hack Tools Mac
  14. Pentest Tools Github
  15. Pentest Tools Android
  16. Hacking Tools For Beginners
  17. Android Hack Tools Github
  18. How To Hack
  19. Best Pentesting Tools 2018
  20. Pentest Recon Tools
  21. Pentest Tools Bluekeep
  22. Hacker Tools Apk Download
  23. Hacking Tools 2020
  24. How To Hack
  25. Hacker Tools For Windows
  26. Pentest Tools Nmap
  27. Hacking Tools For Pc
  28. Hacking Tools Windows
  29. Hacker Tools Online
  30. Best Hacking Tools 2019
  31. Wifi Hacker Tools For Windows
  32. Nsa Hack Tools Download
  33. Hacking Tools For Kali Linux
  34. Hacker Tools Apk Download
  35. Hack Tools For Pc
  36. Hackrf Tools
  37. Growth Hacker Tools
  38. Hacking Tools For Kali Linux
  39. Usb Pentest Tools
  40. Best Pentesting Tools 2018
  41. Pentest Tools Tcp Port Scanner
  42. Hacker Tools Free
  43. Hackers Toolbox
  44. Hacks And Tools
  45. Hacking Tools Github
  46. Hacker Tools Hardware
  47. Hacking Tools For Beginners
  48. How To Hack
  49. Nsa Hack Tools Download
  50. Free Pentest Tools For Windows
  51. Hacker Tools Linux
  52. Hacking Tools For Beginners
  53. Tools 4 Hack
  54. Hacker Tools Apk Download
  55. Pentest Tools Free
  56. Pentest Tools Kali Linux
  57. Hacker Tools 2019
  58. Hacking Tools Kit
  59. Hacking Tools For Games
  60. Hacking Tools For Kali Linux
  61. How To Install Pentest Tools In Ubuntu
  62. Hacking Tools For Mac
  63. Hacking Tools Free Download
  64. Tools For Hacker
  65. Pentest Box Tools Download
  66. Hacking Tools For Pc
  67. Hacking Tools Hardware
  68. Hacking Tools For Windows 7
  69. Hack App
  70. Ethical Hacker Tools
  71. Hacking Tools Usb
  72. Ethical Hacker Tools
  73. Hacking Tools For Windows Free Download
  74. Ethical Hacker Tools
  75. Hacker Hardware Tools
  76. Hacking Tools Usb
  77. Hacking Tools For Games
  78. Hacking Tools For Mac
  79. Pentest Tools Download
  80. Hacker Tools Windows
  81. Hack Tools For Ubuntu
  82. Install Pentest Tools Ubuntu
  83. Physical Pentest Tools
  84. Pentest Tools Nmap
  85. Hacker Tools For Ios
  86. New Hacker Tools
  87. Pentest Tools Apk
  88. Pentest Tools Online
  89. Hacker Techniques Tools And Incident Handling
  90. Hacker Tools 2019
  91. Hack Tools
  92. Pentest Automation Tools
  93. Hacker Techniques Tools And Incident Handling
  94. Hacking Tools Usb
  95. Best Hacking Tools 2020
  96. Pentest Tools Open Source
  97. Hack Tools Download
  98. Blackhat Hacker Tools
  99. Pentest Tools Free
  100. Easy Hack Tools
  101. Hacking Tools For Windows
  102. Hacker Tools 2019
  103. Hack Tools For Mac
  104. Hack Tools For Pc
  105. Game Hacking
  106. Hacking Tools For Pc
  107. Hacking Tools Mac
  108. Bluetooth Hacking Tools Kali
  109. Hack Tools For Windows
  110. Hack Tools For Games
  111. Hack Tools For Mac
  112. Pentest Tools List
  113. Hacking Tools 2019
  114. Hacking Tools Windows 10
  115. Termux Hacking Tools 2019
  116. Hackers Toolbox
  117. Hacker Tools
  118. Hacking Tools And Software
  119. Hack Tools For Pc
  120. Hacker Tools Online
  121. Hack Website Online Tool
  122. Pentest Tools Online
  123. What Are Hacking Tools
  124. Pentest Tools For Mac

No hay comentarios: