Saturday, June 3, 2023

Emulating Shellcodes - Chapter 2

Let's run different Cobalt Strike shellcodes and stages through the shellcode emulator SCEMU.




These stages are fully emulated, and from the emulation we get the IOCs and the behaviour of the shellcode.

But let's look at another, larger first-stage shellcode that carries a C runtime embedded in a second stage.


In this case it resolves tons of APIs with GetProcAddress at the beginning, then does some EncodePointer/DecodePointer calls and TlsGetValue/TlsSetValue to stash an address. It ends up crashing because it jumps to 0x9090f1eb, a value that looks more like code than an address (as little-endian bytes it is eb f1 90 90: a short jmp followed by two nops).

Here there are two types of allocations:


Let's spawn the console at step 3307548 (-c 3307548) and see if any of these allocations holds the next stage.

The "m" command shows all the memory maps, while "ma" shows only the allocations made by the shellcode.



Dumping memory with "md" we see that there is data there, and disassembling the same address with "d" we see the prologue of a function.

So we have the second stage unpacked in alloc_e40064.


With "mdd" we dump that memory region to disk (its size was shown in the previous screenshot), and we can do some static reversing of stage2 in radare/ghidra/ida.

In radare we can verify that the extracted buffer is the next stage:


I usually correlate the emulation with Ghidra to understand the algorithms.

If we look further we can see that the emulator called a function in stage2: the code base address changes, and it is calling into the allocated buffer at 0x4f...



This stage2 performs several API calls; let's check them in Ghidra.


In the emulator we can see that execution enters the IF block, and what the (*DAT_...)() calls actually are.

Before the crash, let's continue into the SEH handler; in this case that is the intended path. The exception routine checks IsDebuggerPresent(), and since there is certainly no debugger present, eax = 0.



So let's say yes and continue the emulation.


Both IsDebuggerPresent() and UnhandledExceptionFilter() can be used to detect a debugger: the first reads the PEB BeingDebugged flag, and with the second a registered top-level filter only runs when no debugger has swallowed the exception first. The emulator returns what it has to return so as not to be detected.

Nevertheless, the shellcode detects something and terminates the process.

Let's trace the branches to understand the logic:


target/release/scemu -f shellcodes/unsuported_cs.bin -vv | egrep '(\*\*|j|cmp|test)'



Continuing the emulation, it sets the SEH pointer back to the previous stage:


Let's see from the console where the SEH chain item is pointing:

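To follow a chain like the one the console shows, here is an added example (my own code, not part of scemu or of the sample analysed in this post): a small Python walker over a raw 32-bit stack dump. On x86 each EXCEPTION_REGISTRATION_RECORD is two DWORDs, Next and Handler, and the chain ends at 0xFFFFFFFF. The dump bytes, the stack base, the record addresses and the region table (stage1 / alloc_stage2) are all constructed for the example; the walker stops cleanly on the terminator, on a loop, or when a pointer leaves the dumped region.

```python
"""Walk a 32-bit x86 SEH chain out of a raw memory dump.

Added example, not scemu code.  Each EXCEPTION_REGISTRATION_RECORD on the
stack is two little-endian DWORDs: Next (pointer to the next record,
0xFFFFFFFF at the end of the chain) and Handler (the exception routine).
The dump, its base address and the region table are constructed here.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

END_OF_CHAIN = 0xFFFFFFFF
RECORD_SIZE = 8  # sizeof(EXCEPTION_REGISTRATION_RECORD) on x86

# Constructed layout: a 4 KiB stack page and two code regions to attribute handlers to.
STACK_BASE = 0x0019F000
REGIONS: Dict[str, Tuple[int, int]] = {
    "stage1": (0x00401000, 0x4000),         # (start, size) of the first-stage shellcode
    "alloc_stage2": (0x00E40000, 0x10000),  # buffer where the unpacked stage2 landed
}


@dataclass
class SehRecord:
    address: int      # where the record itself lives (on the stack)
    next_record: int  # Next field
    handler: int      # Handler field


def read_dword(dump: bytes, base: int, addr: int) -> Optional[int]:
    """Read a little-endian DWORD at virtual address `addr`; None if outside the dump."""
    off = addr - base
    if off < 0 or off + 4 > len(dump):
        return None
    return struct.unpack_from("<I", dump, off)[0]


def walk_seh_chain(dump: bytes, base: int, head: int, limit: int = 64) -> Tuple[List[SehRecord], str]:
    """Follow the chain from `head` (the value fs:[0] holds).

    Returns the records found and why the walk stopped: 'end' (hit 0xFFFFFFFF),
    'cycle' (a record links back to one already seen), 'out_of_dump' (a pointer
    leaves the dumped region, e.g. a corrupted record) or 'limit' (too long).
    """
    records: List[SehRecord] = []
    seen = set()
    cur = head
    while len(records) < limit:
        if cur == END_OF_CHAIN:
            return records, "end"
        if cur in seen:
            return records, "cycle"
        nxt = read_dword(dump, base, cur)
        handler = read_dword(dump, base, cur + 4)
        if nxt is None or handler is None:
            return records, "out_of_dump"
        seen.add(cur)
        records.append(SehRecord(cur, nxt, handler))
        cur = nxt
    return records, "limit"


def classify_handler(handler: int, regions: Dict[str, Tuple[int, int]]) -> str:
    """Name the region a handler falls in, or 'unknown' (e.g. a system DLL not in the table)."""
    for name, (start, size) in regions.items():
        if start <= handler < start + size:
            return name
    return "unknown"


def build_sample_dump(looped: bool = False) -> bytes:
    """Constructed stack page with two records; `looped` makes the second point back to the first."""
    dump = bytearray(0x1000)

    def put_record(addr: int, nxt: int, handler: int) -> None:
        struct.pack_into("<II", dump, addr - STACK_BASE, nxt, handler)

    first, second = 0x0019F400, 0x0019F4A0
    put_record(first, second, 0x00E40120)                              # handler inside the stage2 buffer
    put_record(second, first if looped else END_OF_CHAIN, 0x00401200)  # stage1's own handler
    return bytes(dump)


def describe_chain(dump: bytes, base: int, head: int) -> List[str]:
    """One line per record (address, handler, owning region) plus the stop reason."""
    records, reason = walk_seh_chain(dump, base, head)
    lines = [f"{r.address:08x}: handler {r.handler:08x} ({classify_handler(r.handler, REGIONS)})" for r in records]
    lines.append(f"stopped: {reason}")
    return lines


if __name__ == "__main__":
    for line in describe_chain(build_sample_dump(), STACK_BASE, 0x0019F400):
        print(line)
```

Against a real dump you would feed the bytes written by "mdd", the base shown by "m", and the fs:[0] value from the console; the region table is just the "ma" output, so a handler that classifies as one of the shellcode's own allocations is exactly the "SEH pointing into stage2" situation described above.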

to be continued ...


https://github.com/sha0coder/scemu





