Emulating Shellcodes - Chapter 2

 Lets check different  Cobalt Strike shellcodes and stages in the shellcodes emulator SCEMU.

This stages are fully emulated well and can get the IOC and the behavior of the shellcode.

But lets see another first stage big shellcode with c runtime embedded in a second stage.

In this case is loading tons of API using GetProcAddress at the beginning, then some encode/decode pointer and tls get/set values to store an address. And ends up crashing because is jumping an address that seems more code than address 0x9090f1eb.

Here there are two types of allocations:

Lets spawn a console on -c 3307548 and see if some of this allocations has the next stage.

The "m" command show all the memory maps but the "ma" show only the allocations done by the shellcode.

Dumping memory with "md" we see that there is data, and dissasembling this address with "d" we see the prolog of a function.

So we have second stage unpacked in alloc_e40064

With "mdd" we do a memory dump to disk we found the size in previous screenshot,  and we can do  some static reversing of stage2 in radare/ghidra/ida

In radare we can verify that the extracted is the next stage:

I usually do correlation between the emulation and ghidra, to understand the algorithms.

If wee look further we can realize that the emulator called a function on the stage2, we can see the change of code base address and  is calling the allocated buffer in 0x4f...

And this  stage2 perform several API calls let's check it in ghidra.

We can see in the emulator that enters in the IF block, and what are the (*DAT_...)() calls

Before a crash lets continue to the SEH pointer, in this case is the way, and the exception routine checks IsDebuggerPresent() which is not any debugger pressent for sure, so eax = 0;

So lets say yes and continue the emulation.

Both IsDebuggerPresent() and UnHandledExceptionFilter() can be used to detect a debugger, but the emulator return what has to return to not be detected. 

Nevertheless the shellcode detects something and terminates the process.

Lets trace the branches to understand the logic:

target/release/scemu -f shellcodes/unsuported_cs.bin -vv | egrep '(\*\*|j|cmp|test)'

Continuing the emulation it's setting the SEH  pointer to previous stage:

Lets see from the console where is pointing the SEH chain item:

to be continued ...

https://github.com/sha0coder/scemu

More information

1. Hacker Tools Free
2. Wifi Hacker Tools For Windows
3. Hacking Tools For Games
4. Hack Rom Tools
5. Hackers Toolbox
6. Tools 4 Hack
7. Hack Tools For Games
8. Hackrf Tools
9. Hack Tool Apk No Root
10. Pentest Tools Kali Linux
11. Hacking Tools And Software
12. Hackers Toolbox
13. Hack And Tools
14. Hacking Tools And Software
15. Hacker Tools Free
16. Usb Pentest Tools
17. Physical Pentest Tools
18. Hacking Tools For Mac
19. Pentest Tools Download
20. Tools 4 Hack
21. Hacker Tools Windows
22. Termux Hacking Tools 2019
23. Pentest Tools For Mac
24. Nsa Hacker Tools
25. Hacker Tools Windows
26. Hacking App
27. Hacker Tools Linux
28. New Hack Tools
29. Hack Tools For Windows
30. Hacker Security Tools
31. Underground Hacker Sites
32. Bluetooth Hacking Tools Kali
33. Hacker
34. Blackhat Hacker Tools
35. Hack Tools
36. Pentest Tools List
37. Hacker Tools Free
38. Pentest Tools Website
39. Hacker Tools Apk Download
40. Pentest Recon Tools
41. Hacking Tools Name
42. Hacking Tools 2019
43. Pentest Tools Free
44. Pentest Tools For Android
45. What Is Hacking Tools
46. New Hack Tools
47. Hacking Tools For Beginners
48. What Are Hacking Tools
49. Hacker Tools Mac
50. Pentest Automation Tools
51. Hack Tools Download
52. Bluetooth Hacking Tools Kali
53. Pentest Tools For Ubuntu
54. Bluetooth Hacking Tools Kali
55. Hack Tools For Pc
56. Pentest Tools Free
57. Hacking Tools Kit
58. Pentest Tools For Windows
59. How To Install Pentest Tools In Ubuntu
60. Tools For Hacker
61. Pentest Tools Port Scanner
62. Pentest Tools For Mac
63. Hacker Tools Windows
64. How To Install Pentest Tools In Ubuntu
65. Pentest Recon Tools
66. Hack Tools 2019
67. Underground Hacker Sites
68. Wifi Hacker Tools For Windows
69. World No 1 Hacker Software
70. Hacker Techniques Tools And Incident Handling
71. Hacker Tools
72. Hacking App
73. Pentest Tools Free
74. Hacking Tools For Beginners
75. Tools For Hacker
76. Hack Tools 2019
77. What Are Hacking Tools
78. Hacking Tools For Windows
79. Pentest Tools Github
80. Hacking Apps
81. Pentest Tools Download
82. Hacker Hardware Tools
83. Pentest Tools For Ubuntu
84. Hackrf Tools
85. Best Hacking Tools 2020
86. Hacking Tools For Mac
87. Hacking Tools For Games
88. Hacking Tools 2020
89. Hack Website Online Tool
90. Hacker Tools For Pc
91. Hack Tools For Games
92. Pentest Tools For Mac
93. Hacking Tools Kit
94. Computer Hacker
95. Hacker Tools Linux
96. Pentest Tools For Ubuntu
97. Termux Hacking Tools 2019
98. Top Pentest Tools
99. Hacking Tools For Games
100. Hack Rom Tools
101. Hack App
102. Hacker Tools Github
103. Tools For Hacker
104. Pentest Tools Subdomain
105. Hack Tool Apk No Root
106. What Is Hacking Tools
107. Hacking Tools 2020
108. Hacking Tools Kit
109. Ethical Hacker Tools
110. Hack Tools For Ubuntu
111. New Hacker Tools
112. Hacking Tools Windows
113. Pentest Tools Framework
114. Hack Tools Online
115. Hacking Tools For Windows Free Download
116. Hack Tools Online
117. Pentest Tools Linux
118. Best Hacking Tools 2019
119. Usb Pentest Tools
120. Hacker Tools For Ios
121. Hacking Tools Kit
122. Blackhat Hacker Tools
123. Pentest Tools Apk
124. Hacker
125. Hacking Tools Free Download
126. Hacking Tools
127. Hacking Tools For Pc
128. Pentest Tools Url Fuzzer
129. Pentest Box Tools Download
130. Ethical Hacker Tools
131. Pentest Tools Alternative
132. Pentest Tools Online
133. How To Make Hacking Tools
134. Hacker Tools Free
135. Wifi Hacker Tools For Windows
136. Hack Website Online Tool
137. How To Install Pentest Tools In Ubuntu
138. Hacks And Tools
139. Hack Tools Online
140. Hack Tools Github
141. Hacking Tools 2020
142. Pentest Tools Github