Emulating Shellcodes - Chapter 2

 Lets check different  Cobalt Strike shellcodes and stages in the shellcodes emulator SCEMU.

This stages are fully emulated well and can get the IOC and the behavior of the shellcode.

But lets see another first stage big shellcode with c runtime embedded in a second stage.

In this case is loading tons of API using GetProcAddress at the beginning, then some encode/decode pointer and tls get/set values to store an address. And ends up crashing because is jumping an address that seems more code than address 0x9090f1eb.

Here there are two types of allocations:

Lets spawn a console on -c 3307548 and see if some of this allocations has the next stage.

The "m" command show all the memory maps but the "ma" show only the allocations done by the shellcode.

Dumping memory with "md" we see that there is data, and dissasembling this address with "d" we see the prolog of a function.

So we have second stage unpacked in alloc_e40064

With "mdd" we do a memory dump to disk we found the size in previous screenshot,  and we can do  some static reversing of stage2 in radare/ghidra/ida

In radare we can verify that the extracted is the next stage:

I usually do correlation between the emulation and ghidra, to understand the algorithms.

If wee look further we can realize that the emulator called a function on the stage2, we can see the change of code base address and  is calling the allocated buffer in 0x4f...

And this  stage2 perform several API calls let's check it in ghidra.

We can see in the emulator that enters in the IF block, and what are the (*DAT_...)() calls

Before a crash lets continue to the SEH pointer, in this case is the way, and the exception routine checks IsDebuggerPresent() which is not any debugger pressent for sure, so eax = 0;

So lets say yes and continue the emulation.

Both IsDebuggerPresent() and UnHandledExceptionFilter() can be used to detect a debugger, but the emulator return what has to return to not be detected. 

Nevertheless the shellcode detects something and terminates the process.

Lets trace the branches to understand the logic:

target/release/scemu -f shellcodes/unsuported_cs.bin -vv | egrep '(\*\*|j|cmp|test)'

Continuing the emulation it's setting the SEH  pointer to previous stage:

Lets see from the console where is pointing the SEH chain item:

to be continued ...

https://github.com/sha0coder/scemu

Related word

• Hacking Tools 2019
• Termux Hacking Tools 2019
• World No 1 Hacker Software
• Hacker Tools Github
• Hacking Tools For Beginners
• Pentest Tools Android
• Pentest Tools For Android
• Hack Tools Online
• Pentest Tools Download
• Pentest Tools Tcp Port Scanner
• Hack Tools For Ubuntu
• Physical Pentest Tools
• Pentest Tools Tcp Port Scanner
• Hacking Tools For Kali Linux
• How To Install Pentest Tools In Ubuntu
• Install Pentest Tools Ubuntu
• Best Hacking Tools 2019
• Hacker Tools For Pc
• Hacking Tools Github
• Pentest Tools Bluekeep
• Top Pentest Tools
• Pentest Tools Review
• Hacking Tools Kit
• Tools 4 Hack
• Pentest Tools Online
• Kik Hack Tools
• Underground Hacker Sites
• Hack Tool Apk No Root
• Pentest Tools Bluekeep
• Wifi Hacker Tools For Windows
• Hacking Tools Download
• Hacker Tools Linux
• Hacker Tools 2020
• Growth Hacker Tools
• New Hack Tools
• Hack And Tools
• Hack Tools For Ubuntu
• Hak5 Tools
• Hack Tools 2019
• Termux Hacking Tools 2019
• Hacking Tools For Kali Linux
• Hacking Tools 2020
• Pentest Tools Website
• Hacker Tools 2020
• Best Pentesting Tools 2018
• Pentest Tools Port Scanner
• Pentest Box Tools Download
• Hacking Tools For Windows Free Download
• Hacker Tools Free Download
• Hacking Tools Name
• Hacker Tools Hardware
• Pentest Tools For Windows
• Pentest Tools Apk
• Hacker Tools For Mac
• Pentest Tools Find Subdomains
• Android Hack Tools Github
• Hacking Tools Windows 10
• Pentest Tools Framework
• New Hacker Tools
• Hackrf Tools
• Hacking Tools Name
• Nsa Hack Tools Download
• Hacking Tools Software
• Wifi Hacker Tools For Windows
• Hacks And Tools
• Free Pentest Tools For Windows
• Hacker Tools 2020
• Hacker Tools Mac
• How To Install Pentest Tools In Ubuntu
• Hacker Tools Online
• Hacking Tools Free Download
• Best Pentesting Tools 2018
• Pentest Tools Tcp Port Scanner
• Pentest Tools For Android
• Pentest Tools For Android
• Hackers Toolbox
• Hack Tools Download
• Hak5 Tools
• Hacker Search Tools
• Hacker Hardware Tools
• Hack Tools Mac
• Best Pentesting Tools 2018
• What Are Hacking Tools
• Hack Tools For Pc
• Hacker Tools
• Android Hack Tools Github
• Black Hat Hacker Tools
• Hacker
• Hacking Tools For Windows
• Hacking Tools 2019
• Top Pentest Tools
• Nsa Hack Tools
• Pentest Tools Android
• New Hacker Tools
• Hacker Tool Kit
• Easy Hack Tools
• Hacking Tools For Kali Linux
• Pentest Tools Open Source
• Github Hacking Tools
• Hacker Tools For Ios
• Hack Tool Apk No Root
• Termux Hacking Tools 2019
• New Hacker Tools
• Hacking Tools Pc
• Pentest Tools Android
• Hacker Tools Windows
• Pentest Tools For Mac
• Hack Tools
• Hacker Search Tools
• Hacking Tools For Pc
• Hack Rom Tools
• Pentest Tools Subdomain
• Hacker Hardware Tools
• Hack Tools Mac
• New Hacker Tools
• Pentest Tools Download
• Pentest Tools Online
• Pentest Tools For Android
• Pentest Tools For Mac
• Bluetooth Hacking Tools Kali
• Pentest Box Tools Download
• Pentest Tools Github
• Hacker Tools 2019
• Hacking Tools Hardware
• Termux Hacking Tools 2019
• Pentest Tools Linux
• Hacker Tools Apk
• Best Pentesting Tools 2018
• Hacking Tools For Games
• Hacker Tools Hardware
• Easy Hack Tools
• Hacking Tools Name
• Hacking Tools Usb
• Hacker Tools Hardware
• Hacker Security Tools
• Hack Tools
• Hack Tools Mac