Friday, May 26, 2023

Emulating Shellcodes - Chapter 2

Let's check different Cobalt Strike shellcodes and stages in the shellcode emulator SCEMU.




These stages are fully emulated, and the emulator recovers the IOCs and the behavior of the shellcode.

But let's look at another big first-stage shellcode, with a C runtime embedded in a second stage.


In this case it loads tons of APIs with GetProcAddress at the beginning, then does some encode/decode pointer and TLS get/set calls to store an address. It ends up crashing because it jumps to 0x9090f1eb, which looks more like code than like an address.

Here there are two types of allocations:


Let's spawn a console at -c 3307548 and see if one of these allocations holds the next stage.

The "m" command shows all the memory maps, but "ma" shows only the allocations done by the shellcode.



Dumping memory with "md" we see that there is data, and disassembling this address with "d" we see the prolog of a function.

So we have the second stage unpacked in alloc_e40064.


With "mdd" we do a memory dump to disk (the size was found in the previous screenshot), and we can do some static reversing of stage2 in radare/ghidra/ida.

In radare we can verify that the extracted buffer is the next stage:


I usually correlate the emulation with ghidra to understand the algorithms.

If we look further we can see that the emulator called a function in stage2: we can see the change of the code base address, and it is calling the allocated buffer at 0x4f...



And this stage2 performs several API calls; let's check it in ghidra.


We can see in the emulator that it enters the IF block, and what the (*DAT_...)() calls are.

Before the crash, let's continue to the SEH pointer; in this case that is the way forward. The exception routine checks IsDebuggerPresent(), and for sure there is no debugger present, so eax = 0.



So let's say yes and continue the emulation.


Both IsDebuggerPresent() and UnhandledExceptionFilter() can be used to detect a debugger, but the emulator returns what it has to return in order not to be detected.

Nevertheless, the shellcode detects something and terminates the process.

Let's trace the branches to understand the logic:


target/release/scemu -f shellcodes/unsuported_cs.bin -vv | egrep '(\*\*|j|cmp|test)'
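As an added example (not part of the original post or of scemu itself), here is a stricter version of that egrep filter in Python: it parses the API-call and instruction lines of a trace and pulls out the GetProcAddress-resolved imports, the shellcode's allocations, the anti-debug calls the post discusses, and the compare/branch instructions. The trace line layout and the sample lines are constructed assumptions, not scemu's real output.

```python
import re

# Constructed sample of an scemu-style verbose trace (-vv). The line layout is
# an assumption for this example; values echo addresses mentioned in the post.
SAMPLE_TRACE = """\
** 1201 kernel32!GetProcAddress(0x75f00000, "VirtualAlloc") = 0x75f3a2b0
** 1202 kernel32!GetProcAddress(0x75f00000, "IsDebuggerPresent") = 0x75f1c0d0
0x401230: cmp eax, 0
0x401233: jne 0x401250
** 1310 kernel32!VirtualAlloc(0, 0x7f000, 0x3000, 0x40) = 0xe40064
** 1311 kernel32!IsDebuggerPresent() = 0
0x401260: test eax, eax
0x401262: jz 0x401290
** 1400 kernel32!UnhandledExceptionFilter(0x19ff20) = 0
"""

# "** <pos> <module>!<api>(<args>) = <ret>" lines are the API calls the emulator logs.
API_RE = re.compile(r'^\*\*\s+(\d+)\s+(\w+)!(\w+)\((.*?)\)\s*=\s*(0x[0-9a-fA-F]+|\d+)')
# "<addr>: <mnemonic> <operands>" lines: keep only compares and jumps (like the egrep).
BRANCH_RE = re.compile(r'^(0x[0-9a-fA-F]+):\s+(j\w+|cmp|test)\b(.*)')
ANTI_DEBUG = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent",
              "UnhandledExceptionFilter", "SetUnhandledExceptionFilter"}

def parse_trace(text):
    """Split a trace into API-call records and compare/branch records."""
    calls, branches = [], []
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            pos, mod, name, args, ret = m.groups()
            calls.append({"pos": int(pos), "api": f"{mod}!{name}",
                          "args": args, "ret": int(ret, 0)})
            continue
        m = BRANCH_RE.match(line)
        if m:
            branches.append({"addr": int(m.group(1), 16),
                             "mnem": m.group(2), "ops": m.group(3).strip()})
    return calls, branches

def summarize(text):
    """IOC-style summary: resolved imports, shellcode allocations, anti-debug checks."""
    calls, branches = parse_trace(text)
    resolved = [re.search(r'"(\w+)"', c["args"]).group(1)
                for c in calls if c["api"].endswith("!GetProcAddress")]
    allocs = [c["ret"] for c in calls if c["api"].endswith("!VirtualAlloc")]
    anti = [c["api"] for c in calls if c["api"].split("!")[1] in ANTI_DEBUG]
    return {"resolved": resolved, "allocs": allocs,
            "anti_debug": anti, "branches": len(branches)}
```

The allocation addresses in the summary are the ones to look up with "ma" and dump with "mdd" when hunting for the unpacked next stage.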



Continuing the emulation, it sets the SEH pointer to the previous stage:


Let's see from the console where the SEH chain item is pointing:


to be continued ...


https://github.com/sha0coder/scemu





