Menu
 
» »Unlabelled » Emulating Shellcodes - Chapter 2

A+ A-

 Lets check different  Cobalt Strike shellcodes and stages in the shellcodes emulator SCEMU.




This stages are fully emulated well and can get the IOC and the behavior of the shellcode.

But lets see another first stage big shellcode with c runtime embedded in a second stage.


In this case is loading tons of API using GetProcAddress at the beginning, then some encode/decode pointer and tls get/set values to store an address. And ends up crashing because is jumping an address that seems more code than address 0x9090f1eb.

Here there are two types of allocations:


Lets spawn a console on -c 3307548 and see if some of this allocations has the next stage.

The "m" command show all the memory maps but the "ma" show only the allocations done by the shellcode.



Dumping memory with "md" we see that there is data, and dissasembling this address with "d" we see the prolog of a function.

So we have second stage unpacked in alloc_e40064


With "mdd" we do a memory dump to disk we found the size in previous screenshot,  and we can do  some static reversing of stage2 in radare/ghidra/ida

In radare we can verify that the extracted is the next stage:


I usually do correlation between the emulation and ghidra, to understand the algorithms.

If wee look further we can realize that the emulator called a function on the stage2, we can see the change of code base address and  is calling the allocated buffer in 0x4f...



And this  stage2 perform several API calls let's check it in ghidra.


We can see in the emulator that enters in the IF block, and what are the (*DAT_...)() calls

Before a crash lets continue to the SEH pointer, in this case is the way, and the exception routine checks IsDebuggerPresent() which is not any debugger pressent for sure, so eax = 0;



So lets say yes and continue the emulation.


Both IsDebuggerPresent() and UnHandledExceptionFilter() can be used to detect a debugger, but the emulator return what has to return to not be detected. 

Nevertheless the shellcode detects something and terminates the process.

Lets trace the branches to understand the logic:


target/release/scemu -f shellcodes/unsuported_cs.bin -vv | egrep '(\*\*|j|cmp|test)'



Continuing the emulation it's setting the SEH  pointer to previous stage:


Lets see from the console where is pointing the SEH chain item:


to be continued ...


https://github.com/sha0coder/scemu






More info


  1. Hacker
  2. Pentest Tools Bluekeep
  3. New Hacker Tools
  4. Nsa Hack Tools Download
  5. Hacker Tools Free Download
  6. Hacker Techniques Tools And Incident Handling
  7. Hacking Tools For Beginners
  8. Hacker Tools For Windows
  9. Hack Rom Tools
  10. New Hacker Tools
  11. Hacking Tools Pc
  12. How To Make Hacking Tools
  13. Hacker Tools Apk Download
  14. Pentest Tools For Mac
  15. Hacker Tools Mac
  16. Usb Pentest Tools
  17. Hacking Tools For Pc
  18. Pentest Tools Review
  19. Hack Tools
  20. Hacking Tools Windows 10
  21. Nsa Hack Tools Download
  22. Hack Tools
  23. Pentest Tools Free
  24. Computer Hacker
  25. Hackrf Tools
  26. Hacker Tools
  27. Hacking Tools For Windows
  28. Pentest Tools Kali Linux
  29. Install Pentest Tools Ubuntu
  30. Ethical Hacker Tools
  31. Hacker Tools For Pc
  32. Hacker Tools Software
  33. Growth Hacker Tools
  34. Pentest Tools Download
  35. Hack Tools Download
  36. Pentest Tools Subdomain
  37. Hack Tools Online
  38. Physical Pentest Tools
  39. Pentest Tools Android
  40. Ethical Hacker Tools
  41. Computer Hacker
  42. Top Pentest Tools
  43. Hack Tools For Games
  44. Pentest Box Tools Download
  45. Hack Tools
  46. Hack Tools For Games
  47. Physical Pentest Tools
  48. Android Hack Tools Github
  49. Hacking Tools Software
  50. Tools Used For Hacking
  51. Pentest Tools Online
  52. Black Hat Hacker Tools
  53. Wifi Hacker Tools For Windows
  54. Pentest Tools Online
  55. Free Pentest Tools For Windows
  56. Hacking Tools Github
  57. How To Install Pentest Tools In Ubuntu
  58. Pentest Tools For Windows
  59. Pentest Tools Github
  60. Pentest Tools Kali Linux
  61. Usb Pentest Tools
  62. Pentest Tools Open Source
  63. Ethical Hacker Tools
  64. Pentest Tools Bluekeep
  65. Pentest Tools Alternative
  66. Termux Hacking Tools 2019
  67. Hacker Tools 2020
  68. Pentest Tools Bluekeep
  69. Pentest Tools List
  70. Growth Hacker Tools
  71. Pentest Tools Download
  72. Bluetooth Hacking Tools Kali
  73. Hack Rom Tools
  74. Hack Tools Download
  75. Pentest Tools For Mac
  76. Pentest Box Tools Download
  77. Hacker Tools Apk
  78. Pentest Tools Alternative
  79. Hacking Tools 2020
  80. Hacking Tools Windows
  81. Tools For Hacker
  82. Nsa Hack Tools Download
  83. Hacking Tools Name
  84. How To Hack
  85. Pentest Tools Url Fuzzer
  86. Hacker Tools 2020
  87. Pentest Tools For Windows
  88. Pentest Tools For Windows
  89. What Is Hacking Tools
  90. Hacking Tools Windows
  91. Pentest Tools Alternative
  92. Tools 4 Hack
  93. Computer Hacker
  94. Pentest Tools Online
  95. Growth Hacker Tools
  96. Underground Hacker Sites
  97. Hack Tool Apk
  98. Hacking Tools For Windows Free Download
  99. Underground Hacker Sites
  100. Hack Tool Apk
  101. Hacker Tools 2019
  102. How To Make Hacking Tools
  103. Hack Tools
  104. Pentest Box Tools Download
  105. What Are Hacking Tools
  106. Tools For Hacker
  107. How To Install Pentest Tools In Ubuntu
  108. Top Pentest Tools
  109. Tools Used For Hacking
  110. Hackers Toolbox
  111. Hack Apps
  112. Hacking Tools For Windows 7
  113. Hacking Tools For Kali Linux
  114. Pentest Tools Apk
  115. What Is Hacking Tools
  116. Pentest Tools Windows
  117. Hacking Tools Kit
  118. New Hack Tools
  119. Physical Pentest Tools
  120. Best Pentesting Tools 2018
  121. Hacking Tools For Windows Free Download
  122. Hack Tools Mac
  123. Hacking Tools Windows
  124. New Hacker Tools
  125. Hacker Tools Software
  126. Hack Tools
  127. Pentest Tools Port Scanner
  128. Bluetooth Hacking Tools Kali
  129. Pentest Box Tools Download
  130. Hack Website Online Tool
  131. Hacking Tools Mac
  132. Pentest Tools Open Source
  133. Pentest Tools Kali Linux
  134. Pentest Tools Tcp Port Scanner
  135. Hacking Tools For Mac
  136. Hacker Tools Github
  137. Beginner Hacker Tools
  138. Hacker
  139. Pentest Tools For Android
  140. Hacker Tools Apk Download
  141. Tools For Hacker
  142. Bluetooth Hacking Tools Kali
  143. Hacking Tools For Games
  144. Pentest Tools Subdomain
  145. Nsa Hack Tools
  146. Hacking Tools Software
di 07.07

Posting Komentar

Langganan: Posting Komentar (Atom)
 
Top