吉沃运营专员 posted on 2022-01-26 16:21:53

scemu: emulating shellcode execution

scemu is a 32-bit x86 emulator for running shellcode safely; 64-bit support is still on the way ...

1. Features


[*]Rust memory safety, suitable for running malware;
[*]all dependencies are written in Rust;
[*]fast:
  [*]3 million instructions per second;
  [*]100,000 instructions per second while printing;
[*]powered by the iced-x86 Rust disassembler;
[*]loop (iteration) detector;
[*]memory and register tracing;
[*]colorized output;
[*]stop at any moment to inspect and modify the state;
[*]105 instructions implemented;
[*]112 WinAPIs from 5 DLLs implemented;
[*]all Linux syscalls supported;
[*]SEH chain;
[*]vectored exception handler;
[*]PEB and TEB structures;
[*]memory allocator;
[*]tested with known payloads:
  [*]Metasploit shellcodes;
  [*]Metasploit encoders;
  [*]Cobalt Strike;
  [*]Shellgen;
  [*]GuLoader;

2. Usage

SCEMU 32bits emulator for Shellcodes 0.2.5
@sha0coder

USAGE:
    scemu

FLAGS:
    -e, --endpoint    perform communications with the endpoint, use tor or vpn!
    -h, --help        Prints help information
    -l, --loops       show loop iterations, it is slow.
    -m, --memory      trace all the memory accesses read and write.
    -n, --nocolors    print without colors for redirecting to a file >out
    -r, --regs        print the register values in every step.
    -V, --version     Prints version information
    -v, --verbose     -vv for view the assembly, -v only messages, without verbose only see the api calls and goes
                      faster

OPTIONS:
    -b, --base <ADDRESS>            set base address for code
    -c, --console <NUMBER>          select in which moment will spawn the console to inspect.
    -C, --console_addr <ADDRESS>    spawn console on first eip = address
    -a, --entry <ADDRESS>           entry point of the shellcode, by default starts from the beginning.
    -f, --filename <FILE>           set the shellcode binary file.
    -i, --inspect <DIRECTION>       monitor memory like: -i 'dword ptr
    -M, --maps <PATH>               select the memory maps folder
    -R, --reg <REGISTER>            trace a specific register in every step, value and content
    -s, --string <ADDRESS>          monitor string on a specific address

Note that -e makes the emulator really talk to the shellcode's endpoint (its C2), so only use it from an isolated host behind Tor or a VPN.

3. Some usage examples

scemu emulating a simple shellcode and detecting the execve() system call:



Stopping at a chosen instruction to inspect memory:



GuLoader emulated on Linux for nearly two million instructions; it spoofs cpuid and other checks, which is enough to confuse a debugger:



Memory dump of the API loader:



The tool ships with a set of default memory maps; maps can also be created by hand:



Emulating a Windows shellcode based on LdrLoadDll() and printing its output:



The console lets you inspect and edit the current CPU state:

--- console ---
=>h
--- help ---
q ...................... quit
cls .................... clear screen
h ...................... help
s ...................... stack
v ...................... vars
r ...................... register show all
r reg .................. show reg
rc ..................... register change
f ...................... show all flags
fc ..................... clear all flags
fz ..................... toggle flag zero
fs ..................... toggle flag sign
c ...................... continue
ba ..................... breakpoint on address
bi ..................... breakpoint on instruction number
bmr .................... breakpoint on read memory
bmw .................... breakpoint on write memory
bc ..................... clear breakpoint
n ...................... next instruction
eip .................... change eip
push ................... push dword to the stack
pop .................... pop dword from stack
fpu .................... fpu view
md5 .................... check the md5 of a memory map
seh .................... view SEH
veh .................... view vectored exception pointer
m ...................... memory maps
ma ..................... memory allocs
mc ..................... memory create map
mn ..................... memory name of an address
ml ..................... memory load file content to map
mr ..................... memory read, specify ie: dword ptr
mw ..................... memory write, specify ie: dword ptr and then: 1af
md ..................... memory dump
mrd .................... memory read dwords
mds .................... memory dump string
mdw .................... memory dump wide string
mdd .................... memory dump to disk
mt ..................... memory test
ss ..................... search string
sb ..................... search bytes
sba .................... search bytes in all the maps
ssa .................... search string in all the maps
ll ..................... linked list walk
d ...................... disassemble
dt ..................... dump structure
enter .................. step into

The Cobalt Strike API loader works much like Metasploit's; the emulation result is as follows:



Cobalt Strike API calls:



Metasploit rshell API calls:



The Metasploit SGN encoder uses the FPU to hide its polymorphism:



Metasploit shikata-ga-nai encoder:



Showing the PEB structure:

=>dt
structure=>peb
address=>0x7ffdf000
PEB {
    reserved1: [
      0x0,
      0x0,
    ],
    being_debugged: 0x0,
    reserved2: 0x0,
    reserved3: [
      0xffffffff,
      0x400000,
    ],
    ldr: 0x77647880,
    process_parameters: 0x2c1118,
    reserved4: [
      0x0,
      0x2c0000,
      0x77647380,
    ],
    alt_thunk_list_ptr: 0x0,
    reserved5: 0x0,
    reserved6: 0x6,
    reserved7: 0x773cd568,
    reserved8: 0x0,
    alt_thunk_list_ptr_32: 0x0,
    reserved9: [
      0x0,
...

Showing the PEB_LDR_DATA structure:

=>dt
structure=>PEB_LDR_DATA
address=>0x77647880
PebLdrData {
    length: 0x30,
    initializated: 0x1,
    sshandle: 0x0,
    in_load_order_module_list: ListEntry {
      flink: 0x2c18b8,
      blink: 0x2cff48,
    },
    in_memory_order_module_list: ListEntry {
      flink: 0x2c18c0,
      blink: 0x2cff50,
    },
    in_initialization_order_module_list: ListEntry {
      flink: 0x2c1958,
      blink: 0x2d00d0,
    },
    entry_in_progress: ListEntry {
      flink: 0x0,
      blink: 0x0,
    },
}
=>

Showing the LDR_DATA_TABLE_ENTRY and the first module name:

=>dt
structure=>LDR_DATA_TABLE_ENTRY
address=>0x2c18c0
LdrDataTableEntry {
    reserved1: [
      0x2c1950,
      0x77647894,
    ],
    in_memory_order_module_links: ListEntry {
      flink: 0x0,
      blink: 0x0,
    },
    reserved2: [
      0x0,
      0x400000,
    ],
    dll_base: 0x4014e0,
    entry_point: 0x1d000,
    reserved3: 0x40003e,
    full_dll_name: 0x2c1716,
    reserved4: [
      0x0,
      0x0,
      0x0,
      0x0,
      0x0,
      0x0,
      0x0,
      0x0,
    ],
    reserved5: [
      0x17440012,
      0x4000002c,
      0xffff0000,
    ],
    checksum: 0x1d6cffff,
    reserved6: 0xa640002c,
    time_date_stamp: 0xcdf27764,
}
=>
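The three structures dumped above are exactly what a Metasploit or Cobalt Strike API loader walks to find kernel32 without any import table. The following is an added worked example (my code, not scemu's or sha0coder's): it rebuilds the PEB -> Ldr -> InMemoryOrderModuleList walk over a constructed 32-bit memory image and resolves a module by the ROR13 hash of its BaseDllName, the scheme Metasploit's block_api uses. The image base, layout, module names and base addresses are assumptions chosen for the example.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not scemu's code: a Metasploit-style module lookup over a
 * constructed 32-bit memory image.  Layout, names and bases are invented. */

#define IMG_BASE 0x00300000u              /* assumed guest address of g_img */
#define IMG_SIZE 0x1000u
static uint8_t g_img[IMG_SIZE];

#define PEB_VA      (IMG_BASE + 0x000)
#define LDR_VA      (IMG_BASE + 0x100)
#define ENTRY_VA(n) (IMG_BASE + 0x200 + (n) * 0x80)   /* LDR_DATA_TABLE_ENTRY n */
#define NAME_VA(n)  (IMG_BASE + 0x800 + (n) * 0x40)   /* UTF-16LE BaseDllName n */

/* Bounds-checked guest memory: an emulator faults here instead of crashing. */
static uint8_t *gp(uint32_t va, uint32_t len) {
    assert(va >= IMG_BASE && len <= IMG_SIZE && va - IMG_BASE <= IMG_SIZE - len);
    return g_img + (va - IMG_BASE);
}
static uint32_t rd32(uint32_t va) { uint32_t v; memcpy(&v, gp(va, 4), 4); return v; }
static uint16_t rd16(uint32_t va) { uint16_t v; memcpy(&v, gp(va, 2), 2); return v; }
static uint8_t  rd8 (uint32_t va) { return *gp(va, 1); }
static void wr32(uint32_t va, uint32_t v) { memcpy(gp(va, 4), &v, 4); }
static void wr16(uint32_t va, uint16_t v) { memcpy(gp(va, 2), &v, 2); }

/* One block_api hash step: fold lowercase (the loader only compares against
 * 'a'), rotate the accumulator right by 13, add the byte. */
static uint32_t hash_step(uint32_t h, uint8_t c) {
    if (c >= 'a') c -= 0x20;
    return ((h >> 13) | (h << 19)) + c;
}

/* Hash an ASCII name the way the loader hashes the UTF-16LE BaseDllName:
 * each code unit contributes its low byte and a zero high byte, and the
 * loader runs over MaximumLength bytes, which includes the wide NUL. */
static uint32_t ror13_module_hash(const char *name) {
    uint32_t h = 0;
    for (size_t i = 0; i <= strlen(name); i++) {
        h = hash_step(h, (uint8_t)name[i]);
        h = hash_step(h, 0);
    }
    return h;
}

/* Walk InMemoryOrderModuleList and return DllBase of the entry whose name
 * hashes to `want` (0 if none); *seen counts entries visited.  Offsets are
 * the 32-bit ones shellcode hard-codes: PEB+0x0c Ldr, Ldr+0x14 the list head,
 * and from the LIST_ENTRY inside the table entry (entry+8): +0x10 DllBase,
 * +0x26 BaseDllName.MaximumLength, +0x28 BaseDllName.Buffer. */
static uint32_t find_module_by_hash(uint32_t peb, uint32_t want, int *seen) {
    uint32_t head = rd32(peb + 0x0c) + 0x14;
    uint32_t link = rd32(head);
    int n = 0;
    while (link != head && link != 0 && n < 64) {   /* 64: cycle guard, not a Windows limit */
        uint32_t dll_base = rd32(link + 0x10);
        uint16_t max_len  = rd16(link + 0x26);
        uint32_t buf      = rd32(link + 0x28);
        uint32_t h = 0;
        for (uint16_t i = 0; i < max_len; i++) h = hash_step(h, rd8(buf + i));
        n++;
        if (h == want) { if (seen) *seen = n; return dll_base; }
        link = rd32(link);                           /* Flink */
    }
    if (seen) *seen = n;
    return 0;
}

/* Constructed image: PEB, PEB_LDR_DATA and three entries linked in memory
 * order with the exe first, as ntdll lays them out. */
static void build_image(void) {
    static const char *names[] = { "emul.exe", "ntdll.dll", "KERNEL32.DLL" };
    static const uint32_t bases[] = { 0x00400000u, 0x77630000u, 0x75a00000u };
    uint32_t head = LDR_VA + 0x14;
    memset(g_img, 0, sizeof g_img);
    wr32(PEB_VA + 0x0c, LDR_VA);
    wr32(head, ENTRY_VA(0) + 8);
    wr32(head + 4, ENTRY_VA(2) + 8);
    for (int i = 0; i < 3; i++) {
        uint32_t e = ENTRY_VA(i);
        size_t len = strlen(names[i]);
        wr32(e + 0x08, i == 2 ? head : ENTRY_VA(i + 1) + 8);   /* InMemoryOrderLinks.Flink */
        wr32(e + 0x0c, i == 0 ? head : ENTRY_VA(i - 1) + 8);   /* .Blink */
        wr32(e + 0x18, bases[i]);                               /* DllBase */
        wr16(e + 0x2c, (uint16_t)(len * 2));                    /* BaseDllName.Length */
        wr16(e + 0x2e, (uint16_t)(len * 2 + 2));                /* .MaximumLength */
        wr32(e + 0x30, NAME_VA(i));                             /* .Buffer */
        for (size_t k = 0; k < len; k++)
            wr16(NAME_VA(i) + 2 * (uint32_t)k, (uint16_t)(uint8_t)names[i][k]);
    }
}

int main(void) {
    int seen = 0;
    build_image();
    uint32_t base = find_module_by_hash(PEB_VA, ror13_module_hash("kernel32.dll"), &seen);
    printf("kernel32.dll base 0x%08x found after %d entries\n", base, seen);
    return base == 0x75a00000u ? 0 : 1;
}
```

The case fold is why the lookup for "kernel32.dll" matches an entry named "KERNEL32.DLL", and the walk stops when Flink comes back to the list head; the extra 64-entry cap is this example's own protection against a corrupted or deliberately circular list, which an emulator needs before it trusts guest memory.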

Malware hiding information in exceptions:

3307726 0x4f9673: push ebp
3307727 0x4f9674: push edx
3307728 0x4f9675: push eax
3307729 0x4f9676: push ecx
3307730 0x4f9677: push ecx
3307731 0x4f9678: push 4F96F4h
3307732 0x4f967d: push dword ptr fs:
Reading SEH 0x0
-------
3307733 0x4f9684: mov   eax,
--- console ---
=>

Inspecting the exception record:

--- console ---
=>r esp
      esp: 0x22de98
=>dt
structure=>cppeh_record
address=>0x22de98
CppEhRecord {
    old_esp: 0x0,
    exc_ptr: 0x4f96f4,
    next: 0xfffffffe,
    exception_handler: 0xfffffffe,
    scope_table: PScopeTableEntry {
      enclosing_level: 0x278,
      filter_func: 0x51068c,
      handler_func: 0x288,
    },
    try_level: 0x288,
}
=>
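The trace above is the classic trick: push a handler address, push fs:[0], and then fault on purpose so execution continues inside the handler. An emulator or an EDR catches it by walking the chain from fs:[0] and asking where each handler lives. Here is an added example of that check (my code, not scemu's): it walks a constructed stack image with the innermost record at the esp shown in the console above, flags handlers outside every known image, and refuses chains that leave the stack or loop. The stack limits, image ranges and handler addresses are assumptions chosen for the example.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not scemu's code: validate an x86 SEH chain over a
 * constructed stack image.  Stack range, images and addresses are invented. */

#define STK_BASE 0x0022d000u      /* assumed stack limits of the emulated thread */
#define STK_SIZE 0x2000u
static uint8_t g_stk[STK_SIZE];

static int in_stack(uint32_t va, uint32_t len) {
    return va >= STK_BASE && len <= STK_SIZE && va - STK_BASE <= STK_SIZE - len;
}
static uint32_t rd32(uint32_t va) {
    uint32_t v; assert(in_stack(va, 4)); memcpy(&v, g_stk + (va - STK_BASE), 4); return v;
}
static void wr32(uint32_t va, uint32_t v) {
    assert(in_stack(va, 4)); memcpy(g_stk + (va - STK_BASE), &v, 4);
}

/* Images a legitimate handler may point into (assumed bases and sizes). */
struct image { const char *name; uint32_t lo, hi; };
static const struct image g_images[] = {
    { "emul.exe",     0x00400000u, 0x00420000u },
    { "kernel32.dll", 0x75a00000u, 0x75ad0000u },
    { "ntdll.dll",    0x77630000u, 0x77770000u },
};
static const char *image_of(uint32_t va) {
    for (size_t i = 0; i < sizeof g_images / sizeof g_images[0]; i++)
        if (va >= g_images[i].lo && va < g_images[i].hi) return g_images[i].name;
    return NULL;
}

#define SEH_END 0xFFFFFFFFu       /* Next of the last EXCEPTION_REGISTRATION_RECORD */
#define SEH_MAX_FRAMES 32         /* cycle guard for this example, not a Windows limit */

struct seh_report {
    int frames;                   /* records visited */
    int foreign;                  /* handlers outside every known image */
    uint32_t first_foreign;       /* address of the first such handler */
    int broken;                   /* chain left the stack, looped, or was misaligned */
};

/* Walk from `head` (the value of fs:[0]); each record is {Next, Handler}.
 * ntdll rejects records outside the stack limits or misaligned, and since
 * frames are pushed toward lower addresses, Next should point upward;
 * this example treats anything else as a forged or looping chain. */
static struct seh_report walk_seh(uint32_t head) {
    struct seh_report r = { 0, 0, 0, 0 };
    uint32_t rec = head;
    while (rec != SEH_END) {
        if (!in_stack(rec, 8) || (rec & 3) || r.frames >= SEH_MAX_FRAMES) { r.broken = 1; break; }
        uint32_t next = rd32(rec), handler = rd32(rec + 4);
        r.frames++;
        if (!image_of(handler) && r.foreign++ == 0) r.first_foreign = handler;
        if (next != SEH_END && next <= rec) { r.broken = 1; break; }
        rec = next;
    }
    return r;
}

/* Constructed chain: a shellcode-registered handler on a heap-like address
 * as the innermost record, then the usual kernel32 and ntdll frames. */
#define FS0 0x0022de98u
static void build_chain(void) {
    memset(g_stk, 0, sizeof g_stk);
    wr32(FS0,         0x0022df50u); wr32(FS0 + 4,         0x00f10c40u); /* shellcode handler */
    wr32(0x0022df50u, 0x0022ef80u); wr32(0x0022df50u + 4, 0x75a1c0d0u); /* kernel32 */
    wr32(0x0022ef80u, SEH_END);     wr32(0x0022ef80u + 4, 0x7768b5a0u); /* ntdll final handler */
}

/* Forged variant: the first record points Next at itself, so a naive walker
 * spins forever and the dispatcher keeps re-running the same handler. */
static void build_loop(void) {
    build_chain();
    wr32(FS0, FS0);
}

int main(void) {
    build_chain();
    struct seh_report r = walk_seh(FS0);
    printf("frames=%d foreign=%d first_foreign=0x%08x broken=%d\n",
           r.frames, r.foreign, r.first_foreign, r.broken);
    build_loop();
    r = walk_seh(FS0);
    printf("looped chain: frames=%d broken=%d\n", r.frames, r.broken);
    return 0;
}
```

A handler that is neither in the main image nor in a system DLL is the signal worth acting on: in the page's trace the pushed handler 4F96F4h is where the malware's real logic resumes after the deliberate fault, and the stack-limit, alignment and direction checks keep a forged chain from sending the walker itself off into guest-controlled memory.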