DecoyMini 技术交流社区

 找回密码
 立即注册

QQ登录

只需一步,快速开始

搜索
查看: 4701|回复: 0

[工具] scemu 模拟 shellcode 执行

[复制链接]

188

主题

35

回帖

30

荣誉

Rank: 9Rank: 9Rank: 9

UID
2
积分
354
精华
1
沃币
2 枚
注册时间
2021-6-24

论坛管理

发表于 2022-1-26 16:21:53 | 显示全部楼层 |阅读模式
scemu 是一个 x86 32 位模拟器,用于安全地模拟 shellcode,64 位还在路上 ......

一、特性

  • Rust 安全,适用于恶意软件;
  • 所有依赖项基于 Rust;
  • 速度运行快;
  • 每秒 300 万条指令;
  • 每秒打印 100000 条指令;
  • iced-x86 rust 反编译器提供支持;
  • 迭代检测器;
  • 内存和寄存器跟踪;
  • 代码颜色高亮显示;
  • 支持在某个时刻停止、分析和修改状态;
  • 实现了 105 条指令;
  • 实现了 5 个 DLL 的 112 个 WinAPI;
  • 支持所有的 Linux 系统调用 syscall;
  • SEH 链;
  • 向量异常处理程序;
  • 支持 PEB、TEB 结构;
  • 带有内存分配器;
  • 支持使用已知 Payload 测试;
  • Metasploit Shellcode;
  • Metasploit Encoder;
  • Cobalt Strike;
  • Shellgen;
  • Guloader;

二、用法

  1. SCEMU 32bits emulator for Shellcodes 0.2.5
  2. @sha0coder

  3. USAGE:
  4.     scemu [FLAGS] [OPTIONS]

  5. FLAGS:
  6.     -e, --endpoint    perform communications with the endpoint, use tor or vpn!
  7.     -h, --help        Prints help information
  8.     -l, --loops       show loop interations, it is slow.
  9.     -m, --memory      trace all the memory accesses read and write.
  10.     -n, --nocolors    print without colors for redirectin to a file >out
  11.     -r, --regs        print the register values in every step.
  12.     -V, --version     Prints version information
  13.     -v, --verbose     -vv for view the assembly, -v only messages, without verbose only see the api calls and goes
  14.                       faster

  15. OPTIONS:
  16.     -b, --base <ADDRESS>            set base address for code
  17.     -c, --console <NUMBER>          select in which moment will spawn the console to inspect.
  18.     -C, --console_addr <ADDRESS>    spawn console on first eip = address
  19.     -a, --entry <ADDRESS>           entry point of the shellcode, by default starts from the beginning.
  20.     -f, --filename <FILE>           set the shellcode binary file.
  21.     -i, --inspect <DIRECTION>       monitor memory like: -i 'dword ptr [ebp + 0x24]
  22.     -M, --maps <PATH>               select the memory maps folder
  23.     -R, --reg <REGISTER>            trace a specific register in every step, value and content
  24.     -s, --string <ADDRESS>          monitor string on a specific address
复制代码

三、一些使用粟子

scemu 模拟一个简单的 shellcode 并检测 execve() 中断:



选择某一行停止并检查内存:



在 Linux 下模拟了将近两百万条 GuLoader 指令后,伪造 cpuid 和其他内容,便足以混淆调试器:



API 加载器的内存导出数据:



工具默认提供了一些映射信息,也可以手动进行创建:



基于 LdrLoadDLl() 的 Windows Shellcode 模拟并输出信息:



终端窗口支持查看和编辑 CPU 的当前状态:

  1. --- console ---
  2. =>h
  3. --- help ---
  4. q ...................... quit
  5. cls .................... clear screen
  6. h ...................... help
  7. s ...................... stack
  8. v ...................... vars
  9. r ...................... register show all
  10. r reg .................. show reg
  11. rc ..................... register change
  12. f ...................... show all flags
  13. fc ..................... clear all flags
  14. fz ..................... toggle flag zero
  15. fs ..................... toggle flag sign
  16. c ...................... continue
  17. ba ..................... breakpoint on address
  18. bi ..................... breakpoint on instruction number
  19. bmr .................... breakpoint on read memory
  20. bmw .................... breakpoint on write memory
  21. bc ..................... clear breakpoint
  22. n ...................... next instruction
  23. eip .................... change eip
  24. push ................... push dword to the stack
  25. pop .................... pop dword from stack
  26. fpu .................... fpu view
  27. md5 .................... check the md5 of a memory map
  28. seh .................... view SEH
  29. veh .................... view vectored execption pointer
  30. m ...................... memory maps
  31. ma ..................... memory allocs
  32. mc ..................... memory create map
  33. mn ..................... memory name of an address
  34. ml ..................... memory load file content to map
  35. mr ..................... memory read, speficy ie: dword ptr [esi]
  36. mw ..................... memory read, speficy ie: dword ptr [esi]  and then: 1af
  37. md ..................... memory dump
  38. mrd .................... memory read dwords
  39. mds .................... memory dump string
  40. mdw .................... memory dump wide string
  41. mdd .................... memory dump to disk
  42. mt ..................... memory test
  43. ss ..................... search string
  44. sb ..................... search bytes
  45. sba .................... search bytes in all the maps
  46. ssa .................... search string in all the maps
  47. ll ..................... linked list walk
  48. d ...................... dissasemble
  49. dt ..................... dump structure
  50. enter .................. step into
复制代码

Cobalt Stike API 加载器与 Metasploit 类似,模拟结果如下:



Cobalt Strike API 调用:



Metasploit rshell API 调用:



Metasploit SGN 编码器使用 FPU 来隐藏 polymorfism:



Metasploit shikata-ga-nai 编码器:



显示 PEB 结构信息:

  1. =>dt
  2. structure=>peb
  3. address=>0x7ffdf000
  4. PEB {
  5.     reserved1: [
  6.         0x0,
  7.         0x0,
  8.     ],
  9.     being_debugged: 0x0,
  10.     reserved2: 0x0,
  11.     reserved3: [
  12.         0xffffffff,
  13.         0x400000,
  14.     ],
  15.     ldr: 0x77647880,
  16.     process_parameters: 0x2c1118,
  17.     reserved4: [
  18.         0x0,
  19.         0x2c0000,
  20.         0x77647380,
  21.     ],
  22.     alt_thunk_list_ptr: 0x0,
  23.     reserved5: 0x0,
  24.     reserved6: 0x6,
  25.     reserved7: 0x773cd568,
  26.     reserved8: 0x0,
  27.     alt_thunk_list_ptr_32: 0x0,
  28.     reserved9: [
  29.         0x0,
  30. ...
复制代码

显示 PEB_LDR_DATA 结构:

  1. =>dt
  2. structure=>PEB_LDR_DATA
  3. address=>0x77647880
  4. PebLdrData {
  5.     length: 0x30,
  6.     initializated: 0x1,
  7.     sshandle: 0x0,
  8.     in_load_order_module_list: ListEntry {
  9.         flink: 0x2c18b8,
  10.         blink: 0x2cff48,
  11.     },
  12.     in_memory_order_module_list: ListEntry {
  13.         flink: 0x2c18c0,
  14.         blink: 0x2cff50,
  15.     },
  16.     in_initialization_order_module_list: ListEntry {
  17.         flink: 0x2c1958,
  18.         blink: 0x2d00d0,
  19.     },
  20.     entry_in_progress: ListEntry {
  21.         flink: 0x0,
  22.         blink: 0x0,
  23.     },
  24. }
  25. =>
复制代码

显示 LDR_DATA_TABLE_ENTRY 和第一个模块名称:

  1. =>dt
  2. structure=>LDR_DATA_TABLE_ENTRY
  3. address=>0x2c18c0
  4. LdrDataTableEntry {
  5.     reserved1: [
  6.         0x2c1950,
  7.         0x77647894,
  8.     ],
  9.     in_memory_order_module_links: ListEntry {
  10.         flink: 0x0,
  11.         blink: 0x0,
  12.     },
  13.     reserved2: [
  14.         0x0,
  15.         0x400000,
  16.     ],
  17.     dll_base: 0x4014e0,
  18.     entry_point: 0x1d000,
  19.     reserved3: 0x40003e,
  20.     full_dll_name: 0x2c1716,
  21.     reserved4: [
  22.         0x0,
  23.         0x0,
  24.         0x0,
  25.         0x0,
  26.         0x0,
  27.         0x0,
  28.         0x0,
  29.         0x0,
  30.     ],
  31.     reserved5: [
  32.         0x17440012,
  33.         0x4000002c,
  34.         0xffff0000,
  35.     ],
  36.     checksum: 0x1d6cffff,
  37.     reserved6: 0xa640002c,
  38.     time_date_stamp: 0xcdf27764,
  39. }
  40. =>
复制代码

恶意软件在异常中隐藏信息:

  1. 3307726 0x4f9673: push  ebp
  2. 3307727 0x4f9674: push  edx
  3. 3307728 0x4f9675: push  eax
  4. 3307729 0x4f9676: push  ecx
  5. 3307730 0x4f9677: push  ecx
  6. 3307731 0x4f9678: push  4F96F4h
  7. 3307732 0x4f967d: push  dword ptr fs:[0]
  8. Reading SEH 0x0
  9. -------
  10. 3307733 0x4f9684: mov   eax,[51068Ch]
  11. --- console ---
  12. =>
复制代码

检查异常结构:

  1. --- console ---
  2. =>r esp
  3.         esp: 0x22de98
  4. =>dt
  5. structure=>cppeh_record
  6. address=>0x22de98
  7. CppEhRecord {
  8.     old_esp: 0x0,
  9.     exc_ptr: 0x4f96f4,
  10.     next: 0xfffffffe,
  11.     exception_handler: 0xfffffffe,
  12.     scope_table: PScopeTableEntry {
  13.         enclosing_level: 0x278,
  14.         filter_func: 0x51068c,
  15.         handler_func: 0x288,
  16.     },
  17.     try_level: 0x288,
  18. }
  19. =>
复制代码

本帖子中包含更多资源

您需要 登录 才可以下载或查看,没有账号?立即注册

x
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

Archiver|小黑屋|DecoyMini 技术交流社区 (吉沃科技) ( 京ICP备2021005070号 )

GMT+8, 2025-1-18 15:59 , Processed in 0.061380 second(s), 26 queries .

Powered by Discuz! X3.4

Copyright © 2001-2023, Tencent Cloud.

快速回复 返回顶部 返回列表