scemu
特征
- 📦rust safety,对恶意软件有利。
- 所有的依赖都in rust。
- 没有unsafe{}块。
- ⚡非常快的仿真(比unicorn快得多)
- 3 000 000指令/秒
- 100,000条指令/第二次打印每条指令-vv。
- 提供iced-x86 rust反编译器库。
- 迭代检测器
- 内存和寄存器跟踪
- 彩色的
- 在特定的时刻停下来,探索或者修改它
- 105项指示得到执行
- 112个WINAPI实现了5个DLLs
- 所有Linux系统调用
- SEH链
- 向量异常处理程序
- PEB,TEB结构
- 内存分配器
- 与INT 3反应。
- 未调试的cpuid
- 具有已知有效载荷的测试:
- more fpu
- mmx
- 64 bits
- scripting?
```
使用
```shell SCEMU 32bits emulator for Shellcodes 0.2.5 @sha0coder
USAGE: scemu [FLAGS] [OPTIONS]
FLAGS: -e, —endpoint perform communications with the endpoint, use tor or vpn! -h, —help Prints help information -l, —loops show loop interations, it is slow. -m, —memory trace all the memory accesses read and write. -n, —nocolors print without colors for redirectin to a file >out -r, —regs print the register values in every step. -V, —version Prints version information -v, —verbose -vv for view the assembly, -v only messages, without verbose only see the api calls and goes faster
OPTIONS: -b, —base
set base address for code -c, —console
```shell
用于 Shellcodes 0.2.5 的 SCEMU 32 位仿真器
@sha0coder
用法:
scemu [标志] [选项]
标志:
-e, --endpoint 与端点进行通信,使用tor或vpn
-h, --help 打印帮助信息
-l, --loops 显示循环交互,它很慢
-m, --memory 跟踪所有内存访问读写
-n, --nocolors 打印不带颜色以重定向到文件 >out
-r, --regs 打印每一步的寄存器值
-V, --version 打印版本信息
-v, --verbose -vv 用于查看程序集,-v 仅消息
选项:
-b, --base <ADDRESS> 设置代码的基地址
-c, --console <NUMBER> 选择在哪个时刻生成要检查的控制台
-C, --console_addr <ADDRESS> 在第一个 eip = 地址上生成控制台
-a, --entry <ADDRESS> shellcode的入口点,默认从头开始
-f, --filename <FILE> 设置 shellcode 二进制文件
-i, --inspect <DIRECTION> 监控内存,例如:-i 'dword ptr [ebp + 0x24]
-M, --maps <PATH> 选择内存映射文件夹
-R, --reg <REGISTER> 在每一步跟踪一个特定的寄存器,值和内容
-s, --string <ADDRESS> 监控特定地址上的字符串
一些用例
Scemu模拟一个检测execve()中断的简单ShellCode:
我们选择一行停止,并检查内存:
在 linux 中模拟了近 200 万条 GuLoader win32 指令后,伪装 cpuid 和其他技巧,到达一个 sigtrap(SIG 崩溃) 以混淆调试器:
API加载程序上的内存转储示例:
默认情况下,有几个映射,可以使用像LoadLibrary A这样的API创建更多,也可以从控制台手动创建:
基于打印消息的LdrLoadDLl()仿真基本WindowsShellCode:
控制台允许查看CPU当前状态的编辑:
--- console ---
=>h
--- help ---
q ...................... quit
cls .................... clear screen
h ...................... help
s ...................... stack
v ...................... vars
r ...................... register show all
r reg .................. show reg
rc ..................... register change
f ...................... show all flags
fc ..................... clear all flags
fz ..................... toggle flag zero
fs ..................... toggle flag sign
c ...................... continue
ba ..................... breakpoint on address
bi ..................... breakpoint on instruction number
bmr .................... breakpoint on read memory
bmw .................... breakpoint on write memory
bc ..................... clear breakpoint
n ...................... next instruction
eip .................... change eip
push ................... push dword to the stack
pop .................... pop dword from stack
fpu .................... fpu view
md5 .................... check the md5 of a memory map
seh .................... view SEH
veh .................... view vectored execption pointer
m ...................... memory maps
ma ..................... memory allocs
mc ..................... memory create map
mn ..................... memory name of an address
ml ..................... memory load file content to map
mr ..................... memory read, speficy ie: dword ptr [esi]
mw ..................... memory read, speficy ie: dword ptr [esi] and then: 1af
md ..................... memory dump
mrd .................... memory read dwords
mds .................... memory dump string
mdw .................... memory dump wide string
mdd .................... memory dump to disk
mt ..................... memory test
ss ..................... search string
sb ..................... search bytes
sba .................... search bytes in all the maps
ssa .................... search string in all the maps
ll ..................... linked list walk
d ...................... dissasemble
dt ..................... dump structure
enter .................. step into
q ......................退出
cls ....................清除屏幕
h ......................帮助
s ......................堆栈
v ......................变量
r ......................注册 显示所有
r reg ..................显示 reg
rc .....................注册更改
f ......................显示所有标志
fc .....................清除所有标志
fz .....................切换标志为零
fs .....................切换标志符号
c ......................继续
ba .....................地址上的断点
bi .....................指令号上的断点
bmr ....................读内存断点
bmw ....................写入内存的断点
bc .....................清除断点
n ......................下一条指令
eip ....................更改eip
push ...................将 dword 推入堆栈
pop ....................从堆栈中弹出 dword
fpu ....................fpu 视图
md5 ....................检查内存映射的md5
seh ....................查看 SEH
veh ....................查看向量执行指针
m ......................内存映射
ma .....................内存分配
mc .....................内存创建映射
mn .....................地址的内存名称
ml .....................内存加载文件内容到映射
mr .....................内存读取,特别是:dword ptr [esi]
mw .....................内存读取,特别是:dword ptr [esi] 然后:1af
md .....................内存转储
mrd ....................内存读取 dwords
mds ....................内存转储字符串
mdw ....................内存转储宽字符串
mdd ....................内存转储到磁盘
mt .....................内存测试
ss .....................搜索字符串
sb .....................搜索字节
sba ....................在所有映射中搜索字节
ssa ....................在所有地图中搜索字符串
ll .....................链表遍历
d ......................拆卸
dt .....................转储结构
enter ..................步入
Cobalt Strike API加载程序与Metasploit相同,并模拟它:
Cobalt Strike的API调用:
Metasploit rshell的API调用:
Metasploit SGN编码器使用少量FPU隐藏多态性:
Metasploit shikata-ga-nai编码器,也以FPU开头:
显示PEB结构:
=>dt
structure=>peb
address=>0x7ffdf000
PEB {
reserved1: [
0x0,
0x0,
],
being_debugged: 0x0,
reserved2: 0x0,
reserved3: [
0xffffffff,
0x400000,
],
ldr: 0x77647880,
process_parameters: 0x2c1118,
reserved4: [
0x0,
0x2c0000,
0x77647380,
],
alt_thunk_list_ptr: 0x0,
reserved5: 0x0,
reserved6: 0x6,
reserved7: 0x773cd568,
reserved8: 0x0,
alt_thunk_list_ptr_32: 0x0,
reserved9: [
0x0,
...
显示PEBLDR数据结构:
=>dt
structure=>PEB_LDR_DATA
address=>0x77647880
PebLdrData {
length: 0x30,
initializated: 0x1,
sshandle: 0x0,
in_load_order_module_list: ListEntry {
flink: 0x2c18b8,
blink: 0x2cff48,
},
in_memory_order_module_list: ListEntry {
flink: 0x2c18c0,
blink: 0x2cff50,
},
in_initialization_order_module_list: ListEntry {
flink: 0x2c1958,
blink: 0x2d00d0,
},
entry_in_progress: ListEntry {
flink: 0x0,
blink: 0x0,
},
}
=>
显示LDR_DATA_TABLE_ENTRY和第一个模块名
=>dt
structure=>LDR_DATA_TABLE_ENTRY
address=>0x2c18c0
LdrDataTableEntry {
reserved1: [
0x2c1950,
0x77647894,
],
in_memory_order_module_links: ListEntry {
flink: 0x0,
blink: 0x0,
},
reserved2: [
0x0,
0x400000,
],
dll_base: 0x4014e0,
entry_point: 0x1d000,
reserved3: 0x40003e,
full_dll_name: 0x2c1716,
reserved4: [
0x0,
0x0,
0x0,
0x0,
0x0,
0x0,
0x0,
0x0,
],
reserved5: [
0x17440012,
0x4000002c,
0xffff0000,
],
checksum: 0x1d6cffff,
reserved6: 0xa640002c,
time_date_stamp: 0xcdf27764,
}
=>
恶意软件在异常中隐藏了一些东西:
3307726 0x4f9673: push ebp
3307727 0x4f9674: push edx
3307728 0x4f9675: push eax
3307729 0x4f9676: push ecx
3307730 0x4f9677: push ecx
3307731 0x4f9678: push 4F96F4h
3307732 0x4f967d: push dword ptr fs:[0]
Reading SEH 0x0
-------
3307733 0x4f9684: mov eax,[51068Ch]
--- console ---
=>
检查异常结构:
--- console ---
=>r esp
esp: 0x22de98
=>dt
structure=>cppeh_record
address=>0x22de98
CppEhRecord {
old_esp: 0x0,
exc_ptr: 0x4f96f4,
next: 0xfffffffe,
exception_handler: 0xfffffffe,
scope_table: PScopeTableEntry {
enclosing_level: 0x278,
filter_func: 0x51068c,
handler_func: 0x288,
},
try_level: 0x288,
}
=>
这里我们有错误例程0x4f96f4和过滤器0x51068c。