I have developed a fast emulator for modern shellcodes, that perform huge loops of millions of instructions emulated for resolving API or for other stuff.
The emulator is in Rust and all the few dependencies as well, so the rust safety is good for emulating malware.
There are shellcodes that can be emulated from the beginning to the end, but when this is not possible the tool has many features that can be used like a console, a memory tracing, register tracing, and so on.
https://github.com/sha0coder/scemu
In less than two seconds we have emulated 7 millions of instructions arriving to the recv.
At this point we have some IOC like the ip:port where it's connecting and other details.
Lets see what happens after the recv() spawning a console at position: 7,012,204
target/release/scemu -f shellcodes/shikata.bin -vv -c 7012204
The "ret" instruction is going to jump to the buffer read with recv() so is a kind of stager.
The option "-e" or "--endpoint" is not ready for now, but it will allow to proxy the calls to get the next stage automatically, but for now we have the details to get the stage.
SCEMU also identify all the Linux syscalls for 32bits shellcodes:
The encoder used in shellgen is also supported https://github.com/MarioVilas/shellgen
Let's check with cobalt-strike:
In verbose mode we could do several greps to see the calls and correlate with ghidra/ida/radare or for example grep the branches to study the emulation flow.
target/release/scemu -f shellcodes/rshell_sgn.bin -vv | grep j
target/release/scemu -f shellcodes/rshell_sgn.bin -vv -c 44000 -l
Comentarios