How to emulate shellcode execution safely with scemu

Posted by: TheHackerWorld official

About scemu

scemu is a shellcode emulator written in Rust. It emulates 32-bit x86 code, so a payload is traced inside the emulator instead of being executed natively, which lets researchers run and analyze shellcode safely.

Features

1. Written in Rust, memory-safe, suited to running malware;
2. All dependencies are Rust;
3. Fast: about 3 million instructions per second;
4. Prints about 100,000 traced instructions per second;
5. Disassembly provided by the iced-x86 Rust disassembler;
6. Loop detector;
7. Memory and register tracing;
8. Colored output;
9. Stop at any point, inspect the state and modify it;
10. 105 instructions implemented;
11. 112 WinAPI functions from 5 DLLs implemented;
12. All Linux syscalls;
13. SEH chain;
14. Vectored exception handlers;
15. PEB and TEB structures;
16. Memory allocator;
17. Tested with known payloads:
    - Metasploit shellcodes;
    - Metasploit encoders;
    - Cobalt Strike;
    - Shellgen;
    - GuLoader.

Download

Clone the project source to your machine with:

git clone https://github.com/sha0coder/scemu.git

Usage

SCEMU 32bits emulator for Shellcodes 0.2.5
@sha0coder

USAGE:
    scemu [FLAGS] [OPTIONS]

FLAGS:
    -e, --endpoint    enable communication with the endpoint (use Tor or a VPN)
    -h, --help        print help information
    -l, --loops       show loop iterations
    -m, --memory      trace every memory read and write
    -n, --nocolors    print without colors
    -r, --regs        print the register values after every step
    -V, --version     print version information
    -v, --verbose     verbose mode; -vv is more verbose

OPTIONS:
    -b, --base <ADDRESS>            set the base address of the code
    -c, --console <NUMBER>          instruction count at which to spawn the console for inspection
    -C, --console_addr <ADDRESS>    spawn the console the first time eip == ADDRESS
    -a, --entry <ADDRESS>           entry point of the shellcode
    -f, --filename <FILE>           the shellcode binary file to emulate
    -i, --inspect <DIRECTION>       monitor memory, for example: -i 'dword ptr [ebp + 0x24]'
    -M, --maps <PATH>               directory containing the memory maps
    -R, --reg <REGISTER>            trace the given register, showing its value and the content it points to
    -s, --string <ADDRESS>          monitor the string at the given address

Usage scenarios

scemu emulating a simple Linux shellcode and catching the execve() system-call interrupt: (screenshot not reproduced)

Stopping at a chosen instruction and inspecting memory: (screenshot not reproduced)

Emulating close to two million GuLoader instructions on Linux; the loader's faked cpuid results and other environment checks are what confuse debuggers: (screenshot not reproduced)

Memory dump of the API loader: (screenshot not reproduced)

scemu ships with a set of default maps, and you can also create your own: (screenshot not reproduced)

Emulating a Windows shellcode that loads libraries through LdrLoadDll(), with its output: (screenshot not reproduced)

The console lets you inspect and edit the current CPU state:

--- console ---

=>h

--- help ---

q ...................... quit

cls .................... clear screen

h ...................... help

s ...................... stack

v ...................... vars

r ...................... register show all

r reg .................. show reg

rc ..................... register change

f ...................... show all flags

fc ..................... clear all flags

fz ..................... toggle flag zero

fs ..................... toggle flag sign

c ...................... continue

ba ..................... breakpoint on address

bi ..................... breakpoint on instruction number

bmr .................... breakpoint on read memory

bmw .................... breakpoint on write memory

bc ..................... clear breakpoint

n ...................... next instruction

eip .................... change eip

push ................... push dword to the stack

pop .................... pop dword from stack

fpu .................... fpu view

md5 .................... check the md5 of a memory map

seh .................... view SEH

veh .................... view vectored exception pointer

m ...................... memory maps

ma ..................... memory allocs

mc ..................... memory create map

mn ..................... memory name of an address

ml ..................... memory load file content to map

mr ..................... memory read, specify ie: dword ptr [esi]

mw ..................... memory write, specify ie: dword ptr [esi]  and then the value: 1af

md ..................... memory dump

mrd .................... memory read dwords

mds .................... memory dump string

mdw .................... memory dump wide string

mdd .................... memory dump to disk

mt ..................... memory test

ss ..................... search string

sb ..................... search bytes

sba .................... search bytes in all the maps

ssa .................... search string in all the maps

ll ..................... linked list walk

d ...................... disassemble

dt ..................... dump structure

enter .................. step into

The Cobalt Strike API loader works like Metasploit's; its emulation looks like this: (screenshot not reproduced)

Cobalt Strike API calls: (screenshot not reproduced)

Metasploit rshell (reverse shell) API calls: (screenshot not reproduced)

The Metasploit SGN encoder uses the FPU to hide its polymorphism: (screenshot not reproduced)

Metasploit shikata-ga-nai encoder: (screenshot not reproduced)

Showing the PEB structure:

=>dt

structure=>peb

address=>0x7ffdf000

PEB {

    reserved1: [

        0x0,

        0x0,

    ],

    being_debugged: 0x0,

    reserved2: 0x0,

    reserved3: [

        0xffffffff,

        0x400000,

    ],

    ldr: 0x77647880,

    process_parameters: 0x2c1118,

    reserved4: [

        0x0,

        0x2c0000,

        0x77647380,

    ],

    alt_thunk_list_ptr: 0x0,

    reserved5: 0x0,

    reserved6: 0x6,

    reserved7: 0x773cd568,

    reserved8: 0x0,

    alt_thunk_list_ptr_32: 0x0,

    reserved9: [

        0x0,

...

Showing the PEB_LDR_DATA structure:

=>dt

structure=>PEB_LDR_DATA

address=>0x77647880

PebLdrData {

    length: 0x30,

    initializated: 0x1,

    sshandle: 0x0,

    in_load_order_module_list: ListEntry {

        flink: 0x2c18b8,

        blink: 0x2cff48,

    },

    in_memory_order_module_list: ListEntry {

        flink: 0x2c18c0,

        blink: 0x2cff50,

    },

    in_initialization_order_module_list: ListEntry {

        flink: 0x2c1958,

        blink: 0x2d00d0,

    },

    entry_in_progress: ListEntry {

        flink: 0x0,

        blink: 0x0,

    },

}

=>

Showing LDR_DATA_TABLE_ENTRY and the first module name:

=>dt

structure=>LDR_DATA_TABLE_ENTRY

address=>0x2c18c0

LdrDataTableEntry {

    reserved1: [

        0x2c1950,

        0x77647894,

    ],

    in_memory_order_module_links: ListEntry {

        flink: 0x0,

        blink: 0x0,

    },

    reserved2: [

        0x0,

        0x400000,

    ],

    dll_base: 0x4014e0,

    entry_point: 0x1d000,

    reserved3: 0x40003e,

    full_dll_name: 0x2c1716,

    reserved4: [

        0x0,

        0x0,

        0x0,

        0x0,

        0x0,

        0x0,

        0x0,

        0x0,

    ],

    reserved5: [

        0x17440012,

        0x4000002c,

        0xffff0000,

    ],

    checksum: 0x1d6cffff,

    reserved6: 0xa640002c,

    time_date_stamp: 0xcdf27764,

}

=>
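The three `dt` dumps above are the same structures a Windows shellcode API loader walks to find kernel32 before hashing its exports, and they are what scemu's `ll` (linked list walk) command follows. The Python below is an added example, not scemu's code and not from the original post: it builds a constructed 32-bit memory image with the PEB and PEB_LDR_DATA at the addresses scemu showed (0x7ffdf000 and 0x77647880), fills InMemoryOrderModuleList with three made-up modules, and walks the list the way the shellcode does, refusing a list that never returns to its head. The module names, bases and heap addresses are assumptions for the example; the field offsets are the documented x86 ones.

```python
import struct

# Addresses taken from the scemu dumps above.
PEB_ADDR = 0x7FFDF000            # dt peb
LDR_ADDR = 0x77647880            # PEB.Ldr
HEAP_BASE = 0x002C0000           # constructed: map that holds the loader entries

# Documented 32-bit field offsets used by the walk.
PEB_LDR = 0x0C                   # PEB.Ldr (PEB_LDR_DATA*)
LDR_INMEMORY_LIST = 0x14         # PEB_LDR_DATA.InMemoryOrderModuleList
ENTRY_INMEMORY_LINKS = 0x08      # LDR_DATA_TABLE_ENTRY.InMemoryOrderLinks
ENTRY_DLLBASE = 0x18             # LDR_DATA_TABLE_ENTRY.DllBase
ENTRY_BASEDLLNAME = 0x2C         # LDR_DATA_TABLE_ENTRY.BaseDllName (UNICODE_STRING)

# Constructed module list for the example; not taken from a real process.
MODULES = [
    ("scemu_test.exe", 0x00400000),
    ("ntdll.dll",      0x77560000),
    ("KERNEL32.DLL",   0x75A00000),
]


class Memory:
    """Sparse 32-bit address space built from (base, bytes) maps, like scemu's maps."""

    def __init__(self):
        self.maps = []

    def add_map(self, base, size):
        self.maps.append((base, bytearray(size)))

    def _locate(self, addr, n):
        for base, buf in self.maps:
            if base <= addr and addr + n <= base + len(buf):
                return buf, addr - base
        raise ValueError(f"unmapped access at {addr:#010x}")

    def read(self, addr, n):
        buf, off = self._locate(addr, n)
        return bytes(buf[off:off + n])

    def write(self, addr, data):
        buf, off = self._locate(addr, len(data))
        buf[off:off + len(data)] = data

    def u16(self, addr):
        return struct.unpack("<H", self.read(addr, 2))[0]

    def u32(self, addr):
        return struct.unpack("<I", self.read(addr, 4))[0]

    def put32(self, addr, value):
        self.write(addr, struct.pack("<I", value))


def build_image():
    """Lay out PEB -> PEB_LDR_DATA -> LDR_DATA_TABLE_ENTRY list for the constructed modules."""
    mem = Memory()
    mem.add_map(PEB_ADDR, 0x1000)
    mem.add_map(LDR_ADDR & ~0xFFF, 0x1000)
    mem.add_map(HEAP_BASE, 0x10000)
    mem.put32(PEB_ADDR + PEB_LDR, LDR_ADDR)

    head = LDR_ADDR + LDR_INMEMORY_LIST
    entries = [0x002C18B8 + i * 0x100 for i in range(len(MODULES))]  # constructed
    links = [e + ENTRY_INMEMORY_LINKS for e in entries]
    strings = HEAP_BASE + 0x4000                                       # constructed
    for i, ((name, base), entry) in enumerate(zip(MODULES, entries)):
        wname = name.encode("utf-16-le")
        mem.write(strings, wname + b"\x00\x00")
        mem.put32(entry + ENTRY_DLLBASE, base)
        # UNICODE_STRING { Length, MaximumLength, Buffer }
        mem.write(entry + ENTRY_BASEDLLNAME,
                  struct.pack("<HHI", len(wname), len(wname) + 2, strings))
        strings += len(wname) + 2
        mem.put32(links[i], links[i + 1] if i + 1 < len(links) else head)  # Flink
        mem.put32(links[i] + 4, links[i - 1] if i > 0 else head)           # Blink
    mem.put32(head, links[0])
    mem.put32(head + 4, links[-1])
    return mem


def walk_modules(mem, peb=PEB_ADDR, limit=512):
    """Follow InMemoryOrderModuleList and return [(BaseDllName, DllBase), ...]."""
    ldr = mem.u32(peb + PEB_LDR)
    head = ldr + LDR_INMEMORY_LIST
    cur = mem.u32(head)                      # Flink of the list head
    modules = []
    while cur != head:
        if len(modules) >= limit:
            raise RuntimeError("module list never returns to its head: forged or corrupted")
        entry = cur - ENTRY_INMEMORY_LINKS   # the links sit at +8 inside the entry
        length = mem.u16(entry + ENTRY_BASEDLLNAME)
        buffer = mem.u32(entry + ENTRY_BASEDLLNAME + 4)
        name = mem.read(buffer, length).decode("utf-16-le")
        modules.append((name, mem.u32(entry + ENTRY_DLLBASE)))
        cur = mem.u32(cur)                   # next InMemoryOrderLinks.Flink
    return modules


def resolve_module(mem, name, peb=PEB_ADDR):
    """Case-insensitive lookup, what API loaders do before hashing the export table."""
    for module, base in walk_modules(mem, peb):
        if module.lower() == name.lower():
            return base
    return None


if __name__ == "__main__":
    image = build_image()
    for module, base in walk_modules(image):
        print(f"{base:#010x}  {module}")
    print(f"kernel32 base: {resolve_module(image, 'kernel32.dll'):#010x}")
```

The entry address is recovered by subtracting 8 from the link pointer because shellcode follows InMemoryOrderLinks, not the entry start; the iteration limit is the guard you want when the list under emulation has been tampered with by the sample.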

Malware hiding information in exceptions; the code pushes its own handler address (0x4F96F4) and the current fs:[0] to install a new SEH frame:

3307726 0x4f9673: push  ebp

3307727 0x4f9674: push  edx

3307728 0x4f9675: push  eax

3307729 0x4f9676: push  ecx

3307730 0x4f9677: push  ecx

3307731 0x4f9678: push  4F96F4h

3307732 0x4f967d: push  dword ptr fs:[0]

Reading SEH 0x0

-------

3307733 0x4f9684: mov   eax,[51068Ch]

--- console ---

=>

Inspecting the exception structure:

--- console ---

=>r esp

        esp: 0x22de98

=>dt

structure=>cppeh_record

address=>0x22de98

CppEhRecord {

    old_esp: 0x0,

    exc_ptr: 0x4f96f4,

    next: 0xfffffffe,

    exception_handler: 0xfffffffe,

    scope_table: PScopeTableEntry {

        enclosing_level: 0x278,

        filter_func: 0x51068c,

        handler_func: 0x288,

    },

    try_level: 0x288,

}

=>
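What scemu's `seh` command shows is the chain of EXCEPTION_REGISTRATION_RECORD {Next, Handler} pairs that starts at fs:[0], which the trace above extends with a handler at 0x4F96F4 inside the malware's own code. The Python below is an added example, not scemu's code and not from the original post: it constructs a stack map in which that record points back to a made-up ntdll record, walks the chain with the bounds and alignment checks the real dispatcher applies before trusting a record, and flags handlers that live outside any DLL map. The ntdll handler address, the map table and the stack layout are assumptions for the example; 0x4F96F4 and 0x22de98 come from the trace.

```python
import struct

STACK_BASE = 0x0022D000          # constructed stack map containing esp = 0x22de98
STACK_SIZE = 0x3000
END_OF_CHAIN = 0xFFFFFFFF        # EXCEPTION_REGISTRATION_RECORD.Next terminator

# Constructed map table in the spirit of scemu's `m` listing: (name, base, size).
MAPS = [
    ("ntdll.dll",    0x77560000, 0x00130000),
    ("kernel32.dll", 0x75A00000, 0x000F0000),
    ("code",         0x004F0000, 0x00030000),   # region the trace above executes in
    ("stack",        STACK_BASE, STACK_SIZE),
]


def map_of(addr):
    for name, base, size in MAPS:
        if base <= addr < base + size:
            return name
    return None


def build_stack():
    """Stack after `push 4F96F4h ; push dword ptr fs:[0] ; mov fs:[0], esp` (constructed values)."""
    stack = bytearray(STACK_SIZE)

    def put(addr, value):
        struct.pack_into("<I", stack, addr - STACK_BASE, value)

    # Outermost record, the one the thread started with.
    put(0x0022FFE0, END_OF_CHAIN)                # Next
    put(0x0022FFE4, 0x775E1234)                  # Handler: constructed ntdll address
    # Record the malware builds on its own stack frame.
    put(0x0022DE98, 0x0022FFE0)                  # Next: the previous fs:[0]
    put(0x0022DE9C, 0x004F96F4)                  # Handler: inside the malware's code
    return stack, 0x0022DE98                     # fs:[0] now points here


def walk_seh(stack, fs0, max_depth=64):
    """Follow fs:[0] -> Next -> ... until 0xFFFFFFFF, refusing records not on the stack."""
    def u32(addr):
        return struct.unpack_from("<I", stack, addr - STACK_BASE)[0]

    chain, seen, cur = [], set(), fs0
    while cur != END_OF_CHAIN:
        if cur in seen or len(chain) >= max_depth:
            raise RuntimeError(f"SEH chain loops or is too deep at {cur:#010x}")
        # The dispatcher rejects records outside the stack limits or misaligned.
        if not (STACK_BASE <= cur <= STACK_BASE + STACK_SIZE - 8) or cur & 3:
            raise RuntimeError(f"registration record {cur:#010x} is not a valid stack address")
        seen.add(cur)
        nxt, handler = u32(cur), u32(cur + 4)
        chain.append({"record": cur, "next": nxt, "handler": handler, "in": map_of(handler)})
        cur = nxt
    return chain


def suspicious_handlers(chain):
    """Handlers outside any DLL map: the sign that code hides its control flow in exceptions."""
    return [c["handler"] for c in chain if not (c["in"] or "").endswith(".dll")]


if __name__ == "__main__":
    stack, fs0 = build_stack()
    chain = walk_seh(stack, fs0)
    for rec in chain:
        print(f"record {rec['record']:#010x}  next {rec['next']:#010x}  "
              f"handler {rec['handler']:#010x} ({rec['in']})")
    print("suspicious:", [f"{h:#x}" for h in suspicious_handlers(chain)])
```

The same classification applies to what `veh` prints: a vectored handler pointing into the sample's own map, rather than a loaded DLL, is the frame the sample expects to reach by deliberately faulting.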

Project

scemu: https://github.com/sha0coder/scemu

Author: Alpha_h4ck
