
Topic created on: February 11, 2011 08:41 CST by dzzie .



Here is a project I have been playing with that I thought I would share.

scdbg is a shellcode analysis application (based on sctest) which uses the libemu emulation library.

It has been modified to include more output for manual RE as well as to add basic debugging capabilities.



libemu homepage
http://libemu.carnivore.it/

scdbg Binaries / Source / Screen shots:
http://sandsprite.com/blogs/index.php?uid=7&pid=152

Video demo
http://sandsprite.com/CodeStuff/scdbg.wmv

More details on mem monitor mode
http://sandsprite.com/blogs/index.php?uid=7&pid=158





Additions include:

+ support for user32, shell32, ntdll, wininet
+ ~17 new api hooks
+ display of return addresses, file offsets, step counts
+ ability to start logging at target addresses/step counts
+ ability to set breakpoints, scan for specific instructions
+ ability to single step, step over, execute till return
+ ability to dump decoded shellcode from memory, dump allocs
+ interactive debug shell to stop and examine registers or memory
+ basic support for SEH and shellcode which patches UEF
+ monitoring of read/writes to key addresses to determine how the shellcode operates, which lists it walks, and if it tries to detect hooks on WinApi or if it patches any API





Help screen below:

_______________
| |
| |
| libemu |
| x86 emulation |
| |
| |
| |
\ O |
\______________| build: 0.2.dz

-----[ libemu - x86 shellcode emulation ]-----
Copyright (C) 2007 Paul Baecher & Markus Koetter

/hex show hex dumps for hook reads/writes
/findsc Scans file for possible shellcode buffers (getpc mode)
/foff hexnum starts execution at file offset
/mm enables Memory Monitor to log access to key addresses.
/mdll uses Memory Monitor to log direct access to dll memory (detect hooks)
/nc no color (if using sending output to other apps)
/S < file.sc read shellcode/buffer from stdin
/f fpath load shellcode from file specified.
/o hexnum base offset to use (default: 0x401000)
/redir ip:port redirect connect to ip (port optional)
/G fpath save a dot formatted callgraph in filepath
/i enable interactive hooks
/v verbosity, can be used up to 4 times, ex. /v /v /vv
/e int verbosity on error (3 = debug shell)
/t int time to delay (ms) between steps when v=1 or 2
/h show this help
/bp hexnum set breakpoint (shortcut for -laa <hexaddr> -vvv)
/bs int break on step (shortcut for -las <int> -vvv)
/a adjust offsets to file offsets not virtual
/d dump unpacked shellcode if changed (requires /f)
/las int log at step ex. -las 100
/laa hexnum log at address ex. -laa 0x401020
/s int max number of steps to run (def=1000000, -1 unlimited)

dbg> shell prompt commands:
? - help, this help screen, h also works
v - change verbosity (0-4)
g - go - continue with v=0
s - step, continues execution, ENTER also works
c - reset step counter
r - execute till return (v=0 recommended)
u - unassembled address
b - break at address
m - reset max step count (-1 = infinate)
e - set eip
w - dWord dump,(32bit ints) prompted for hex base addr and then size
d - Dump Memory (hex dump) prompted for hex base addr and then size
x - execute x steps (use with reset step count)
t - set time delay (ms) for verbosity level 1/2
k - show stack
i - break at instruction (scans disasm for next string match)
f - dereF registers (show any common api addresses in regs)
o - step over
.lp - lookup - get symbol for address
.pl - reverse lookup - get address for symbol
.seh - shows current value at fs[0]
.reg - manually set register value
.poke1 - write a single byte to memory
.poke4 - write a 4 byte value to memory
.savemem - saves a memdump of specified range to file
q - quit


djnemo February 13, 2011 04:39.02 CST good job dzzie :)

dzzie April 15, 2011 02:13.25 CDT

Just finished a port of the code over to Visual Studio 2008:
https://github.com/dzzie/VS_LIBEMU

A DLL build is also available with sample code in C# and Visual Basic 6.




