Fast Emulator For Shellcodes In Rust

I have developed a fast emulator for modern shellcodes, that perform huge loops of millions of instructions emulated for resolving API or for other stuff.

The emulator is in Rust and all the few dependencies as well, so the rust safety is good for emulating malware.  

There are shellcodes that can be emulated from the beginning to the end, but when this is not possible the tool has many features that can be used like a console, a memory tracing, register tracing, and so on.

https://github.com/sha0coder/scemu

In less than two seconds we have emulated 7 millions of instructions arriving to the recv. 

At this point we have some  IOC like  the ip:port where it's connecting and other details.

Lets see what happens after the recv() spawning a console at position: 7,012,204

target/release/scemu -f shellcodes/shikata.bin -vv -c 7012204

In the console, pressing "enter" several times to emulate  step into several steps and we arrive to a return instruction.

Let's see the stack in this moment:

The "ret" instruction is going to jump to the buffer read with recv() so is a kind of stager.

The option "-e" or "--endpoint" is not ready for now, but it will allow to proxy the calls to get the next  stage automatically, but for now we have the details to get the stage.

SCEMU also identify all the Linux  syscalls for 32bits shellcodes:

The encoder used in shellgen is also supported https://github.com/MarioVilas/shellgen

Let's check with cobalt-strike:

We can see where is connecting and which headers is using, so right now we can replicate the communications.

In verbose mode we could do several greps to see the calls and correlate with ghidra/ida/radare or  for example grep the branches to study the emulation flow.

target/release/scemu -f shellcodes/rshell_sgn.bin -vv | grep j

target/release/scemu -f shellcodes/rshell_sgn.bin -vv -c 44000 -l

The -l --loops options makes the emulation a bit slower but track the number of iterations.

Is possible to print all the registers in every step with  -r or --registers  but also is possible to track  specific register for example with --reg esi

target/release/scemu -f shellcodes/shikata.bin --reg esi 

In this case ESI register points to the API name, if we track EAX or ECX will see that are the counters of the loop. These shellcodes  contains a hard loop to locate the API names.

The flag -i or --inspect allow to monitor memory using expressions like "dword ptr [eax + 0xa]"

target/release/scemu -f shellcodes/shikata.bin -i 'dword ptr [esi]'

And more things to come...  find a demo below:

https://www.youtube.com/watch?v=qTYmMjW3DFs

Related news

1. Bluetooth Hacking Tools Kali
2. Hack Tool Apk No Root
3. Pentest Tools Online
4. Pentest Tools For Android
5. Pentest Tools Android
6. How To Hack
7. Pentest Tools Download
8. Hack Tools Github
9. Ethical Hacker Tools
10. Hacking Tools Usb
11. Hacker Tools Online
12. Pentest Reporting Tools
13. Tools Used For Hacking
14. Hacking Tools
15. Install Pentest Tools Ubuntu
16. Pentest Tools
17. Hacker Tools For Windows
18. Hack Tools For Mac
19. What Are Hacking Tools
20. Best Hacking Tools 2020
21. Best Hacking Tools 2020
22. Pentest Tools Free
23. Hacker Tools For Mac
24. Nsa Hack Tools
25. Hacker Tools Free
26. Hack Rom Tools
27. What Is Hacking Tools
28. Pentest Tools Bluekeep
29. Pentest Tools Kali Linux
30. Hack Rom Tools
31. Computer Hacker
32. Hack Tool Apk
33. Pentest Tools Apk
34. Hacking Tools For Kali Linux
35. Tools 4 Hack
36. Hacker Tools Mac
37. Hacker Tools For Ios
38. Free Pentest Tools For Windows
39. Hacker Tools Free Download
40. Hacking Tools Usb
41. Hack Tools For Windows
42. Hacking Tools For Windows
43. Tools 4 Hack
44. Pentest Tools Tcp Port Scanner
45. Usb Pentest Tools
46. Game Hacking
47. World No 1 Hacker Software
48. Pentest Tools Android
49. Hack Tools For Pc
50. Hacking Tools For Windows
51. Kik Hack Tools
52. Hacker Hardware Tools
53. Hacker Tools Github
54. Pentest Recon Tools
55. Nsa Hacker Tools
56. Beginner Hacker Tools