Fast Emulator For Shellcodes In Rust

I have developed a fast emulator for modern shellcodes, that perform huge loops of millions of instructions emulated for resolving API or for other stuff.

The emulator is in Rust and all the few dependencies as well, so the rust safety is good for emulating malware.  

There are shellcodes that can be emulated from the beginning to the end, but when this is not possible the tool has many features that can be used like a console, a memory tracing, register tracing, and so on.

https://github.com/sha0coder/scemu

In less than two seconds we have emulated 7 millions of instructions arriving to the recv. 

At this point we have some  IOC like  the ip:port where it's connecting and other details.

Lets see what happens after the recv() spawning a console at position: 7,012,204

target/release/scemu -f shellcodes/shikata.bin -vv -c 7012204

In the console, pressing "enter" several times to emulate  step into several steps and we arrive to a return instruction.

Let's see the stack in this moment:

The "ret" instruction is going to jump to the buffer read with recv() so is a kind of stager.

The option "-e" or "--endpoint" is not ready for now, but it will allow to proxy the calls to get the next  stage automatically, but for now we have the details to get the stage.

SCEMU also identify all the Linux  syscalls for 32bits shellcodes:

The encoder used in shellgen is also supported https://github.com/MarioVilas/shellgen

Let's check with cobalt-strike:

We can see where is connecting and which headers is using, so right now we can replicate the communications.

In verbose mode we could do several greps to see the calls and correlate with ghidra/ida/radare or  for example grep the branches to study the emulation flow.

target/release/scemu -f shellcodes/rshell_sgn.bin -vv | grep j

target/release/scemu -f shellcodes/rshell_sgn.bin -vv -c 44000 -l

The -l --loops options makes the emulation a bit slower but track the number of iterations.

Is possible to print all the registers in every step with  -r or --registers  but also is possible to track  specific register for example with --reg esi

target/release/scemu -f shellcodes/shikata.bin --reg esi 

In this case ESI register points to the API name, if we track EAX or ECX will see that are the counters of the loop. These shellcodes  contains a hard loop to locate the API names.

The flag -i or --inspect allow to monitor memory using expressions like "dword ptr [eax + 0xa]"

target/release/scemu -f shellcodes/shikata.bin -i 'dword ptr [esi]'

And more things to come...  find a demo below:

https://www.youtube.com/watch?v=qTYmMjW3DFs

More articles

• Tools For Hacker
• Hacking Tools For Beginners
• Best Pentesting Tools 2018
• Hack And Tools
• Hack Tools For Pc
• Hack Tools For Mac
• Best Hacking Tools 2019
• Hack Tools For Pc
• Hacker Tools Linux
• Pentest Tools Website Vulnerability
• Hack Tools For Windows
• Hacker Search Tools
• Pentest Automation Tools
• Hacking Tools Software
• Hack Tools Pc
• New Hacker Tools
• Pentest Tools Open Source
• Hacking Tools For Windows 7
• Hacker Tools Apk Download
• Hacking Apps
• Hacker Tools For Windows
• Pentest Tools Open Source
• Pentest Box Tools Download
• Pentest Tools For Ubuntu
• Hacker Tools Apk
• Pentest Tools Nmap
• Pentest Tools Nmap
• Hacking Tools Download
• Pentest Tools Subdomain
• Pentest Tools Url Fuzzer
• Hacking Tools Mac
• Easy Hack Tools
• Pentest Tools Windows
• Hack Tool Apk
• Easy Hack Tools
• Pentest Tools For Android
• Hackrf Tools
• Hack Tools Online
• Tools Used For Hacking
• Nsa Hack Tools Download
• Hacker Tools List
• Hacking App
• Pentest Tools Open Source
• Hack Website Online Tool
• Hack Website Online Tool
• Github Hacking Tools
• Nsa Hack Tools Download
• Pentest Box Tools Download
• Hacks And Tools
• Hacking Tools Free Download
• Hacker Tools Apk
• Pentest Reporting Tools
• Hack Tool Apk No Root
• Kik Hack Tools
• Hacking Tools Free Download
• Hak5 Tools
• Hacking Tools Download
• Install Pentest Tools Ubuntu
• Growth Hacker Tools
• Best Hacking Tools 2020
• New Hack Tools
• Termux Hacking Tools 2019
• Physical Pentest Tools
• Hak5 Tools
• Hack Tools
• Top Pentest Tools
• How To Hack
• Hacking Tools For Pc
• Game Hacking
• New Hack Tools
• Blackhat Hacker Tools
• Computer Hacker
• Pentest Tools List
• Pentest Tools List
• Physical Pentest Tools
• Pentest Tools List
• Pentest Tools Download
• Hacking Tools Windows
• Hacking Tools Mac
• Pentest Reporting Tools
• Hacking Tools Usb
• Hack And Tools
• Hacker Tools For Windows
• Hacking Tools Usb
• Best Pentesting Tools 2018
• Hack Tools 2019
• Blackhat Hacker Tools
• Hacking Tools For Kali Linux
• Nsa Hacker Tools
• Hacker Tools Free Download
• Hacker Tools Mac
• Github Hacking Tools
• Hacking Tools For Games
• Hacker Tools
• Pentest Tools Open Source
• Install Pentest Tools Ubuntu
• Hacking Tools Kit
• Hack Tools Github
• Android Hack Tools Github
• Hacking Tools For Windows
• Hacker Tools Linux
• Hacking Tools 2019
• Hack Tools
• Tools 4 Hack
• Pentest Tools Port Scanner
• Hacking Tools For Windows Free Download
• Hacker Tools Github
• Growth Hacker Tools
• Hacking Tools Download
• Pentest Tools Android
• Hack Tools Download
• Hacking Tools Github
• Pentest Tools Download
• Best Pentesting Tools 2018
• Hack Tools For Pc
• Pentest Tools
• Hacking Tools Software
• Hacker Tools For Windows
• Hack Tools For Ubuntu
• Best Pentesting Tools 2018
• Pentest Tools Linux
• Easy Hack Tools
• Hacking Tools Usb
• Nsa Hack Tools Download
• Hack Tools For Ubuntu
• Hacker Techniques Tools And Incident Handling
• Hacking Tools
• Hacking Tools For Kali Linux
• Pentest Tools Open Source
• Pentest Tools Framework
• Pentest Reporting Tools
• Hacking Tools For Games
• Hack Tool Apk No Root
• Hacking Tools Kit
• Hacking Tools For Windows 7
• Pentest Tools Website Vulnerability
• Hacking Tools For Games
• Hacker Tools Linux
• Nsa Hacker Tools
• Hacking Tools For Beginners
• Tools Used For Hacking
• Hacker Tools
• Hack Tools For Mac
• Hacker Tools Software
• Hack Tools
• Hacker Tools