Let's check different Cobalt Strike shellcodes and stages in the shellcode emulator SCEMU.
These stages are emulated fully and well, and we can get the IOCs and the behavior of the shellcode.
But let's look at another first stage: a big shellcode with the C runtime embedded, carrying a second stage.
In this case it loads tons of APIs using GetProcAddress at the beginning, then does some encode/decode pointer and TLS get/set calls to store an address. It ends up crashing because it jumps to 0x9090f1eb, a value that looks more like code bytes than like an address.
Here there are two types of allocations:
Let's spawn a console with -c 3307548 and see whether any of these allocations holds the next stage.
The "m" command shows all the memory maps, while "ma" shows only the allocations made by the shellcode.
Dumping memory with "md" we see that there is data there, and disassembling that address with "d" we see the prologue of a function.
So we have the second stage unpacked in alloc_e40064.
With "mdd" we dump that memory to disk (the size was found in the previous screenshot), and then we can do some static reversing of stage 2 in radare/ghidra/ida.
In radare we can verify that the extracted buffer is the next stage:
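A quick way to confirm that a buffer dumped with "mdd" really is a next stage before opening it in radare or ghidra is to triage it for the markers you expect: a PE header, x86 function prologues, and strings that are IOCs (URLs, API names resolved at runtime). The script below is an added example, not part of scemu or of the original post; the sample buffer is constructed inline (it is not real shellcode) and the prologue and API-name lists are my own choices.

```python
import re
import struct
import sys

# Constructed sample dump standing in for a buffer written to disk from an
# emulator allocation. It is NOT real shellcode: it only contains the kinds of
# markers a second-stage triage looks for (MZ/PE header, an x86 function
# prologue, a URL and an API name string).
SAMPLE_DUMP = (
    b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80)      # e_lfanew at 0x3c -> 0x80
    + b"\x00" * (0x80 - 64)
    + b"PE\x00\x00" + struct.pack("<H", 0x014C)          # IMAGE_FILE_MACHINE_I386
    + b"\x00" * 18
    + b"\x55\x8b\xec\x83\xec\x10"                        # push ebp; mov ebp,esp; sub esp,0x10
    + b"\x00" * 8
    + b"http://example.invalid/beacon.bin\x00"
    + b"\xe8\x00\x00\x00\x00"                            # call $+5
    + b"IsDebuggerPresent\x00"
)

# push ebp; mov ebp,esp in both common encodings
PROLOGUES = (b"\x55\x8b\xec", b"\x55\x89\xe5")

# API names worth flagging when they show up as plain strings (assumed list:
# names a stage resolves via GetProcAddress or uses for anti-debug checks).
INTERESTING_APIS = {
    "GetProcAddress", "LoadLibraryA", "VirtualAlloc", "VirtualProtect",
    "IsDebuggerPresent", "UnhandledExceptionFilter", "CreateThread",
}

def find_pe_headers(buf):
    """Return (mz_off, pe_off, machine) for each MZ header whose e_lfanew
    points at a valid 'PE\\0\\0' signature inside the buffer."""
    found = []
    for m in re.finditer(b"MZ", buf):
        mz = m.start()
        if mz + 0x40 > len(buf):          # too short to hold e_lfanew
            continue
        e_lfanew = struct.unpack_from("<I", buf, mz + 0x3C)[0]
        pe = mz + e_lfanew
        if pe + 6 <= len(buf) and buf[pe:pe + 4] == b"PE\x00\x00":
            machine = struct.unpack_from("<H", buf, pe + 4)[0]
            found.append((mz, pe, machine))
    return found

def find_prologues(buf):
    """Offsets of x86 function prologues, a quick hint that a dump holds code."""
    return sorted(m.start() for p in PROLOGUES for m in re.finditer(re.escape(p), buf))

def extract_strings(buf, min_len=6):
    """Printable ASCII runs of at least min_len bytes."""
    return [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, buf)]

def find_iocs(strings):
    """Split strings into network indicators (URLs) and flagged API names."""
    urls = [s for s in strings if re.match(r"https?://", s)]
    apis = [s for s in strings if s in INTERESTING_APIS]
    return {"urls": urls, "apis": apis}

def triage(buf):
    strings = extract_strings(buf)
    return {
        "pe_headers": find_pe_headers(buf),
        "prologues": find_prologues(buf),
        "strings": strings,
        "iocs": find_iocs(strings),
    }

if __name__ == "__main__":
    # Usage: python triage_dump.py <dump file>; without an argument the
    # constructed sample is analysed.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    report = triage(data)
    for mz, pe, machine in report["pe_headers"]:
        print(f"PE header: MZ at 0x{mz:x}, PE at 0x{pe:x}, machine 0x{machine:x}")
    print("prologues at:", [hex(o) for o in report["prologues"]])
    print("iocs:", report["iocs"])
```

A raw shellcode stage usually has no PE header, so a hit on prologues plus API-name strings is the more common positive result; the PE check is there for stages that carry a reflectively loaded DLL.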
I usually do a correlation between the emulation and ghidra to understand the algorithms.
If we look further we can see that the emulator called a function in stage 2: the code base address changes and it calls into the allocated buffer at 0x4f...
This stage 2 performs several API calls; let's check it in ghidra.
In the emulator we can see that it enters the IF block, and what the (*DAT_...)() calls are.
Before the crash, let's continue to the SEH pointer; in this case that is the way forward, and the exception routine checks IsDebuggerPresent(), which of course reports no debugger, so eax = 0.
So let's say yes and continue the emulation.
Both IsDebuggerPresent() and UnhandledExceptionFilter() can be used to detect a debugger, but the emulator returns what it has to return to avoid being detected.
Nevertheless, the shellcode detects something and terminates the process.
Let's trace the branches to understand the logic:
target/release/scemu -f shellcodes/unsuported_cs.bin -vv | egrep '(\*\*|j|cmp|test)'
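Grepping the -vv trace for jumps and compares works, but when the trace is long it helps to pair each conditional jump with the cmp/test that feeds it and with the last emulated API result, and to count how often each branch address runs so loops stand out from one-shot anti-debug checks. The script below is an added example, not part of scemu or of the original post. The trace layout it parses ("<step> 0x<addr>: <asm>" for instructions, "** Name(...) = value" for API calls) is an assumption and the sample trace is constructed, so adapt the two regexes to whatever your emulator actually prints.

```python
import re
import sys
from collections import Counter

# Constructed trace excerpt in an ASSUMED layout; not scemu's real output.
SAMPLE_TRACE = """\
100 0x4f1000: push ebp
101 0x4f1001: mov ebp, esp
** IsDebuggerPresent() = 0
102 0x4f1010: test eax, eax
103 0x4f1012: jne 0x4f1200
104 0x4f1014: mov ecx, [ebp+8]
105 0x4f1017: cmp ecx, 0x10
106 0x4f101a: jl 0x4f1014
107 0x4f1017: cmp ecx, 0x10
108 0x4f101a: jl 0x4f1014
** UnhandledExceptionFilter(...) = 0
109 0x4f1020: cmp eax, 0
110 0x4f1023: je 0x4f1300
"""

# Assumed line formats (adjust to the real trace).
INSN_RE = re.compile(r"^\s*\d+\s+0x([0-9a-fA-F]+):\s*([a-z]+)\s*(.*)$")
API_RE = re.compile(r"^\*\*\s*(\w+)\(.*\)\s*=\s*(\S+)")
COND_JUMPS = ("je", "jne", "jz", "jnz", "jl", "jle", "jg", "jge",
              "jb", "jbe", "ja", "jae", "js", "jns")

def parse_trace(text):
    """Turn trace lines into ('api', name, result) and
    ('insn', addr, mnemonic, operands) events; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            events.append(("api", m.group(1), m.group(2)))
            continue
        m = INSN_RE.match(line)
        if m:
            events.append(("insn", int(m.group(1), 16), m.group(2), m.group(3).strip()))
    return events

def summarize_branches(events):
    """For every conditional jump record the cmp/test that set the flags and
    the API result (if any) returned since the previous jump; addresses that
    branch more than once are reported as loop candidates."""
    pairs = []
    counts = Counter()
    last_cmp = None
    last_api = None
    for ev in events:
        if ev[0] == "api":
            last_api = (ev[1], ev[2])
            continue
        _, addr, mnem, ops = ev
        if mnem in ("cmp", "test"):
            last_cmp = f"{mnem} {ops}"
        elif mnem in COND_JUMPS:
            counts[addr] += 1
            pairs.append({"addr": addr, "jump": f"{mnem} {ops}",
                          "condition": last_cmp, "after_api": last_api})
            last_api = None   # an API result is attributed to one decision only
    loops = sorted(a for a, n in counts.items() if n > 1)
    return {"branches": pairs, "loop_candidates": loops}

if __name__ == "__main__":
    # Usage: scemu -f sample.bin -vv | python branch_summary.py
    # (reads the constructed sample when nothing is piped in)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TRACE
    report = summarize_branches(parse_trace(text))
    for b in report["branches"]:
        print(f"0x{b['addr']:x}: {b['jump']:<16} after [{b['condition']}]"
              f" api={b['after_api']}")
    print("loop candidates:", [hex(a) for a in report["loop_candidates"]])
```

The branches whose "after_api" field is an anti-debug call (IsDebuggerPresent, UnhandledExceptionFilter) are the ones to inspect first when the sample terminates itself, since they decide between the normal path and the exit.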
Let's look from the console at where the SEH chain item is pointing:
to be continued ...
https://github.com/sha0coder/scemu