Fast Emulator For Shellcodes In Rust

I have developed a fast emulator for modern shellcodes, that perform huge loops of millions of instructions emulated for resolving API or for other stuff.

The emulator is in Rust and all the few dependencies as well, so the rust safety is good for emulating malware.  

There are shellcodes that can be emulated from the beginning to the end, but when this is not possible the tool has many features that can be used like a console, a memory tracing, register tracing, and so on.

https://github.com/sha0coder/scemu

In less than two seconds we have emulated 7 millions of instructions arriving to the recv. 

At this point we have some  IOC like  the ip:port where it's connecting and other details.

Lets see what happens after the recv() spawning a console at position: 7,012,204

target/release/scemu -f shellcodes/shikata.bin -vv -c 7012204

In the console, pressing "enter" several times to emulate  step into several steps and we arrive to a return instruction.

Let's see the stack in this moment:

The "ret" instruction is going to jump to the buffer read with recv() so is a kind of stager.

The option "-e" or "--endpoint" is not ready for now, but it will allow to proxy the calls to get the next  stage automatically, but for now we have the details to get the stage.

SCEMU also identify all the Linux  syscalls for 32bits shellcodes:

The encoder used in shellgen is also supported https://github.com/MarioVilas/shellgen

Let's check with cobalt-strike:

We can see where is connecting and which headers is using, so right now we can replicate the communications.

In verbose mode we could do several greps to see the calls and correlate with ghidra/ida/radare or  for example grep the branches to study the emulation flow.

target/release/scemu -f shellcodes/rshell_sgn.bin -vv | grep j

target/release/scemu -f shellcodes/rshell_sgn.bin -vv -c 44000 -l

The -l --loops options makes the emulation a bit slower but track the number of iterations.

Is possible to print all the registers in every step with  -r or --registers  but also is possible to track  specific register for example with --reg esi

target/release/scemu -f shellcodes/shikata.bin --reg esi 

In this case ESI register points to the API name, if we track EAX or ECX will see that are the counters of the loop. These shellcodes  contains a hard loop to locate the API names.

The flag -i or --inspect allow to monitor memory using expressions like "dword ptr [eax + 0xa]"

target/release/scemu -f shellcodes/shikata.bin -i 'dword ptr [esi]'

And more things to come...  find a demo below:

https://www.youtube.com/watch?v=qTYmMjW3DFs

More info

1. Hacker Tools Github
2. Physical Pentest Tools
3. Hacking Tools Windows 10
4. Pentest Tools List
5. Hacking Tools Kit
6. Game Hacking
7. Pentest Tools Framework
8. Pentest Tools Free
9. Hack Tools Mac
10. How To Make Hacking Tools
11. Hacking Tools For Beginners
12. Hack Tools For Mac
13. Hacking Tools Github
14. Ethical Hacker Tools
15. Pentest Tools Online
16. Pentest Tools Open Source
17. Hack Tools Pc
18. Hacking Tools Pc
19. Hack Tool Apk
20. Hacking Tools Download
21. Hacking App
22. Hacking Tools For Kali Linux
23. Underground Hacker Sites
24. Black Hat Hacker Tools
25. Github Hacking Tools
26. Hack Tools For Games
27. Hacking Tools For Beginners
28. Pentest Tools Windows
29. Hack Tools For Pc
30. Hacking Tools Pc
31. Computer Hacker
32. Hacking Tools 2019
33. Hack Tool Apk No Root
34. Pentest Tools Framework
35. Hacker Tools Linux
36. Computer Hacker
37. Hack App
38. Pentest Automation Tools
39. Hacker Techniques Tools And Incident Handling
40. Hacking Tools 2020
41. Hacker Tools For Mac
42. Hacker Tools Software
43. Hacking Tools Software
44. Hacker Tools Hardware
45. Pentest Tools Framework
46. Hack Website Online Tool
47. Hack Tool Apk
48. Hacker Tools Mac
49. Hack Tool Apk No Root
50. Usb Pentest Tools
51. Usb Pentest Tools
52. Hacker Tools Hardware
53. Best Hacking Tools 2020
54. Hacking App
55. Hacking Tools Free Download