Sunday, March 18, 2012

SCDBG - A Tool for shellcode analysis

scdbg is a shellcode analysis application (based on sctest) which uses the libemu emulation library.

It has been modified to include more output for manual reverse engineering and to add basic debugging capabilities.

libemu homepage

scdbg Binaries / Source / Screen shots:

Video demo

more details on mem monitor mode

Additions include:
+ support for user32, shell32, ntdll, wininet
+ ~17 new api hooks
+ display of return addresses, file offsets, step counts
+ ability to start logging at target addresses/step counts
+ ability to set breakpoints, scan for specific instructions
+ ability to single step, step over, execute till return
+ ability to dump decoded shellcode from memory, dump allocs
+ interactive debug shell to stop and examine registers or memory
+ basic support for SEH and shellcode which patches UEF
+ monitoring of reads/writes to key addresses to determine how the shellcode operates, which lists it walks, and whether it tries to detect hooks on WinApi or patches any API

Help screen below

| |
| |
| libemu |
| x86 emulation |
| |
| |
| |
\ O |
\______________| build:

-----[ libemu - x86 shellcode emulation ]-----
Copyright (C) 2007 Paul Baecher & Markus Koetter

/hex show hex dumps for hook reads/writes
/findsc Scans file for possible shellcode buffers (getpc mode)
/foff hexnum starts execution at file offset
/mm enables Memory Monitor to log access to key addresses.
/mdll uses Memory Monitor to log direct access to dll memory (detect hooks)
/nc no color (if using sending output to other apps)
/S < read shellcode/buffer from stdin
/f fpath load shellcode from file specified.
/o hexnum base offset to use (default: 0x401000)
/redir ip:port redirect connect to ip (port optional)
/G fpath save a dot formatted callgraph in filepath
/i enable interactive hooks
/v verbosity, can be used up to 4 times, ex. /v /v /vv
/e int verbosity on error (3 = debug shell)
/t int time to delay (ms) between steps when v=1 or 2
/h show this help
/bp hexnum set breakpoint (shortcut for -laa -vvv)
/bs int break on step (shortcut for -las -vvv)
/a adjust offsets to file offsets not virtual
/d dump unpacked shellcode if changed (requires /f)
/las int log at step ex. -las 100
/laa hexnum log at address ex. -laa 0x401020
/s int max number of steps to run (def=1000000, -1 unlimited)

dbg> shell prompt commands:
? - help, this help screen, h also works
v - change verbosity (0-4)
g - go - continue with v=0
s - step, continues execution, ENTER also works
c - reset step counter
r - execute till return (v=0 recommended)
u - unassembled address
b - break at address
m - reset max step count (-1 = infinate)
e - set eip
w - dWord dump,(32bit ints) prompted for hex base addr and then size
d - Dump Memory (hex dump) prompted for hex base addr and then size
x - execute x steps (use with reset step count)
t - set time delay (ms) for verbosity level 1/2
k - show stack
i - break at instruction (scans disasm for next string match)
f - dereF registers (show any common api addresses in regs)
o - step over
.lp - lookup - get symbol for address
.pl - reverse lookup - get address for symbol
.seh - shows current value at fs[0]
.reg - manually set register value
.poke1 - write a single byte to memory
.poke4 - write a 4 byte value to memory
.savemem - saves a memdump of specified range to file
q - quit
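
The /findsc option above scans a file for possible shellcode buffers in "getpc mode". As an added example (not code from scdbg or libemu), the Python below scans a buffer for two common GetPC idioms and reports their file offsets. The function name find_getpc, the choice of patterns and the sample bytes are assumptions constructed for illustration; scdbg's own heuristic is not shown on this page.

```python
import struct

# fnstenv [esp-0xc]: stores the FPU environment, which includes the address
# of the last FPU instruction, so a following pop yields the current EIP.
FNSTENV = b"\xd9\x74\x24\xf4"

def find_getpc(buf, max_disp=0x400):
    """Return [(file_offset, kind)] for GetPC candidates found in buf.

    Flags two idioms (an assumed, simplified heuristic):
      call/pop - a near CALL (E8 rel32) whose target lies inside the buffer,
                 within max_disp bytes, and starts with POP reg (58..5F).
                 Covers both call $+5 and jmp/call/pop layouts.
      fnstenv  - the FNSTENV [esp-0xc] byte sequence.
    """
    hits = []
    for i in range(len(buf)):
        if buf[i] == 0xE8 and i + 5 <= len(buf):
            disp = struct.unpack_from("<i", buf, i + 1)[0]
            target = i + 5 + disp  # CALL is relative to the next instruction
            if abs(disp) <= max_disp and 0 <= target < len(buf):
                if 0x58 <= buf[target] <= 0x5F:
                    hits.append((i, "call/pop"))
        elif buf.startswith(FNSTENV, i):
            hits.append((i, "fnstenv"))
    return hits

# Constructed sample: harmless filler with two GetPC fragments embedded.
SAMPLE = (
    b"%PDF-1.4 filler "              # 16 bytes of non-code data
    b"\xe8\xff\xff\xff\x7f"          # E8 with an out-of-range target: ignored
    b"\x90\x90\x90"
    b"\xe8\x00\x00\x00\x00\x58"      # call $+5 ; pop eax
    b"\x90\x90\x90\x90"
    b"\xd9\xee\xd9\x74\x24\xf4\x5b"  # fldz ; fnstenv [esp-0xc] ; pop ebx
)

if __name__ == "__main__":
    for off, kind in find_getpc(SAMPLE):
        print(f"0x{off:x}  {kind}")
```

Each reported offset marks a region worth examining in the emulator; starting execution at a chosen file offset is what /foff is for.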

