Original article: Link
$ ./scdbg -f test.sc -fopen bad.pdf -i
fopen(bad.pdf) = 4d565c
Loaded 312 bytes from file test.sc
Initialization Complete..
Interactive Hooks enabled
401083 GetFileSize(4) = 2031b
401112 GlobalAlloc(sz=2031b) = 60000
401118 SetFilePointer(hFile=4, dist=0, FILE_BEGIN)
401132 ReadFile(hFile=4, buf=60000, numBytes=2031b)
401147 CreateFile(x.exe)
Interactive mode local file: /tmp/WHhUmhtM
401158 WriteFile()
401176 WinExec(x.exe)
Memory monitoring - simple debug shell - ROP shellcode analysis - memory dump......
- Change log
- Win32 Binaries
- https://github.com/dzzie/VS_LIBEMU
- git clone git://github.com/dzzie/VS_LIBEMU.git
*nix/Cygwin Source/Binaries (100 hooks - inactive)
The older gcc compatible and cross-compilable version is available here (tested with cygwin/gcc 3.4 & 4.3, RHEL 2.6/gcc 4.1):
- win32 binaries
- https://github.com/dzzie/SCDBG
- git clone git://github.com/dzzie/SCDBG.git
Help screen below (see scdbg -h for current options):
scdbg is an adaption of the libemu library and sctest project
Libemu Copyright (C) 2007 Paul Baecher & Markus Koetter
scdbg developer: David Zimmer
Compile date: Apr 14 2011 21:02:02
/foff hexnum    starts execution at file offset
/mm             enabled Memory Monitor (logs access to key addresses)
/mdll           Monitor Dll - log direct access to dll memory (hook detection/patches)
/nc             no color (if using sending output to other apps)
/f fpath        load shellcode from file specified.
/o hexnum       base offset to use (default: 0x401000)
/redir ip:port  redirect connect to ip (port optional)
/i              enable interactive hooks
/v              verbosity, can be used up to 4 times, ex. /v /v /vv
/e int          verbosity on error (3 = debug shell)
/t int          time to delay (ms) between steps when v=1 or 2
/h              show this help
/ba hexnum      break above - breaks if eip > hexnum
/bp hexnum      set breakpoint on addr or api name (same as -laa -vvv)
/bs int         break on step (shortcut for -las -vvv)
/a              adjust offsets to file offsets not virtual
/d              dump unpacked shellcode (requires /f)
/las int        log at step ex. -las 100
/laa hexnum     log at address or api ex. -laa 0x401020 or -laa ReadFile
/s int          max number of steps to run (def=2000000, -1 unlimited)
/hex            show hex dumps for hook reads/writes
/findsc         detect possible shellcode buffers (brute force)
/dump           view hexdump of the target file (can be used with /foff)
/disasm int     Disasm int lines (can be used with /foff)
/fopen file     Opens a handle to for use with GetFileSize() scanners
/- /+           increments or decrements GetFileSize, can use multiple times
/hooks          dumps a list all implemented api hooks
/r              show analysis report at end of run
/pp             peb patch - required for some shellcodes (rare)
/b0             break if 00 00 add [eax],al
/patch fpath    load patch file for libemu memory
/dir folder     process all .sc files in echo results to .txt
dbg> shell prompt commands:
? - help, this help screen, h also works
v - change verbosity (0-4)
g - go - continue with v=0
s - step, continues execution, ENTER also works
c - reset step counter
r - execute till return (v=0 recommended)
u - unassembled address
b - break at address
m - reset max step count (-1 = infinate)
e - set eip
w - dWord dump,(32bit ints) prompted for hex base addr and then size
d - Dump Memory (hex dump) prompted for hex base addr and then size
x - execute x steps (use with reset step count)
t - set time delay (ms) for verbosity level 1/2
k - show stack
i - break at instruction (scans disasm for next string match)
f - dereF registers (show any common api addresses in regs)
o - step over
.lp - lookup - get symbol for address
.pl - reverse lookup - get address for symbol
.seh - shows current value at fs[0]
.reg - manually set register value
.poke1 - write a single byte to memory
.poke4 - write a 4 byte value to memory
.savemem - saves a memdump of specified range to file
q - quit