Friday, December 27, 2013

A powerful tool for analyzing malicious shellcode: scdbg

Original article: Link
What is scdbg?

scdbg is a multi-platform, open-source tool for emulating and analyzing shellcode. It is built on a virtual environment provided by the libemu library: it emulates a 32-bit processor, memory and a basic Windows API runtime so that shellcode can be executed virtually and its behaviour analyzed. With virtual execution, mom no longer has to worry about my computer catching a virus.
Basic principle
As everyone knows, shellcode has to call system APIs to achieve its purpose: no matter how it was transformed or encrypted beforehand, in the end it calls system APIs. scdbg detects the shellcode's behaviour by emulating its execution and hooking more than 200 APIs. Dangerous APIs such as file creation or network access are of course not really executed on the local machine; instead, fake return values are handed back to fool the shellcode into running smoothly.
Example
Just run scdbg.exe example.sc from the command line and look at the output:
The file example.sc is the shellcode saved in binary form. We can see that this shellcode calls a key function, CreateProcessA, twice: the first call runs tftp.exe to download winapi32.exe, the second prepares to execute it. A very typical download-and-execute behaviour. With scdbg we no longer have to spend a lot of time building a test environment, decoding the shellcode, debugging through all the branches and jumps, or worrying whether the machine gets infected... simple and clear.

Like any ordinary command-line tool, scdbg has many options; here we only do the most basic demonstration and won't list them one by one. Everyone has surely had painful experiences on the command line; the history of the command line is a history of blood and tears for rookies like me. Fortunately scdbg has a GUI version:

Specifying the offset and custom parameters is clear at a glance.

Highlights
A. Cross-platform and open source
Supports both unix and windows. Those who are fussy about keeping their system clean can safely set up an environment under unix to "tease" shellcode.
B. Document-format vulnerabilities
Using its interactive mode, scdbg can easily analyze the shellcode dropped by document-format exploits such as pdf, excel and word. What these exploits have in common is that they first call GetFileSize to find the handle of the host file and then proceed from there (that's how it works, right? :)). This feature seems to have plenty of use cases; the command line is as follows:
$ ./scdbg -f test.sc -fopen bad.pdf -i
fopen(bad.pdf) = 4d565c
Loaded 312 bytes from file test.sc
Initialization Complete..
Interactive Hooks enabled
401083  GetFileSize(4) = 2031b
401112  GlobalAlloc(sz=2031b) = 60000
401118  SetFilePointer(hFile=4, dist=0, FILE_BEGIN)
401132  ReadFile(hFile=4, buf=60000, numBytes=2031b)
401147  CreateFile(x.exe)
        Interactive mode local file: /tmp/WHhUmhtM
401158  WriteFile()
401176  WinExec(x.exe)
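To turn a log like the one above (and the two-call CreateProcessA download-and-execute run described earlier) into a quick triage verdict, here is an added Python example that is not part of the original post or of scdbg itself: it parses the hooked-call lines and flags the API sequences discussed on this page. The sample log is constructed from the run above, and the pattern labels are my own, not scdbg's report categories.

```python
import re
from collections import namedtuple
# Constructed sample in the format scdbg prints (values from the run above)
SAMPLE_LOG = """\
Loaded 312 bytes from file test.sc
401083  GetFileSize(4) = 2031b
401112  GlobalAlloc(sz=2031b) = 60000
401118  SetFilePointer(hFile=4, dist=0, FILE_BEGIN)
401132  ReadFile(hFile=4, buf=60000, numBytes=2031b)
401147  CreateFile(x.exe)
        Interactive mode local file: /tmp/WHhUmhtM
401158  WriteFile()
401176  WinExec(x.exe)
"""
# One hooked call per line: "<eip hex>  <Api>(<args>)[ = <ret>]"; other lines are skipped
CALL_RE = re.compile(r"^([0-9a-fA-F]+)\s+(\w+)\((.*)\)(?:\s*=\s*(\w+))?\s*$")
ApiCall = namedtuple("ApiCall", "eip api args ret")

# Ordered API sequences (other calls may interleave) that mark a behaviour; labels are my own
PATTERNS = {
    "host-file egg hunt (document exploit)": ["GetFileSize", "SetFilePointer", "ReadFile"],
    "drop and execute": ["CreateFile", "WriteFile", "WinExec"],
    "download and execute via CreateProcess": ["CreateProcessA", "CreateProcessA"],
}

def parse_calls(log):
    """Return the hooked API calls found in an scdbg log, in execution order."""
    calls = []
    for line in log.splitlines():
        m = CALL_RE.match(line)
        if m:
            eip, api, args, ret = m.groups()
            calls.append(ApiCall(int(eip, 16), api, args, ret))
    return calls

def classify(calls):
    """Labels of every pattern whose APIs occur in order (subsequence match)."""
    hits = []
    for label, seq in PATTERNS.items():
        pos = 0
        for call in calls:
            if pos < len(seq) and call.api == seq[pos]:
                pos += 1
        if pos == len(seq):
            hits.append(label)
    return hits

def artifacts(calls):
    """File names and commands the shellcode touched: the IOCs worth triaging."""
    return [c.args for c in calls if c.api in ("CreateFile", "WinExec", "CreateProcessA") and c.args]
```

Feed it the text captured from an scdbg run (with /nc so no colour codes get in the way) and the result is a short list of behaviours plus the file names to look for on a suspected host.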
Other important features
Memory monitor, a simple debug shell, ROP shellcode analysis, memory dumps......


Downloads
Windows Native Source/Binaries (201 hooks - current development branch)

*nix/Cygwin Source/Binaries (100 hooks - inactive)

The older gcc compatible and cross-compilable version is available here:
(tested with cygwin/gcc 3.4 & 4.3, RHEL 2.6/ gcc 4.1)

Help screen below: (see scdbg -h for current options)

 scdbg is an adaption of the libemu library and sctest project
 Libemu Copyright (C) 2007  Paul Baecher & Markus Koetter
 scdbg developer: David Zimmer
 Compile date: Apr 14 2011 21:02:02

 /foff hexnum          starts execution at file offset
 /mm                   enabled Memory Monitor (logs access to key addresses)
 /mdll                 Monitor Dll - log direct access to dll memory (hook detection/patches)
 /nc                   no color (if using sending output to other apps)
 /f fpath              load shellcode from file specified.
 /o hexnum             base offset to use (default: 0x401000)
 /redir ip:port        redirect connect to ip (port optional)
 /i                    enable interactive hooks
 /v                    verbosity, can be used up to 4 times, ex. /v /v /vv
 /e int                verbosity on error (3 = debug shell)
 /t int                time to delay (ms) between steps when v=1 or 2
 /h                    show this help
 /ba hexnum            break above - breaks if eip > hexnum
 /bp hexnum            set breakpoint on addr or api name (same as -laa  -vvv)
 /bs int               break on step (shortcut for -las  -vvv)
 /a                    adjust offsets to file offsets not virtual
 /d                    dump unpacked shellcode (requires /f)
 /las int              log at step ex. -las 100
 /laa hexnum           log at address or api ex. -laa 0x401020 or -laa ReadFile
 /s int                max number of steps to run (def=2000000, -1 unlimited)
 /hex                  show hex dumps for hook reads/writes
 /findsc               detect possible shellcode buffers (brute force)
 /dump                 view hexdump of the target file (can be used with /foff)
 /disasm int           Disasm int lines (can be used with /foff)
 /fopen file           Opens a handle to  for use with GetFileSize() scanners
 /- /+                 increments or decrements GetFileSize, can use multiple times
 /hooks                dumps a list all implemented api hooks
 /r                    show analysis report at end of run
 /pp                   peb patch - required for some shellcodes (rare)
 /b0                   break if 00 00 add [eax],al
 /patch fpath          load patch file  for libemu memory
 /dir  folder          process all .sc files in  echo results to .txt

   dbg> shell prompt commands:
        ? - help, this help screen, h also works
        v - change verbosity (0-4)
        g - go - continue with v=0
        s - step, continues execution, ENTER also works
        c - reset step counter
        r - execute till return (v=0 recommended)
        u - unassembled address
        b - break at address
        m - reset max step count (-1 = infinate)
        e - set eip
        w - dWord dump,(32bit ints) prompted for hex base addr and then size
        d - Dump Memory (hex dump) prompted for hex base addr and then size
        x - execute x steps (use with reset step count)
        t - set time delay (ms) for verbosity level 1/2
        k - show stack
        i - break at instruction (scans disasm for next string match)
        f - dereF registers (show any common api addresses in regs)
        o - step over
        .lp - lookup - get symbol for address
        .pl - reverse lookup - get address for symbol
        .seh - shows current value at fs[0]
        .reg - manually set register value
        .poke1 - write a single byte to memory
        .poke4 - write a 4 byte value to memory
        .savemem - saves a memdump of specified range to file
        q - quit


