Nytro Posted February 16, 2016

Dynamic shellcode analysis

In this article, we will study a shellcode using dynamic analysis. This analysis includes a description of Miasm internals, which explains its length. The shellcode is in the archive dyn_sc_shellcodes.zip, protected with the password infected. The final script is here: dyn_sc_run.py

Overview:
- First blood
- Symbolic Execution
- Emulation
- Deeper in the Shellcode
- Party Hard
- Final words

This analysis is based on Miasm revision 2cf6970.

First blood

Here is a raw dump of the shellcode:

00000000 50 59 49 49 49 49 49 49 49 49 49 49 49 49 49 49 |PYIIIIIIIIIIIIII|
00000010 49 49 37 51 5a 6a 41 58 50 30 41 30 41 6b 41 41 |II7QZjAXP0A0AkAA|
00000020 51 32 41 42 32 42 42 30 42 42 41 42 58 50 38 41 |Q2AB2BB0BBABXP8A|
00000030 42 75 4a 49 62 78 6a 4b 64 58 50 5a 6b 39 6e 36 |BuJIbxjKdXPZk9n6|
00000040 6c 49 4b 67 4b 30 65 6e 7a 49 42 54 46 6b 6c 79 |lIKgK0enzIBTFkly|
00000050 7a 4b 77 73 77 70 77 70 4c 6c 66 54 57 6c 4f 5a |zKwswpwpLlfTWlOZ|
00000060 39 72 6b 4a 6b 4f 59 42 5a 63 48 68 58 63 59 6f |9rkJkOYBZcHhXcYo|
00000070 59 6f 4b 4f 7a 55 76 77 45 4f 67 6c 77 6c 43 72 |YoKOzUvwEOglwlCr|
...

We can note that this shellcode is in pure ASCII. Let's disassemble its first basic block:

python miasm/example/disasm/full.py -m x86_32 shellcode.bin --blockwatchdog 1

This gives the following graph (file graph_execflow.dot):

(figure: First basic block of the shellcode)

Note the PUSH EAX / POP ECX used to mimic a MOV ECX, EAX while keeping a pure ASCII encoding. As we can see, the shellcode starts with some computations and will xor a memory cell:

00000019 XOR BYTE PTR [ECX+0x30], AL

We could analyze it manually or dynamically. For the exercise, we will try to determine which pointer is manipulated here. Now, the question is: where does the value ECX + 0x30 point to?
In Miasm, there are at least two ways to answer this:
- using symbolic execution from the beginning of the shellcode to retrieve the equation of ECX at address 0x19;
- using the DependencyGraph, whose goal is to track all the lines that contribute to the value of a selected variable. We won't introduce this module here, because a future post will be dedicated to it.

Full article: http://www.miasm.re/blog/2016/02/12/dynamic_shellcode_analysis.html
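To make the symbolic-execution route concrete without requiring Miasm, here is an added example (it is neither the post's dyn_sc_run.py nor Miasm code) that symbolically executes the first basic block of the shellcode, transcribed from the hex dump above, and stops at the XOR to report the expression of ECX and of the written address. Registers are modelled as "initial register value plus constant" pairs, which is all this straight-line block needs; Miasm's SymbolicExecutionEngine does the same job with a full expression language and complete instruction semantics. The decoding of the dump bytes (PUSH EAX, POP ECX, sixteen DEC ECX, AAA, PUSH ECX, POP EDX, PUSH 0x41, POP EAX, PUSH EAX, XOR BYTE PTR [ECX+0x30], AL) follows from the opcodes shown; the idea that EAX holds the shellcode's own address on entry is an assumption used only to interpret the result.

```python
"""Minimal symbolic execution of the shellcode's first basic block.

Each register holds a Sym: an unknown initial register value (or None for a
pure constant) plus a 32-bit constant offset. Linear tracking is enough to
answer "where does ECX + 0x30 point?" for this straight-line block.
"""

REGS = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]

# First 0x1c bytes, transcribed from the hex dump in the post (ends with the XOR at 0x19).
SHELLCODE = bytes.fromhex(
    "50 59 49 49 49 49 49 49 49 49 49 49 49 49 49 49"
    "49 49 37 51 5a 6a 41 58 50 30 41 30"
)


class Sym:
    """Symbolic 32-bit value: `base` names an initial register (or an opaque
    result), None means a constant; `off` is added modulo 2**32."""

    def __init__(self, base, off=0):
        self.base, self.off = base, off & 0xFFFFFFFF

    def add(self, k):
        return Sym(self.base, self.off + k)

    def __eq__(self, other):
        return (self.base, self.off) == (other.base, other.off)

    def __repr__(self):
        if self.base is None:
            return hex(self.off)
        signed = self.off - (1 << 32) if self.off & 0x80000000 else self.off
        sign = "+" if signed >= 0 else "-"
        return f"{self.base} {sign} {abs(signed):#x}"


def signed8(b):
    """Interpret one byte as a sign-extended imm8/disp8."""
    return b - 0x100 if b & 0x80 else b


def symbolic_run(code):
    """Run until the first memory write and return (pc, registers, address expression).

    Only the opcodes present in this block are implemented: PUSH/POP r32,
    INC/DEC r32, PUSH imm8, AAA and XOR r/m8, r8 with an 8-bit displacement.
    """
    regs = {r: Sym(f"{r}_init") for r in REGS}
    stack = []  # symbolic stack, top of stack at the end of the list
    pc = 0
    while pc < len(code):
        op = code[pc]
        if 0x50 <= op <= 0x57:  # PUSH r32
            stack.append(regs[REGS[op - 0x50]])
            regs["ESP"] = regs["ESP"].add(-4)
            pc += 1
        elif 0x58 <= op <= 0x5F:  # POP r32
            regs[REGS[op - 0x58]] = stack.pop()
            regs["ESP"] = regs["ESP"].add(4)
            pc += 1
        elif 0x48 <= op <= 0x4F:  # DEC r32
            r = REGS[op - 0x48]
            regs[r] = regs[r].add(-1)
            pc += 1
        elif 0x40 <= op <= 0x47:  # INC r32
            r = REGS[op - 0x40]
            regs[r] = regs[r].add(1)
            pc += 1
        elif op == 0x6A:  # PUSH imm8 (sign-extended to 32 bits)
            stack.append(Sym(None, signed8(code[pc + 1])))
            regs["ESP"] = regs["ESP"].add(-4)
            pc += 2
        elif op == 0x37:  # AAA: non-linear adjustment of AX, so EAX becomes opaque
            regs["EAX"] = Sym("AAA(EAX)")
            pc += 1
        elif op == 0x30:  # XOR r/m8, r8
            modrm = code[pc + 1]
            mod, rm = modrm >> 6, modrm & 7
            if mod != 1 or rm == 4:  # only [reg + disp8], no SIB byte
                raise NotImplementedError(f"unsupported modrm {modrm:#x} at {pc:#x}")
            addr = regs[REGS[rm]].add(signed8(code[pc + 2]))
            return pc, dict(regs), addr  # first memory write: stop here
        else:
            raise NotImplementedError(f"opcode {op:#x} at {pc:#x}")
    raise RuntimeError("block ended without a memory write")


if __name__ == "__main__":
    pc, regs, addr = symbolic_run(SHELLCODE)
    print(f"memory write at {pc:#x}: ECX = {regs['ECX']}, AL = {regs['EAX']}")
    print(f"XOR target address = {addr}")
```

Running it stops at 0x19 with ECX = EAX_init - 0x10 and a target address of EAX_init + 0x20, with AL holding the constant 0x41. Under the assumption that EAX points at the shellcode itself when it starts executing, the XOR therefore rewrites the byte at offset 0x20 of the shellcode, i.e. this first block is a self-modifying decoder stub. That is exactly why a static disassembly past the first basic block cannot be trusted for this sample and why the post moves on to emulation.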