Nytro Posted July 29, 2014 Report Posted July 29, 2014 Shellcode Detection and Emulation with LibemuIntroduction Libemu is a library which can be used for x86 emulation and shellcode detection. Libemu can be used in IDS/IPS/Honeypot systems for emulating the x86 shellcode, which can be further processed to detect malicious behavior. It can also be used together with Wireshark to pull shellcode off the wire to be analyzed, analyze shellcode inside malicous .rtf/.pdf documents, etc. It has a lot of use-cases and is used in numerous open-source projects like dionaea, thug, peepdf, pyew, etc., and it plays an integral part in shellcode analysis. Libemu can detect and execute shellcode by using the GetPC heuristics, as we will see later in the article. The very first thing we can do is download Libemu via Git with the following command: [TABLE][TR][TD=class: gutter]1[/TD][TD=class: code]# git clone git://git.carnivore.it/libemu.git[/TD][/TR][/TABLE] If we would like to know how much code has been written for this project, we can simply execute sloccount, which will output the number of lines for each subdirectory and a total of 43,742 AnsiC code lines and 15 Python code lines. If we would rather take a look at nice graphs, we can visit the Ohloh web page to see something like below, where it’s evident that about 50k lines of code has been written. The installation instructions can be found at [1], which is why we won’t describe them in this article. We can also install the Pylibemu, so we can interact with Libemu directly from Python.Articol complet: Shellcode Detection and Emulation with Libemu - InfoSec Institute Quote
