 Hello, I'm Didier Stavens, senior handler with the Internet Storm Center. In this video, we are going to look at the shellcode emulator that I wrote a diary entry about. And here I'm using it on OS X, so I use the wine emulator to run the shellcode emulator like this. Now, there are also versions of this Windows program for OS X and for Linux, but I prefer to use the Windows version with wine on OS X because the Windows version of the shellcode emulator has more features, it supports more APIs than the Linux version. Sometimes you get this error, but you can just ignore this. So let's start debugging. So I have a shellcode here that I want to emulate, and I give option dash F to tell it that the shellcode is inside a file like this, and then it gets emulated. So you see that two zero F bytes were read from this file, that the maximum of two million steps, so that's two million instructions will be executed, that the shellcode was loaded at this address and then that it started to emulate it. And it will report the different Windows API functions that are called by the shellcode, like here load library A for WinInit. And then here we start an HTTP connection. You can see here the user agent string. And then here you can see the connection to the IP address and the port. And then it stops. And that's because we have reached the maximum step counter of two million and then the emulator stops. But we can change that with option S. Let's do this. With option S we can say how many steps that we want. We can say, for example, three million steps like this. And then maybe we will reach the end of our shellcode. But you can also say minus one. And minus one says that there is no limit on the number of instructions to execute like this. Okay. And now you can see we get further. So indeed we get an HTTP open request A to this part, which is send. And then this API function here gets executed. But that has not been hooked. So the emulator stops here. So but with this we know what the shellcode is doing. It is connecting to this IP address on this port, HTTP request to this part with this user agent string. And now the shellcode emulator here can also be used to look at the instructions themselves while they are executed. And I'm going to limit this to 10 instructions now and use option dash V. And then here you see the different instructions as they are being emulated. So a CLD, a call to this address. And then you can see a jump to this address here and then a pop EVP and pushes and so on. So this is not actually a disassembly. It's disassembly for each instruction that gets executed while it is emulated. So it's more like a trace. You can also get a real disassembly with option disasm. And then you tell it the number of instructions, for example 20. And then the first 20 instructions get disassembled. So you can see here the different CLD, a call to this address. But then, since this is not emulated but just disassembled, you can see the next instructions right directly after this call instruction. So here push A, push all on this address. So that was shellcode that uses HTTP to establish a connection. Now we are going to look at a dropper. So here I have written shellcode that will drop a temporary file. So we can run this like this. And now here you can quickly see what this shellcode does. It allocates memory, looks up a temporary part, allocates again memory and then creates a temporary file. And here you can see the name of this temporary file. When it creates this file, it writes data to that file, not a lot of data. I think that's about 26. One A x a decimal, 26 a decimal, it closes the handle and exceeds the process. Now this file has not been created. So this is just emulated. This file has not been created here on my machine. But of course with the dropper you would like to know what is inside that file. And that is possible with a shellcode emulator by using option I. I stands for interactive like this. You can see interactive hooks enabled. And now you get exactly the same output except for this here. When you see create file A, you see interactive mode, local file, SCtempfileDropper.drop underscore zero. So this is a temporary, this is an emulated file that was created in our current directory. You can find this here. Here is that file. And indeed 26 bytes. And we can take a look at the content like this. This is the drop content. So that's how you can look what the dropper writes to disk by using that interactive mode. Now that interactive mode also works for network connections, but for simple sockets. Not for the HTTP connections like we saw before. And to illustrate that, I have generated a shellcode with MSFVenom from Metasploit which establishes a reverse TCP connection for a shell. So let's try to emulate this. And here we have that shellcode. Sorry, I have to add option F because it's in file. And then indeed here you see that the socket library is loaded and initialized. And then here you can see that attempts to connect to this IP address on this port are done. Now this is again emulated. This is not done in real life. So this is not executed. It's emulated. But if you use option I, then it will indeed establish a connection. So the emulator will emulate those network connections. So I have a wire shark here capturing on my Wi-Fi and filtering here for TCP port 4444. So I'm going to launch in interactive mode the debugger for this shellcode like this. And then indeed you can see that packets, sync packets are send here to that IP address on port 4444. But that port is not open on that server. So nothing is actually happening. Let me interrupt this. Okay. And this too. And now you can still continue your analysis, go further in your analysis by trying to emulate the server side. And we're going to do this here. Let's go to this window. Here I have my TCP on iPod program that I have configured to listen on port 4444. And what it will do, it will, when it receives a first connection, send a banner. And this is the banner, sending banner. And then up to 10 requests it's received, it will send this as a reply, sending a reply. So let's start this on iPod. Like this. Okay. This listening wire shark, I'm going to stop. And here I'm going to listen on the loop back address. And then here now I will again execute my shellcode. So emulate my shellcode with interactive hooks. But I will also redirect. So with redir, I can say that all connections have to be redirected to this IP address. You can also specify a port here like this, but I'm not going to do this because we are going to use the same port like this. And then indeed we get something else for emulation. And if we look at wire shark, then here you can see that there was a TCP connection that was published and that data was sent. So here after the connection is made, the shellcode will receive four bytes. And then it allocates memory. And then again it tries to receive bytes thousand at a time. Now if you take a close look here at the size of the virtual memory that was allocated. You can see five, three, six, five, six, E, six, four. So that looks like ASCII. And it is indeed, it is actually so my header, the banner that I sent. So sending the banner, the five, three, that's the capital letter S, six, five, that is the letter E and so on. So this is actually sending. So what this shellcode does, it first reads four bytes from the TCP connection and then interprets those four bytes as a size and uses that to allocate memory. So I'm going to change here, I can show this in a TCP stream. You can see here sending banner and that was what was transmitted. So let's stop this and start this again. And now what I'm going to do here, let's interrupt my TCP honeypot. And I'm going to change this a bit. So what I'm going to do now here instead of sending banner, I'm going to send four bytes that are the data that I want to send. So the size. So you saw that the uppercase letter S from sending was actually the least significant byte in the size. So the 53 hexadecimal. So that means that this is here interpreted in little engine format. So I'm going to give a size of eight in little engine format with eight four bytes, sorry four byte integer. So that's zero eight and then three zero bytes like this. Okay. So that is what we are going to send. I can run the honeypot again, execute the shellcode again. So emulate the shellcode again like this. And indeed, so you see four bytes were read from the stream and then here this time eight bytes were allocated. And then attempt is made to read eight bytes, but nothing is sent anymore. So nothing happens. So what we are going to do now is send eight bytes after we sent the size here eight, we are going to send eight bytes. So let me interrupt my honeypot and let's change this. So here after that size, I'm going to send eight bytes A, B, C, D, E, F, G, like that. No, that's seven, H, that's, that is eight. That should be eight. One, two, three, four, no. This is eight. Okay. And now we can start that honeypot again here, execute this. Let's see four shark is still run. Okay, let's restart this and emulate this. Okay. And now indeed, we get an error here. This address not mapped. So an attempt was made to read this address and it was not executed. So if you take a closer look here, you see that buffers are located at this address 6, 0, 0, 0, 0, 0. And here execution fails as address 6, 0, 0, 0, 0, 8. So that is exactly after the number of bytes that we have given as data. So this is probably what's happening. That is that the shell code here over the TCP connection expects other shell code and then it executes that shell code. So the A, B, C, D, E, F, G, H that we sent was executed. And then afterwards, what came afterwards, well, that failed and gave that map error accessing this address here. So what we are going to do here, we're going to set a breakpoint at this address. It can be done as such. Breakpoint at address 6, 0, 0, 0, 0, 0. Like this. And rerun this again. Okay. And now indeed we get no error. We get a breakpoint at our address and you can see 41. So 41, that's uppercase letter A in ASCII. So if you type question mark, you can get all the commands you can execute here in the debugger. So I'm going to do a dump D, the address 6, 6 here and the size is 8. So indeed you can see here, this is the data that we transmitted. So by using this emulator here, we were able to figure out what this shell code is doing. So it's over the TCP connection reads data, the first four bytes are considered as the length of the data and the rest that is downloaded, that is code, shell code that is downloaded and then mapped into memory and executed. And I can quit this. If we go into wire shark, you can indeed here see the data was sent and also a reply afterwards. Okay. Thank you. Thank you. Bye. Bye. Bye. Bye. Bye.