Awesome
Scanr
Detect x86 shellcode in files and traffic.
Usage
> python main.py --help
Usage: main.py [-h] [-f OBJ_PATH] [-o START_OFFSET] [-l LIMIT] [-d]
[-i INTERFACE] [-c CAPTURE]
Windows shellcode emulation and detection tool
optional arguments:
-h, --help show this help message and exit
-f OBJ_PATH input file
-o START_OFFSET shellcode start offset
-l LIMIT max instructions to analyze
-d enable debug mode
-i INTERFACE network interface
-c CAPTURE network capture
Example: python main.py -c test-http-get.pcap
Output
python main.py -d -f call4_dword_xor_shell
[!] Starting analysis in file mode
[*] Analyzing file <open file 'call4_dword_xor_shell', mode 'r' at 0x10ed2bdb0>
[+] Found 1 potential offsets:
0x00000000
0x0 : xor ecx, ecx
0x2 : sub ecx, -0x54
0x5 : call 9
0xa : rcr byte ptr [esi - 0x7f], 0x76
0xe : push cs
0xf : js 0xfffffff5
0x11 : dec eax
0x12 : mov eax, dword ptr [0xe2fcee83]
0x17 : hlt
0x18 : test byte ptr [edx + ecx*8], cl
0x1b : mov eax, dword ptr [0x2828e478]
0x20 : popfd
0x21 : aad 0x88
[!] Trying with offset number 0 at 0x00000000
[*] Emulator processing shellcode
0x2000: xor ecx, ecx
0x2002: sub ecx, -0x54
0x2005: call 4
0x2009: inc eax
0x200b: pop esi
mem READ: 0x4, data size = 4, data value = 0x0
near deref:
0a 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x200c: xor dword ptr [esi + 0xe], 0xa148e478
mem READ: 0x2018, data size = 4, data value = 0x0
near deref:
84 0c ca a1 78 e4 28 28 9d d5 88 c5 f3 b4 78 2a
[!] Self-modyfying code heuristic triggered!
0x2013: sub esi, -4
0x2016: loop 0xfffffff6
0x200c: xor dword ptr [esi + 0xe], 0xa148e478
mem READ: 0x201c, data size = 4, data value = 0x0
near deref:
78 e4 28 28 9d d5 88 c5 f3 b4 78 2a 2a e8 c3 f3
# skipped..
[!] Self-modyfying code heuristic triggered!
0x2013: sub esi, -4
0x2016: loop 0xfffffff6
0x200c: xor dword ptr [esi + 0xe], 0xa148e478
mem READ: 0x2164, data size = 4, data value = 0x0
near deref:
ad e4 48 a1 cc cc cc cc 00 00 00 00 00 00 00 00
[!] Self-modyfying code heuristic triggered!
0x2013: sub esi, -4
0x2016: loop 0xfffffff6
0x2018: cld
0x2019: call 0x87
0x20a0: pop ebp
[!] GetPC (callpop) heuristic triggered!
mem READ: 0x4, data size = 4, data value = 0x0
near deref:
1e 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x20a1: push 0x3233
0x20a6: push 0x5f327377
0x20ab: push esp
0x20ac: push 0x726774c
0x20b1: call ebp
0x201e: pushal
0x201f: mov ebp, esp
0x2021: xor eax, eax
0x2023: mov edx, dword ptr fs:[eax + 0x30]
[!] PEB accessed!
mem READ: 0x30, data size = 4, data value = 0x0
near deref:
30 00 00 00 00 00 00 00 00 00 00 00 3c 00 00 00
0x2027: mov edx, dword ptr [edx + 0xc]
[!] PEB_Ldr accessed!
[!] HEUR level 3, shellcode detected. Exiting!
mem READ: 0x3c, data size = 4, data value = 0x0
near deref:
3c 00 00 00 00 00 00 00 00 00 00 00 48 00 00 00
[+] Processed!
Shellcode address ranges:
low: 0x2018
high: 0x2164
Decoded shellcode:
0x0 : cld
0x1 : call 0x88
0x6 : pushal
0x7 : mov ebp, esp
0x9 : xor eax, eax
0xb : mov edx, dword ptr fs:[eax + 0x30]
0xf : mov edx, dword ptr [edx + 0xc]
0x12 : mov edx, dword ptr [edx + 0x14]
0x15 : mov esi, dword ptr [edx + 0x28]
0x18 : movzx ecx, word ptr [edx + 0x26]
0x1c : xor edi, edi
0x1e : lodsb al, byte ptr [esi]
# skipped..
[+] Finished analysis, took 0.067544 seconds