sctest, a tool in libemu
I recently tested sctest, the shellcode-processing tool that ships with libemu.
The usage is as follows:
sctest -gS -s 10000 -v -G test.dot
There are several steps before that (a friend had to help me out with these!).
Say I have a file called hexdump.txt.
Try with 10,000 steps:
$ sctest -Ss 10000 -g < hexdump.txt
verbose = 0 success
offset = 0x00000005
stepcount 10000
Trying with 100,000 steps, we get this:
$ sctest -Ss 100000 -gv < hexdump.txt
verbose = 1 success
offset = 0x00000005
stepcount 100000
HMODULE LoadLibraryA ( LPCTSTR lpFileName = 0x0012fe80 => = "ws2_32"; ) = 0x71a10000;
int WSAStartup ( WORD wVersionRequested = 2; LPWSADATA lpWSAData = 1244276; ) = 0;
SOCKET WSASocket ( int af = 2; int type = 1; int protocol = 0; LPWSAPROTOCOL_INFO lpProtocolInfo = 0; GROUP g = 0; DWORD dwFlags = 0; ) = 66;
int bind ( SOCKET s = 66; struct sockaddr_in * name = 0x0012fe6c => struct = { short sin_family = 2; unsigned short sin_port = 23569 (port=4444); struct in_addr sin_addr = { unsigned long s_addr = 0 (host=0.0.0.0); }; char sin_zero = " "; }; int namelen = 16; ) = 0;
int listen ( SOCKET s = 66; int backlog = 2; ) = 0;
SOCKET accept ( SOCKET s = 66; struct sockaddr * addr = 0x0012fe4c => struct = { }; int addrlen = 0x0012fe50 => none; ) = 68;
int closesocket ( SOCKET s = 66; ) = 0;
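The trace above already tells an analyst what the sample does: it loads ws2_32, creates a socket, binds it to 0.0.0.0 on port 4444, listens and accepts a connection, i.e. a bind shell listener. When you process many samples it helps to pull those facts out of the trace automatically. The following Python script is an added example, not code from this post or from libemu: it parses sctest's API trace lines (assumed to have the `type name ( args ) = value;` shape shown above, one call per line), converts the dumped sin_port value to the real TCP port, and summarises the network behaviour. The sample trace is constructed from the output above; the connect() branch is an assumption about how sctest dumps that call and is included so reverse-connection traces get the same summary.

```python
import re
import struct

# Constructed sample: the sctest API trace for the bind-shell sample discussed
# above, one call per line (this is how sctest prints it).
SAMPLE_TRACE = """\
HMODULE LoadLibraryA ( LPCTSTR lpFileName = 0x0012fe80 => = "ws2_32"; ) = 0x71a10000;
int WSAStartup ( WORD wVersionRequested = 2; LPWSADATA lpWSAData = 1244276; ) = 0;
SOCKET WSASocket ( int af = 2; int type = 1; int protocol = 0; LPWSAPROTOCOL_INFO lpProtocolInfo = 0; GROUP g = 0; DWORD dwFlags = 0; ) = 66;
int bind ( SOCKET s = 66; struct sockaddr_in * name = 0x0012fe6c => struct = { short sin_family = 2; unsigned short sin_port = 23569 (port=4444); struct in_addr sin_addr = { unsigned long s_addr = 0 (host=0.0.0.0); }; char sin_zero = " "; }; int namelen = 16; ) = 0;
int listen ( SOCKET s = 66; int backlog = 2; ) = 0;
SOCKET accept ( SOCKET s = 66; struct sockaddr * addr = 0x0012fe4c => struct = { }; int addrlen = 0x0012fe50 => none; ) = 68;
int closesocket ( SOCKET s = 66; ) = 0;
"""

# Every call line has the shape "<ret type> <name> ( <args> ) = <value>;".
# The greedy .* lets nested parentheses such as "(port=4444)" live inside args;
# the closing ")" is the last one before " = <value>;".
CALL_RE = re.compile(
    r"^\s*(?P<rtype>[\w*]+)\s+(?P<name>\w+)\s*\((?P<args>.*)\)\s*=\s*(?P<ret>[^;]+);\s*$"
)
PORT_RE = re.compile(r"sin_port\s*=\s*(\d+)")
HOST_RE = re.compile(r"host=([\d.]+)")
SOCKET_RE = re.compile(r"SOCKET s\s*=\s*(\d+)")


def parse_trace(text):
    """Split an sctest API trace into one dict per call line.

    Non-call lines such as "verbose = 1 success" or "stepcount 100000" are skipped.
    """
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if not m:
            continue
        calls.append({k: m.group(k).strip() for k in ("rtype", "name", "args", "ret")})
    return calls


def wire_port(raw_sin_port):
    """sin_port is dumped as the 16-bit value read from the emulated x86 stack
    (little-endian), but the field holds the port in network byte order, so the
    bytes must be swapped: 23569 (0x5C11) -> 4444 (0x115C)."""
    return struct.unpack(">H", struct.pack("<H", raw_sin_port))[0]


def decode_sockaddr(args):
    """Return (host, port) from a dumped sockaddr_in inside args, or None."""
    p = PORT_RE.search(args)
    if not p:
        return None
    h = HOST_RE.search(args)
    return (h.group(1) if h else None, wire_port(int(p.group(1))))


def summarize(calls):
    """Derive the facts a defender wants: libraries loaded, listeners, connects."""
    summary = {"libraries": [], "listeners": [], "connects": [], "calls": []}
    bound = {}  # socket handle -> (host, port) recorded at bind()
    for c in calls:
        summary["calls"].append(c["name"])
        if c["name"] == "LoadLibraryA":
            lib = re.search(r'"([^"]*)"', c["args"])
            if lib:
                summary["libraries"].append(lib.group(1))
        elif c["name"] == "bind":
            s, addr = SOCKET_RE.search(c["args"]), decode_sockaddr(c["args"])
            if s and addr:
                bound[s.group(1)] = addr
        elif c["name"] == "listen":
            s = SOCKET_RE.search(c["args"])
            if s and s.group(1) in bound:
                summary["listeners"].append(bound[s.group(1)])
        elif c["name"] == "connect":
            # Assumption: sctest dumps connect()'s sockaddr_in with the same
            # sin_port/host fields as bind(); not present in the trace above.
            addr = decode_sockaddr(c["args"])
            if addr:
                summary["connects"].append(addr)
    return summary


def classify(summary):
    """One-line verdict on the observed socket behaviour."""
    if summary["listeners"]:
        host, port = summary["listeners"][0]
        return f"bind shell: listens on {host}:{port}"
    if summary["connects"]:
        host, port = summary["connects"][0]
        return f"reverse connection to {host}:{port}"
    return "no socket listener or outbound connection observed"


if __name__ == "__main__":
    s = summarize(parse_trace(SAMPLE_TRACE))
    print(" -> ".join(s["calls"]))
    print("libraries:", s["libraries"])
    print(classify(s))
```

Run it on the sctest output of your own sample (redirect the output of sctest to a file and feed it to parse_trace) to get the same call chain, library list and verdict without reading the trace by hand.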
Now let us create a flow graph. This time we add the -G flag.
$ sctest -Ss 100000 -gvG bla.dot < hexdump.txt
You will get a file, bla.dot. Using the Graphviz package you can then choose whether to use fdp, circo or neato to create your flow graph; I am comfortable with dot. Remember, since we may create a lot of flow lines, include splines=true in your dot file.
I got a graph as above.
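Adding splines=true by hand to every generated dot file gets old quickly. As an added example (not code from this post, libemu or Graphviz), the Python below inserts the graph attribute right after the digraph header of a dot file, replacing an existing splines setting if there is one so the file never ends up with two conflicting values, and builds the Graphviz command line for the layout engine you pick. The sample dot text is constructed; it assumes sctest writes a standard "digraph ... {" header, and only a standalone "splines=...;" line is recognised as an existing setting.

```python
import re

# Constructed stand-in for the start of a sctest -G output file; a real bla.dot
# has many more node and edge lines.  Header shape is an assumption.
SAMPLE_DOT = """\
digraph G {
    node [shape=box];
    "0x00000005" -> "0x00000010";
    "0x00000010" -> "0x00000005";
}
"""

LAYOUTS = ("dot", "neato", "fdp", "circo")  # the Graphviz engines named above

GRAPH_HEADER_RE = re.compile(r"^\s*(strict\s+)?(di)?graph\b[^{]*\{", re.IGNORECASE)
SPLINES_RE = re.compile(r"^(\s*)splines\s*=\s*\w+\s*;?\s*$")


def ensure_splines(dot_text, value="true"):
    """Return dot_text with exactly one top-level 'splines=<value>;' line.

    An existing standalone splines line is rewritten in place (a later graph
    attribute would override an earlier one, so we never leave two); otherwise
    the line is inserted directly after the graph header.
    """
    lines = dot_text.splitlines()
    for i, line in enumerate(lines):
        m = SPLINES_RE.match(line)
        if m:
            lines[i] = f"{m.group(1)}splines={value};"
            return "\n".join(lines) + "\n"
    for i, line in enumerate(lines):
        if GRAPH_HEADER_RE.match(line):
            lines.insert(i + 1, f"    splines={value};")
            return "\n".join(lines) + "\n"
    raise ValueError("no graph header found in dot text")


def render_command(dot_path, out_path, layout="dot", fmt="png"):
    """Build the argv for rendering, e.g. ['dot', '-Tpng', '-o', 'bla.png', 'bla.dot']."""
    if layout not in LAYOUTS:
        raise ValueError(f"unknown layout engine {layout!r}; choose one of {LAYOUTS}")
    return [layout, f"-T{fmt}", "-o", out_path, dot_path]


if __name__ == "__main__":
    import subprocess
    import sys

    src = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(src).read() if src else SAMPLE_DOT
    fixed = ensure_splines(text)
    out_dot = (src or "sample") + ".splines.dot"
    with open(out_dot, "w") as fh:
        fh.write(fixed)
    cmd = render_command(out_dot, out_dot.replace(".dot", ".png"))
    print("running:", " ".join(cmd))
    subprocess.run(cmd, check=True)  # requires Graphviz on PATH
```

Pass the path of bla.dot as the first argument; the script writes the patched copy beside it and calls the chosen engine on it.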