scemu
x86 32/64-bit emulator for securely emulating shellcodes.
Features
- 📦 Rust safety, a good fit for handling malware.
  - All dependencies are in Rust.
  - Zero unsafe{} blocks.
- ⚡ Very fast emulation (much faster than Unicorn):
  - 3,000,000 instructions/second.
  - 100,000 instructions/second while printing every instruction with -vv.
- Powered by the iced-x86 Rust disassembler, an awesome library.
- Iteration detector.
- Memory and register tracking.
- Colorized output.
- Stop at a specific moment and explore the state or modify it.
- 174 instructions implemented.
- 112 WinAPI functions implemented across 5 DLLs.
- All Linux syscalls.
- SEH chains.
- Vectored exception handler.
- PEB and TEB structures.
- Memory allocator.
- Reacts to int3.
- Faked cpuid results, so cpuid-based anti-debug checks do not detect the emulator.
- Tests with known payloads:
  - Metasploit shellcodes.
  - Metasploit encoders.
  - Cobalt Strike.
  - shellgen.
  - GuLoader (not fully yet, but it gets further than a debugger does).
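As an added example (not scemu's own code), here is what an iteration detector like the one listed above amounts to: it watches the instruction pointer of every executed instruction, counts backward control transfers to the same target, and reports when a loop head passes a threshold, which is the moment to stop and inspect a decoder loop rather than single-step through it. The addresses and the trace are constructed for the example.

```rust
use std::collections::HashMap;

/// Added example, not scemu's code: a minimal iteration detector. It counts
/// backward control transfers to the same target, which is what a
/// decoder/decryptor loop looks like in a trace.
pub struct IterationDetector {
    threshold: u64,
    prev_ip: Option<u64>,
    counts: HashMap<u64, u64>, // loop head -> backward jumps that landed on it
}

impl IterationDetector {
    pub fn new(threshold: u64) -> Self {
        IterationDetector { threshold, prev_ip: None, counts: HashMap::new() }
    }

    /// Feed the address of the instruction about to run. Returns the loop head
    /// and its count exactly once, when the count reaches the threshold.
    /// Caveat: any backward transfer counts, so a call to a lower address
    /// inside the loop body also shows up as a (low-count) entry.
    pub fn step(&mut self, ip: u64) -> Option<(u64, u64)> {
        let hit = match self.prev_ip {
            Some(prev) if ip < prev => {
                let c = self.counts.entry(ip).or_insert(0);
                *c += 1;
                if *c == self.threshold { Some((ip, *c)) } else { None }
            }
            _ => None,
        };
        self.prev_ip = Some(ip);
        hit
    }

    /// Backward jumps seen so far that landed on `head`.
    pub fn iterations(&self, head: u64) -> u64 {
        self.counts.get(&head).copied().unwrap_or(0)
    }
}

/// Constructed trace: a three-instruction decoder loop at 0x401000 whose last
/// instruction jumps back to the head, executed five times, then fall-through code.
pub fn demo_trace() -> Vec<u64> {
    let mut t = Vec::new();
    for _ in 0..5 {
        t.extend_from_slice(&[0x401000, 0x401003, 0x401006]);
    }
    t.extend_from_slice(&[0x401008, 0x40100b]);
    t
}

/// Runs the detector over the trace; returns the first threshold hit and the
/// final count for the loop head.
pub fn run_demo() -> (Option<(u64, u64)>, u64) {
    let mut det = IterationDetector::new(3);
    let mut first = None;
    for ip in demo_trace() {
        if let Some(hit) = det.step(ip) {
            first.get_or_insert(hit);
        }
    }
    let n = det.iterations(0x401000);
    (first, n)
}

fn main() {
    let (hit, n) = run_demo();
    println!("first threshold hit: {:x?}, backward jumps to loop head: {}", hit, n);
}
```

With a threshold of 3 the constructed five-iteration loop is reported on its fourth entry, and the final count of 4 is one less than the number of passes through the body, since the first pass is not a jump back.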
Some use cases
scemu emulates a simple shellcode and detects the execve() interrupt.
We select the instruction number at which to stop and inspect the memory.
After emulating nearly 2 million instructions of GuLoader's win32 payload on Linux, faking cpuid results and getting past other tricks along the way, it reaches a SIGTRAP meant to confuse debuggers.
Example of a memory dump of the API loader.
There are several memory maps by default, and more can be created with APIs like LoadLibraryA or manually from the console.
Emulating a basic Windows shellcode based on LdrLoadDll() that prints a message:
The console allows viewing and editing the current state of the CPU:
--- console ---
=>h
--- help ---
q ...................... quit
cls .................... clear screen
h ...................... help
s ...................... stack
v ...................... vars
r ...................... register show all
r reg .................. show reg
rc ..................... register change
f ...................... show all flags
fc ..................... clear all flags
fz ..................... toggle flag zero
fs ..................... toggle flag sign
c ...................... continue
ba ..................... breakpoint on address
bi ..................... breakpoint on instruction number
bmr .................... breakpoint on read memory
bmw .................... breakpoint on write memory
bc ..................... clear breakpoint
n ...................... next instruction
eip .................... change eip
push ................... push dword to the stack
pop .................... pop dword from stack
fpu .................... fpu view
md5 .................... check the md5 of a memory map
seh .................... view SEH
veh .................... view vectored exception pointer
m ...................... memory maps
ma ..................... memory allocs
mc ..................... memory create map
mn ..................... memory name of an address
ml ..................... memory load file content to map
mr ..................... memory read, specify ie: dword ptr [esi]
mw ..................... memory write, specify ie: dword ptr [esi] and then: 1af
md ..................... memory dump
mrd .................... memory read dwords
mds .................... memory dump string
mdw .................... memory dump wide string
mdd .................... memory dump to disk
mt ..................... memory test
ss ..................... search string
sb ..................... search bytes
sba .................... search bytes in all the maps
ssa .................... search string in all the maps
ll ..................... linked list walk
d ...................... disassemble
dt ..................... dump structure
enter .................. step into
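The use cases above (stopping on the execve() interrupt, inspecting the memory maps, and breaking on memory access from the console) can be pictured with a small Rust model. It is an added example, not scemu's code: it implements named maps with the `mc`, `mn`, `mw` and `mds` operations, read/write memory breakpoints in the spirit of `bmr`/`bmw`, and the `int 0x80` check that recognizes execve on 32-bit Linux (syscall number 11 in eax, path pointer in ebx). The map names, addresses and shellcode string are constructed for the example; the real console takes these arguments interactively.

```rust
/// Added example, not scemu's code: a toy model of the console's memory maps
/// (`mc`, `mn`, `mw`, `mds`) and memory breakpoints (`bmr`, `bmw`), plus the
/// `int 0x80` check behind the execve() use case.
pub struct MemMap { pub name: String, pub base: u32, pub data: Vec<u8> }

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Break { Read(u32), Write(u32) }

#[derive(Default)]
pub struct Maps {
    maps: Vec<MemMap>,
    bp_read: Option<u32>,   // armed with `bmr`
    bp_write: Option<u32>,  // armed with `bmw`
    pub hit: Option<Break>, // set when an access touches an armed address
}

impl Maps {
    /// `mc`: create a zero-filled map; overlapping or wrapping ranges are refused.
    pub fn create(&mut self, name: &str, base: u32, size: u32) -> bool {
        let end = match base.checked_add(size) { Some(e) => e, None => return false };
        let clash = |m: &MemMap| base < m.base.saturating_add(m.data.len() as u32) && m.base < end;
        if self.maps.iter().any(clash) { return false; }
        self.maps.push(MemMap { name: name.to_string(), base, data: vec![0; size as usize] });
        true
    }

    /// `mn`: name of the map containing `addr`.
    pub fn name_of(&self, addr: u32) -> Option<String> {
        self.locate(addr, 1).map(|(i, _)| self.maps[i].name.clone())
    }

    /// Map index and offset of an access that must lie entirely inside one map.
    fn locate(&self, addr: u32, len: u32) -> Option<(usize, usize)> {
        let end = addr.checked_add(len)?;
        self.maps.iter().enumerate().find_map(|(i, m)| {
            let mend = m.base.checked_add(m.data.len() as u32)?;
            (addr >= m.base && end <= mend).then(|| (i, (addr - m.base) as usize))
        })
    }

    /// Record a breakpoint hit if `bp` falls inside [addr, addr+len).
    fn note(&mut self, bp: Option<u32>, addr: u32, len: u32, mk: fn(u32) -> Break) {
        if let Some(b) = bp {
            if b >= addr && b - addr < len { self.hit = Some(mk(b)); }
        }
    }

    /// `mw`: write bytes; false means the access was unmapped (a fault).
    pub fn write(&mut self, addr: u32, bytes: &[u8]) -> bool {
        let len = bytes.len() as u32;
        let (i, off) = match self.locate(addr, len) { Some(x) => x, None => return false };
        self.maps[i].data[off..off + bytes.len()].copy_from_slice(bytes);
        self.note(self.bp_write, addr, len, Break::Write);
        true
    }

    /// `mds`: NUL-terminated string, capped at `max` bytes so a missing NUL
    /// cannot scan forever; an unmapped byte aborts the read.
    pub fn read_string(&mut self, addr: u32, max: u32) -> Option<String> {
        let mut out = Vec::new();
        for a in addr..addr.saturating_add(max) {
            let (i, off) = self.locate(a, 1)?;
            match self.maps[i].data[off] { 0 => break, c => out.push(c) }
        }
        self.note(self.bp_read, addr, out.len() as u32 + 1, Break::Read);
        Some(String::from_utf8_lossy(&out).into_owned())
    }

    pub fn break_on_read(&mut self, addr: u32) { self.bp_read = Some(addr); }
    pub fn break_on_write(&mut self, addr: u32) { self.bp_write = Some(addr); }
}

pub struct Regs { pub eax: u32, pub ebx: u32 }

/// `int 0x80` on 32-bit Linux: eax is the syscall number (11 = execve on i386)
/// and ebx the filename pointer. A returned path is the cue to stop and inspect.
pub fn on_int80(regs: &Regs, mem: &mut Maps) -> Option<String> {
    const SYS_EXECVE: u32 = 11;
    if regs.eax == SYS_EXECVE { mem.read_string(regs.ebx, 256) } else { None }
}

/// Constructed scenario: the shellcode has pushed "/bin//sh\0" onto its stack and
/// reaches `int 0x80`; we then arm `bmw` on the string and watch a patch land.
pub fn demo() -> (Option<String>, Option<String>, Option<Break>, bool) {
    let mut mem = Maps::default();
    assert!(mem.create("code", 0x0804_8000, 0x1000));
    assert!(mem.create("stack", 0xbfff_f000, 0x1000));
    let path = 0xbfff_f800;
    assert!(mem.write(path, b"/bin//sh\0"));
    let exec = on_int80(&Regs { eax: 11, ebx: path }, &mut mem);
    let owner = mem.name_of(path);
    mem.break_on_write(path + 4);
    assert!(mem.write(path + 4, b"/ls\0"));
    let unmapped = mem.write(0x1000, b"x"); // nothing mapped there: a fault
    (exec, owner, mem.hit, unmapped)
}

fn main() {
    let (exec, owner, hit, unmapped) = demo();
    println!("execve({:?}) in {:?}; break: {:?}; unmapped write ok: {}", exec, owner, hit, unmapped);
}
```

The design choice worth noting is that an access must lie entirely inside one map and a string read stops at the first unmapped byte: a shellcode that walks a pointer past the end of its buffer then shows up as a fault at a precise address instead of silently reading the neighbouring map.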
The Cobalt Strike API loader is the same as Metasploit's; emulating it:
Cobalt Strike APIs called:
Metasploit reverse shell (rshell) APIs called:
Metasploit SGN encoder, which uses a few FPU instructions to hide its polymorphism:
Metasploit shikata-ga-nai encoder, which also starts with FPU instructions:
Copyright (C) 2022 sha0coder