ShellCodeEmulator: Shellcode emulator written with Unicorn

Windows shellcode emulation tool based upon unicorn framework

ShellcodeEmulator emulates Windows shellcode with the help of windbg process memory dumps. You can provide shellcode to analyze with any Windows process dump image. The tool will emulate as much as of the userland code using the shellcode bytes and the provided dump image.

You can add your custom syscall handlers or any handlers in between the API calls used by shellcode and the kernel layer. This can provide a full view of the user stack. It will let you investigate shellcode that bypasses loose API hooks in higher callstack level.

Installation

1. Install WinDbg
2. Install ShellcodeEmulator

pip install git+https://github.com/ohjeongwook/ShellcodeEmulator --upgrade

3. Please run following command if you experience any PyKD/WinDbg integration issues
   • PyKD has some issues with DLL package distribution.

python -m pykdfix.fix_windbg_files

Usage

> python -m shellcode_emulator.run



Usage: run.py [options] args



Options:

  -h, --help            show this help message and exit

  -b IMAGE_BASE, --image_base=IMAGE_BASE

                        Image base to load the shellcode inside process memory

  -d DUMP_FILENAME, --dump_filename=DUMP_FILENAME

                        A process dump file from normal Windows process

  -l LIST_FILENAME, --list_filename=LIST_FILENAME

                        A list filename generated by IDA (this can be used

                        instead of shellcode filename)

Example

1. Take process dump from Windows notepad process using Process Explorer and save it as notepad.dmp
2. Run wincalc.bin shellcode

python -m shellcode_emulator.run wincalc.bin -d notepad.dmp

Source: https://github.com/ohjeongwook/