Sometimes you find a piece of shellcode that is fluent in its execution and you want to recreate it yourself to understand its underlying mechanisms. Sickle can help you compare the original shellcode to your “recreated” version.
Bad character identification
It’s important to note that currently bad character identification is best used within a Linux based OS. When dumping shellcode on Windows bad characters will not be highlighted. Below is an example of usage in a Unix environment:
Sickle can also take a binary file and convert the extracted opcodes (shellcode) to machine instructions (-obj). Keep in mind this works with raw opcodes (-r) and STDIN (-s) as well. In the following example, I am converting a reverse shell designed by Stephen Fewer to assembly.
The structure of Sickle has been completely redesigned in order to allow drop in modules. This will allow users to easily implement new formats and development modules. All supported architectures have remained the same as v1.6, and 2 new modules have been added. Documentation has also been added for those looking to implement their own formats or modules.
It is written in Python3 and to have full functionality I recommend installing capstone, however, at the moment the only “function” that requires capstone is disassembly. If you don’t need the disassembly function, Sickle should work out of the box. Installation of Capstone is as easy as 1,2,3:
- apt-get install python3-pip
- pip3 install capstone
If you don’t compile your shellcode in NASM I have added an “objdump2shellcode” like function. Although I recommend using NASM for a streamline experience. For ease of access I prefer to add Sickle to the /usr/bin/ directory however if you use Black Arch Linux Sickle comes pre-installed. (previously known as objdump2shellcode):
Copyright (c) 2017 Milton Valencia