support for metasploit encoder

sha0coder · sha0coder · commit bb77903442eb · 2021-11-24T15:56:47.000+01:00
diff --git a/README.md b/README.md
@@ -1,24 +1,37 @@
 # scemu
 x86 32bits emulator, for securely emulating shellcodes 
 
+## Features
 - rust safety, good for malware.
 - rust speed, ~10,000 instructions per second
 - iteration detector
 - colorized
 - stop at specific moment and explore the state or modify it.
-- 90 instructions implemented
+- 92 instructions implemented
 - 39 winapi implemented of 5 dlls
 - SEH chains
 - vectored exception handler
 - int3
 - non debugged cpuid
 - zero unsafe{} blocks
-
-Usage:
+- tests with known payloads:
+	- metasploit shellcodes
+	- metasploit encoder
+	- cobalt strike
+	- guloader (not totally for now)
+
+## TODO
+	- more fpu
+	- mmx
+	- 64 bits
+	- scripting?
+	- stagers: get next stage
+
+## Usage
 ![usage](pics/usage.png)
 
 
-Some use cases:
+## Some use cases
 
 scemu emulates a simple shellcode detecting the execve() interrupt.
 ![exploring basic shellcode](pics/basic_shellcode1.png)
@@ -51,3 +64,6 @@ Cobalt Strike API called:
 
 Metasploit rshell API called:
 ![msf rshell](pics/metasploit_rshell.png)
+
+Metasploit encoder using few fpu to hide the polymorfism:
+![msf encoded](pics/msf_encoded.png)
diff --git a/pics/msf_encoded.png b/pics/msf_encoded.png
diff --git a/src/emu32.rs b/src/emu32.rs
@@ -175,6 +175,7 @@ pub struct Emu32 {
     cfg: Config,
     colors: Colors,
     pos: u64,
+    force_break: bool,
 }
 
 impl Emu32 {
@@ -193,6 +194,7 @@ impl Emu32 {
             cfg: Config::new(),
             colors: Colors::new(),
             pos: 0,
+            force_break: false,
         }
     }
 
@@ -755,11 +757,19 @@ impl Emu32 {
             panic!("writting in non mapped memory");
         }*/
 
+        let name = match self.maps.get_addr_name(addr) {
+            Some(n) => n,
+            None => "error".to_string(),
+        };
+
+        if name == "code" {
+            if self.cfg.verbose >= 1 {
+                println!("/!\\ polymorfic code");
+            }
+            self.force_break = true;
+        }
+
         if self.cfg.trace_mem {
-            let name = match self.maps.get_addr_name(addr) {
-                Some(n) => n,
-                None => "error".to_string(),
-            };
             println!("mem trace write -> '{}' 0x{:x}: 0x{:x}  map:'{}'", operand, addr, value, name);
         }
 
@@ -1339,7 +1349,7 @@ impl Emu32 {
             let code = self.maps.get_mem(map_name.as_str());
             let block = code.read_from(eip);
             let insns = cs.disasm_all(block, eip as u64).expect("Failed to disassemble");
-            
+
             for ins in insns.as_ref() {
                 //TODO: use InsnDetail https://docs.rs/capstone/0.4.0/capstone/struct.InsnDetail.html
                 //let detail: InsnDetail = cs.insn_detail(&ins).expect("Failed to get insn detail");
@@ -5509,6 +5519,57 @@ impl Emu32 {
                         self.fpu.set_eip(self.regs.eip);
                     },
 
+                    Some("lcall") => {
+                        if !step {
+                            panic!("{}{} {}  {{{:?}}} {}", self.colors.green, self.pos, ins, ins.bytes(), self.colors.nc);
+                        }
+                        /*
+                            emulated with unicorn as a loop:
+                                0x1000016:      add     edx, 4   ebp:0x2801000
+                                0x1000019:      lcall   0x51c0:0xd572a83f   ebp:0x2801000
+                                0x1000010:      xor     dword ptr [edx + 0x14], ebx   ebp:0x2801000
+                                0x1000013:      add     ebx, dword ptr [edx + 0x14]   ebp:0x2801000
+                                0x1000016:      add     edx, 4   ebp:0x2801000
+                                0x1000019:      lcall   0x51c0:0xd572a83f   ebp:0x2801000
+                                0x1000010:      xor     dword ptr [edx + 0x14], ebx   ebp:0x2801000
+                                0x1000013:      add     ebx, dword ptr [edx + 0x14]   ebp:0x2801000
+                                0x1000016:      add     edx, 4   ebp:0x2801000
+                                0x1000019:      lcall   0x51c0:0xd572a83f   ebp:0x2801000
+                                0x1000010:      xor     dword ptr [edx + 0x14], ebx   ebp:0x2801000
+                                0x1000013:      add     ebx, dword ptr [edx + 0x14]   ebp:0x2801000
+                                0x1000016:      add     edx, 4   ebp:0x2801000
+                                0x1000019:      lcall   0x51c0:0xd572a83f   ebp:0x2801000
+                                0x1000010:      xor     dword ptr [edx + 0x14], ebx   ebp:0x2801000
+                                0x1000013:      add     ebx, dword ptr [edx + 0x14]   ebp:0x2801000
+                                0x1000016:      add     edx, 4   ebp:0x2801000
+                                0x1000019:      lcall   0x51c0:0xd572a83f   ebp:0x2801000
+                                0x1000010:      xor     dword ptr [edx + 0x14], ebx   ebp:0x2801000
+                                0x1000013:      add     ebx, dword ptr [edx + 0x14]   ebp:0x2801000
+                                0x1000016:      add     edx, 4   ebp:0x2801000
+                                0x1000019:      lcall   0x51c0:0xd572a83f   ebp:0x2801000
+                                0x1000010:      xor     dword ptr [edx + 0x14], ebx   ebp:0x2801000
+                                0x1000013:      add     ebx, dword ptr [edx + 0x14]   ebp:0x2801000
+                                0x1000016:      add     edx, 4   ebp:0x2801000
+                                0x1000019:      lcall   0x51c0:0xd572a83f   ebp:0x2801000
+                                0x1000010:      xor     dword ptr [edx + 0x14], ebx   ebp:0x2801000
+                                0x1000013:      add     ebx, dword ptr [edx + 0x14]   ebp:0x2801000
+                                0x1000016:      add     edx, 4   ebp:0x2801000
+                                0x1000019:      lcall   0x51c0:0xd572a83f   ebp:0x2801000
+                                0x1000010:      xor     dword ptr [edx + 0x14], ebx   ebp:0x2801000
+                                0x1000013:      add     ebx, dword ptr [edx + 0x14]   ebp:0x2801000
+                                0x1000016:      add     edx, 4   ebp:0x2801000
+                                0x1000019:      lcall   0x51c0:0xd572a83f   ebp:0x2801000
+                                0x1000010:      xor     dword ptr [edx + 0x14], ebx   ebp:0x2801000
+                                0x1000013:      add     ebx, dword ptr [edx + 0x14]   ebp:0x2801000
+                                0x1000016:      add     edx, 4   ebp:0x2801000
+                                0x1000019:      lcall   0x51c0:0xd572a83f   ebp:0x2801000
+                                0x100001b:      test    al, 0x72   ebp:0x2801000
+                                0x100001c:      jb      0xfffff3   ebp:0x2801000
+
+                            opcodes:
+                                10 0x3c0019: lcall 0x51c0, 0xd572a83f  {[154, 63, 168, 114, 213, 192, 81]} 
+                        */
+                    },
 
                     Some("sysenter") => {
                         println!("{}{} {}{} function: 0x{:x}", self.colors.red, self.pos, ins, self.colors.nc, self.regs.eax);
@@ -5519,11 +5580,16 @@ impl Emu32 {
                         println!("{}{} {}{}", self.colors.red, self.pos, ins, self.colors.nc);
                         panic!("unimplemented instruction");
                     },
+
                     None => panic!("none instruction"),
                 }
 
                 self.regs.eip += sz as u32;
 
+                if self.force_break {
+                    self.force_break = false;
+                    break;
+                }
             }
         }   
 
diff --git a/src/emu32/maps/mem32.rs b/src/emu32/maps/mem32.rs
@@ -61,8 +61,13 @@ impl Mem32 {
 
     pub fn read_from(&self, addr:u32) -> &[u8] {
         let idx = (addr - self.base_addr) as usize;
-        let sz = (self.bottom_addr - self.base_addr) as usize;
-        return self.mem.get(idx..sz).unwrap();
+        let max_sz = (self.bottom_addr - self.base_addr) as usize;
+        /*
+        let mut sz = idx + 5;
+        if sz > max_sz {
+            sz = max_sz;
+        }*/
+        return self.mem.get(idx..max_sz).unwrap();
     }
 
     pub fn read_bytes(&self, addr:u32, sz:usize) -> &[u8] {
