Bw3ll / sharem

SHAREM is a shellcode analysis framework, capable of emulating more than 20,000 WinAPIs and virtually all Windows syscalls. It also contains its own custom disassembler, with many innovative features, such as being able to show the deobfuscated disassembly of an encoded shellcode, or integrating emulation data to enhance the disassembly.
GNU General Public License v3.0

Exception with a x86_64 shellcode #54

Closed HongThatCong closed 1 year ago

HongThatCong commented 1 year ago

It is a shellcode extractor: it will extract a CobaltStrike Beacon DLL x64 in memory and reflectively load it. dump2.bin.txt is the raw shellcode bin file. Please rename it to .bin. Thanks. dump2.bin.txt

Bw3ll commented 1 year ago

Thank you for this. I have spent a lot of time investigating this, and this has led to a new feature - timeless debugging for the stack. I thought that would be useful for this, but unfortunately it is not.

I did identify there was a problem with breaking out of loops, which caused it to prematurely terminate at the location in question. After fixing this issue, there are no more problems with breaking out of loops. This new feature and the change to the breaking out of loops has not been updated to GitHub yet, but likely will in the next day or two. I will update here once I have done so.

However, there is a new problem. The shellcode tries to go to RAX, but RAX is a value that is not the correct value. This causes it to terminate.

>>> RAX: **0x16ffff20** RBX: 0x12015fc1 RCX: 0x16fffe48 RDX: 0x0 RSI: 0x16fffff0 RDI: 0x16ffff78 R8: 0x0 R9: 0x0 R10: 0x12000026 R11: 0x0 R12: 0x0 R13: 0x0 R14: 0x0 R15: 0x0 RBP: 0x16ffffb0 RSP: 0x16fffe20 

67967: 0x120168a0 call qword ptr [rax]

RAX comes from: mov rax, [rsp+88h+arg_0]

At this point, the only thing I can think to do would be to have it try call qword ptr [rax], fail, and then skip it, and go to the next instruction. That would be a new feature, and of course something would be missing as well - since we would not be able to go to that location - we could only skip it.

I have also noted that this is an extremely large size for a shellcode. I noticed for one of the loops it tried to break out of - that it would eventually get there on its own. I did not note how long it took - more than 5000 iterations. It is possible that if it executed on its own without breaking out of loops disabled, it possibly could get to a point where rsp+88h+arg_0 has the correct value. This would likely take a tremendous amount of time, if it were possible.

So at this point I have fixed part of the issue with this - some buggy behavior with breaking out of loops - but there is now a new issue without a solution. Again, I will update once I have pushed an update with the changes.

Bw3ll commented 1 year ago

I updated the new changes to Sharem. It helps resolve your immediate issue, but the shellcode still ultimately fails. Unfortunately, that does not help you finish emulating this shellcode successfully.

If I create the other feature mentioned above, I will update this.

HongThatCong commented 1 year ago

Thank you very much