Open edygert opened 1 year ago
The zip file contains two executables, one for 32 and the other for 64 bit shellcode. The files can either be in the PATH or specified using the full path and filename.
We have already shellcode_launcher, which can be used with the -bp option to raise a breakpoint and attach using the JIT debugger, or with -EBFE, allowing to attach to the created process. But it is not exactly like running the shellcode in suspended state.
@edygert do you still think we need runsc?
Related https://github.com/mandiant/VM-Packages/issues/181 do we need to add both?
The ability for runsc32/runsc64 to launch the shellcode in a suspended state makes it easier to use than shellcode_launcher (IMO) so I would include both. ShellcodeExec, however, does not provide any new functionality not provided by runsc*/shellcode_launcher.
runsc has another feature that is important for shellcode that expects the address of the shellcode to be on the stack. runsc does this automatically.
@edygert I think sclauncher in https://github.com/mandiant/VM-Packages/issues/886 adds the functionality you are describing here in addition to create PE files from shellcode. What do you think about adding that tool instead?
There are some important differences between sclauncher and runsc that make the tools complementary. sclauncher creates PE files, runsc does not. runsc loads documents that the shellcode relies on, sclauncher does not. I plan on adding the PE file creation feature to runsc so it will be one stop shopping. So I recommend keeping both.
@jstrosch what is your opinion on this? I tend to think that sclauncher and runsc are similar enough to only need one. We could add both to VM-Packages to allow people to easily decide which one to install, but we would still need a default in FLARE-VM (at the moment that's sclauncher)
They are both small so why not both?
I'm actually working on adding the ability to load additional content into memory - for example, this shellcode (https://github.com/jstrosch/malware-samples/tree/master/malware_analysis_exercises/2022/October) uses an egg hunter technique to find the next stage in the maldoc. So loading that document along with the shellcode would be quite helpful. I think the PE option is one of the most helpful features, so I would still advocate for a shellcode utility that does that to be the default (so sclauncher). Outside of that, they appear to offer similar capabilities. I'd say add them both if that is not an issue - I know the VM gets large and every little tool adds to the overall size though.
@Ana06 fwiw - updated sclauncher to include the ability to load additional content and made new releases on the project page.
Package Name: runsc
Tool Name: runsc32.exe and runsc64.exe
Package type: ZIP_EXE
Tool's version number: 1.0.0
Category: Utilities
Tool's authors: Evan H. Dygert
Tool's description: Makes running shellcode in a debugger easy.
Download URL: https://github.com/edygert/runsc/releases/download/V1.0.0/runsc.zip
Download SHA256 Hash: b50e03866c4830290384905c185b2ee876463f3dea15c8c751f0d12cf26fe7b5
Why is this tool a good addition?
Running shellcode in a debugger can be tricky. runsc32/runsc64 starts the shellcode in a suspended state, giving the analyst time to attach to the process with a debugger and then resume the shellcode.