edygert
commented
1 year ago The zip file contains two executables, one for 32 and the other for 64 bit shellcode. The files can either be in the PATH or specified using the full path and filename.
Open edygert opened 1 year ago
edygert
commented
1 year ago The zip file contains two executables, one for 32 and the other for 64 bit shellcode. The files can either be in the PATH or specified using the full path and filename.
Ana06
commented
10 months ago We have already shellcode_launcher, which can be used:
-bp option to raise a breakpoint and attach using the JIT debuggerEBFE, allowing to attach to the created processBut it is not exactly like running the shellcode in suspended state.
@edygert do you still think we need runsc?
Ana06
commented
10 months ago Related https://github.com/mandiant/VM-Packages/issues/181 do we need to add both?
edygert
commented
10 months ago The ability for runsc32/runsc64 to launch the shellcode in a suspended state makes it easier to use than shellcode_launcher (IMO) so I would include both. ShellcodeExec, however does not provide any new functionality not provided by runsc*/shellcode_launcher.
edygert
commented
10 months ago runsc has another feature that is important for shellcode that expects the address of the shellcode to be on the stack. runsc does this automatically.
Ana06
commented
7 months ago @edygert I think sclauncher in https://github.com/mandiant/VM-Packages/issues/886 adds the functionality you are describing here in addition to create PE files from shellcode. What do you think about adding that tool instead?
edygert
commented
6 months ago There are some important differences between sclauncher and runsc that make the tools complimentary. sclauncher creates PE files, runsc does not. runsc loads documents that the shellcode relies on, sclauncher does not. I plan on add the PE file creation feature to runsc so it will be one stop shopping. So I recommend keeping both.
Ana06
commented
1 month ago @jstrosch what is your opinion on this? I tend to think that sclauncher and runsc are similar enough to only need one. We could add both to VM-Packages to allow people to easily decide which one to install, but we would still need a default in FLARE-VM (at the moment that's sclauncher)
edygert
commented
1 month ago They are both small so why not both?
jstrosch
commented
1 month ago I'm actually working on adding the ability to load additional content into memory - for example, this shellcode (https://github.com/jstrosch/malware-samples/tree/master/malware_analysis_exercises/2022/October) uses an egg hunter technique to find the next stage in the maldoc. So loading that document along with the shellcode would be quite helpful. I think the PE option is one of the most helpful features, so I would still advocate for a shellcode utility that does that to be the default (so sclauncher). Outside of that, they appear to offer similar capabilities. I'd say add them both if that is not an issue - I know the VM get's large and every little tool adds to the overall size though.
jstrosch
commented
1 month ago @Ana06 fwiw - updated sclauncher to include the ability to load additional content and made new releases on the project page.
Package Name
runsc
Tool Name
runsc32.exe and runsc64.exe
Package type
ZIP_EXE
Tool's version number
1.0.0
Category
Utilities
Tool's authors
Evan H. Dygert
Tool's description
Makes running shellcode in a debugger easy.
Download URL
https://github.com/edygert/runsc/releases/download/V1.0.0/runsc.zip
Download SHA256 Hash
b50e03866c4830290384905c185b2ee876463f3dea15c8c751f0d12cf26fe7b5
Why is this tool a good addition?
Running shellcode in a debugger can be tricky. runsc32/runsc64 starts the shellcode in a suspended state, giving the analyst time to attach to the process with a debugger and then resume the shellcode.