GitBook: [master] 415 pages and 6 assets modified

This commit is contained in:
CPol 2020-12-22 11:26:21 +00:00 committed by gitbook-bot
parent 551effb766
commit 941ee068cd
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
7 changed files with 38 additions and 4 deletions

Binary file not shown. After: 12 KiB
Binary file not shown. After: 14 KiB
Binary file not shown. After: 139 KiB
Binary file not shown. After: 44 KiB
Binary file not shown. After: 22 KiB
Binary file not shown. After: 29 KiB

@ -126,14 +126,39 @@ Then, looking to this ca see when the execution was stopped in the dll you want
### Debugging a shellcode with blobrunner
[Blobrunner](https://github.com/OALabs/BlobRunner) will **allocate** the **shellcode** inside a space of memory, will **indicate** you the **memory address** were the shellcode was allocated and will **stop** the execution.
[**Blobrunner**](https://github.com/OALabs/BlobRunner) will **allocate** the **shellcode** inside a space of memory, will **indicate** you the **memory address** were the shellcode was allocated and will **stop** the execution.
Then, you need to **attach a debugger** \(Ida or x64dbg\) to the process and put a **breakpoint the indicated memory address** and **resume** the execution. This way you will be debugging the shellcode.
The releases github page contains zips containing the compiled releases: [https://github.com/OALabs/BlobRunner/releases/tag/v0.0.5](https://github.com/OALabs/BlobRunner/releases/tag/v0.0.5)
You can find a slightly modified version of Blobrunner in the following link. In order to compile it just **create a C/C++ project in Visual Studio Code, copy and paste the code and build it**.
{% page-ref page="blobrunner.md" %}
### Debugging a shellcode with jmp2it
\*\*\*\*[**jmp2it** ](https://github.com/adamkramer/jmp2it/releases/tag/v1.4)is very similar to blobrunner. It will **allocate** the **shellcode** inside a space of memory, and start an **eternal loop**. You then need to **attach the debugger** to the process, **play start wait 2-5 secs and press stop** and you will find yourself inside the **eternal loop**. Jump to the next instruction of the eternal loop as it will be a call to the shellcode, and finally you will find yourself executing the shellcode.
![](../../.gitbook/assets/image%20%28403%29.png)
You can download a compiled version of [jmp2it inside the releases page](https://github.com/adamkramer/jmp2it/releases/).
### Debugging shellcode using Cutter
\*\*\*\*[**Cutter**](https://github.com/rizinorg/cutter/releases/tag/v1.12.0) is the GUI of radare. Using cutter you can emulate the shellcode and inspect it dynamically.
Note that Cutter allows you to "Open File" and "Open Shellcode". In my case when I opened the shellcode as a file it decompiled it correctly, but when I opened it as a shellcode it didn't:
![](../../.gitbook/assets/image%20%28254%29.png)
In order to start the emulation in the place you want to, set a bp there and apparently cutter will automatically start the emulation from there:
![](../../.gitbook/assets/image%20%28402%29.png)
![](../../.gitbook/assets/image%20%28343%29.png)
You can see the stack for example inside a hex dump:
![](../../.gitbook/assets/image%20%28404%29.png)
### Deobfuscating shellcode and getting executed functions
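Review bot: the blobrunner and jmp2it paragraphs of this hunk carry wording errors a reader would trip over when following the steps: "the memory address were the shellcode was allocated" should be "where", and "put a breakpoint the indicated memory address" is missing "at" (suggest "put a breakpoint at the indicated memory address and resume the execution"). The build instruction "create a C/C++ project in Visual Studio Code" should be checked, since a C/C++ project in that sense is created in Visual Studio (the IDE with the MSVC toolchain) rather than VS Code. In the Cutter paragraph the release link points at github.com/rizinorg/cutter, so "is the GUI of radare" should say it is the GUI of rizin (the radare2 fork); "set a bp there" would read better as "set a breakpoint there", and "decompiled it correctly" should be "disassembled" unless the decompiler view is meant.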
@ -142,13 +167,22 @@ It will tell you things like **which functions** is the shellcode using and if t
```bash
scdbg.exe -f shellcode # Get info
scdbg.exe -f shellcode -r #Run it
scdbg.exe -f shellcode -r #Run it with hooks
scdbg.exe -f shellcode -r #show analysis report at end of run
scdbg.exe -f shellcode -i -r #enable interactive hooks (file and network) and show analysis report at end of run
scdbg.exe -f shellcode -d #Dump decoded shellcode
scdbg.exe -f shellcode /findsc #Find offset where starts
scdbg.exe -f shellcode /foff 0x0000004D #Start the executing in that offset
```
To **run a shellcode** you can also use: [http://mcdermottcybersecurity.com/articles/windows-x64-shellcode\#testing](http://mcdermottcybersecurity.com/articles/windows-x64-shellcode#testing)
scDbg also counts with a graphical launcher where you can select the options you want and execute the shellcode
![](../../.gitbook/assets/image%20%28401%29.png)
The **Create Dump** option will dump the final shellcode if any change is done to the shellcode dynamically in memory \(useful to download the decoded shellcode\). The **start offset** can be useful to start the shellcode at a specific offset. The **Debug Shell** option is useful to debug the shellcode using the scDbg terminal \(however I find any of the options explained before better for this matter as you will be able to use Ida or x64dbg\).
### Disassembling using CyberChef
Upload you shellcode file as input and use the following receipt to decompile it: [https://gchq.github.io/CyberChef/\#recipe=To\_Hex\('Space',0\)Disassemble\_x86\('32','Full%20x86%20architecture',16,0,true,true\)](https://gchq.github.io/CyberChef/#recipe=To_Hex%28'Space',0%29Disassemble_x86%28'32','Full%20x86%20architecture',16,0,true,true%29)
## [Movfuscator](https://github.com/xoreaxeaxeax/movfuscator)
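Review bot: lines 2 to 4 of the scdbg block repeat the identical command `scdbg.exe -f shellcode -r` under three different comments ("Run it", "Run it with hooks", "show analysis report at end of run"); only the last matches how `-r` is described on the following `-i -r` line, where hooks are attributed to `-i`, so the first two lines are misleading and should be dropped or given the option they actually mean. Also tidy the comments "#Find offset where starts" to "find the offset where the shellcode starts" and "Start the executing in that offset" to "start executing at that offset", and in the prose fix "Upload you shellcode" to "your", "receipt" to "recipe", and "scDbg also counts with a graphical launcher" to "scDbg also has a graphical launcher".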