Libemu is an x86 emulation library. It has many tools though but i will be covering "sctest" only. This tool has very good detection rate. First lets make a raw shellcode with metasploit's msfvenom tool.
$ msfvenom -p windows/messagebox -f raw > shell.bin
where:
-p payload
-f format of generated payloads. For complete list type msfvenom --help-formats
(Note: sctest require input data in form of raw bytes, so you have to convert your shellcode into raw data if you generate shellcode in other formats.)
After creating shellcode , lets test it with sctest tool.
$ cat shell.bin | sctest -gvS -s 1000000
where:
-g using GetPC heuristics
-S input from stdin
-v verbose
-s step-count
Above command result:
verbose = 1
success offset = 0x00000000
[emu 0x0x7fb331404c10 info ] The following function is a stub instr_wait_9b functions/misc.c:88
unhooked call to MessageBoxA
stepcount 157109
HMODULE LoadLibraryA (
LPCTSTR lpFileName = 0x00416fb2 =>
= "user32.dll";
) = 0x7e410000;"success" marks the presence of shellcode in the given data, shell.bin. Some more information is also provided like LoadLibraryA call and call to MessageBoxA api.
For query, please comment.
