OpenRCE

About Articles Book Store Distributed RCE Downloads Event Calendar Forums Live Discussion Reference Library RSS Feeds Search Users What's New

Customize Theme

Flag: Tornado! Hurricane!

Created: Tuesday, April 3 2007 23:55.25 CDT Modified: Tuesday, April 3 2007 23:56.29 CDT

Printer Friendly ...

Shellcode Analysis

Author: RolfRolles

# Views: 13925

Here is a simple IDA trick that I use for shellcode analysis. API functions in shellcode are typically looked up dynamically based upon the DLL's base address and a 32-bit hash of the function's name (GetProcAddress via hashing), like such:



seg000:00000268    push    0EC0E4E8Eh ; is actually LoadLibraryA

seg000:0000026D    push    eax

seg000:0000026E    call    sub_29D

The most common API hashing function is the following one, which is sometimes attributed to z0mbie:



seg000:000002C6 loc_2C6:

seg000:000002C6    lodsb

seg000:000002C7    test    al, al

seg000:000002C9    jz      short loc_2D2

seg000:000002CB    ror     edi, 0Dh

seg000:000002CE    add     edi, eax

seg000:000002D0    jmp     short loc_2C6

Since shellcode often makes use of well-known subsets of the Windows API (such as WinExec, CreateProcess, CreateFile, MapViewOfFile, the sockets API, the wininet API, etc), it is often obvious from the context which API functions are being used.  Nevertheless, occasionally you'll have to reverse a hash into an API name, and that can quickly become annoying.

My solution to this is a small python script, based upon Ero's pefile, that creates an IDC declaration of an IDA enumeration for each DLL.  The enum serves as a mapping between each exported name and its hash.  Since the API hashing function may change, the python function to do this is extensible via a function pointer which defaults to the standard hash presented above.

After creating the IDC script and loading it into IDA, simply press 'm' with your cursor over the hash value.  IDA will either find the hash in one of the enumerations or tell you that it can't find it, in which case either your hash function implementation is buggy, or the function lies inside of a DLL whose hashed export names are not yet loaded as an enum.  A successful result is:



seg000:00000268    push    kernel32_apihashes_LoadLibraryA

seg000:0000026D    push    eax

seg000:0000026E    call    sub_29D

One nice thing about this method is that IDA will search all loaded enumerations for the hash value. I.e. you don't need to tell IDA which DLL base address is being passed as arg_0: if it knows the hash, it will tell you both the name of the export and the name of the enumeration that it came from. Using a named enumeration element eliminates the need for a comment at each API call site. Another nice thing is that, since the hash presented above is so common, you can create the enumerations once and put them into a big 'shellcode.idc' file and then immediately apply them to any shellcode using this hash (such as some recent in-the-wild ANI exploits, or the HyperUnpackMe2 VM from my most recent OpenRCE article) without missing a beat.

Porting everything to IDAPython and thereby removing the dependency upon the IDC script is left as a simple exercise for the reader.

Blog Comments

pmb	Posted: Friday, April 24 2009 08:22.24 CDT
Even three years later, this is very useful. Thanks!

PeterFerrie	Posted: Friday, April 24 2009 12:49.33 CDT
Attributing to Zombie would be incorrect. ;-) Delphi has used rol 5 for control IDs since it was created.

ryanwsmith

Posted: Wednesday, April 29 2009 11:10.39 CDT

Or you could use libemu (http://libemu.carnivore.it/), which prints the parameters and functions called. Granted, this emulation method is prone to detection at evasion techniques, but it sounds like this level of shellcode likely wouldn't have that.

Full disclosure: I'm biased towards this method, as I developed a predecessor proof of concept called ShellShock to analyze encrypted and obfuscated shellcodes

A sample output from ShellShock is at http://beatbox.ryanwsmith.com/svn/shellShock/trunk/testCases/results/reverse_shik.out

libemu provides similar outputs, and handles more cases including multi-stage shellcodes

There are 31,313 total registered users.

Recently Created Topics
[help] Unpacking VMP...	Mar/12
Reverse Engineering ...	Jul/06
hi!	Jul/01
let 'IDAPython' impo...	Sep/24
set 'IDAPython' as t...	Sep/24
GuessType return une...	Sep/20
About retrieving the...	Sep/07
How to find specific...	Aug/15
How to get data depe...	Jul/07
Identify RVA data in...	May/06

Recent Forum Posts
Finding the procedur...	rolEYder
Question about debbu...	rolEYder
Identify RVA data in...	sohlow
let 'IDAPython' impo...	sohlow
How to find specific...	hackgreti
Problem with ollydbg	sh3dow
How can I write olly...	sh3dow
New LoadMAP plugin v...	mefisto...
Intel pin in loaded ...	djnemo
OOP_RE tool available?	Bl4ckm4n

Recent Blog Entries
	halsten	Mar/14
Breaking IonCUBE VM
	oleavr	Oct/24
Anatomy of a code tracer
	hasherezade	Sep/24
IAT Patcher - new tool for ...
	oleavr	Aug/27
CryptoShark: code tracer ba...
	oleavr	Jun/25
Build a debugger in 5 minutes
More ...

Recent Blog Comments
	nieo on:	Mar/22
IAT Patcher - new tool for ...
	djnemo on:	Nov/17
Kernel debugger vs user mod...
	acel on:	Nov/14
Kernel debugger vs user mod...
	pedram on:	Dec/21
frida.github.io: scriptable...
	capadleman on:	Jun/19
Using NtCreateThreadEx for ...
More ...

Imagery

SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit