
Analysing shellcode

March 14, 2016

Very often I need to analyse malware samples and 0-day exploits for which I have no prior information, so for dynamic analysis I generally put breakpoints on the following APIs:

Kernel32.CreateProcessA

Kernel32.CreateFileA

Kernel32.VirtualAlloc

Kernel32.VirtualProtect

Kernel32.CreateThread

Two caveats: the A functions are thin wrappers that convert their strings and call the W functions, so a breakpoint on CreateProcessW / CreateFileW catches both variants; and shellcode that resolves imports by hash and calls ntdll directly (NtAllocateVirtualMemory, NtProtectVirtualMemory, NtCreateThreadEx) never touches the Kernel32 exports, so if nothing fires, move the breakpoints down to ntdll.

Most of the time the shellcode does one or more of the following:

1. creates a file

2. allocates memory with VirtualAlloc and marks it executable, either by requesting PAGE_EXECUTE_READWRITE in the VirtualAlloc call itself or by calling VirtualProtect afterwards

3. creates a new thread

4. creates a new process

Having breakpoints on such common APIs helps to quickly locate the shellcode. Another tool I use is Process Monitor (procmon), which gives more detail on the file, registry, process and thread activity being performed; it does not set breakpoints itself, but its output tells you which of the APIs above are worth a breakpoint in the debugger.

Once a breakpoint hits, you need to trace back up the call stack and locate the actual vulnerable function that transfers control to the shellcode. After some stepping in and out you will land at the starting point of the shellcode.

I also sometimes use static analysis techniques when I am able to extract the shellcode from the file. Once I have extracted the shellcode I just need to run it under a debugger/disassembler to see what it is doing.

There are many techniques for analysing the shellcode in an exploit. I generally use the following URL to convert the shellcode into an executable so that I can run it in OllyDbg/IDA and then step into it with ease:

http://sandsprite.com/shellcode_2_exe.php

Hope this helps.
