shellcode-analysis

SHELLDETECT


ShellDetect is a free tool to detect the presence of shellcode within a file or network stream. You can provide either a raw binary file (such as one generated by Metasploit [Reference 4]) or a network stream file as input to this tool.

These days attackers distribute malicious files which contain hidden exploit shellcode. On opening such a file, the exploit shellcode executes silently, leading to complete compromise of your system. This is more dangerous when the exploit is a zero-day, since it will not be detected by traditional signature-based anti-virus solutions.
In such cases ShellDetect may help you identify the presence of shellcode (as long as it is in raw format) and help you keep your system safe.



LIBEMU


libemu is a small library written in C offering basic x86 emulation and shellcode detection using GetPC heuristics. It is designed to be used within network intrusion detection/prevention systems and honeypots.
libemu supports:

  • Executing x86 instructions
  • Reading x86 binary code
  • Register emulation
  • Basic FPU emulation
  • Shellcode execution
  • Shellcode detection
  • Win32 API hooking
  • Binary backwards traversal
  • Static analysis
  • Using GetPC heuristics

With libemu one can:

  • Detect shellcodes
  • Execute the shellcodes
  • Profile shellcode behaviour
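The GetPC heuristic libemu relies on is easy to state: position-independent shellcode has to learn its own address before it can reference embedded data, and on x86 that is almost always done with one of a handful of idioms (`call $+5 ; pop reg`, `fnstenv [esp-0xc] ; pop reg`, or the jmp/call/pop trio). The scanner below is an added example written for this page; it is not libemu's code and is far simpler than a real emulator, because it only pattern-matches those three idioms on raw bytes instead of executing them. The sample buffers are constructed by hand for the example and are not real malware.

```python
import struct

# Constructed sample inputs (not real malware), one per GetPC idiom:
#   call $+5 ; pop esi
SAMPLE_CALL_POP = b"\x90\x90\xe8\x00\x00\x00\x00\x5e\x31\xc0"
#   fldz ; fnstenv [esp-0xc] ; pop ebx
SAMPLE_FNSTENV = b"\xd9\xee\xd9\x74\x24\xf4\x5b\x83\xc3\x10"
#   jmp short +3 ; pop ebx ; nop ; nop ; call -8 (back to the pop)
SAMPLE_JMP_CALL_POP = b"\xeb\x03\x5b\x90\x90\xe8\xf8\xff\xff\xff\x41\x41"
#   printable ASCII only: contains neither a CALL nor an FNSTENV opcode
SAMPLE_CLEAN = bytes(range(0x20, 0x7F))

POP_REG = range(0x58, 0x60)                # pop eax .. pop edi (one-byte opcodes)
FNSTENV_ESP_MINUS_C = b"\xd9\x74\x24\xf4"  # fnstenv [esp-0xc]


def scan_getpc(buf):
    """Return a list of (offset, idiom) for every GetPC pattern found in buf."""
    hits = []
    n = len(buf)
    for i in range(n):
        # CALL rel32 (opcode E8): either "call $+5" or a call that jumps backwards
        if buf[i] == 0xE8 and i + 5 <= n:
            rel = struct.unpack_from("<i", buf, i + 1)[0]
            nxt = i + 5                      # return address the CALL pushes
            if rel == 0 and nxt < n and buf[nxt] in POP_REG:
                hits.append((i, "call $+5 ; pop reg"))
            elif rel < 0:
                target = nxt + rel
                if 0 <= target < n and buf[target] in POP_REG:
                    hits.append((i, "backward call to pop reg (jmp/call/pop)"))
        # FNSTENV [esp-0xc] ; pop reg, with some FPU instruction (D8..DF) shortly before it
        if buf[i:i + 4] == FNSTENV_ESP_MINUS_C and i + 4 < n and buf[i + 4] in POP_REG:
            window = buf[max(0, i - 4):i]
            if any(0xD8 <= b <= 0xDF for b in window):
                hits.append((i, "fnstenv [esp-0xc] ; pop reg"))
    return hits


def looks_like_shellcode(buf):
    """Coarse verdict: any GetPC idiom present is treated as suspicious."""
    return len(scan_getpc(buf)) > 0


def scan_file(path):
    """Scan a raw binary file (the same kind of input ShellDetect takes)."""
    with open(path, "rb") as fh:
        return scan_getpc(fh.read())


if __name__ == "__main__":
    for name, sample in [("call/pop", SAMPLE_CALL_POP), ("fnstenv", SAMPLE_FNSTENV),
                         ("jmp/call/pop", SAMPLE_JMP_CALL_POP), ("clean", SAMPLE_CLEAN)]:
        print(name, scan_getpc(sample))
```

The byte-pattern approach shows why libemu goes further and actually emulates: a pattern scanner fires on any `E8 00 00 00 00 5x` sequence, which also occurs in legitimate compiled code and in random binary data, and it misses encoded payloads where the idiom only appears after a decoder loop runs. Emulating the bytes and watching whether the program counter is ever read back into a register is what turns this idea into a usable detector.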

SHELLCODE2EXE


New tools added to dump: XorSearch, Disasm/FindEP, ByteSwap, EndianSwap, Text Display.

The DetectType option will auto-detect HTML, JS, Perl, Bash, MZ, SWF, Java and low-entropy data.

Beta support for the ActionScript format has been added.

CONVERTSHELLCODE


ConvertShellcode is a tool written by Alain Rioux. It shows the assembly instructions that the supplied shellcode string represents.

SHELLCODE (MALWARE-TRACKER)


Web interface to disassemble shellcode, detect packed shellcode, etc.

JMP2IT


** JMP2IT v1.4 - Created by Adam Kramer [2014] - Inspired by Malhost-Setup **

This will allow you to transfer EIP control to a specified offset within a file containing shellcode and then pause, to support a malware analysis investigation.

The file will be mapped into memory and a handle to it is maintained, allowing the shellcode to egghunt for its second-stage payload as would have happened in the original loader.

Patches / self modifications are dynamically written to jmp2it-flypaper.out

Usage: jmp2it.exe [file containing shellcode] [file offset to transfer EIP to]

  • Example: jmp2it.exe malware.doc 0x15C
    Explanation: the file will be mapped and the code at 0x15C will immediately run
  • Example: jmp2it.exe malware.doc 0x15C pause
    Explanation: as above, with JMP SHORT 0xFE inserted before the offset, causing an infinite loop
  • Example: jmp2it.exe malware.doc 0x15C addhandle another.doc pause
    Explanation: as above, but an additional handle to the specified file will be created

Optional extras (to be added after the first two parameters):

  • addhandle [path to file] - create an arbitrary handle to the specified file
  • Only one of the following two may be used:
    • pause - inserts JMP SHORT 0xFE just before the offset, causing an infinite loop
    • pause_int3 - inserts INT3 just before the offset [launch via a debugger!]

Note: In these cases, you will be presented with step-by-step instructions on what you need to do inside a debugger to resume the analysis.
All Rights Reserved by TOS © 2014 - 2015