cool head picture

UNLE⛧SH THE BEAST ト何ゼ

Analyzing shellcode with Qiling Framework

Dec. 23, 2020 // echel0n

Analyzing shellcode with Qiling Framework

Hello guys!

In this blog, i will show you how to analyze malicious shellcode with qiling framework.
Actually, If you really need quick check if some shellcode is trying to connect any IP, you can use this example. 

  1. #!/usr/bin/env python

  2. """

  3. This code will hook connect() function and will print out the address which

  4. shellcode is trying to.

  5. The sample shellcode is from BATTLEWARE CTF

  6. sample shellcode base64 encoded:

  7. kJCQkJCQkJCQkJCQkJCQkJCQkJDb3rpanC/h2XQk9F4zybFSMVYXg+78AwyPzRRMR5PXrJj0XkmpNAQamoROThduAnqsAouNBajtoJaBzqMU2AIDJBNXQmFOmhY6BAmGT1CSLQN0ktLUd7NFbi4TZKNaGn6gZ9T1EhPn32rcRB5DL5RnZNDjkZZt9GbkqXF8TjkhWG7utCt8W7JzYVoXCJ3Xlt4Xo7z6fHfcW9nW4buCh0ewL9P1mycQNCO4Pk9QiuH7/qZqIvnJQJKVN2vjvPM/s9bSP1gm2pXPdnRGsCY0Nlgsu2l4TxECE6ry7UyxCIaOuQxjBl9mm07IHwLLgr7Lwe+BQOYQT6GDAjhB3njvXvQUc8yT5PrtC7OrwEVRRnr8R5sax8NA38bKBVvt3NNkqYiLMmdmau3J0CRCgLSxqBPCveTlKg9RsFWgNTQu3KW75WTV8afNflwyTONf6ZMa3Bts2fxuaaW6gwO2LqOwtwc=

  8. """

  9. 

  10. from qiling import *

  11. from qiling.const import *

  12. from binascii import hexlify

  13. 

  14. # IP format for humans

  15. def ip_builder(IP: bytes) -> str:

  16.     """TODO: Docstring for ip_builder.

  17.     :IP: bytes

  18.     :returns: str

  19.     """

  20.     first = int(IP[0:2], 16)

  21.     second = int(IP[2:4], 16)

  22.     third = int(IP[4:6], 16)

  23.     fourth = int(IP[6:8], 16)

  24. 

  25.     return f"{first}.{second}.{third}.{fourth}"

  26. 

  27. 

  28. def human_readable_ip_str(name):

  29.     ipp_addr_version = hexlify(name[0:2])

  30.     ip_addr_port = int(hexlify(name[2:4]), 16)

  31.     ip_addr = hexlify(name[4:8])

  32. 

  33.     ip = ip_builder(ip_addr)

  34. 

  35.     print(f"Trying to connect ~> {ip}:{ip_addr_port}")

  36. 

  37. 

  38. def _connect(ql, address, params):

  39.     value = ql.mem.read(params["name"], params["namelen"])

  40.     human_readable_ip_str(value)

  41. 

  42. 

  43. def prepare() -> Qiling:

  44. 

  45.     shellcode = open("./bin.sc", "rb").read()

  46.     rootfs = "/tools/qiling/examples/rootfs/x86_windows"

  47.     ostype = "windows"

  48.     archtype = "x86"

  49.     output = "default"

  50. 

  51.     ql = Qiling(

  52.         shellcoder=shellcode,

  53.         rootfs=rootfs,

  54.         ostype=ostype,

  55.         archtype=archtype,

  56.         output=output,

  57.         console=True,

  58.     )

  59. 

  60.     ql.filter = ["connect"]

  61.     ql.set_api("connect", _connect, QL_INTERCEPT.ENTER)

  62.     return ql

  63. 

  64. 

  65. def main():

  66.     ql = prepare()

  67.     try:

  68.         ql.run()

  69.     except:

  70.         pass

  71. 

  72. 

  73. if __name__ == "__main__":

  74.     main()

Example output below;