BlobRunner – Quickly Debug Shellcode Extracted During Malware Analysis

BlobRunner is a simple tool to quickly debug shellcode extracted during malware analysis.

BlobRunner allocates memory for the target file and jumps to the base (or offset) of the allocated memory. This allows an analyst to quickly debug into extracted artifacts with minimal overhead and effort.

To use BlobRunner, you can download the compiled executable from the releases page or build your own using the steps below.

Building
Building the executable is straightforward and relatively painless.
Requirements

  • Download and install Microsoft Visual C++ Build Tools or Visual Studio

Build Steps

  • Open Visual Studio Command Prompt
  • Navigate to the directory where BlobRunner is checked out
  • Build the executable by running:
cl blobrunner.c

Building BlobRunner x64
Building the x64 version is essentially the same as above, but simply uses the x64 tooling.

  • Open x64 Visual Studio Command Prompt
  • Navigate to the directory where BlobRunner is checked out
  • Build the executable by running:
cl /Feblobrunner64.exe /Foblobrunner64.out blobrunner.c

Usage
To debug:

  • Open BlobRunner in your favorite debugger.
  • Pass the shellcode file as the first parameter.
  • Add a breakpoint before the jump into the shellcode
  • Step into the shellcode
BlobRunner.exe shellcode.bin

Debug into file at a specific offset.

BlobRunner.exe shellcode.bin --offset 0x0100

Debug into file and don't pause before the jump. Warning: Ensure you have a breakpoint set before the jump.

BlobRunner.exe shellcode.bin --nopause

Debugging x64 Shellcode
Inline assembly isn't supported by the x64 compiler, so to support debugging into x64 shellcode the loader creates a suspended thread, which lets you place a breakpoint on the thread entry before the thread is resumed.

Remote Debugging Shell Blobs (IDAPro)
The process is virtually identical to debugging shellcode locally, with the exception that you need to copy the shellcode file to the remote system. If the file is copied to the same path you are running win32_remote.exe from, you just need to use the file name for the parameter. Otherwise, you will need to specify the path to the shellcode file on the remote system.

Shellcode Samples
You can quickly generate shellcode samples using the Metasploit tool msfvenom.
Generating a simple Windows exec payload:

msfvenom -a x86 --platform windows -p windows/exec cmd=calc.exe -o test2.bin

Feedback / Help

  • Any questions, comments or requests: you can find us on Twitter at @seanmw or @herrcore
  • Pull requests welcome!
