scdbg fopen mode


Author: David Zimmer
Date: 03.08.11 - 4:58pm



Added a new option to scdbg the other day that allows it to work with file format shellcode that scans for open file handles using GetFileSize().

When ReadFile is called the -fopen mode allows the shellcode to actually access data within the target file. If you add the -i interactive mode as well, then the retrieved (and probably decoded) buffers are then written to disk as a randomly named tmp file when a write api is called.

All in all pretty painless capture of decoded and dropped executables!
$ ./sctest -f test.sc -fopen bad.pdf -s -1 -i
fopen(bad.pdf) = 4d565c
Loaded 312 bytes from file test.sc
Initilization Complete..
Interactive Hooks enabled
Max Steps: -1
Using base offset: 0x401000

401083  GetFileSize(4) = 2031b
401112  GlobalAlloc(sz=2031b) = 60000
401118  SetFilePointer(hFile=4, dist=0, FILE_BEGIN)
401132  ReadFile(hFile=4, buf=60000, numBytes=2031b)
401147  CreateFile(x.exe)
        Interactive mode local file: /tmp/WHhUmhtM
401158  WriteFile()
401176  WinExec(x.exe)

Couple other updates include:
exe - added hooks for SetFilePointer, ReadFile, strstr, 
      strtoul, FreeLibrary, GlobalFree, GetCurrentProcess, 
      TerminateProcess
      /bp and /laa now accept api names to break at
dll - enabled support for TEST A8 and A9 (seems ok but need more testing..)
updated binaries and source uploaded.




Comments: (0)

 
Leave Comment:
Name:
Email: (not shown)
Message: (Required)
Math Question: 65 + 27 = ? followed by the letter: R 



About Me
More Blogs
Main Site
Posts: (All)
2023 ( 4 )
2022 ( 5 )
2021 ( 2 )
2020 ( 5 )
2019 ( 6 )
2017 ( 5 )
2016 ( 4 )
2015 ( 5 )
2014 ( 5 )
2013 ( 9 )
2012 ( 13 )
2011 (19)
     Graphing ideas
     .Net Hacking
     Old iDefense Releases
     BootLoaders
     hll shellcode
     ActionScript Tips
     -patch fu
     scdbg ordinal lookup
     scdbg -api mode
     Peb Module Lists
     scdbg vrs Process Injection
     GetProcAddress Scanner
     scdbg fopen mode
     scdbg findsc mode
     scdbg MemMonitor
     demo shellcodes
     scdbg download
     api hashs redux
     Api hash gen
2010 ( 11 )
2009 ( 1 )