scdbg download

Author: David Zimmer
Date: 01.21.11 - 5:27am

scdbg is a shellcode analysis application built around the libemu emulation library. When run it will display to the user all of the Windows API the shellcode attempts to call.

What I wanted was an emulation version of sclog that I could run freely, without worry, on my desktop.
Additions include:
140+ new API hooks, 9 new DLLs, an interactive debug shell, a rebuilt PEB, support for file format exploits, support for return address scanners, a memory monitor, report mode, dump mode, easily human-readable output, log-after-xx capabilities, directory mode, inline analysis of process injection shellcode and more...

Here the log-after-step option (-las) shows exactly why the shellcode is crashing:
it is trying to execute second-stage shellcode from a stack buffer that was loaded with a recv call.
This shellcode could be run further with the -i interactive mode option.

The simplest command line you can use is:
  • scdbg -f
Where the file argument to -f is the raw shellcode in binary format.

An example of working with shellcode for a file format exploit might look like:
  • scdbg -f -fopen bad.doc_ -s -1 -i
In this case the shellcode can scan for the open file handle, and actually decode and extract the embedded executables, dropping them to disk for you.

Docs & Resources: For Windows users I have ported the library over to give a native compile using Visual Studio 2008. This is the main development branch going forward.

Linux users should grab the GCC source below, which can still be cross-compiled. (Windows Cygwin users may also be interested in the GCC builds, as they still contain the graphing and original -getpc features.)

The Visual Studio source repository also includes several other sub-projects, such as a tool to create -patch files as well as a project to compile libemu as a __stdcall DLL. This libemu DLL is suitable for use with Visual Basic 6, C#, or any other language which can consume a standard Windows DLL. Example projects are available in the languages mentioned above.

Windows Native Source/Binaries (15 dlls, 242 hooks - current development branch)
*nix/Cygwin Source/Binaries (100 hooks - inactive)

The older gcc-compatible and cross-compilable version is available here:
(tested with cygwin/gcc 3.4 & 4.3, RHEL 2.6/gcc 4.1). Thanks again to Markus and Paul for releasing this very cool library!

Help screen below: (see scdbg -h for current options)

 scdbg is an adaption of the libemu library and sctest project
 Libemu Copyright (C) 2007  Paul Baecher & Markus Koetter
 scdbg developer: David Zimmer 
 Compile date: Apr 14 2011 21:02:02

 /foff hexnum          starts execution at file offset
 /mm                   enabled Memory Monitor (logs access to key addresses)
 /mdll                 Monitor Dll - log direct access to dll memory (hook detection/patches)
 /nc                   no color (if using sending output to other apps)
 /f fpath              load shellcode from file specified.
 /o hexnum             base offset to use (default: 0x401000)
 /redir ip:port        redirect connect to ip (port optional)
 /i                    enable interactive hooks
 /v                    verbosity, can be used up to 4 times, ex. /v /v /vv
 /e int                verbosity on error (3 = debug shell)
 /t int                time to delay (ms) between steps when v=1 or 2
 /h                    show this help
 /ba hexnum            break above - breaks if eip > hexnum
 /bp hexnum            set breakpoint on addr or api name (same as -laa  -vvv)
 /bs int               break on step (shortcut for -las  -vvv)
 /a                    adjust offsets to file offsets not virtual
 /d                    dump unpacked shellcode (requires /f)
 /las int              log at step ex. -las 100
 /laa hexnum           log at address or api ex. -laa 0x401020 or -laa ReadFile
 /s int                max number of steps to run (def=2000000, -1 unlimited)
 /hex                  show hex dumps for hook reads/writes
 /findsc               detect possible shellcode buffers (brute force)
 /dump                 view hexdump of the target file (can be used with /foff)
 /disasm int           Disasm int lines (can be used with /foff)
 /fopen file           Opens a handle to  for use with GetFileSize() scanners
 /- /+                 increments or decrements GetFileSize, can use multiple times
 /hooks                dumps a list all implemented api hooks
 /r                    show analysis report at end of run
 /pp                   peb patch - required for some shellcodes (rare)
 /b0                   break if 00 00 add [eax],al
 /patch fpath          load patch file  for libemu memory
 /dir  folder          process all .sc files in  echo results to .txt

   dbg> shell prompt commands:
        ? - help, this help screen, h also works
        v - change verbosity (0-4)
        g - go - continue with v=0
        s - step, continues execution, ENTER also works
        c - reset step counter
        r - execute till return (v=0 recommended)
        u - unassembled address
        b - break at address
        m - reset max step count (-1 = infinate)
        e - set eip
        w - dWord dump,(32bit ints) prompted for hex base addr and then size
        d - Dump Memory (hex dump) prompted for hex base addr and then size
        x - execute x steps (use with reset step count)
        t - set time delay (ms) for verbosity level 1/2
        k - show stack
        i - break at instruction (scans disasm for next string match)
        f - dereF registers (show any common api addresses in regs)
        o - step over
        .lp - lookup - get symbol for address
        .pl - reverse lookup - get address for symbol
        .seh - shows current value at fs[0]
        .reg - manually set register value
        .poke1 - write a single byte to memory
        .poke4 - write a 4 byte value to memory
        .savemem - saves a memdump of specified range to file
        q - quit

Comments: (2)

On 01.23.16 - 3:47pm Dave wrote:
Note that the Windows version of scdbg.exe looks to run ok under Wine. The gui_launcher.exe however will not.

On 10.18.17 - 5:44am Dave wrote:
If you hit a shellcode that has a legit opcode not supported you can try it against the scdbg unicorn build which has merged the libemu Win32 env with the Unicorn (QEMU) emulator. All the hooks are in place and working, but I have not ported all of the command line options over yet.

You can read more about how this was done in my Writing a libemu/Unicorn Compatability Layer Fireeye blog post.

