scdbg fopen mode
Author: David Zimmer
Date: 03.08.11 - 4:58pm
Added a new option to scdbg the other day that allows it to work with file format shellcode that scans for open file handles using GetFileSize().
When ReadFile is called, the -fopen mode lets the shellcode actually read data from the target file. If you add the -i interactive mode as well, the retrieved (and probably decoded) buffers are written to disk as a randomly named tmp file whenever a write API is called.
All in all pretty painless capture of decoded and dropped executables!
$ ./sctest -f test.sc -fopen bad.pdf -s -1 -i
fopen(bad.pdf) = 4d565c
Loaded 312 bytes from file test.sc
Initilization Complete..
Interactive Hooks enabled
Max Steps: -1
Using base offset: 0x401000

401083 GetFileSize(4) = 2031b
401112 GlobalAlloc(sz=2031b) = 60000
401118 SetFilePointer(hFile=4, dist=0, FILE_BEGIN)
401132 ReadFile(hFile=4, buf=60000, numBytes=2031b)
401147 CreateFile(x.exe)
Interactive mode local file: /tmp/WHhUmhtM
401158 WriteFile()
401176 WinExec(x.exe)

Couple other updates include:

exe - added hooks for SetFilePointer, ReadFile, strstr, strtoul, FreeLibrary, GlobalFree, GetCurrentProcess, TerminateProcess
exe - /bp and /laa now accept api names to break at
dll - enabled support for TEST A8 and A9 (seems ok but need more testing..)

Updated binaries and source uploaded.
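As an added example (not part of scdbg or this post), here is a small Python parser for the trace format shown above. It pulls out the GetFileSize handle probe, the ReadFile size, the file name passed to CreateFile together with the local tmp path that interactive mode reports, and the WinExec target, so an analyst can summarise the "read host file, decode, drop, run" chain from a saved log. The sample trace is the one from the post, embedded as a constructed string; the line-format assumptions (hex address, API name, parenthesised arguments, optional "= result") are taken from that output only.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the scdbg -fopen -i trace from the post, embedded for an offline run.
SAMPLE_TRACE = """\
fopen(bad.pdf) = 4d565c
Loaded 312 bytes from file test.sc
Initilization Complete..
Interactive Hooks enabled
Max Steps: -1
Using base offset: 0x401000
401083 GetFileSize(4) = 2031b
401112 GlobalAlloc(sz=2031b) = 60000
401118 SetFilePointer(hFile=4, dist=0, FILE_BEGIN)
401132 ReadFile(hFile=4, buf=60000, numBytes=2031b)
401147 CreateFile(x.exe)
Interactive mode local file: /tmp/WHhUmhtM
401158 WriteFile()
401176 WinExec(x.exe)
"""

# One hooked API call: "<hex addr> <Api>(<args>)" with an optional " = <hex result>".
CALL_RE = re.compile(
    r"^(?P<addr>[0-9a-fA-F]+)\s+(?P<api>\w+)\((?P<args>[^)]*)\)(?:\s*=\s*(?P<ret>\S+))?$"
)
# Interactive mode announces where it saved the buffer for the preceding CreateFile.
LOCAL_FILE_RE = re.compile(r"^Interactive mode local file:\s*(?P<path>\S+)$")


def parse_trace(text: str) -> List[Dict[str, Optional[str]]]:
    """Turn trace lines into call records; attach tmp paths to the CreateFile they follow."""
    calls: List[Dict[str, Optional[str]]] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = CALL_RE.match(line)
        if m:
            calls.append({"addr": m["addr"], "api": m["api"], "args": m["args"], "ret": m["ret"]})
            continue
        m = LOCAL_FILE_RE.match(line)
        if m and calls and calls[-1]["api"] == "CreateFile":
            calls[-1]["local_file"] = m["path"]
    return calls


def _kv_args(args: str) -> Dict[str, str]:
    """Split 'hFile=4, buf=60000, numBytes=2031b' into a dict of string values."""
    return dict(part.split("=", 1) for part in args.replace(" ", "").split(",") if "=" in part)


def summarize_drop(calls: List[Dict[str, Optional[str]]]) -> dict:
    """Summarise the host-file read and the dropped/executed files seen in the trace."""
    summary: dict = {
        "handle_probes": 0,      # how many GetFileSize calls the shellcode made while scanning handles
        "source_handle": None,   # handle that GetFileSize succeeded on
        "file_size": None,       # size GetFileSize returned (hex in the log)
        "bytes_read": None,      # numBytes passed to ReadFile
        "read_whole_file": False,
        "dropped": [],           # CreateFile targets plus the local tmp copy from -i mode
        "executed": [],          # WinExec targets
    }
    for c in calls:
        api, args = c["api"], c["args"] or ""
        if api == "GetFileSize":
            summary["handle_probes"] += 1
            if c["ret"] is not None:
                summary["source_handle"] = int(args, 16)
                summary["file_size"] = int(c["ret"], 16)
        elif api == "ReadFile":
            summary["bytes_read"] = int(_kv_args(args)["numBytes"], 16)
        elif api == "CreateFile":
            summary["dropped"].append({"name": args, "local_file": c.get("local_file")})
        elif api == "WinExec":
            summary["executed"].append(args)
    summary["read_whole_file"] = (
        summary["file_size"] is not None and summary["file_size"] == summary["bytes_read"]
    )
    return summary


if __name__ == "__main__":
    for key, value in summarize_drop(parse_trace(SAMPLE_TRACE)).items():
        print(f"{key}: {value}")
```

The `read_whole_file` flag is the quick tell for this shellcode family: the size handed to ReadFile equals what GetFileSize returned for the probed handle, i.e. the whole carrier document was slurped into the GlobalAlloc buffer before the decoded payload was written out. The `local_file` path is what you would hash and pull for further analysis.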