scdbg -api mode
Author: David Zimmer
Date: 05.25.11 - 7:44pm
Added a new feature to scdbg tonight that is kind of interesting. the -api mode will scan memory looking for cached API addresses.
This feature can be useful if the shellcode is crashing, or if exits early, (maybe it didnt find the right file handle etc..). With this option, you can get more of an idea of what its capabilities are. You can also detect usused API which I have seen on occasion and which hint at previous functionality used by the shellcode author.
The scans will start with the main code body, then try stack memory if nothing is found. It will also scan any memory allocs. Scans are attempted for each byte alignment, looking for the last api called. At least one API must have been called to attempt the scan.
Scanning main code body for api table... Scanning stack for api table start=12fdbc sz=c Scanning runtime memory alloc 0 base=60000, sz=28 Found Api table at: 60000 table is eax based [x + 0] = GlobalAlloc [x + 4] = LoadLibraryA [x + 8] = URLDownloadToCacheFileA [x + 12] = keybd_event
I havent uploaded the new binary to the zip or pdfstreamdumper downloads yet, but you can always get the latest directly off of github
One other unrelated note, Shellcode_2_exe received a small update the other day to accept a new shellcode format. You can now paste in raw ActionScript decompiled source (from SoThink or Trillix Decompilers) where it is building up the shellcode buffer at runtime using this.writeInt(xxx)