scdbg -api mode

Author: David Zimmer
Date: 05.25.11 - 7:44pm

Added a new feature to scdbg tonight that is kind of interesting. the -api mode will scan memory looking for cached API addresses.

This feature can be useful if the shellcode is crashing, or if exits early, (maybe it didnt find the right file handle etc..). With this option, you can get more of an idea of what its capabilities are. You can also detect usused API which I have seen on occasion and which hint at previous functionality used by the shellcode author.

The scans will start with the main code body, then try stack memory if nothing is found. It will also scan any memory allocs. Scans are attempted for each byte alignment, looking for the last api called. At least one API must have been called to attempt the scan.

Scanning main code body for api table...
Scanning stack for api table start=12fdbc sz=c
Scanning runtime memory alloc 0  base=60000, sz=28

        Found Api table at: 60000
        table is eax based
                [x + 0] = GlobalAlloc
                [x + 4] = LoadLibraryA
                [x + 8] = URLDownloadToCacheFileA
                [x + 12] = keybd_event

Scanning main code body for api table... Found Api table at: 401347 [x + 0] = GetModuleHandleA [x + 4] = GetTempPathA [x + 8] = CreateProcessInternalA [x + 12] = LoadLibraryA [x + 16] = GetProcAddress [x + 20] = ExitProcess [x + 24] = GetCurrentThreadId [x + 28] = Sleep [x + 32] = VirtualProtect [x + 36] = CreateFileA [x + 40] = GetFileSize [x + 44] = CreateFileMappingA [x + 48] = WriteFile [x + 52] = CloseHandle [x + 56] = SetFilePointer [x + 60] = MapViewOfFile [x + 64] = UnmapViewOfFile [x + 68] = EnumWindows [x + 72] = GetClassNameA [x + 76] = GetWindowThreadProcessId [x + 80] = DestroyWindow [x + 84] = MessageBeep [x + 88] = URLDownloadToFileA

I havent uploaded the new binary to the zip or pdfstreamdumper downloads yet, but you can always get the latest directly off of github

One other unrelated note, Shellcode_2_exe received a small update the other day to accept a new shellcode format. You can now paste in raw ActionScript decompiled source (from SoThink or Trillix Decompilers) where it is building up the shellcode buffer at runtime using this.writeInt(xxx)

Comments: (0)

Leave Comment:
Email: (not shown)
Message: (Required)


About Me
More Blogs
Main Site
64bit IDA Plugins
Twitter Feed
anterior lines
misc news/updates
Decoders again
CDO.Message Breakpoints
SysAnalyzer Updates
SysAnalyzer and Site Updates
crazy decoder
ida js w/dbg
flash patching #2
JS Graphing
packet reassembly
Delphi IDA Plugin
scdbg IDA integration
API Hash Database
Winmerge plugin
IDACompare Updates
Guest Post @ hexblog
TCP Stream Reassembly
SysAnalyzer Updates
Apilogger Video
Shellcode2Exe trainer
scdbg updates
IDA Javascript w/IDE
Rop Analysis II
scdbg vrs ROP
flash patching
x64 Hooks
micro hook
jmp api+5 *2
SysAnalyzer Updates
InjDll runtime config
C# Asm/Dsm Library
Shellcode Hook Detection
Updates II
Java Hacking
Windows 8
Win7 x64
Graphing ideas
.Net Hacking
Old iDefense Releases
hll shellcode
ActionScript Tips
-patch fu
scdbg ordinal lookup
scdbg -api mode
Peb Module Lists
scdbg vrs Process Injection
GetProcAddress Scanner
scdbg fopen mode
scdbg findsc mode
scdbg MemMonitor
demo shellcodes
scdbg download
api hashs redux
Api hash gen
Retro XSS Chat Codes
Exe as DLL
Olly Plugins
Debugging Explorer
Attach to hidden process
JS Refactoring
Asm and Shellcode in CSharp
Fancy Return Address
PDF Stream Dumper
Malcode Call API by Hash
WinDbg Cheat Sheet
GPG Automation