Shellcode & RE / sc_log

sc_log

Note: Due to AV detections, this tool is now its own download: Source & binary on sandsprite.

sc_log lets malcode analysts quickly get an overview of unknown shellcode functionality by actually executing it inside a minimal sandbox built on API hooking.

VM only. It is not recommended to run unknown payloads outside of VMware-type environments. By using this tool you take responsibility for any results. It is not guaranteed to be safe.

Several sample shellcode payloads (*.sc) are provided in the application's home directory.

Actual run log of the program with the recv_file.sc sample:

Reading the log

Return addresses shown are relative to the shellcode offset. If you use /dump to get decoded opcodes, these offsets will be directly after the call that led to the API call.
A --- in the return-address field means the API was called from outside the shellcode buffer.
No entry in the return-address field denotes an sc_log info message (yellow row).