Shellcode Detection Tool

Recently I got a chance to visit a link that was sent by one of my friends. It claims to detect shellcode in a file. So I decided to look into it because the original author didn't share any technical details.

1) ShellDetect by Amit Malik (http://securityxploded.com/shell-detect.php)

The technique used in this tool is very simple. It reads the data from the file and tries to run it. If the shellcode calls any LoadLibrary() function, the tool reports that it found shellcode: it hooks the LoadLibrary() API and returns SUCCESS when the hook is hit. A lot is missing in this tool. As the author mentions on the web page, don't try to run it on your development machine. It actually RUNS the shellcode.


2) OfficeMalScanner (www.offensivecomputing.net)

I looked into one more tool (OfficeMalScanner) that looks for "shellcode" in the binary. It actually does pattern matching. More than that, it can do many things like XOR key search and multiple levels. It does not run the shellcode.

FS:[30h] (Method 1)
    Look for any one of the following 6 patterns
        64h, A1h, 30h, 00h, 0, 0, 0, 0
        64h, 8Bh, 1Dh, 30h, 0, 0, 0, 0
        64h, 8Bh, 0Dh, 30h, 0, 0, 0, 0
        64h, 8Bh, 15h, 30h, 0, 0, 0, 0
        64h, 8Bh, 35h, 30h, 0, 0, 0, 0
        64h, 8Bh, 3Dh, 30h, 0, 0, 0, 0

FS:[30h] (Method 2)
    Look for the following pattern
        6Ah, 30h , xxh , 64h, 8Bh

FS:[30h] (Method 3)
    Look for the following pattern
        33h, xxh, xxh, B3h, 64h, 8Bh

FS:[00h] (Method 4)
    Look for any one of the following patterns:
        64h, A1h, 00h, 0, 0, 0, 0, 0
        64h, 8Bh, 1Dh, 0, 0, 0, 0, 0
        64h, 8Bh, 0Dh, 0, 0, 0, 0, 0
        64h, 8Bh, 15h, 0, 0, 0, 0, 0
        64h, 8Bh, 35h, 0, 0, 0, 0, 0
        64h, 8Bh, 3Dh, 0, 0, 0, 0, 0

API-Hashing signature found
    Look for any one of the following patterns:
        74h, xxh, C1h, xxh, 0Dh, 03h
        74h, xxh, C1h, xxh, 07h, 03h

API-Name string found
    UrlDownloadToFile
    GetTempPath
    GetWindowsDirectory
    GetSystemDirectory
    WinExec
    ShellExecute
    IsBadReadPtr
    IsBadWritePtr
    CreateFile
    CloseHandle
    ReadFile
    WriteFile
    SetFilePointer
    VirtualAlloc
    GetProcAddr
    LoadLibrary

Function prolog
    Look for any one of the following patterns:
        55h, 8Bh, 0ECh, 83h, 0C4h
        55h, 8Bh, 0ECh, 81h, 0ECh
        55h, 8Bh, 0ECh, EBh
        55h, 8Bh, 0ECh, E8h
        55h, 8Bh, 0ECh, E9h

PUSH DWORD[]/CALL[]
    0FFh, 75h, xxh, 0FFh, 55h

FLDZ/FSTENV [esp-12] signature
    0D9h, 0EEh, 0D9h, 74h, 24h, 0F4h, 0, 0

CALL next/POP signature
    Look for any one of the following patterns:
        0E8h, 0, 0, 0, 0, 58h, 0, 0
        0E8h, 0, 0, 0, 0, 59h, 0, 0
        0E8h, 0, 0, 0, 0, 5Ah, 0, 0
        0E8h, 0, 0, 0, 0, 5Bh, 0, 0
        0E8h, 0, 0, 0, 0, 5Eh, 0, 0
        0E8h, 0, 0, 0, 0, 5Fh, 0, 0
        0E8h, 0, 0, 0, 0, 5Dh, 0, 0

This entry was posted in Reversing, Shellcode.