Analyzing and debugging shellcode is a common task when performing malware analysis, exploit development and reverse engineering. SClauncher is a utility written in C to help with this task. It provides for easy debugging and the creation of portable executable (PE) files. The creation of PE files eases reversing tasks by allowing the analysis of shellcode from tools designed for PE files. In this article, we'll explore how to get started with this tool.
You can find SCLauncher at https://github.com/jstrosch/sclauncher or available in the FLARE-VM as part of it's default set of installed utilities. You can also find a video on #YouTube to walk you through the process!
Finding Some Shellcode
To get started, we'll need to find some shellcode. While there are many places to do so, this article will use shellcode that simply opens an instance of calculator (i.e. pop calc) using WinExec. This shellcode can be found on Exploit DB.
Exploit-DB provides the assembly that represents the shellcode's logic, as well as the binary content in a hex-array. To use this shellcode, the byte values in the hex-array will need to be converted to their binary value. CyberChef is handy tool to help with this conversion. By copying out the hex-values (everything between the double-quotes from the payload array) the operation From Hex can be used. The replace operation can also be used to remove any unnecessary characters, such as the newlines, tabs or double-quotes.
The output can now be saved as a file, this is what will be used with SCLauncher.
Working with SCLauncher
SClauncher is designed to be simple to use and includes built-in usage information accessible through the -h argument.
C:\> SCLauncher -h
The most novel contribution this tool makes is it's ability to produce PE files from shellcode.
Producing PE Files from Shellcode
Producing PE files essentially wraps the shellcode into the .text section of a new PE file. SCLauncher also adjusts any necessary sizes of the section as well as the file itself. The address of entry is either defined as the beginning of the section, or at an offset defined by an argument value. Finally, since shellcode often needs to write to the same memory it is located, the .text section permissions will be read, write and execute.
The goal with creating a PE file is to use another utility to analyze the shellcode. For example, using IDA Pro (free), Ghidra or a debugger to work with the shellcode as you would a regular PE file. This can not only help simplify analysis, but also allow for a broader category of tools for analysis.
To create a PE file, the only argument required is -pe and -f. The PE argument tells SCLauncher to create a PE file from the shellcode found in the file located in the path provided via the -f argument. PE file creation has two optional arguments. -64 will create a x64 bit PE file and -ep adjusts the entry point the number of bytes supplied as this value.
C:\> SCLauncher -f=popcalc_x64.bin -pe -64
Since the shellcode for this demo is 64-bit, the -64 argument will be used. This creates a file with the name sc_output_x64.exe, which can now be analyzed or even executed directly. The following screenshot shows the shellcode as disassembled using IDA Pro free.
Using SCLauncher for Debugging
SCLauncher's other primary purpose is to facilitate debugging of shellcode. To that end, there are a few more options available.
Argument | Purpose |
-bp | Insert a software breakpoint (0xCC) at entry point location |
-ep | Adjust the entry point offset by N bytes |
-pause | Pause execution of utility before shellcode execution (to attach debugger |
-bp will insert a breakpoint at the entry point of the shellcode. Doing this through the utility prevents the need to set breakpoint(s) once attache with a debugger. If you want to simply run the shellcode you will want to avoid adding any breakpoints, as this will cause an interrupt and without a debugger attached, the program will crash.
-ep adjusts the entry point, similar to when creating a PE file. This argument takes a single value which represents the number of bytes to adjust the entry point to. This adjustment is from the base of the shellcode. If you use -bp in conjunction with -bp, the shellcode will be adjusted to add the breakpoint byte at the entry point, increasing the shellcode size by 1 byte.
-pause pauses execution of SCLauncher before the shellcode is executed. This is a common pattern as it allows time for a debugger to be attached. If this argument is not used, SCLauncher will need to be launched from the debugger directly, rather than from a command line and a debugger attached to the process.
Attaching a Debugger
To use SCLauncher from a command line and attach a debugger, use the -pause option. -ep can also be used if the entry point is not the beginning of the shellcode. -bp will set a breakpoint at the entry. Please note that there are two versions of SClauncher, 32 and 64 bit. To debug shellcode, the version that matches the architecture of the shellcode must be used. The 64-bit version of SCLauncher is called SCLauncher64.
C:\> SCLauncher64 -f=popcalc_x64.bin -pause -bp
SClauncher will provide the process ID (PID) to attach to. Once the debugger is attached, resume execution in the debugger then return to this window and press the enter key.
If a breakpoint was set, once SCLauncher's execution is resumed it will be caught in the debugger.
Debugging Directly Through a Debugger
Debugging directly through the debugger simply means that SCLauncher and any necessary arguments must be set in the debugger itself.
Please note that if you are using the FLARE-VM, you will need to specify the direct path to SCLauncher and not the shim. You may also have to provide a full path to the shellcode. Once the necessary arguments are defined, debugging can commence.
Conclusion
SCLauncher is a utility to help with your shellcode analysis. You can find it on Github at https://github.com/jstrosch/sclauncher as well as in the FLARE-VM as part of the default set of utilities.