unicorn engine integration for shikata ga nai decoding

While working on proper interpretation of shellcode payloads from [1] we found some shikata ga nai-encoded payloads. Using Unicorn Engine we attempt to unpack this first layer to reach the actual shellcode. For now this only works partially due to one or more suspected bugs in Unicorn Engine's support for self-modifying code [2]. [1]: http://researchcenter.paloaltonetworks.com/2017/03/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/ [2]: unicorn-engine/unicorn#820
jbremer · May 27, 2017 · 9fb6003 · 9fb6003
1 parent 351d789
commit 9fb6003
Show file tree

Hide file tree

Showing 10 changed files with 121 additions and 0 deletions.
diff --git a/cuckoo/common/shellcode.py b/cuckoo/common/shellcode.py
@@ -0,0 +1,77 @@
+# Copyright (C) 2017 Cuckoo Foundation.
+# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
+# See the file 'docs/LICENSE' for copying permission.
+
+import logging
+import unicorn
+import unicorn.x86_const as x86
+
+log = logging.getLogger(__name__)
+
+archs = {
+    "x86": unicorn.UC_ARCH_X86,
+}
+
+modes = {
+    32: unicorn.UC_MODE_32,
+}
+
+class UcX86(unicorn.Uc):
+    @property
+    def esp(self):
+        return self.reg_read(x86.UC_X86_REG_ESP)
+
+    @esp.setter
+    def esp(self, value):
+        self.reg_write(x86.UC_X86_REG_ESP, value)
+
+class ShellcodeX86(object):
+    def __init__(self, arch, mode, sc=None):
+        self.emu = UcX86(arch, mode)
+        self.addr = None
+        self.sc = sc
+        self.init()
+
+    def init(self):
+        pass
+
+    def map_memory(self, addr=0x1000, memsize=2*1024*1024):
+        self.addr = addr
+        self.emu.mem_map(addr, memsize)
+        self.emu.mem_write(addr, self.sc)
+        self.emu.esp = addr + memsize / 2
+
+    def run(self, addr=None, end=0, count=None):
+        try:
+            self.emu.emu_start(addr or self.addr, end, count=count)
+        except unicorn.UcError as e:
+            log.error("Error emulating shellcode: %s", e)
+
+class ShikataX86(ShellcodeX86):
+    def init(self):
+        self.bblcount = 0
+        self.start = None
+        self.emu.hook_add(unicorn.UC_HOOK_BLOCK, self.hook_block)
+
+    def hook_block(self, uc, addr, size, user_data):
+        if not size:
+            return
+
+        self.bblcount += 1
+        if self.bblcount == 2:
+            self.start = addr
+            return False
+
+    def result(self):
+        start = self.start or self.addr
+        return self.emu.mem_read(start, len(self.sc) - start + self.addr)
+
+def Shellcode(arch="x86", mode=32, sc=None, cls=ShellcodeX86):
+    # TODO For now only 32-bit x86 shellcode is supported.
+    return cls(archs[arch], modes[mode], sc)
+
+def shikata(sc):
+    s = Shellcode(sc=sc, cls=ShikataX86)
+    s.map_memory()
+    s.run(count=0x1000)
+    return str(s.result())
diff --git a/setup.cfg b/setup.cfg
@@ -6,6 +6,7 @@ testpaths = tests
 norecursedirs = tests/darwin
 django_find_project = false
 python_paths = . cuckoo/web
+xfail_strict = true
 
 [aliases]
 test = pytest
diff --git a/setup.py b/setup.py
@@ -177,6 +177,7 @@ def do_setup(**kwargs):
         "python-magic==0.4.12",
         "sflock>=0.2.12, <0.3",
         "sqlalchemy==1.0.8",
+        "unicorn==1.0.0",
         "wakeonlan==0.2.2",
     ],
     extras_require={

diff --git a/tests/files/shellcode/shikata/1.bin b/tests/files/shellcode/shikata/1.bin
@@ -0,0 +1,2 @@
+���}"���t$�[)ɱZ1k���kr��c}z��:c�m�繁8�)Lb]��TP#V���Ӗgޕ�G��Px��h�?��G>ض��90�!U٭Ռ�"r0�:��I��J	qvފ��xw����TZ����?7�������:�Ğ������Ɋ*;eE�ݴ�S�CN5��#etj��,��;V���
+vFF�x�~Ex�~yJ�L������G����)�F*�zyu)L-/������hW��ZT\��{6���W[������rP�P��$�=��8qb�U}9������(=�~H=�~U}��@��|�.~e���J69��^+Ei|���A?�{F�����+Y�h[/2id���;!|����Fe��u����1l�

diff --git a/tests/files/shellcode/shikata/2.bin b/tests/files/shellcode/shikata/2.bin
diff --git a/tests/files/shellcode/shikata/3.bin b/tests/files/shellcode/shikata/3.bin
diff --git a/tests/files/shellcode/shikata/4.bin b/tests/files/shellcode/shikata/4.bin
@@ -0,0 +1,4 @@
+��m`p���t$�X)ɱN1pp��܏��4�VmĲ߈��٥�όI��$��
+Jkjmel�M�������U�F�Jf�4���0���*D��4��U�y]d���g}m���`ٺ3s����a{�a��7�3����ž
+7a<�1]���bǣIǃI�z�R�������zK+�ʬDS�bL��2�>~����N�o/���}�+�}D��k�����'�zH#e����qvB�wFxA�z�ф��_bڍ	<r7�㸎�#2=B��HP�3
+K�!��:��uA��ٺ0E�.�1���J���*���4�]���2b�;mDS�XT��"��

diff --git a/tests/files/shellcode/shikata/5.bin b/tests/files/shellcode/shikata/5.bin
diff --git a/tests/files/shellcode/shikata/6.bin b/tests/files/shellcode/shikata/6.bin
diff --git a/tests/test_shellcode.py b/tests/test_shellcode.py
@@ -0,0 +1,36 @@
+# Copyright (C) 2017 Cuckoo Foundation.
+# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
+# See the file 'docs/LICENSE' for copying permission.
+
+import pytest
+
+from cuckoo.common.shellcode import Shellcode, shikata
+
+class TestShikata(object):
+    def setup(self):
+        self.sc = Shellcode()
+
+    def shikata(self, filename):
+        return shikata(
+            open("tests/files/shellcode/shikata/%s" % filename, "rb").read()
+        )
+
+    def test_unicorn100_good(self):
+        assert self.shikata("1.bin").startswith("\xfc\xe8\x82")
+        assert self.shikata("3.bin").startswith("\xfc\xe8\x82")
+        assert self.shikata("4.bin").startswith("\xfc\xe8\x82")
+
+    @pytest.mark.xfail
+    def test_unicorn100_bad1(self):
+        assert self.shikata("2.bin").startswith("\xfc\xe8\x82")
+
+    @pytest.mark.xfail
+    def test_unicorn100_bad2(self):
+        assert self.shikata("5.bin").startswith("\xfc\xe8\x82")
+
+    @pytest.mark.xfail
+    def test_unicorn100_bad3(self):
+        assert self.shikata("6.bin").startswith("\xfc\xe8\x82")
+
+    def test_infinite_loop(self):
+        assert shikata("\xeb\xfe") == "\xeb\xfe"
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		��}"��t$�[)ɱZ1k��kr��c}z��:c�m�繁8�)Lb]��TP#V��Ӗgޕ�G��Px��h�?��G>ض��90�!U٭Ռ�"r0�:��I��J qvފ��xw��TZ��?7��:�Ğ��Ɋ*;eE�ݴ�S�CN5��#etj��,��;V��
		vFF�x�~Ex�~yJ�L��G��)�F*�zyu)L-/��hW��ZT\��{6��W[��rP�P��$�=��8qb�U}9��(=�~H=�~U}��@��\|�.~e��J69��^+Ei\|��A?�{F��+Y�h[/2id��;!\|��Fe��u��1l�
Expand Down