libemu - emulate x86 shellcodes
libemu provides basic x86 emulation including memory access and registers.
emu_new() is used to create a new emulation entity; use emu_free() to free all associated memory. emu_memory_get(), emu_logging_get() and emu_cpu_get() can be used to obtain pointers to the different parts of the emulation. For error handling, use emu_errno() or emu_strerror(), which return either a POSIX errno or a string describing the error. When writing extensions, emu_errno_set() and emu_strerror_set() will come in handy too.
The emu_memory is split up into pages, so there are functions to access the memory without having to take care of page borders. emu_memory_read_byte(), emu_memory_read_word(), emu_memory_read_dword(), emu_memory_read_string() and emu_memory_read_block() can be used to read values from the emu memory. emu_memory_read_string() allocates the required memory for the string within the emu_string it is given, as you cannot know the string's length in advance; in all other cases, the pointer to the destination has to provide enough space for the data being read.
Once the emulation is created and the code is written to the memory, we need to set the registers to their initial values, the CPU flags to their start values and EIP to the address where code execution should start. emu_cpu provides functions to read and write all registers, the flags and EIP. To access the 32-bit registers use emu_cpu_reg32_get() and emu_cpu_reg32_set(), where reg is one of eax, ecx, edx, ebx, esp, ebp, esi, edi. To access the 16-bit registers use emu_cpu_reg16_get() and emu_cpu_reg16_set() with ax, cx, dx, bx, sp, bp, si, di as valid values for reg. For 8-bit register access use emu_cpu_reg8_get() and emu_cpu_reg8_set() with al, cl, dl, bl, ah, ch, dh, bh as values for reg. The CPU's flags are accessed using emu_cpu_eflags_get() and emu_cpu_eflags_set(). EIP is accessed using emu_cpu_eip_set() and emu_cpu_eip_get(). Once everything is set up, parse the first instruction using emu_cpu_parse(); on success it returns 0, on failure use emu_strerror() to get a description of the error. If parsing was successful, execute the first instruction using emu_cpu_step(). Repeat parse and step for each following instruction.
If you want to detect shellcode in buffers, use emu_shellcode_test(): the emu copies the buffer into its pages and tries to detect a shellcode. If a possible shellcode is detected, the guessed starting offset is returned, otherwise -1.
To be able to run shellcode that uses the Windows API, one has to provide parts of the Windows process environment to the emulation, as well as some kind of emulation for the API calls used. emu_env_w32_new() creates a minimalistic process environment in e, and calling emu_env_w32_eip_check() after each step allows you to intercept calls to exported API functions. If the return value of emu_env_w32_eip_check() is not NULL, the DLL export's information is returned, including the call's name and hook. If you want to hook calls to API exports, use emu_env_w32_export_hook().