URL: http://sandsprite.com/blogs/index.php?uid=7&pid=152


SCDBG DOWNLOAD

Author: David Zimmer
Date: 01.21.11 - 5:27am

scdbg is a shellcode analysis application built around the libemu emulation
library. When run, it displays to the user all of the Windows API calls the
shellcode attempts to make.

What I wanted was an emulation-based version of sclog that I could run freely,
without worry, on my desktop.

Additions include:
140+ new api hooks, 9 new dlls, interactive debug shell, rebuilt PEB, support
for file format exploits, support for return address scanners, memory monitor,
report mode, dump mode, easily human readable outputs, log after xx
capabilities, directory mode, inline analysis of process injection shellcode and
more...

Here the log-after-step option (-las) shows exactly why the shellcode is crashing:
it is trying to execute second-stage shellcode from a stack buffer that was filled
by a recv call. This shellcode could be run further with the -i interactive mode option.

The simplest command line you can use is:
 * scdbg -f shellcode_file.sc

Where shellcode_file.sc is the raw shellcode in binary format.
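The help screen further down notes that -f also accepts shellcode as %u, \x, %XX or plain hex text rather than raw binary. The following added example (not part of scdbg or this post) shows how those textual forms normalise to the same raw bytes, using constructed sample blobs; the xor_buffer helper mirrors the -xor option's use case, and its key byte order is an assumption, not scdbg's documented behaviour.

```python
import re

# Constructed sample inputs: the same four bytes (90 90 EB 15) in each textual form.
SAMPLES = {
    "%u":  b"%u9090%u15EB",
    "\\x": b"\\x90\\x90\\xEB\\x15",
    "%x":  b"%90%90%EB%15",
    "hex": b"90 90 EB 15",
}

def detect_encoding(text: str) -> str:
    """Classify a shellcode text blob; whitespace is ignored since dumps often wrap."""
    s = re.sub(r"\s+", "", text)
    if re.fullmatch(r"(?:%u[0-9A-Fa-f]{4})+", s):
        return "%u"
    if re.fullmatch(r"(?:\\x[0-9A-Fa-f]{2})+", s):
        return "\\x"
    if re.fullmatch(r"(?:%[0-9A-Fa-f]{2})+", s):
        return "%x"
    if re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", s):
        return "hex"   # note: pure hex-digit ASCII is inherently ambiguous with raw text
    return "binary"

def decode_shellcode(data: bytes) -> bytes:
    """Return raw bytes for any of the textual encodings; anything else is treated as raw binary."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return data                      # high bytes present: already raw binary
    enc = detect_encoding(text)
    s = re.sub(r"\s+", "", text)
    if enc == "%u":
        # %uXXXX is a UTF-16LE code unit, so each word is stored low byte first:
        # %u9090 %u15EB -> 90 90 EB 15
        return b"".join(bytes.fromhex(w)[::-1] for w in re.findall(r"%u([0-9A-Fa-f]{4})", s))
    if enc == "\\x":
        return bytes.fromhex(s.replace("\\x", ""))
    if enc == "%x":
        return bytes.fromhex(s.replace("%", ""))
    if enc == "hex":
        return bytes.fromhex(s)
    return data

def xor_buffer(buf: bytes, key: int) -> bytes:
    """Apply a repeating 1- to 4-byte XOR key (the -xor option's use case).
    Assumption: key bytes are applied in the order written, e.g. 0xAABB -> AA, BB, AA, BB ..."""
    key_bytes = key.to_bytes(max(1, (key.bit_length() + 7) // 8), "big")
    return bytes(b ^ key_bytes[i % len(key_bytes)] for i, b in enumerate(buf))

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:4} -> {decode_shellcode(blob).hex(' ')}")
```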

An example of working with shellcode for a file format exploit might look like:
 * scdbg -f shellcode.sc -fopen bad.doc_ -s -1 -i

In this case, the shellcode can scan for the open file handle, and actually
decode and extract the embedded executables dropping them to disk for you.

Docs & Resources:
 * Online Manual
 * Video Trainer 1 - General Use
 * Video Trainer 2 - Asm and Debug shell
 * some sample shellcode files - ./files/_sc_samples.zip (the google site block
   mafia prevents me from including a direct link)

For Windows Users I have ported the library over to give a native compile using
Visual Studio 2008. This is the main development branch going forward.

Linux users should grab the GCC source below which can still be cross compiled.
(Windows cygwin users may also be interested in the GCC builds as they still
contain the graphing and original -getpc features)

The Visual Studio source repository also includes several other sub-projects,
such as a tool to create -patch files as well as a project to compile libemu as a
__stdcall DLL. This libemu DLL is suitable for use with Visual Basic 6, C#, or any
other language which can consume a standard Windows DLL. Example projects are
available in the languages mentioned above.

Windows Native Source/Binaries (15 dlls, 297 hooks - current development branch)
 * Change log
 * Win32 Binaries
 * https://github.com/dzzie/VS_LIBEMU
 * git clone git://github.com/dzzie/VS_LIBEMU.git


*nix/Cygwin Source/Binaries (100 hooks - inactive)

The older gcc compatible and cross-compilable version is available here:
(tested with cygwin/gcc 3.4 & 4.3, RHEL 2.6/ gcc 4.1)
 * win32 binaries
 * https://github.com/dzzie/SCDBG
 * git clone git://github.com/dzzie/SCDBG.git

Thanks again to Markus and Paul for releasing this very cool library!

Help screen below: (see scdbg -h for current options)


scdbg is an adaption of the libemu library and sctest project
  Libemu Copyright (C) 2007  Paul Baecher & Markus Koetter
  scdbg developer: David Zimmer 
  Compile date: Oct 16 2019 19:41:30

  /f fpath              load shellcode from file - accepts binary, %u, x, %x, hex blob
  /api                  scan memory and try to find API table
  /auto                 running as part of an automation run
  /ba hexnum            break above - breaks if eip > hexnum
  /bp varies            set breakpoint on file offset, virtual addr or api name (max 10)
  /bs int               break on step (shortcut for -las  -vvv)
  /b0                   break if 00 00 add [eax],al
  /cmd "string data"    data to use for GetCommandLineA (use " to embed quotes)
  /cfo                  CreateFileOverRide - if /fopen use handle else open real arg
  /d                    dump unpacked shellcode
  /dir  folder          process *.sc in  supports: -r (1 report), -v (report mode), -u
  /disasm int           Disasm int lines (can be used with /foff)
  /dump                 view hexdump (can be used with /foff)
  /e int                verbosity on error (3 = debug shell)
  /findsc               detect possible shellcode buffers (brute force) (supports -dump, -disasm)
  /fopen file           Opens a handle to  for use with GetFileSize() scanners
  /foff hexnum          starts execution at file offset (also supports virtual addresses)
  /h                    show this help
  /hex                  show hex dumps for hook reads/writes (paged)
  /hooks                dumps a list all implemented api hooks
  /i                    enable interactive hooks (file and network)
  /las int              log at step ex. -las 100
  /laa hexnum           log at address or api ex. -laa 0x401020 or -laa ReadFile
  /lookup api           shows the address of WinAPi function ex. -lookup GetProcAddress
  /mm                   enabled Memory Monitor (logs access to key addresses)
  /mdll                 Monitor Dll - log direct access to dll memory (hook detection/patches)
  /min steps            min number of steps (decimal) to trigger record in findsc mode (def 200)
  /nc                   no color (if using sending output to other apps)
  /noseh                Disables support for seh and UnhandledExceptionFilter
  /norw                 Disables display of read/write file hooks
  /o hexnum             base offset to use (default: 0x401000)
  /patch fpath          load patch file  into libemu memory
  /pad 0xVal            add an extra 0xVal bytes to shellcode
  /r                    show analysis report at end of run (includes -mm)
  /redir ip:port        redirect connect to ip (port optional)
  /s int                max number of steps to run (def=2000000, -1 unlimited)
  /sigs                 show signatures (can be used with -disasm)
  /t int                MS to delay between steps (v1-2) or api (v0)
  /temp folder          use folder as temp path for interactive mode file writes
  /u                    unlimited steps (same as -s -1)
  /v                    verbosity, can be used up to 4 times, ex. /v /v /vv
  /- /+                 increments or decrements GetFileSize, can be used multiple times
  /va 0xBase-0xSize     VirtualAlloc memory at 0xBase of 0xSize
  /raw 0xBase-fpath     Raw Patch Mode: load fpath into mem at 0xBase (not PE aware)
  /llo dllName-0xBase   LoadLibrary Override: returns 0xBase for LoadLibrary/GetModuleHandle
  /wbyte 0xBase-0xVal   Write 8bit 0xValue at 0xBase (/wb shortcut supported)
  /wint 0xBase-0xVal    Write 32bit integer 0xValue at 0xBase
  /wstr 0xBase-Str      Write string at base ex. 0x401000-0x9090EB15CCBB or "0xBase-ascii string"
  /dllmap               show the name, base, size, and version of all built in dlls
  /nofile               assumes you have loaded shellcode manually with -raw, -wstr, or -wint
  /bswap                byte swaps -f and -wstr input buffers
  /eswap                endian swaps -f and -wstr input buffers
  /xor 0xVal            xor -f and -wstr input buffers with 1 - 4 byte keys
  /conv path            outputs converted shellcode to file (%u,x,bswap,eswap..)
  /ida                  connects to last opened IDA instance on startup
  /[reg] value          sets init register value ex: -eax 0x20 -ebx 20 -ecx base -reg base

   dbg>
        ? - help, this help screen, h also works
        v - change verbosity (0-4)
        g - go - continue with v=0
        s - step, continues execution, ENTER also works
        c - reset step counter
        r - execute till return (v=0 recommended)
        u - unassembled x instructions at address (default eip)
        b - sets next free breakpoint (10 max)
        m - reset max step count (-1 = infinate)
        e - set eip (file offset or VA)
        w - dWord dump,(32bit ints) prompted for hex base addr and then size
        d - Dump Memory (hex dump) prompted for hex base addr and then size
        x - execute x steps (use with reset step count)
        t - set time delay (ms) for verbosity level 1/2
        k - show stack
        i - break at instruction (scans disasm for next string match)
        f - dereF registers (show any common api addresses in regs)
        j - show log of last 10 instructions executed
        o - step over
        ; - Set comment in IDA if .idasync active
        +/- - basic calculator to add or subtract 2 hex values
        .bl - list set breakpoints
        .bc - clear breakpoint
        .api - scan memory for api table
        .nop - nops out instruction at address (default eip)
        .seh - shows current value at fs[0]
        .segs - show values of segment registers
        .skip - skips current instruction and goes to next
        .reg - manually set register value
        .dllmap - show dll map
        .poke1 - write a single byte to memory
        .poke4 - write a 4 byte value to memory
        .lookup - get symbol for address
        .symbol - get address for symbol (special: peb,dllmap,fs0)
        .savemem - saves a memdump of specified range to file
        .idasync - connect IDASrvr plugin and sync view at step or break.
        .allocs - list memory allocations made
        q - quit

--------------------------------------------------------------------------------

COMMENTS: (5)

On 01.23.16 - 3:47pm Dave wrote:


Note that the Windows version of scdbg.exe looks to run OK under Wine. The
gui_launcher.exe, however, will not.


On 10.18.17 - 5:44am Dave wrote:


If you hit a shellcode that has a legit opcode not supported, you can try it
against the scdbg Unicorn build, which has merged the libemu Win32 env with the
Unicorn (QEMU) emulator. All the hooks are in place and working, but I have not
ported all of the command line options over yet.

You can read more about how this was done in my Writing a libemu/Unicorn
Compatibility Layer Fireeye blog post.


On 10.16.19 - 8:19am Gabor Szappanos wrote:


Thank you for maintaining scdbg, it is an extremely useful tool. The hook of
ZwSetInformationProcess contains a bug. This line if(infoClass0x22){ I believe
should be if(infoClass0x22){


On 09.14.20 - 6:37pm tom wrote:


thank you


On 12.02.22 - 8:32pm Anonymous wrote:


Awesome!

