As part of this year’s Summer of Code, I programmed an extension for the shellcode detection and analysis library libemu. The main goal of the project was to increase the performance when executing shellcode, with the help of a virtualizer. Prior to this extension, libemu made use of a custom emulator, which supported only instructions mostly used in shellcode. With this extension, libemu utilizes a full-blown, completely functioning virtualizer, which executes code presumably the same way a real CPU does.
Hi all:
I have finished almost all the coding stuff of Project #1, now you can try out the new PHoneyC with shellcode/heapspray detection here:
http://code.google.com/p/phoneyc/source/browse/phoneyc#phoneyc/branches/phoneyc-honeyjs
Please feel free to report any bug or suggestion on shellcode/heapspray detection to me.
As Geng and his partner is still working on the DOM simulation of PHoneyC (Project #2), I will do more test and write an overall introduction to the ideas and structure of the new PHoneyC after merging in his final commit.
Mid-term Report on PHoneyC GSoC project 1 Introduction PHoneyC is a low-interaction honeyclient written by Jose Nazario. The
shellcode (SC for short) and heapspray (HS for short) detection module
for PHoneyC is listed on the GSoC this year and I feel lucky to be
chosen to implement it. This report is the main idea about how to
detect SC/HS in PHoneyC and how to build and run this version of
As libemu had it’s second release (0.2.0) lately, I’ll try to introduce it to the audience who did not hear about it yet.
libemu is a small library written in c offering basic x86 emulation and shellcode detection using GetPC heuristics. Intended use is within network intrusion/prevention detections and honeypots.
This post is split into four parts:
Practical libemu usecase, showing how it executes shellcode and which information we get from it Explanation of libemu and how it detects shellcode High level shellcode profiling and pre-requirements for this step API call hooking internals Example the input shellcode The shellcode was created using metasploit 3, it is a windows bindshell decrypted with a xor chain.