I recently installed Libemu, and I wanted to share how simple it is.
If you aren’t familiar with Libemu, it is a library that performs x86 emulation and shellcode detection.
I’ve used it during my SLAE course as another method of shellcode analysis.
I performed these steps on a (mostly) clean Ubuntu installation, so you can probably skip some of them depending on your configuration.
First, I installed git, as it didn’t come installed by default.
doyler@slae:~$ sudo apt-get install git
[sudo] password for doyler:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  git-man liberror-perl
Suggested packages:
  git-daemon-run git-daemon-sysvinit git-doc git-el git-arch git-cvs git-svn git-email git-gui gitk gitweb
The following NEW packages will be installed:
  git git-man liberror-perl
... snip ...
Setting up git-man (1:1.7.9.5-1ubuntu0.3) ...
Setting up git (1:1.7.9.5-1ubuntu0.3) ...
Next, I cloned the Libemu repository.
doyler@slae:~$ git clone https://github.com/buffer/libemu
Cloning into 'libemu'...
remote: Counting objects: 4719, done.
remote: Total 4719 (delta 0), reused 0 (delta 0), pack-reused 4719
Receiving objects: 100% (4719/4719), 1.65 MiB, done.
Resolving deltas: 100% (3331/3331), done.
After that, I had to install the autoconf packages.
doyler@slae:~/libemu$ sudo apt-get install autoconf
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  automake autotools-dev m4
Suggested packages:
  autoconf2.13 autoconf-archive gnu-standards autoconf-doc libtool gettext
The following NEW packages will be installed:
  autoconf automake autotools-dev m4
... snip ...
Setting up m4 (1.4.16-2ubuntu1) ...
Setting up autoconf (2.68-1ubuntu2) ...
Setting up autotools-dev (20120210.1ubuntu1) ...
Setting up automake (1:1.11.3-1ubuntu2) ...
update-alternatives: using /usr/bin/automake-1.11 to provide /usr/bin/automake (automake) in auto mode.
With that complete, I thought I would be able to configure the tool(s). Unfortunately, I was still receiving some errors when attempting to run autoreconf.
doyler@slae:~/libemu$ autoreconf -v -i
Can't exec "libtoolize": No such file or directory at /usr/bin/autoreconf line 196.
Use of uninitialized value in pattern match (m//) at /usr/bin/autoreconf line 196.
autoreconf: Entering directory `.'
autoreconf: configure.ac: not using Gettext
autoreconf: running: aclocal
autoreconf: configure.ac: tracing
autoreconf: configure.ac: not using Libtool
autoreconf: running: /usr/bin/autoconf
configure.ac:47: error: possibly undefined macro: AC_PROG_LIBTOOL
      If this token and others are legitimate, please use m4_pattern_allow.
      See the Autoconf documentation.
autoreconf: /usr/bin/autoconf failed with exit status: 1
That said, after a bit of research, I discovered that this error was occurring because I was missing the libtool packages.
doyler@slae:~/libemu$ sudo apt-get install libtool
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libltdl-dev
Suggested packages:
  libtool-doc gfortran fortran95-compiler gcj
The following NEW packages will be installed:
  libltdl-dev libtool
... snip ...
Setting up libltdl-dev (2.4.2-1ubuntu1) ...
Setting up libtool (2.4.2-1ubuntu1) ...
With the prerequisites finally installed, I ran configure to select the directory that I wanted to install to.
doyler@slae:~/libemu$ ./configure --prefix=/opt/libemu
checking for a BSD-compatible install... /usr/bin/install -c
... snip ...
config.status: executing depfiles commands
config.status: executing libtool commands

*** libemu configuration ***
debug            : yes
bindings
  - python       : no
support
  - cargos       : no
Autoreconf worked this time, and set up the proper makefiles.
doyler@slae:~/libemu$ autoreconf -v -i
autoreconf: Entering directory `.'
autoreconf: configure.ac: not using Gettext
autoreconf: running: aclocal
autoreconf: configure.ac: tracing
autoreconf: running: libtoolize --install --copy
libtoolize: putting auxiliary files in `.'.
libtoolize: copying file `./config.guess'
libtoolize: copying file `./config.sub'
libtoolize: copying file `./install-sh'
libtoolize: copying file `./ltmain.sh'
libtoolize: Consider adding `AC_CONFIG_MACRO_DIR([m4])' to configure.ac and
libtoolize: rerunning libtoolize, to keep the correct libtool macros in-tree.
libtoolize: Consider adding `-I m4' to ACLOCAL_AMFLAGS in Makefile.am.
autoreconf: running: /usr/bin/autoconf
autoreconf: running: /usr/bin/autoheader
autoreconf: running: automake --add-missing --copy --no-force
configure.ac:90: installing `./compile'
configure.ac:8: installing `./missing'
src/Makefile.am: installing `./depcomp'
autoreconf: Leaving directory `.'
Finally, I ran make install and got the tools and libraries properly installed!
doyler@slae:~/libemu$ sudo make install
Making install in src
make[1]: Entering directory `/home/doyler/libemu/src'
Making install in functions
make[2]: Entering directory `/home/doyler/libemu/src/functions'
...
make[1]: Entering directory `/home/doyler/libemu'
make[2]: Entering directory `/home/doyler/libemu'
make[2]: Nothing to be done for `install-exec-am'.
test -z "/usr/lib/pkgconfig" || /bin/mkdir -p "/usr/lib/pkgconfig"
 /usr/bin/install -c -m 644 libemu.pc '/usr/lib/pkgconfig'
make[2]: Leaving directory `/home/doyler/libemu'
make[1]: Leaving directory `/home/doyler/libemu'
With everything configured and installed, it was time to test the tool out.
In this case, I used the included sctest tool, which can test shellcode.
This provides some awesome output about the status of registers, flags, and the application’s system calls. It does so similarly to GDB, only in an emulator and without any manual commands or execution.
Additionally, at the bottom of the emulation is some even more valuable output. As you can see, the emulator performs some analysis on the system calls and their parameters, and presents the result as C pseudo-code! This is incredibly helpful if you wish to replicate or change a piece of shellcode, in addition to understanding it better.
int socket (
     int domain = 2;
     int type = 1;
     int protocol = 0;
) =  14;
int bind (
     int sockfd = 14;
     struct sockaddr_in * my_addr = 0x00416fc2 =>
         struct   = {
             short sin_family = 2;
             unsigned short sin_port = 23569 (port=4444);
             struct in_addr sin_addr = {
                 unsigned long s_addr = 0 (host=0.0.0.0);
             };
             char sin_zero = "       ";
         };
     int addrlen = 16;
) =  0;
int listen (
     int s = 14;
     int backlog = 0;
) =  0;
int accept (
     int sockfd = 14;
     sockaddr_in * addr = 0x00000000 =>
         none;
     int addrlen = 0x00000010 =>
         none;
) =  19;
int dup2 (
     int oldfd = 19;
     int newfd = 14;
) =  14;
... snip ...
int execve (
     const char * dateiname = 0x00416fb2 =>
           = "/bin//sh";
     const char * argv[] = [
           = 0x00416faa =>
               = 0x00416fb2 =>
                   = "/bin//sh";
           = 0x00000000 =>
             none;
     ];
     const char * envp[] = 0x00000000 =>
         none;
) =  0;
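As an added example (not from the original post or the libemu project), here is a small Python helper that parses this end-of-emulation pseudo-code into an ordered syscall list, decodes the network-order sin_port value (23569 above) back to the host-order port 4444, and flags the socket/bind/listen/accept/execve sequence as a bind shell. The embedded sample is constructed and abridged in the shape of the output above, and the regular expressions assume that exact layout (un-indented "type name (" header, indented body, ") = value;" footer).

```python
import re

# Constructed, abridged sample in the shape of sctest's end-of-emulation pseudo-code.
SAMPLE_PROFILE = """\
int socket (
     int domain = 2;
) =  14;
int bind (
     struct sockaddr_in * my_addr = 0x00416fc2 =>
         struct   = {
             unsigned short sin_port = 23569 (port=4444);
         };
) =  0;
int listen (
     int s = 14;
) =  0;
int accept (
     int sockfd = 14;
) =  19;
int dup2 (
     int oldfd = 19;
     int newfd = 14;
) =  14;
int execve (
     const char * dateiname = 0x00416fb2 =>
           = "/bin//sh";
) =  0;
"""

# One top-level call: an un-indented "type name (" line, its indented body, then ") = ret;".
CALL = re.compile(r"^\w[^\n]*?\b(\w+) \(\n(.*?)^\) =\s+(-?\d+);$", re.S | re.M)

def parse_calls(profile):
    """Return [(name, return_value, body)] for each recorded call, in emulation order."""
    return [(m.group(1), int(m.group(3)), m.group(2)) for m in CALL.finditer(profile)]

def host_port(sin_port):
    """sin_port is in network byte order; swap the two bytes to get the host-order port."""
    return ((sin_port & 0xFF) << 8) | (sin_port >> 8)   # 23569 -> 4444

def classify(profile):
    """Summarise the call sequence; socket/bind/listen/accept then execve is a bind shell."""
    calls = parse_calls(profile)
    names = [c[0] for c in calls]
    info = {"calls": names, "kind": "unknown"}
    for name, _, body in calls:
        if name == "bind" and (m := re.search(r"sin_port = (\d+)", body)):
            info["port"] = host_port(int(m.group(1)))
        if name == "execve" and (m := re.search(r'"(/[^"]*)"', body)):
            info["program"] = m.group(1)
    if names[:4] == ["socket", "bind", "listen", "accept"] and "execve" in names:
        info["kind"] = "bind shell"
    return info
```

Running classify() on a real sctest profile gives a one-glance summary (ordered syscalls, listening port, executed program) that can be diffed between shellcode samples.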
While I haven’t used it a lot yet, I plan on at least using the sctest tool a lot in the future.
Additionally, one of the exam requirements is to do analysis on some MSF shellcode. I can see myself utilizing this in addition to the standard ndisasm and GDB.
Let me know if you have any other uses for this tool, or any scripts that you’ve written using the library functionality!
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he’s done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!
He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.