https://github.com/REW-sploit/REW-sploit

Emulate and Dissect MSF and *other* attacks
https://github.com/REW-sploit/REW-sploit

blueteam cobaltstrike defense emulation malware-analysis metasploit

Last synced: 3 months ago
JSON representation

Emulate and Dissect MSF and *other* attacks

• Host: GitHub
• URL: https://github.com/REW-sploit/REW-sploit
• Owner: REW-sploit
• License: agpl-3.0
• Created: 2021-06-16T13:47:41.000Z (over 3 years ago)
• Default Branch: main
• Last Pushed: 2024-02-28T08:33:22.000Z (8 months ago)
• Last Synced: 2024-06-06T22:47:48.280Z (5 months ago)
• Topics: blueteam, cobaltstrike, defense, emulation, malware-analysis, metasploit
• Language: Python
• Homepage:
• Size: 2.26 MB
• Stars: 135
• Watchers: 5
• Forks: 23
• Open Issues: 1
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

• awesome-hacking-lists - REW-sploit/REW-sploit - Emulate and Dissect MSF and *other* attacks (Python)

README

        




# REW-sploit

Need help in analyzing  Windows shellcode or attack coming from **Metasploit Framework** or **Cobalt Strike** (or may be also other malicious or obfuscated code)? Do you need to automate tasks with simple scripting? Do you want help to decrypt **MSF** generated traffic by extracting keys from payloads?

**REW-sploit** is here to help Blue Teams!

Here a quick demo:

[](https://asciinema.org/a/ln8tkJH7bOhACFRMdnPmk2i1o)

An introduction to the tool has been registered at **Insomni'hack 2022**:

https://www.youtube.com/watch?v=-sjM0k0hvMU

## Install

Installation is very easy. I strongly suggest to create  a specific Python Env for it:

```

# python -m venv /rew-sploit

# source /rew-sploit/bin/activate

# git clone https://github.com/REW-sploit/REW-sploit.git

# cd REW-sploit

# pip install -U setuptools

# pip install -r requirements.txt

# ./apply_patch.py -f

# ./rew-sploit

```

If you prefer, you can use the Dockerfile. To create the image:

```

docker build -t rew-sploit/rew-sploit .

```

and then start it (sharing the `/tmp/` folder):

```

docker run --rm -it --name rew-sploit -v /tmp:/tmp rew-sploit/rew-sploit

```

You see an `apply_patch.py` script in the installation sequence. This is required to apply a small patch to the `speakeasy-emulator` (https://github.com/fireeye/speakeasy/) to make it compatible with `REW-sploit`. You can easily revert the patch with `./apply_patch.py -r` if required.

Optionally, you can also install Cobalt-Strike Parser:

```

# cd REW-sploit/extras

# git clone https://github.com/Sentinel-One/CobaltStrikeParser.git

```

**NOTE**: from version `0.4.2` I switched to use the latest commit of `Speakeasy-Emulator` instead of the stable release. If you want to use the stable release, use

```

pip install -r requirements_stable.txt

```

## Standing on the shoulder of giants

`REW-sploit` is based on a couple of great frameworks, `Unicorn` and `speakeasy-emulator` (but also other libraries). Thanks to everyone and thanks to the OSS movement!

## How it works

In general we can say that whilst Red Teams have a lot of tools helping them in "automating" attacks, Blue Teams are a bit "tool-less". So, what I thought is to build something to help Blue Team Analysis.

`REW-sploit` can get a shellcode/DLL/EXE, emulate the execution, and give you a set of information to help you in understanding what is going on. Example of extracted information are:

- API calls

- Encryption keys used by **MSF** payloads

- decrypted 2nd stage coming from **MSF**

- Cobalt-Strike configurations (if [CobaltStrike parser is installed](https://github.com/Sentinel-One/CobaltStrikeParser))

You can find several examples on the current capabilities here below:

- [RC4 Keys Extraction](https://asciinema.org/a/ln8tkJH7bOhACFRMdnPmk2i1o?speed=2)

- [RC4 Keys Extraction + PCAP 2nd stage decryption](https://asciinema.org/a/TfrcYnCaCuCPGVhaeq0wkEyag?speed=2)

- [ChaCha Keys Extraction](https://asciinema.org/a/01oMaPMG0BmLkPhXkIMNvSO4c?speed=2)

- [Meterpreter session Decryption (no RSA)](https://asciinema.org/a/Q8zZ8Ri7ZPzpBOZRTh9eZpzWi?speed=2)

- [Cobalt-Strike beacon Emulation](https://asciinema.org/a/ps4VdIqY71W786j9lOAz9taOp?speed=10)

- [Cobalt-Strike config Extraction](https://asciinema.org/a/1hGjmn9hgx5i2CAZFePpbaI70?speed=5)

- [Debugging options](https://asciinema.org/a/kIhOo2jKjOBTcxh8VrU0UzkXi)

- [Dumping Threads](https://asciinema.org/a/5SeKKodDXl79vceM7eXjsQJil?speed=2)

- [Dumping Memory Allocations](https://asciinema.org/a/MCWCt3phS9L9YABCeDnUd3poF)

## Donut support

You know for sure the [Donut](https://github.com/TheWover/donut) package, able to create PIC from EXE, DLL, VBScript and JScript.

`Donut`, in order to evade detection, uses a API exports enumeration based on hashes computed on every API name, as many PIC do. This is very CPU intensive (especially in an emulated environment like `REW-sploit`). 

So, I implemented a sort of shortcut (changed from 0.3.3 release) to unhook some of the slowest parts of emulation when a `Donut` stub is detected.

Also, in order to be able to correctly complete the emulation, you need to give to `Speakeasy` the DLL to get the complete exports. To do it copy the following DLLs

```

kernel32.dll

mscoree.dll

ole32.dll

oleaut32.dll

wininet.dll

```

in the `Speakeasy` folder `winenv/decoys/amd64` and/or `winenv/decoys/x86` (see [Speakeasy](https://github.com/fireeye/speakeasy#readme) README for details). If you don't need them, don't leave the DLLs there, in other case they can slow down emulation.

For `Donut` 1.0 you may want to add even the following DLLs

```

combase.dll

shell32.dll

ntdll.dll

```

##  EgeBalci/sgn

This [Shikata Ga Nai](https://github.com/EgeBalci/sgn.git) implementation works just fine most of the times. In some cases it fails with an `invalid read`, so I implemented `Fixup #4` for it. 

## Anti-debug

A new command `emulate_antidebug` has been added from version `0.4`: this should help in identifying antidebug tricks used in teh analyzed code, so that you can patch it when executing in a real debug environment. This is an example of what has been implemented:

```

[#] Call to QueryPerformanceCounter() at 0x414049

[#] IsDebuggerPresent() at 0x4157e7

[#] CheckRemoteDebuggerPresent() at 0x415828

[#] Suspect NtQueryInformationProcess() at 0x4158b3

[#] Suspect NtQuerySystemInformation() at 0x415a22

[#] Direct access to PEB!BeingDebugged at 0x415a6a

[#] Direct access to PEB!NtGlobalFlag at 0x415a9e

[#] Suspect access to HeapBase (may be used to access Flags and ForceFlags) at 0x415b17

[#] GetProcAddress() of CRSS.EXE at 0x415b75

[#] Exclusive CreateFileA() on current process at 0x415bc4

[#] Call to GetLocalTime() at 0x415bfd

[#] Call to GetSystemTime() at 0x415c20

[#] Call to GetTickCount() at 0x415c52

[#] Call to QueryPerformanceCounter() at 0x415ca6

[#] Call to timeGetTime() at 0x415cd7

[#] Call to VirtualProtect() on "Return Address" at 0x4120b9

```

## Dumping functions

The `emulate_payload` command has 3 options to dump content of several artifacts:

```

  -T, --thread          Dump CreateThread API content from lpStartAddress

  -W, --writefile       Dump WriteFile API content

  -M, --writemem        Dump VirtualAlloc API allocated content

```

With these options you can dump the content of memory areas or files during emulation. For example the `--writemem` option allows to dump all the allocated memory when accessed in read or execution (for example with a JMP in the area); a common behavior of malicious code is to allocate memory, decrypt it and then execute or use it to do additional things. This option allows to get this content after decryption.

## A couple of words about performance

Obviously emulation slows down everything. Moreover, hooking every instruction in order to interact with the execution, make things even slower. In general this works fine with small shellcode, but have some issues with complex code. That's why I added an option to **turn off** hooking to speed up execution:

```

emulate_payload -P  -U 0

```

In this way you can get a picture of what the emulated code is doing (with API tracking), but nothing else will be done (no fixups, no key extractions, etc). If you specify something different than `0` the hooking will be re-enabled when the `IP` (instruction pointer) will reach the specified address (fixups will be applied from the same address).

## Fixups

In some cases emulation was simply breaking, for different reasons. In some cases obfuscation was using some techniques that was confusing the emulation engine. So I implemented some ad-hoc fixups (you can enable them by using `-F` option of the `emulate_payload` command). Fixups are implemented in `modules/emulate_fixups.py`. Currently we have

Unicorn issue #1092:

```

    #

    # Fixup #1

    # Unicorn issue #1092 (XOR instruction executed twice)

    # https://github.com/unicorn-engine/unicorn/issues/1092

    #               #820 (Incorrect memory view after running self-modifying code)

    # https://github.com/unicorn-engine/unicorn/issues/820

    # Issue: self modfying code in the same Translated Block (16 bytes?)

    # Yes, I know...this is a huge kludge... :-/

    #

```

FPU emulation issue:

```

    #

    # Fixup #2

    # The "fpu" related instructions (FPU/FNSTENV), used to recover EIP, sometimes

    # returns the wrong addresses.

    # In this case, I need to track the first FPU instruction and then place

    # its address in STACK when FNSTENV is called

    #

```

Trap Flag evasion:

```

    #

    # Fixup #3

    # Trap Flag evasion technique

    # https://unit42.paloaltonetworks.com/single-bit-trap-flag-intel-cpu/

    #

    # The call of the RDTSC with the trap flag enabled, cause an unhandled

    # interrupt. Example code:

    #        pushf

    #        or dword [esp], 0x100

    #        popf

    #        rdtsc

    #

    # Any call to RDTSC with Trap Flag set will be intercepted and TF will

    # be cleared

    #

```

Too few values on stack:

```

    #

    # Fixup #4

    # Stack too small (not enough values stored)

    # 

    # Some obfuscator/evasion technique try to access some values on the stack

    # (like for example SGN https://github.com/EgeBalci/sgn.git):

    #

    #     cmovne ax, word ptr [esp + 0xfa]

    #

    # In this case the emulation fails with an "invalid_read" since ESP is too

    # close to the top of the stack. This creates some 'fake' values.

    #

```

## Customize YARA rules

File `modules/emulate_rules.py` contains the **YARA** rules used to intercept the interesting part of the code, in order to implement instrumentation. I tried to comment as much as possible these sections in order to let you create your own rule (please share them with a pull request if you think they can help others). For example:

```

#

# Payload Name: [MSF] windows/meterpreter/reverse_tcp_rc4

# Search for  : mov esi,dword ptr [esi]

#               xor esi,0x

# Used for    : this xor instruction contains the constant used to

#               encrypt the lenght of the payload that will be sent as 2nd

#               stage

# Architecture: x32

#

yara_reverse_tcp_rc4_xor_32 = 'rule reverse_tcp_rc4_xor {                \

                               strings:                                  \

                                   $opcodes_1 = { 8b 36                  \

                                                  81 f6 ?? ?? ?? ?? }    \

                               condition:                                \

                                   $opcodes_1 }'

```

## Issues

Please, open Issues if you find something that not work or that can be improved. Thanks!