Darkpro : Carding Forums - Carders Forums - Best Carding Forums - Hacking Forum - ANDROID

Joker Stash

BlobRunner - Quickly Debug Shellcode Extracted During Malware Analysis 2022

BlobRunner is a simple tool to quickly debug shellcode extracted during malware analysis.
BlobRunner allocates memory for the target file and jumps to the base (or offset) of the allocated memory. This allows an analyst to quickly debug into extracted artifacts with minimal overhead and effort.
To use BlobRunner, you can download the compiled executable from the releases page or build your own using the steps below.

Building
Building the executable is straightforward and relatively painless.
Prerequisites
>Download and install Microsoft Visual C++ Build Tools or Visual Studio
Build Steps
>Open Visual Studio Command Prompt
>Navigate to the directory where BlobRunner is checked out
>Build the executable by running:
cl blobrunner.c

Building BlobRunner x64
Building the x64 version is virtually the same as above, but just uses the x64 tooling.
>Open x64 Visual Studio Command Prompt
>Navigate to the directory where BlobRunner is checked out
>Build the executable by running:
cl /Feblobrunner64.exe /Foblobrunner64.out blobrunner.c

Usage
To debug:
>Open BlobRunner in your favorite debugger.
>Pass the shellcode file as the first parameter.
>Add a breakpoint before the jump into the shellcode
>Step into the shellcode
BlobRunner.exe shellcode.bin
Debug into the file at a specific offset:
BlobRunner.exe shellcode.bin --offset 0x0100
Debug into the file and don't pause before the jump. Warning: ensure you have a breakpoint set before the jump.
BlobRunner.exe shellcode.bin --nopause

Debugging x64 Shellcode
Inline assembly isn't supported by the x64 compiler, so to support debugging into x64 shellcode the loader creates a suspended thread, which allows you to place a breakpoint at the thread entry before the thread is resumed.

Remote Debugging Shell Blobs (IDAPro)
The process is virtually identical to debugging shellcode locally, with the exception that you need to copy the shellcode file to the remote system. If the file is copied to the same path you are running win32_remote.exe from, you just need to use the file name for the parameter. Otherwise, you will need to specify the path to the shellcode file on the remote system.

Shellcode Samples
You can quickly generate shellcode samples using the Metasploit tool msfvenom.
Generating a simple Windows exec payload:

msfvenom -a x86 --platform windows -p windows/exec cmd=calc.exe -o test2.bin