Libemu Installation, Configuration, and Usage

I recently installed Libemu, and I wanted to share how simple it is.

Libemu - Introduction

If you aren't familiar with Libemu, it is a library that performs x86 emulation and shellcode detection.

I've used it during my SLAE course as another method of shellcode analysis.

Installation

I performed these steps on a (mostly) clean Ubuntu installation, so you can probably skip some of them depending on your configuration.

First, I installed git, as it didn't come installed by default.

doyler@slae:~$ sudo apt-get install git
[sudo] password for doyler:
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following extra packages will be installed:
  git-man liberror-perl
Suggested packages:
  git-daemon-run git-daemon-sysvinit git-doc git-el git-arch git-cvs git-svn git-email git-gui gitk gitweb
The following NEW packages will be installed:
  git git-man liberror-perl

... snip ...

Setting up git-man (1:1.7.9.5-1ubuntu0.3) ...
Setting up git (1:1.7.9.5-1ubuntu0.3) ...

Next, I cloned the Libemu repository.

doyler@slae:~$ git clone https://github.com/buffer/libemu
Cloning into 'libemu'...
remote: Counting objects: 4719, done.
remote: Total 4719 (delta 0), reused 0 (delta 0), pack-reused 4719
Receiving objects: 100% (4719/4719), 1.65 MiB, done.
Resolving deltas: 100% (3331/3331), done.

After that, I had to install the autoconf packages.

doyler@slae:~/libemu$ sudo apt-get install autoconf
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following extra packages will be installed:
  automake autotools-dev m4
Suggested packages:
  autoconf2.13 autoconf-archive gnu-standards autoconf-doc libtool gettext
The following NEW packages will be installed:
  autoconf automake autotools-dev m4

... snip ...

Setting up m4 (1.4.16-2ubuntu1) ...
Setting up autoconf (2.68-1ubuntu2) ...
Setting up autotools-dev (20120210.1ubuntu1) ...
Setting up automake (1:1.11.3-1ubuntu2) ...
update-alternatives: using /usr/bin/automake-1.11 to provide /usr/bin/automake (automake) in auto mode.

With that complete, I thought I would be able to configure the tool(s). Unfortunately, I was still receiving some errors when attempting to run autoreconf.

doyler@slae:~/libemu$ autoreconf -v -i
Can't exec "libtoolize": No such file or directory at /usr/bin/autoreconf line 196.
Use of uninitialized value in pattern match (m//) at /usr/bin/autoreconf line 196.
autoreconf: Entering directory `.'
autoreconf: configure.ac: not using Gettext
autoreconf: running: aclocal
autoreconf: configure.ac: tracing
autoreconf: configure.ac: not using Libtool
autoreconf: running: /usr/bin/autoconf
configure.ac:47: error: possibly undefined macro: AC_PROG_LIBTOOL
      If this token and others are legitimate, please use m4_pattern_allow.
      See the Autoconf documentation.
autoreconf: /usr/bin/autoconf failed with exit status: 1

That said, after a bit of research, I discovered that this error was occurring because I was missing the libtool packages.

doyler@slae:~/libemu$ sudo apt-get install libtool
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following extra packages will be installed:
  libltdl-dev
Suggested packages:
  libtool-doc gfortran fortran95-compiler gcj
The following NEW packages will be installed:
  libltdl-dev libtool

... snip ...

Setting up libltdl-dev (2.4.2-1ubuntu1) ...
Setting up libtool (2.4.2-1ubuntu1) ...

With the prerequisites finally installed, I ran configure to select the directory that I wanted to install to.

doyler@slae:~/libemu$ ./configure --prefix=/opt/libemu
checking for a BSD-compatible install... /usr/bin/install -c

... snip ...

config.status: executing depfiles commands
config.status: executing libtool commands

*** libemu configuration ***

debug                              : yes

bindings
- python                          : no

support
- cargos                          : no

Autoreconf worked this time, and set up the proper makefiles.

doyler@slae:~/libemu$ autoreconf -v -i
autoreconf: Entering directory `.'
autoreconf: configure.ac: not using Gettext
autoreconf: running: aclocal
autoreconf: configure.ac: tracing
autoreconf: running: libtoolize --install --copy
libtoolize: putting auxiliary files in `.'.
libtoolize: copying file `./config.guess'
libtoolize: copying file `./config.sub'
libtoolize: copying file `./install-sh'
libtoolize: copying file `./ltmain.sh'
libtoolize: Consider adding `AC_CONFIG_MACRO_DIR([m4])' to configure.ac and
libtoolize: rerunning libtoolize, to keep the correct libtool macros in-tree.
libtoolize: Consider adding `-I m4' to ACLOCAL_AMFLAGS in Makefile.am.
autoreconf: running: /usr/bin/autoconf
autoreconf: running: /usr/bin/autoheader
autoreconf: running: automake --add-missing --copy --no-force
configure.ac:90: installing `./compile'
configure.ac:8: installing `./missing'
src/Makefile.am: installing `./depcomp'
autoreconf: Leaving directory `.'

Finally, I ran make install and got the tools and libraries properly installed!

doyler@slae:~/libemu$ sudo make install
Making install in src
make[1]: Entering directory `/home/doyler/libemu/src'
Making install in functions
make[2]: Entering directory `/home/doyler/libemu/src/functions'

...

make[1]: Entering directory `/home/doyler/libemu'
make[2]: Entering directory `/home/doyler/libemu'
make[2]: Nothing to be done for `install-exec-am'.
test -z "/usr/lib/pkgconfig" || /bin/mkdir -p "/usr/lib/pkgconfig"
/usr/bin/install -c -m 644 libemu.pc '/usr/lib/pkgconfig'
make[2]: Leaving directory `/home/doyler/libemu'
make[1]: Leaving directory `/home/doyler/libemu'
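The steps above as one script, added here and not part of the original post: it checks for the tools autoreconf needs before running (the "Can't exec libtoolize" error above is what a missing libtool looks like) and runs autoreconf before configure, since autoreconf is what generates configure and configure is what generates the Makefiles. The package mapping assumes Ubuntu; PREFIX and REPO default to the values used in the post.

```shell
# Added example, not part of the original post: build libemu from source on
# Ubuntu, checking for the tools autoreconf needs first. autoreconf generates
# configure and configure generates the Makefiles, so that order is required.
set -eu
PREFIX="${PREFIX:-/opt/libemu}"          # install prefix used in the post
REPO="https://github.com/buffer/libemu"  # repository cloned in the post

# Print, space separated, the listed commands that are not on PATH.
# "Can't exec libtoolize" and "possibly undefined macro: AC_PROG_LIBTOOL"
# from autoreconf are exactly what a missing libtoolize looks like.
check_prereqs() {
    missing=""
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || missing="$missing $tool"
    done
    echo "${missing# }"
}

# Map a missing command to the Ubuntu package that provides it (libtoolize is
# in libtool on the Ubuntu used in the post, in libtool-bin on newer releases).
package_for() {
    case "$1" in
        libtoolize)          echo libtool ;;
        autoreconf|autoconf) echo autoconf ;;
        automake|aclocal)    echo automake ;;
        make|gcc)            echo build-essential ;;
        *)                   echo "$1" ;;
    esac
}

install_libemu() {
    missing=$(check_prereqs git autoreconf automake libtoolize make gcc)
    if [ -n "$missing" ]; then
        pkgs=""
        for tool in $missing; do pkgs="$pkgs $(package_for "$tool")"; done
        sudo apt-get install -y $pkgs
    fi
    [ -d libemu ] || git clone "$REPO" libemu
    cd libemu
    autoreconf -v -i                 # generates configure (needs libtoolize)
    ./configure --prefix="$PREFIX"   # generates the Makefiles
    make
    sudo make install
}

# Only build when asked, so the file can be run just to report missing tools.
if [ "${1:-}" = "--install" ]; then
    install_libemu
else
    echo "missing build tools: $(check_prereqs git autoreconf automake libtoolize make gcc)"
fi
```

Run it with --install to build; without arguments it only reports which build tools are missing.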

Testing it Out

With everything configured and installed, it was time to test the tool out.

In this case, I used the included sctest tool, which can test shellcode.

This provides some awesome output about the status of registers, flags, and the application's system calls. It does so similarly to GDB, only in an emulator and without any manual commands or execution.

Libemu - Execution

Additionally, at the bottom of the emulation is some even more valuable output. As you can see, the emulator performs some analysis on the system calls and their parameters, and provides this as some C pseudo-code! This is incredibly helpful if you wish to replicate or change a piece of shellcode, in addition to understanding it better.

int socket (
     int domain = 2;
     int type = 1;
     int protocol = 0;
) =  14;
int bind (
     int sockfd = 14;
     struct sockaddr_in * my_addr = 0x00416fc2 => 
         struct   = {
             short sin_family = 2;
             unsigned short sin_port = 23569 (port=4444);
             struct in_addr sin_addr = {
                 unsigned long s_addr = 0 (host=0.0.0.0);
             };
             char sin_zero = "       ";
         };
     int addrlen = 16;
) =  0;
int listen (
     int s = 14;
     int backlog = 0;
) =  0;
int accept (
     int sockfd = 14;
     sockaddr_in * addr = 0x00000000 => 
         none;
     int addrlen = 0x00000010 => 
         none;
) =  19;
int dup2 (
     int oldfd = 19;
     int newfd = 14;
) =  14;

... snip ...

int execve (
     const char * dateiname = 0x00416fb2 => 
           = "/bin//sh";
     const char * argv[] = [
           = 0x00416faa => 
               = 0x00416fb2 => 
                   = "/bin//sh";
           = 0x00000000 => 
             none;
     ];
     const char * envp[] = 0x00000000 => 
         none;
) =  0;
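To show how that pseudo-code can be triaged without reading it by hand, here is an added example (not from the post or from the libemu project) that pulls the call sequence, the bind port and the execve path out of a sample constructed from the values above, and recomputes the port from the raw network-order sin_port instead of trusting the "(port=4444)" annotation.

```shell
# Added example (not from the post): triage the C pseudo-code sctest prints at
# the end of an emulation, using a sample built out of the values in the post.
set -eu
# Constructed sample of the pseudo-code block, trimmed to the lines parsed below.
SAMPLE='int socket (
     int domain = 2;
) =  14;
int bind (
     int sockfd = 14;
     struct sockaddr_in * my_addr = 0x00416fc2 =>
         struct   = {
             unsigned short sin_port = 23569 (port=4444);
             struct in_addr sin_addr = {
                 unsigned long s_addr = 0 (host=0.0.0.0);
             };
         };
) =  0;
int listen (
     int s = 14;
) =  0;
int execve (
     const char * dateiname = 0x00416fb2 =>
           = "/bin//sh";
) =  0;'
# Every call opens with a line like "int socket ("; list the names in order.
call_sequence() {
    printf '%s\n' "$1" | sed -n 's/^int \([a-z0-9_]*\) ($/\1/p' | paste -s -d ',' -
}

# sin_port is stored in network byte order. Swapping the two bytes gives the
# host-order port: 23569 = 0x5c11 -> 0x115c = 4444, the value sctest annotates.
ntohs() {
    echo $(( (($1 & 255) << 8) | (($1 >> 8) & 255) ))
}

# Recompute the bind port from the raw sin_port rather than trusting the note.
bind_port() {
    ntohs "$(printf '%s\n' "$1" | sed -n 's/.*sin_port = \([0-9]*\).*/\1/p' | head -n 1)"
}
# First string passed to execve (the program path), without the quotes.
execve_path() {
    printf '%s\n' "$1" | sed -n 's/^ *= "\([^"]*\)";$/\1/p' | head -n 1
}

# One-line verdict: a socket/bind/listen/execve chain is a bind shell.
summary() {
    echo "calls=$(call_sequence "$1") port=$(bind_port "$1") exec=$(execve_path "$1")"
}
summary "$SAMPLE"
```

Feed it the real pseudo-code section from an sctest run instead of SAMPLE to get the same one-line summary for other shellcode.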

Libemu - Conclusion

While I haven't used it a lot yet, I plan on at least using the sctest tool a lot in the future.

Additionally, one of the exam requirements is to do analysis on some MSF shellcode. I can see myself utilizing this in addition to the standard ndisasm and GDB.

Let me know if you have any other uses for this tool, or any scripts that you've written using the library functionality!

Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCP, eCPPT, eWPT, eWPTX, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Penetration Testing Consultant for Secureworks. His previous position was a Senior Penetration Tester for a major financial institution.

When he's not figuring out what cert to get next (currently GXPN) or side project to work on, he enjoys playing video games, traveling, and watching sports.
