> For the complete documentation index, see [llms.txt](https://blog.giulioginesi.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://blog.giulioginesi.com/malware-analysis/manipulating-shellcode-for-emulation.md). # Manipulating Shellcode for Emulation It is not uncommon, when performing malware analysis, to come across many different types of shellcode usually encrypted and obfuscated. Sooner or later in the analysis journey, you will end up having to manipulate such shellcode and you would then want to transform it into a more analyzable format. Suppose that during your analysis you found the following shellcode in a highly obfuscated embedded macro and that it is encrypted, byte by byte, using the key `0xde 0xad 0xbe 0xef`. What I would normally do is extract the shellcode and try to decrypt it in python, in this case, it is very quick and straightforward to do using the following snippet: ```python shellcode = [...] key = [0xde, 0xad, 0xbe, 0xef] decoded = shellcode for k in key: for s in range(0, len(shellcode)): decoded[s] = decoded[s]^k ``` This will leave us with the decrypted shellcode inside the `decoded` array. We can take this one step forward and save the array to a file so that it can be used and manipulated in other programs. This can be achieved by expanding the above code snippet with the following lines: ```python file.open("output.bin", 'wb') file.write(bytes(decoded)) file.close() ``` We now can open the saved shellcode in rizin, ida or your favourite tool and begin our analysis. However, the quickest and easiest way of extracting information from the shellcode is by attempting to emulate it. Two projects can be used for this, one is [qiling](https://github.com/qilingframework/qiling) and the other one is [speakeasy](https://github.com/mandiant/speakeasy). Qiling is a topic for another blogpost, while speakeasy is simple and straightforward. It can be used both as a standalone executable as well as a python library, when using the latter we can write our own parser for the report which will allow us to extract some fairly rich and interesting information. The following is an example script that will decode the shellcode and emulate it returning a brief report as an output. ```python import speakeasy shellcode = [159, 132, 188, 241, 218, 255, 224, 251, 86, 6, 214, 121, 17, 235, 147, 123, 19, 73, 54, 33, 73, 54, 161, 201, 222, 102, 73, 13, 50, 37, 182, 242, 195, 85, 62, 23, 242, 135, 88, 31, 99, 91, 42, 49, 72, 208, 126, 162, 97, 217, 200, 248, 169, 46, 120, 114, 200, 1, 70, 235, 236, 0, 58, 50, 33, 166, 3, 249, 116, 231, 68, 143, 63, 8, 24, 91, 119, 196, 137, 44, 9, 24, 239, 226, 5, 32, 151, 71, 213, 212, 43, 69, 10, 95, 235, 101, 186, 40, 128, 189, 59, 253, 148, 75, 79, 193, 171, 180, 229, 178, 252, 193, 251, 82, 13, 22, 87, 159, 189, 155, 165, 216, 58, 0, 208, 210, 120, 253, 39, 225, 3, 25, 161, 241, 160, 234, 17, 21, 16, 62, 135, 158, 26, 203, 131, 184, 126, 206, 68, 179, 123, 71, 171, 87, 202, 31, 140, 115, 146, 196, 237, 226, 62, 106, 205, 48, 218, 23, 119, 123, 201, 2, 203, 128, 209, 110, 149, 22, 29, 163, 106, 230, 117, 176, 25, 212, 218, 42, 246, 152, 83, 181, 1, 233, 180, 10, 217, 81, 212, 244, 222, 161, 252, 62, 138, 241, 106, 150, 243, 154, 170, 27, 38, 118, 161, 143, 143, 128, 187, 5, 248, 146, 191, 4, 105, 31, 89, 58, 25, 79, 246, 251, 201, 239, 166, 147, 195, 224, 217, 128, 43, 43, 182, 107, 196, 197, 238, 199, 189, 128, 165, 182, 66, 91, 192, 181, 201, 169, 48, 123, 62, 220, 34, 172, 89, 34, 251, 109, 204, 34, 145, 105, 154, 117, 9, 116, 191, 189, 214, 139, 234, 190, 209, 116, 175, 182, 170, 67, 57, 186, 196, 175, 233, 58, 213, 249, 163, 58, 189, 153, 211, 105, 152, 225, 13, 218, 53, 116, 242, 138, 230, 211, 154, 116, 16, 23, 69, 139, 51, 103, 66, 119, 197, 64, 235, 31, 53, 17, 203, 159, 95, 145, 155, 247, 168, 190, 20, 55, 80, 21, 61, 31, 219, 244, 207, 254, 220, 208, 146, 98, 220, 211, 74, 81, 167, 88, 172, 86, 88, 177, 201, 87, 88, 185, 47, 104, 142, 128, 89, 175, 78, 179, 86, 154, 243, 146, 60, 224, 100, 224, 40] key = [0xde, 0xad, 0xbe, 0xef] decoded = shellcode for k in key: for s in range(0, len(shellcode)): decoded[s] = decoded[s]^k file = open("output.bin", 'wb') file.write(bytes(decoded)) file.close() import speakeasy def formatter(report): for entry_point in report["entry_points"]: apis = entry_point["apis"] print("Function Calls:") for api in apis: print("\t{} \n\t\t|_ {}".format(api["api_name"], api["args"])) try: network_events = entry_point["network_events"] except: network_events = False if (network_events): print("Network Traffic:") for d in network_events["dns"]: print("Dns Query: {}".format(d)) for t in network_events["traffic"]: try: data = t["data"] except: data = False print("\tAddress: {}:{} Type: {} Data: {}".format(t["server"], t["port"], t["type"], data)) se = speakeasy.Speakeasy() module = se.load_shellcode("output.bin", "x86") se.run_shellcode(module) report = se.get_report() formatter(report) ``` The output is the following ![](/files/ZHPc6tZgIN1Y4h9pSxtV) --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://blog.giulioginesi.com/malware-analysis/manipulating-shellcode-for-emulation.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.