While evaluating the problems of shellcode emulation providing proxied api hooks, we came to the conclusion it might be damn dangerous as one could write shellcode which scanning for vulnerable systems to spread. Just when this was said, we rememberd a worm which sent (and still sends) shellcode to scan for vulnerable system and infect them, the good old sqlslammer, a single udp packet which created a lot of havoc in 2003. As the worm is plain assembler, and just some hundred bytes long, we decided to give it a ride on libemu. After faking three IAT entries it worked, and here is the result:

(click for large version)
For those who want to print the graph, here is a vertical version.