As a malware analyst and reverse engineer, I am often faced with reversing some type of cryptography algorithm or decompression routine that can take hours, days, months, or even years to fully understand. I am often tasked with understanding: what is the blob of data that is used by the malware? Answering the "what" is always the challenging part, and I usually don't have a lot of time to fully reverse some crypto routine. I simply need to answer the question: this data is a configuration file that is used by the malware to do XYZ, or I simply don't know what this data is (I don't like to give this answer, but it happens).

There are several different approaches one can take to decrypt/decompress data from malware. You can run the malware and dump memory segments (then dump strings on each segment afterwards), debug the malware in a debugger, place hooks on decryption/decompression routines and dump the return values, do static analysis, etc. While all these approaches are good and will provide you the desired answers, they can be somewhat time consuming. What if you have several blobs of data you need decoded/decompressed? Wouldn't it be great if you could take the assembly code directly from the malware's decompression/decoding routine, put it in a compiler such as Visual Studio, compile it to a dynamic link library (DLL), and then call into it using your favorite scripting language such as Python? This blog will show a technique that can be used to achieve just this.

```asm
push 100
push 40
push 30
pop eax
pop eax
pop eax
```
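To make the "compile the routine into a DLL and call it from Python" workflow concrete, here is an added example of the C wrapper that sits around a lifted routine. It is not code from the blog post: the `decode_blob` and `lifted_decode` names, the `DECODER_API` export macro, and the rolling-XOR loop standing in for the malware's decoder are all constructed for this example (in the real workflow the body of `lifted_decode` would be the malware's assembly pasted into an MSVC `__asm { ... }` block in an x86 build).

```c
/* Added example (not from the blog post): the C shape used when a routine
 * lifted from malware is compiled into a DLL that Python calls via ctypes. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* MSVC only places a symbol in the DLL export table when it is marked
 * __declspec(dllexport); on other toolchains default visibility suffices. */
#ifdef _WIN32
#  define DECODER_API __declspec(dllexport)
#else
#  define DECODER_API
#endif

/* Stand-in for the lifted routine. In practice this body is the malware's
 * decompression/decoding loop inside an MSVC __asm block. Here it is a
 * constructed keystream-XOR loop so the example builds and runs anywhere. */
static void lifted_decode(const uint8_t *in, size_t len, uint8_t *out)
{
    uint8_t key = 0x5A;                     /* constructed seed value */
    for (size_t i = 0; i < len; i++) {
        out[i] = in[i] ^ key;
        key = (uint8_t)(key * 13 + 43);     /* constructed keystream step */
    }
}

/* The C-callable boundary ctypes will describe: only pointers and sizes, no
 * structs or C++ types. The caller (Python) owns both buffers. Returns the
 * number of bytes written, or 0 when the arguments are unusable, so the
 * Python side can detect failure instead of reading an uninitialised buffer. */
DECODER_API size_t decode_blob(const uint8_t *in, size_t len,
                               uint8_t *out, size_t out_cap)
{
    if (in == NULL || out == NULL || len > out_cap)
        return 0;
    lifted_decode(in, len, out);
    return len;
}

/* Self-check: the constructed transform is a keystream XOR, so applying it
 * twice must give back the original bytes. Returns 1 on success, 0 otherwise. */
int decode_blob_roundtrip_ok(void)
{
    static const uint8_t sample[] = "constructed config blob";   /* constructed input */
    uint8_t enc[sizeof sample], dec[sizeof sample];

    size_t n = decode_blob(sample, sizeof sample, enc, sizeof enc);
    if (n != sizeof sample)
        return 0;
    n = decode_blob(enc, n, dec, sizeof dec);
    if (n != sizeof sample)
        return 0;
    return memcmp(dec, sample, sizeof sample) == 0
        && memcmp(enc, sample, sizeof sample) != 0;
}

int main(void)
{
    printf("round trip %s\n", decode_blob_roundtrip_ok() ? "ok" : "FAILED");
    return decode_blob_roundtrip_ok() ? 0 : 1;
}
```

On the Python side the exported function is reached with `ctypes.CDLL("decoder.dll").decode_blob` (assumed DLL name), setting `argtypes` to `[c_char_p, c_size_t, c_void_p, c_size_t]` and `restype` to `c_size_t`, and passing a `ctypes.create_string_buffer(len)` as the output buffer. Two caveats a practitioner should plan for: ctypes can only load a DLL whose bitness matches the interpreter, so a routine lifted from 32-bit malware needs an x86 build of the DLL and a 32-bit Python; and the lifted routine is still attacker-written code executing inside the Python process, so the decoding should run inside the analysis VM rather than on the analyst's host.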