# Sliding window went past the end of the functionĬurrent_file = idaapi.get_root_filename()į.write(" \n".format(current_file, ''.join(url)))Īt this stage, we can use the automation technique of running IDA in non-GUI mode and use the above script. If idc.GetMnem(v3) = 'lea' and idc.GetOpnd(v3, 0) = 'edi': If idc.GetMnem(v2) = 'pop' and idc.GetOpnd(v2, 0) = 'ecx': If idc.GetMnem(v1) = 'mov' and idc.GetOpnd(v1, 0) = 'esi': # Look for known markers indicating we're seeing the encoded strings If flags & FUNC_LIB or flags & FUNC_THUNK:ĭism_addr = list(idautils.FuncItems(func)) # Ignore THUNK (jump function) or library functons # Wait for auto-analysis to finish before running script The remaining functions will then be iterated through using a sliding window where we’ll inspect four instructions at a time, seeking the markers previously identified to determine if there are any matches:
To do so, we’ll iterate through every function IDA identifies, and proceed to ignore any functions marked as a jump function or belonging to a known library. We also notice that the same sequence of instructions are executed when this memcpy instruction takes place:įigure 1 Function containing encoded strings in CmstarĪrmed with this information, we can attempt to identify this sequence of instructions using IDAPython. One of the strings contains the domain or IP address that the malware will connect to, while the other contains the URI. Correlating across a few samples, we conclude that two encrypted strings are being stored into a variable using calls to memcpy. Knowing this, our next task is to identify where this data resides within a Cmstar sample.
We’ll be using these switches later on in the post. Additionally, the ‘-S’ switch specifies the IDAPython script that will be run upon execution.
In these examples, the ‘-c’ switch generates a new IDB file, even in the event one already exists. The following command-line examples demonstrate this technique being used in both OSX and Microsoft Windows.
IDA PRO DETECT A PARTICULAR DIALOG BOX WINDOWS
This particular switch will instruct IDA to run in autonomous mode, ensuring that no windows or dialog boxes are presented to the user. In order to do so, the user must run the IDA executable with the ‘-A’ switch. Many may be surprised to learn that IDA can be executed purely on the command-line without spawning a GUI. Using this technique, we’ll be able to process many samples very quickly without needing to manually open each file in a new instance of IDA and run the IDAPython script. Specifically, let's address how we’re going to load files into IDA without spawning a GUI, automatically run an IDAPython script, and extract the results. For this sixth installment, I’d like to discuss using IDA in a very automated way. In Part 5 of our IDAPython blog series, we used IDAPython to extract embedded executables from malicious samples.
0 kommentar(er)
