Malware Hexorcism with IDA Pro — by Nico Brulez
Updated: Jan 1, 2021
SINCON 2020 Conference Workshop Track
Day 1 (2 Jan 2021)
@ Workshop Room
This workshop focuses on a few tricks using IDA Pro for malware analysis.
There are two parts to this workshop.
Part 1. IDA Python & IDA Pro Debugger
For this part, we will work on the KPOT infostealer and show how to write an IDAPython script that locates every call to the string-decryption functions, sets a breakpoint on each of those calls and triggers a Python function when the breakpoint is hit.
The end result is a comment in front of each decryption function call containing the decrypted string.
As a side example, we will also see how to set breakpoints and attach Python handlers through the user interface. This is useful when you want to gather information dynamically before starting static analysis.
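As an added example (not the workshop's own script), here is one way to write the Part 1 helper in IDAPython. Because the page does not give them, the following are assumptions: the decryption routine is named `decrypt_string`, takes the ciphertext pointer as its first stack argument and returns the plaintext as a C string in EAX (32-bit sample). Each call site gets a breakpoint and so does the instruction after it; both breakpoint conditions are Python expressions that call back into a global `annot` object and return False, so the process keeps running while the comments accumulate. Outside IDA a constructed stand-in backend replaces the IDAPython calls so the script's logic can be exercised offline.

```python
"""Comment every call to a string-decryption routine with its plaintext.

Added example, not the workshop's own script. Assumed, not from the page:
the routine is named 'decrypt_string', takes a pointer to the ciphertext as
its first stack argument and returns a C string pointer in EAX (32-bit
sample); the IDA debugger is attached and breakpoint conditions are Python.
Outside IDA a constructed stand-in backend replaces the IDAPython calls.
"""
try:
    import idc
    import idautils          # only importable inside IDA
    IN_IDA = True
except ImportError:
    IN_IDA = False


class IdaBackend:
    """The IDAPython calls the annotator needs."""
    def callers(self, func_ea):
        return [ea for ea in idautils.CodeRefsTo(func_ea, 0)
                if idc.print_insn_mnem(ea) == "call"]
    def next_insn(self, ea):
        return idc.next_head(ea)
    def set_breakpoint(self, ea, cond):
        idc.add_bpt(ea, 0, idc.BPT_SOFT)
        idc.set_bpt_cond(ea, cond)   # Python expression; False = keep running
    def reg(self, name):
        return idc.get_reg_value(name)
    def read_dword(self, ea):
        return idc.get_wide_dword(ea)
    def cstring(self, ea):
        raw = idc.get_strlit_contents(ea, -1, idc.STRTYPE_C)
        return raw.decode("latin-1") if raw else ""
    def set_comment(self, ea, text):
        idc.set_cmt(ea, text, 0)


class DecryptAnnotator:
    """One breakpoint on each call and one on the instruction after it; both
    conditions call back into this object (found through a global name) and
    return False, so the debuggee never actually pauses."""
    def __init__(self, backend, decrypt_ea, global_name):
        self.b, self.decrypt_ea, self.name = backend, decrypt_ea, global_name
        self.pending = {}   # return address -> call site
        self.args = {}      # call site -> ciphertext pointer seen at the call
        self.results = {}   # call site -> decrypted string
    def arm(self):
        sites = self.b.callers(self.decrypt_ea)
        for site in sites:
            ret = self.b.next_insn(site)
            self.pending[ret] = site
            self.b.set_breakpoint(site, "%s.on_call(0x%x)" % (self.name, site))
            self.b.set_breakpoint(ret, "%s.on_return(0x%x)" % (self.name, ret))
        return len(sites)
    def on_call(self, site):
        self.args[site] = self.b.read_dword(self.b.reg("ESP"))  # first arg at [ESP]
        return False
    def on_return(self, ret):
        site = self.pending.get(ret)
        if site is not None:
            text = self.b.cstring(self.b.reg("EAX"))
            self.results[site] = text
            self.b.set_comment(site, "decrypt(0x%x) -> %r" % (self.args.get(site, 0), text))
        return False


class FakeBackend:
    """Constructed stand-in: two calls to decrypt_string (0x401000) in a
    pretend 32-bit binary; plaintexts are made up for the demo."""
    DECRYPT = 0x401000
    CALLS = {0x401050: 0x403000, 0x401080: 0x403010}   # call site -> ciphertext ptr
    PLAIN = {0x403000: "kpot.exe", 0x403010: "%APPDATA%"}
    def __init__(self):
        self.bpts, self.regs, self.mem32, self.strs, self.comments = {}, {}, {}, {}, {}
    def callers(self, func_ea): return sorted(self.CALLS) if func_ea == self.DECRYPT else []
    def next_insn(self, ea): return ea + 5          # 'call rel32' is five bytes
    def set_breakpoint(self, ea, cond): self.bpts[ea] = cond
    def reg(self, name): return self.regs[name]
    def read_dword(self, ea): return self.mem32[ea]
    def cstring(self, ea): return self.strs.get(ea, "")
    def set_comment(self, ea, text): self.comments[ea] = text
    def run(self, env):
        """Pretend to execute each call, evaluating conditions the way IDA would."""
        for site, arg in sorted(self.CALLS.items()):
            self.regs = {"ESP": 0x19FF00}
            self.mem32[0x19FF00] = arg                  # argument pushed for the call
            eval(self.bpts[site], env)
            self.regs["EAX"], self.strs[0x405000] = 0x405000, self.PLAIN[arg]
            eval(self.bpts[site + 5], env)


def offline_demo():
    fake = FakeBackend()
    annot = DecryptAnnotator(fake, FakeBackend.DECRYPT, "annot")
    annot.arm()
    fake.run({"annot": annot})    # conditions find 'annot' in this namespace
    return annot.results, fake.comments


if IN_IDA:
    annot = DecryptAnnotator(IdaBackend(), idc.get_name_ea_simple("decrypt_string"), "annot")
    print("armed %d call sites; resume the process" % annot.arm())
else:
    for ea, text in sorted(offline_demo()[1].items()):
        print("0x%x  %s" % (ea, text))
```

Inside IDA, run it as a script file with the debugger attached and the process suspended, then resume: each call site receives its comment the first time that call returns. The condition strings refer to `annot` by name, so the object must be reachable under that global name from the namespace in which IDA evaluates Python conditions (the interpreter's `__main__`, which is where a script file runs). If the sample decrypts into a buffer it later reuses, a second hit simply overwrites the comment with the newer string.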
Part 2. Static Analysis Tricks + Appcall Feature (How to call functions inside the malware from IDA Python)
We will look at the static analysis of shellcode and present a few tricks that make the code easier to read and follow.
Although the analysis itself is done statically, we will discuss the Appcall feature, which lets IDA call specific functions inside the program being analysed from IDA Python.
Here it is used only to resolve function names that the shellcode imports by hash, and we will write a simple script to do so.
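As an added example of the Part 2 script (not the workshop's own code): for every call to the hash resolver it walks back to the `push imm32` carrying the hash, resolves the hash by invoking the resolver inside the debuggee through Appcall, and comments the call site with the API name. The page does not give these details, so they are assumptions: the resolver is named `resolve_api`, is cdecl with one 32-bit argument and returns the API address, and the hash is pushed within a few instructions of the call. Outside IDA a constructed stand-in with a ROR13-style toy hash (assumed as a common scheme) plays the part of the suspended process.

```python
"""Resolve hash-imported API names through Appcall and comment the call sites.

Added example, not the workshop's own script. Assumed, not from the page:
the sample has a routine 'resolve_api' taking one 32-bit hash as a cdecl
stack argument and returning the API address, and every call to it is
preceded within a few instructions by a 'push imm32' carrying the hash.
Appcall only works while the debuggee is suspended in the IDA debugger.
"""
try:
    import idaapi, idautils, idc   # only importable inside IDA
    IN_IDA = True
except ImportError:
    IN_IDA = False


class IdaBackend:
    def __init__(self, resolver_name):
        self.resolver_ea = idc.get_name_ea_simple(resolver_name)
        # Appcall turns a C prototype into a Python callable that runs the
        # routine inside the debuggee and hands its return value back.
        self.call = idaapi.Appcall.proto(
            resolver_name, "unsigned int __cdecl %s(unsigned int h);" % resolver_name)
    def callers(self):
        return [ea for ea in idautils.CodeRefsTo(self.resolver_ea, 0)
                if idc.print_insn_mnem(ea) == "call"]
    def prev_insn(self, ea):
        prev = idc.prev_head(ea)
        return None if prev == idc.BADADDR else prev
    def push_imm(self, ea):
        """Immediate operand if 'ea' is 'push imm32', else None."""
        if idc.print_insn_mnem(ea) == "push" and idc.get_operand_type(ea, 0) == idc.o_imm:
            return idc.get_operand_value(ea, 0) & 0xFFFFFFFF
        return None
    def resolve(self, h):
        addr = int(self.call(h))        # executes resolve_api(h) in the debuggee
        return idc.get_name(addr) or "unresolved_%08x" % h
    def set_comment(self, ea, text):
        idc.set_cmt(ea, text, 0)


def ror13_hash(name):
    """Toy hash for the stand-in only: rotate-right-13 then add, per byte."""
    h = 0
    for b in name.encode():
        h = (((h >> 13) | (h << 19)) + b) & 0xFFFFFFFF
    return h


class FakeBackend:
    """Constructed stand-in: a pretend export table and a few instructions
    around two calls to resolve_api. The second call has a 'mov' between
    the push and the call, which the backtracking loop must step over."""
    EXPORTS = {0x76A01000: "LoadLibraryA", 0x76A03000: "VirtualAlloc"}
    INSNS = {                               # ea -> (mnemonic, immediate)
        0x401100: ("push", ror13_hash("LoadLibraryA")),
        0x401105: ("call", None),
        0x40110A: ("push", ror13_hash("VirtualAlloc")),
        0x40110F: ("mov", None),
        0x401111: ("call", None),
    }
    def __init__(self):
        self.table = {ror13_hash(n): a for a, n in self.EXPORTS.items()}
        self.comments = {}
    def callers(self): return [ea for ea, (m, _) in self.INSNS.items() if m == "call"]
    def prev_insn(self, ea):
        earlier = [e for e in self.INSNS if e < ea]
        return max(earlier) if earlier else None
    def push_imm(self, ea):
        mnem, imm = self.INSNS[ea]
        return imm if mnem == "push" else None
    def resolve(self, h):
        return self.EXPORTS.get(self.table.get(h), "unresolved_%08x" % h)
    def set_comment(self, ea, text): self.comments[ea] = text


def find_hash_for_call(backend, call_ea, max_back=5):
    """Walk back from the call (at most max_back insns) to the 'push imm32'."""
    ea = call_ea
    for _ in range(max_back):
        ea = backend.prev_insn(ea)
        imm = backend.push_imm(ea) if ea is not None else None
        if ea is None or imm is not None:
            return imm
    return None


def annotate_hash_imports(backend):
    """Resolve and comment every call to the resolver; returns {call_ea: name}."""
    names = {}
    for call_ea in sorted(backend.callers()):
        h = find_hash_for_call(backend, call_ea)
        if h is None:
            backend.set_comment(call_ea, "resolve_api: hash operand not found")
            continue
        names[call_ea] = backend.resolve(h)
        backend.set_comment(call_ea, "resolve_api(0x%08x) -> %s" % (h, names[call_ea]))
    return names


def offline_demo():
    fake = FakeBackend()
    return annotate_hash_imports(fake), fake.comments


if IN_IDA:
    print(annotate_hash_imports(IdaBackend("resolve_api")))
else:
    for ea, text in sorted(offline_demo()[1].items()):
        print("0x%x  %s" % (ea, text))
```

Two practical points: Appcall needs a suspended debuggee in which the resolver's own setup (for example, locating the module base it walks) has already run, so break after that point before running the script; and the prototype string must match the routine's real calling convention, otherwise the call leaves the stack unbalanced. The names returned are whatever IDA assigned to the resolved addresses, which for exports of loaded modules are IDA's debugger names for them.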
Prerequisites: familiarity with reverse engineering, assembly language, IDA Pro and Python.
This workshop is not for beginners, but it is not hard either.
About Nicolas Brulez
NICOLAS BRULEZ is the founder of HEXORCIST, a company that specializes in providing reverse engineering and malware analysis training. Prior to that, he worked for eight years in the Global Research and Analysis Team at Kaspersky.
Over the past 20 years, Nicolas has authored numerous articles and papers on reverse engineering and virus analysis. He is also a co-author of the Armadillo Protection system.
He was an instructor at the first RECON conference in 2005 and is still teaching there 15 years later. Besides RECON, Nicolas has presented at Pacsec, ToorCon, SSTIC, Virus Bulletin, Hacker Halted, RuxCon and TakeDownCon.