Without executing the malware, it's hard to determine which function is called by each of these indirect function calls.
To speed up our analysis, we could find a way to label the addresses read by the indirect function calls with the names of the functions they reference.
To do so we could use the following IDAPython script:
    # Author: Mark Lim
    # Version: 0.2 (01 May 2018)
    # Use while debugging the target in IDA Pro: select the table of function
    # pointers, then run the script to name each slot after the API it points to.
    # Naming a slot with the bare API name (no DLL prefix) makes IDA recognise the
    # function and populate its parameter arguments. [Credits to @nullandnull]
    #
    # The script uses the pre-7.4 IDC names (SelStart, SelEnd, MakeDword,
    # MakeNameEx, Dword). On IDA 7.4+ without the compatibility layer the
    # equivalents are read_selection_start, read_selection_end, create_dword,
    # set_name and get_wide_dword.
    from __future__ import print_function
    import idc

    ea = SelStart()           # first slot of the selected pointer table
    end = SelEnd()
    while ea < end:
        addr = idc.Dword(ea)                      # target the slot points to
        FuncName_dll = idc.get_name(addr)         # e.g. "kernel32_CreateFileA"
        try:
            FuncName = FuncName_dll.split('_')[1]  # drop the DLL prefix
        except IndexError:
            FuncName = "NIL"                      # unresolved / unnamed target
        print(hex(ea), FuncName)
        MakeDword(ea)                             # define the slot as a DWORD
        idc.MakeNameEx(ea, FuncName, idc.SN_NOWARN)
        ea += 4                                   # 32-bit pointers
After running the script, we could see the addresses of the function pointers being renamed.
Next, we will need to create a struct from the function pointers.
Finally, we could right click and label each indirect function call with the function it is going to call.
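The same walk-and-label logic, as an added example that is not the author's script and runs outside IDA on constructed data: the resolved names, the pointer table bytes and the base address are all assumed. It also generalises the prefix-stripping step and renders the result as the struct the next step needs.

```python
import struct

# Constructed stand-in for what the IDA debugger shows once the malware has
# resolved its imports: target address -> IDA-style "dll_FunctionName".
RESOLVED_NAMES = {
    0x7C801A28: "kernel32_CreateFileA",
    0x7C810E17: "kernel32_WriteFile",
    0x7C809B84: "kernel32_CloseHandle",
    0x71AB6A55: "ws2_32_WSAStartup",   # DLL name itself contains '_'
}
# Constructed table: five little-endian DWORDs; third slot still zero (unresolved). Base assumed.
SAMPLE_TABLE = struct.pack("<5I", 0x7C801A28, 0x7C810E17, 0, 0x7C809B84, 0x71AB6A55)
TABLE_BASE = 0x00403000

def strip_dll_prefix(ida_name):
    """kernel32_CreateFileA -> CreateFileA, or 'NIL' when nothing is known.
    Splitting at the last '_' also handles ws2_32_WSAStartup (the script's
    split('_')[1] gives '32'); an API name containing '_' would still be cut."""
    if not ida_name or "_" not in ida_name:
        return "NIL"
    return ida_name.rpartition("_")[2]

def label_pointer_table(table_bytes, base_addr, resolved):
    """Walk the table as the IDA script does: one (slot, target, label) per
    complete 32-bit slot; a trailing partial DWORD is ignored."""
    labels = []
    for offset in range(0, len(table_bytes) - len(table_bytes) % 4, 4):
        target = struct.unpack_from("<I", table_bytes, offset)[0]
        labels.append((base_addr + offset, target, strip_dll_prefix(resolved.get(target))))
    return labels

def emit_struct(labels, name="api_table"):
    """Render the labelled slots as a C struct (the 'create a struct' step) so
    each indirect call shows a member name; unresolved/duplicate slots get unique names."""
    lines, seen = ["struct %s {" % name], set()
    for i, (_, _, label) in enumerate(labels):
        member = label if label != "NIL" else "unknown_%d" % i
        if member in seen:
            member = "%s_%d" % (member, i)
        seen.add(member)
        lines.append("    DWORD %s;" % member)   # DWORD matches the script's MakeDword
    lines.append("};")
    return "\n".join(lines)

if __name__ == "__main__":
    table = label_pointer_table(SAMPLE_TABLE, TABLE_BASE, RESOLVED_NAMES)
    for slot, target, label in table:
        print("%#010x -> %#010x %s" % (slot, target, label))
    print(emit_struct(table))
```

Paste the emitted struct into IDA's Local Types, apply it to the register holding the table base, and the indirect calls show the member names.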
I know I have left out a few steps, like how to use the IDA Pro debugger, how to create a struct, and the details of the functions used in the script. Just leave me a comment or question if you need more details. :)
Thanks to @nullandnull's tweet reply, I have updated my script to support the following: