As a reverse engineer/malware analyst, it is important to be able to write scripts to help automate your workflow. One example is writing plug-ins for tools such as Ghidra that can aid in deobfuscating strings for a particular sample. In this example we will be recovering strings that have been obfuscated using the bitwise XOR operation. This example uses fairly simple techniques that will serve as an introduction to writing Python plugins and string deobfuscation routines.
Code: https://github.com/comosedice2012/XOR-Decode-Strings-Ghidra-Plugin/blob/main/deobfuscate_ghidra_strings.py
Original sample and DLL: https://github.com/jstrosch/XOR-Decode-Strings-IDA-Plugin
Analysis on YouTube: https://youtu.be/un8I6dfuDVQ
Below is a sample of the obfuscated string pattern. The function…
Author: Ryan Blevins
My name is Ryan Blevins and I reside in the Pacific Northwest. I like hiking, camping, photography, and generally being in the great outdoors (weather sort-of permitting). My education has begun by earning a BS in Cyber Security from Dakota State University. Professionally, my interests are in threat intelligence, specifically all things malware related.
Let’s look at an example of Excel 4.0 macros, an old technique that has made a recent comeback. Excel 4.0 macros were introduced in Excel version 4.0 in 1992. What makes these macros so powerful is that you can run commands directly from these sheets in an Excel document. There is a long list of what you can do (https://d13ot9o61jdzpp.cloudfront.net/files/Excel%204.0%20Macro%20Functions%20Reference.pdf and https://0xevilc0de.com/excel-4-macros-get-workspace-reference/).
How Do Excel 4.0 Macros Work?
A simple example below pops the calculator and prints some text. To do this, right click on the “sheet” tab at the bottom of the screen, click “insert”, and select “Excel…
Let’s take a look at an example of a malicious Word document that has a password-protected VBA project. When looking at malware, it is a good idea to first verify the file type you are looking at. Many malware authors will purposely use deceptive file extensions to try to look as benign as possible. Running the “file” command on the file confirms it to be a Word document, as the extension suggests. Our next step is checking the streams for macros using oledump.py. The following three streams have macros in them, indicated by an uppercase “M”. Searching for…