Most of the malware nowadays are using custom string decoding algorithm to hide the juicy strings that provide key information of sample. It will be great if we are able to decode all the string and add them in the code comment so that we can analyze is side-by-side and understand the malware better. As for this, I had wrote a Ghidra decoding script in Python for Qakbot.
Find the decryption algorithm
Based on the experience, malware will always declare certain function many times for its decoding routine.
After poking around with it, function FUN_10010eff seems have something juicy since it loads some hex number as parameter and it repeats many time in same order. Let’s check into it!
Understanding the algorithm
At first glance, the function is perform some decoding routine (Based on the XOR, for/while loop and some constant byte array found within the function).
When investigate further, it does really XOR something (XOR_1 & XOR_2).
At the end of the function, it really does some XOR operation between the XOR_1 and XOR_2.
As for how does the decoding functions works, I had annotated the decompiled code for better understanding.
Write the decryption script
Wrote a decoding script based on the highlighted decompiled code. Full script here.
After correctly implementing the decoding script, its time to merge it with the Ghidra API function so that those decoded strings can print out as comment in the assembly code page.
You could check out the references below for the basic Ghidra API function implementation and official Ghidra API webpage.
Here is the output of the decoding script. Now, you can see the decoded strings in the comment sections of the code. This will be very helpful for analyst to understand the sample much better ✌.
Unfortunately the Python Ghidra scripting only supports Python 2 only as it mainly depends on Jython (Python to Java). However, we can use ghidra_bridge to script in Python 3. If you are Java fans, you can directly use Java as your scripting language in Ghidra.
Hopefully it does help to those who are looking to Ghidra scripting. Cheers!
Deep Analysis of QBot Banking Trojan
QBot is a modular information stealer also known as Qakbot or Pinkslipbot. It has been active for years since 2007. It…
An Introduction To Code Analysis With Ghidra
This article describes an approach for using Ghidra to perform malicious code analysis. Ghidra is a free software…
Scripting Ghidra with Python
This post shortly gives a few examples to get started with scripting Ghidra using Python. look at the online API use…
Automating Ghidra - part 2
In the last Automating Ghidra post [/scripting-ghidra/] we looked at how we can script Ghidra to do some mundane…