[Mal Series #17] Binary Emulation with Qiling Framework

Using Qiling to automate WinApi hash finding tasks and also did a lazy quick win against stack string obfuscation.

Before working on that, make sure download the requirement dlls and registries into your work folder (e.g. ~/qiling/examples/rootfs/x86_windows)

You can get the collector script 📜 here :

Basically, in order to work with the emulation, it is better to identify:
✔ Desired section of the code that will be execute by the tool (e.g. hashing algorithm)
✔ Getting its start and end address which then will put them into ql.run for execution later
✔ Identify any arguments/registry (eax/ql.reg.eax, ebp/ql.reg.ebx etc.)/stacks that needs to will be needed by the code.

In the case below, we have to insert to string into the memory address as the function read to the pointer of the passed argument instead of literal string.

We have to use ql.mem.mapand ql.mem.string to create a available memory region and insert data into it once it has been created.

Once we had all the things that needed by the emulation, then create a function to extract the export function of common Windows DLL, (e.g. Kernel32.dll, Advapi.dll etc) then it can combine with the emulation code before to become a hash finder. Python library, pefile helps a lot in this case 😉.

Ohh… wait… how do I get these hashes from the sample? Checkout the link here. It’s a Ghidra hash extractor based on the sample btw. 🙌

For the 2nd one, stack string obfuscation, in this case it stores all of the strings in one large chunk of memory. So for ez win, just create a function to hook on the memory address where all the stack string has been pushed into the memory.

Lazy way to retrieve all the stack string

Extra ✌ (Analysis on In-memory malware downloader, similar with SystemBC shellcode loader)

Found that Qiling was very easy to use and looking forward to utilize it to do sumz fun stuffz in the future (●'◡'●).

Sample can be found in the analysis report below 👍.




Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store