Now the question remains, what the functions sub_407110() and sub_405210() are doing to yield library- and function names. The pointer to the IAT is located at dword_42A648 and the 383 x-refs to this address which we saw in the beginning are mostly calls to this IAT. It is now obvious that our mysterious buffer of 0x208 bytes is actually an IAT which is stored on the heap. Putting it all together, our structure is defined as follows:ĭWORD offsetForDecryptionImportNamesArrayStart ĭWORD offsetForDecryptionImportNamesArrayEnd The fourth DWORD of the structure is used in line 15, 16 and 20 and points to a list of offsets, which is used to calculate the address to store the imported functions, with the base of our previously allocated 0x208 bytes array. The third DWORD of the structure is used to mark the end of the list of the second DWORD in the for-loop in line 16. The second DWORD of the structure is used in line 14, 16, 18 and 21 and contains a list of hints to function names used in GetProcAddress(). Its first DWORD contains a hint to a string used in LoadLibraryW() in line 12 and 13. The argument called “hModule” by IDA is a pointer to a structure. Within sub_40C8C0() Hexrays’ decompiler shows the following picture: This call is done 8 times in a loop as you can see in line 21 to 27. Note that stru_42A058 holds a pointer to a structure which we will get to know in the following function, as it is an argument for the function call to sub_40C8C0(). The buffer is modified in the same function with a call to sub_40C8C0(). Looking at the x-refs of this address, we can find out in which context it is written to:ĭecompiling the function sub_402D30 () shows that dword_42A648 points to a buffer of 0x208 bytes (or 129 DWORDs). Yet, the first line of the decompiled wWinMain() shows lots of function calls relative to the address stored at dword_42A648. If you put the unpacked binary in IDA, you can see that Trickbot has several imported functions: Also Vitali Kremez explained the string obfuscation of a Trickbot sample at Obfuscated Import Address Table A similar, but more in-depth analysis from Hasherezade can be found at in conjunction with the tutorial on. Some intersections with this article can be found in the work of Michał Praszmo at, where some of the obfuscation features are touched. With a malware as wide spread and publicly known as Trickbot, there is already a lot of research.
Ida pro tutorial for beginners code#
In this post we will look at several obfuscation and anti-analysis techniques used by the malware Trickbot, based on the sample 8F590AC32A7C7C0DDFBFA7A70E33EC0EE6EB8D88846DEFBDA6144FADCC23663A from mid of December 2018.Īfter analyzing and understanding the obfuscation techniques, we will take care of deobfuscating the malware with IDA Python in order to make the code easier to analyze in Hexrays’ decompiler. When analyzing malware, one often has to deal with lots of tricks and obfuscation techniques.
0 kommentar(er)
