MalwareTech – Strings Everywhere (Eng)

Hi Again H4x0rs!

Im bringing you my latest insanity . Im Learning Malware analysis, You know, Spare time + a Little bit of craziness  and a bit of genius (@ValthekOn) and people supporting and pushing me to break all that used to frighten me and VOILA! Another bunny trying to learn reversing . Before I start special thanks to my blog-mate @naivenom for its assembler posts they´ve been really Handy in this adventure.

 

You dont know what am I speaking about? => TRY THIS

 

Lets start with the topic. I discovered the Malwaretech Blog rime ago and inside it, some challenges to learn how to analyze and reverse malware and I thoght… OK, WHY NOT?

But before continuing, and to set everybody on who is  Malwaretech the blog owner:

 

At present he is facing some trials in USA…. Hero? Villain? Make your own opinion, I do have mine.

In this article we´ll speak about the first 3 challenges called Strings. Yes, they are easy ones but they must be solved to gain accuracy and to loose that scaring sensation when we are facing IDA  (In my case IDA NOOB  because i nearly didnt know how the hell to open it)

Rules are simple:

  • Do not execute de Binary File
  • Dont use a debugger
  • Enjoy learning
  • All the challenge files are packed with the “MalwareTech” password

And to make things easyer this are the Utils we´re gonna use:

  1. Microsoft Windows 7 x64 Virtual Machine (Yes x64 in other case Ida wont Work)
  2. IDA Free edition 
  3. Radare 
  4. Ghidra 
  5. Strings  de Systernals
  6. Resource Hacker

 

As an introduction to refresh some concepts in order to be understood (yes this is not a new chinesse dialect) We´re gonna study some anatomy (You filthy …remember that  with that putrid hand you tuch your mamma!) Im speaking about binary anatomy.

After the executable headers, any binary has some important sections that are of great relevance in order to analyze malware. @Roskyfrosky forgive me if I make mistakes (It is my firs time=P)

  • .text => Contains the executable code fo the binary. Normally has Read and Execute permissions (R-X) and in case it has Write permission the antivirus systems tend to loose their mind cataloging it as MALWARE because  this indicates that something weird is happening with the executable and it could have auto-modify code.
  • .rdata => Is the Import / Export information of the program . In this section are stored the considered NON MUTABLE strings .As a curiosity any program exports at least a thing, MAIN. These are global Access data so they can be accessed from any part of the program during its execution.
  • .data => Is the global data of the aplication which are modificable during its execuiton. Usually this section has the program variables.
  • .rsrc => Is the section in which the program resources are listed (Cursors,Icons, Images, Forms, Menus…) But if we are speaking about malware, take care of this section because it could hold a secondary malicious binary inside.

If you want to enhance your knowledge about this topic I sugest to give a try to @naivenoms ASM and reversing saga . Just because it is a MUST to know some basic ASM instructions to know what we are doing. But lets refresh some concepts we´ll encounter during this adventure.

 

  • MOV =>  It allows to copy or insert data between registry, memory or data.
  • SHL   => Shift the bits of the operand destination to the left, by the number of bits specified in the count operand
  • XOR   => Ssets the resultant bit to 1, if and only if the bits from the operands are different. 
    • Resultant
      1 1 0
      1 0 1
      0 1 1
      0 0 0
  • INC      => Adds 1 to the destination operand.
  • OR        => The bitwise OR operator returns 1, if the matching bits from either or both operands are one
    • Resultant
      1 1 1
      1 0 1
      0 1 1
      0 0 0


HANDS ON BABY!

Strings 1

 

 

 

Strings 2

 

 

Strings 3

I hope this article helps to quit that scaring sensation to the Malware Analysis as happened to me in the past and if this is of your interest , to continue accompanying me in this dark and dangerous voyage  into the deepest and darkest waters of the Computer science.  But before saying Bye bye, special thanks to @Luigy0x18, who made a great work with Radare to offer you another point of view to solve this challenges.

 

A great Hug to all !and if you have any doubts dont hesitate and contact us in: https://t.me/Fwhibbit 

«Thanks to those who in the darkest moment brought light»

2 comentarios en «MalwareTech – Strings Everywhere (Eng)»

    1. Hi Muhammad,

      Sorry for the delayed answer!

      It depends on the tool you want to use some of them are both system compatible but there are some that are only native for Windows or for Linux. In this case we used Windows for IDA Free and Ghidra and Linux For Radare. Besides, Strings tool is both compatible.

      Nevertheless if you are interested on malware analysis in a easy way and without difficulties I encourage you to keep reading us because we are going to follow this particular topic in further articles.

      Hope this answer helps you and thanks for reading us!

Los comentarios están cerrados.