In the previous post, we had paused execution of the malware sample at a point where the malware had “unpacked” itself. We then used the .writemem WinDbg command to output the unpacked data into a file. Finally, we used a Python script to “patch” the original malware sample so we could analyze the unpacked malware with IDA Pro. In this post, we’re going to take a look at using IDA Pro’s scripting capabilities to achieve the same thing.

Python scripts can be used to automate tasks in IDA Pro. This is a pretty nice thing because you can use standard Python functions for doing things like opening and reading files. You will only need to use IDA Pro’s Python API when you need to do something IDA Pro specific. This means the learning curve is not as bad as it could have been if IDA Pro had set up a scripting language from scratch.

A screenshot of the IDA Pro disassembly view of the malware sample at offset 0x40614C is shown below. Recall from the last blog post that this address is called the original entry point of the malware sample. When we used the Python script to patch the malware sample, we reset the entry point of the program to this address. The data at this offset was not disassembled by IDA Pro when analyzing the original, packed malware sample. However, even if IDA Pro had disassembled the data, the disassembled instructions would not match the instructions being executed in WinDbg, because the values starting at this location were changed when the malware unpacked itself. To start to work with this data, we’re going to look at patching the information in IDA Pro manually.
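The split the post describes, standard Python for the file handling and the IDA API only for the IDB-specific steps, is easiest to see in a script. The following is an added example written for this post, not the author's script: it reads a .writemem dump with plain Python, writes it into the database at the original entry point, and re-creates instructions from there. The dump path `C:\unpacked.bin` is an assumption, and the `MemoryBackend` is a constructed stand-in for the IDB so the same logic can be run and checked outside IDA.

```python
"""
IDAPython-style loader for a WinDbg .writemem dump (added example, not the
blog's own script). Standard Python handles the file; the IDA API is used
only for the IDB-specific work (patching bytes, re-creating instructions).
"""
import os

OEP = 0x40614C  # original entry point quoted in the post

try:  # the ida_* modules only exist inside IDA Pro
    import ida_auto
    import ida_bytes
    import ida_funcs
    import ida_segment
    import ida_ua
    IN_IDA = True
except ImportError:
    IN_IDA = False


def read_dump(path, limit=16 * 1024 * 1024):
    """Standard Python: load the dump, refusing empty or oversized files."""
    size = os.path.getsize(path)
    if size == 0 or size > limit:
        raise ValueError("dump size %d outside (0, %d]" % (size, limit))
    with open(path, "rb") as f:
        return f.read()


class MemoryBackend:
    """Constructed stand-in for the IDB: one flat segment in a bytearray."""

    def __init__(self, base, size):
        self.base, self.image = base, bytearray(size)

    def in_segment(self, ea, n):
        return self.base <= ea and ea + n <= self.base + len(self.image)

    def patch_bytes(self, ea, data):
        off = ea - self.base
        self.image[off:off + len(data)] = data

    def redisassemble(self, ea, n):
        return n  # no disassembler here; report the range as covered


class IdaBackend:
    """Real IDB: thin wrapper over the handful of IDA API calls needed."""

    def in_segment(self, ea, n):
        seg = ida_segment.getseg(ea)
        return seg is not None and ea + n <= seg.end_ea

    def patch_bytes(self, ea, data):
        ida_bytes.patch_bytes(ea, bytes(data))

    def redisassemble(self, ea, n):
        # Drop whatever IDA had defined over the range (likely data or nothing),
        # then create instructions linearly until one fails to decode.
        ida_bytes.del_items(ea, ida_bytes.DELIT_EXPAND, n)
        cur = ea
        while cur < ea + n:
            length = ida_ua.create_insn(cur)
            if length <= 0:
                break
            cur += length
        ida_funcs.add_func(ea)      # make the OEP the start of a function
        ida_auto.auto_wait()        # let auto-analysis follow the new code
        return cur - ea


def load_unpacked(backend, ea, data):
    """Patch `data` into the database at `ea` and rebuild code from there.
    Returns (end_ea, bytes_disassembled)."""
    if not data:
        raise ValueError("nothing to patch")
    if not backend.in_segment(ea, len(data)):
        raise ValueError("0x%X..0x%X is not inside a segment" % (ea, ea + len(data)))
    backend.patch_bytes(ea, data)
    covered = backend.redisassemble(ea, len(data))
    return ea + len(data), covered


if __name__ == "__main__":
    if IN_IDA:
        dump = read_dump(r"C:\unpacked.bin")  # assumed path of the .writemem output
        print(load_unpacked(IdaBackend(), OEP, dump))
    else:
        # constructed three-byte prologue written into a fake 0x6000-byte image
        be = MemoryBackend(0x401000, 0x6000)
        print(load_unpacked(be, OEP, b"\x55\x8b\xec"))
```

Inside IDA, run it from File > Script file; outside IDA the same `load_unpacked` call is exercised against the in-memory image, which is also how the segment-bounds check can be tested without a database. Keeping the IDA calls behind a small backend class is what makes that possible.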