We continue our series on using IDAPython to make things easier for reverse-engineers by tackling a problem malware analysts deal with on an almost daily basis: extracting embedded executables.

Malware will often store embedded executables in a number of ways. Some examples include attaching these files in the file's overlay, including them as a PE resource, or storing them in a buffer within the malware. When such a situation arises, malware analysts have a few options. They could dynamically run the sample and break after the file is written/extracted. Alternatively, if the file is stored in a resource section, they could use a utility such as CFFExplorer to extract the resource. In IDA Pro, an analyst can also highlight the necessary data in the hex view and right-click 'Save As' in order to extract this data.

The following video shows Drop in action on a simple function containing the opaque predicate 7*x*x-1 != y*y. The source code of the program seen in that video can be found in the demo folder.

In general, the workflow with Drop is as follows:

1. Make sure the cursor is located within a function.
2. Let angr perform a rudimentary concrete trace through the function by pressing 'concrete trace', or manually mark code-blocks to include in the analysis.
3. Click the 'along trace' button to start opaque predicate detection on the currently marked basic-blocks.
4. Optionally (and very experimentally), patch any resulting unreachable code with NOP instructions, to hopefully simplify the function's graph view and decompilation output.

Optionally, one can specify context during step 2 to improve symbolic analysis; this is especially helpful in larger functions with many variables or function calls.

* only x86 binaries have been properly tested.

Because of the unstable nature of the APIs provided by angr and its components, Drop requires a very specific version of each to be installed. It is therefore recommended you save your database before performing any heavy analysis. In order to make installation easier, some of these have been provided as Python. See the Installation section below for instructions on how to install these dependencies.

This assumes a 64-bit Windows 7 installation with IDA 6.95. It is assumed that (32-bit) Python 2.7, pip and easy_install are installed, as they come with IDA 6.95. Currently, IDA 7.0 and 64-bit Python are not supported. Other operating systems are not tested and will require a different installation procedure. Make sure the 32-bit Python 2.7 executable directories are in your PATH: