
Month: June 2021

Ghidra Plug-in to Decode XOR-Obfuscated Strings

As a reverse engineer or malware analyst, it is important to be able to write scripts that automate your workflow. One example is writing plug-ins for tools such as Ghidra that help deobfuscate the strings in a particular sample. In this example we will recover strings that have been obfuscated with the bitwise XOR operation. The techniques used are fairly simple and serve as an introduction to writing Python plug-ins and string deobfuscation routines.

Code: https://github.com/comosedice2012/XOR-Decode-Strings-Ghidra-Plugin/blob/main/deobfuscate_ghidra_strings.py

Original sample and DLL: https://github.com/jstrosch/XOR-Decode-Strings-IDA-Plugin

Analysis on YouTube: https://youtu.be/un8I6dfuDVQ

Below is a sample of the obfuscated string pattern. The function…
