As a reverse engineer/malware analyst, it is important to be able to write scripts to help automate your workflow. One example is to be able to write plug-ins for tools such as Ghidra that can aid in deobfuscating strings for a particular sample. In this example we will be recovering strings that have been obfuscated using the bitwise XOR operation. This example uses fairly simple techniques that will serve as an introduction to writing Python Plugins, and string deobfuscation routines. Code: https://github.com/comosedice2012/XOR-Decode-Strings-Ghidra-Plugin/blob/main/deobfuscate_ghidra_strings.pyOriginal sample and DLL: https://github.com/jstrosch/XOR-Decode-Strings-IDA-PluginAnalysis on Youtube: https://youtu.be/un8I6dfuDVQ Below is a sample of the obfuscated string pattern. The function…
Comments closedCategory: Reverse Engineering
About Qbot Qbot (also known as Qakbot) is an information stealer that has been active since 2007. It was originally used as a banking trojan, but has since been updated to steal credentials from other sites as well that are not financial. Qbot has also been observed being used for a variety of different types of activities, including distributing ransomware. Recently, Qbot has been distributed through spam email campaigns. Specifically, a URL is sent through an email. This URL belongs to a compromised WordPress site controlled by the attacker. This URL is redirected to a malicious PHP script that loads…
Comments closed