IDC Python - Executing external programs from IDA
IDA, the Interactive Disassembler, is a well-known tool. It also comes in a Freeware version, which has several limitations. For example, IDA Freeware does not support IDAPython, the scripting language that brings together the best of IDA and the best of Python. For scripting, IDA Freeware supports only IDC, a “toy” [2] C-like language. In the past I wondered whether it is possible to run Python even from IDA Freeware. Recently I played a little more with IDC and found a way to pass data from IDA to an external Python interpreter and get the results back into IDA.
Fluorescence Call Highlighter and IDC Plugins
A few weeks ago, I saw a question somewhere on the Internet about IDA Freeware compatibility with the Fluorescence plugin. Because this plugin is written in IDAPython, and IDAPython isn’t officially supported by IDA Freeware, the plugin isn’t compatible either.
However, when I checked what this plugin does, it turned out to be very simple: its purpose is to highlight call instructions. So as an exercise I re-created an IDC script with a similar feature, and I also created a plugin version of IDC Fluorescence.
GandCrab String Decryption Update
Introduction In the post about GandCrab String Decryption I used a very simple heuristic for identifying the string decryption function. Because this kind of function is usually heavily used, I assumed that the string decryption function is the most used function in our sample. This assumption holds for GandCrab v5.1 DLL files, but it turns out not to be true for GandCrab v5.2 and v5.3 EXE samples.
GandCrab String Decryption
Introduction In the last article about the Ursnif campaign, the Ursnif PowerShell downloader was presented, which was also able to download the GandCrab payload. This payload was injected as a DLL library into the running process, and during the last analysis I extracted it. Now it is time to look more closely at this GandCrab sample.
Obfuscated strings After a quick look at the disassembly we notice many calls to one particular function, in our case named by IDA as sub_10009E69.