This repo contains the following miscellaneous tools to aid in your malware analysis.
This command line tool assists in reverse engineering malware that dynamically resolves imports and stores them in global variables. It reads the target module out of a running process and writes a file listing the RVA and API name of every resolved API found in the module. RVAs are used (rather than absolute addresses) so the labels stay valid regardless of where the module was loaded. The output is made specifically for the companion Ghidra script "Label_Dynamically_Resolved_Iat_Entries.py" in the "Ghidra Scripts" repo on the AGDC Services GitHub page.
To use the tool, run the malware until all of the APIs are resolved (for example, suspend it under a debugger once its import-resolution routine has returned). Then execute this tool in an elevated cmd prompt to dump out the labeled IAT. The output file can then be read by the "Label_Dynamically_Resolved_Iat_Entries.py" Ghidra script, which transfers the resolved API names into a clean Ghidra database so that static analysis can be performed.
usage: Dump_Labeled_Iat_Memory.exe targetPID targetModuleBaseName outputFileName
targetPID: decimal PID of process to dump resolved IAT from
targetModuleBaseName: module base name inside target process to search
outputFileName: file name to store labeled IAT to
For a video demonstration of this tool, see "Automate Labeling Of Obfuscated APIs In Malware" on the AGDC Services YouTube channel: https://youtu.be/wYiPEDV9IAw
This tool assists in reverse engineering malware that dynamically resolves imports and stores them in a structure on the heap or stack. It scans a given memory range of a running process and writes a C header file declaring either a structure or an enum that covers all of the resolved APIs in that range. The header can then be imported by standard disassemblers such as Ghidra or IDA Pro, and the resulting API structure or enum applied to the dynamically resolved API table so that static analysis can be completed.
To use the tool, run the malware until all of the APIs are resolved. Then execute this tool in an elevated cmd prompt to dump out the labeled API structure. Because heap and stack addresses change from run to run, take startAddress and endAddress from the same process instance (the PID you pass) that you are dumping. Import the header with your disassembler's built-in C header parser, then apply the resulting structure (or enum) to the API table so that every offset into it is labeled with the resolved API name.
usage: Dump_Labeled_Api_Structure.exe targetPID startAddress endAddress outputType outputFileName
targetPID: decimal PID of process to dump API structure from memory
startAddress: hex address where API structure starts
endAddress: hex address where API structure ends
outputType: [-s | -e] to output either a structure or enum header file
outputFileName: file name to store the created header file to
For a video demonstration of this tool, see "Automate Labeling Of Obfuscated APIs In Malware" on the AGDC Services YouTube channel: https://youtu.be/wYiPEDV9IAw
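Both tools above share one core step: walk a memory range, treat each pointer-sized slot as a candidate address, and keep the slots whose value is the address of a known API export. The following is an added example, not code from this repo, that models that step offline in Python so the two output shapes (the RVA/API listing for Dump_Labeled_Iat_Memory, and the struct or enum header for Dump_Labeled_Api_Structure) can be seen side by side. Everything it reads is constructed: the export map, the sample memory image, a 64-bit pointer size, aligned pointer slots, and the exact line formats are all assumptions; the real tools read the live process and resolve addresses against the export tables of the DLLs loaded in it.

```python
"""Offline model of the step shared by Dump_Labeled_Iat_Memory and
Dump_Labeled_Api_Structure: find resolved API pointers in a memory range and
emit them in each tool's output shape. Added example, not the repo's own code."""
import re
import struct
from typing import Dict, List, Tuple

PTR = 8  # assumption: 64-bit target process

# Constructed export map (address -> "module!Export"). The real tools build
# this by walking the export directories of DLLs loaded in the target process.
EXPORTS: Dict[int, str] = {
    0x7FFE0001000: "kernel32!CreateFileW",
    0x7FFE0002000: "kernel32!VirtualAlloc",
    0x7FFE0003000: "ntdll!NtClose",
    0x7FFE0004000: "advapi32!RegOpenKeyExW",
}


def build_sample() -> bytes:
    """Constructed memory image resembling a malware API table after its
    resolver has run: pointers beside non-pointer data and an empty slot."""
    return b"".join(struct.pack("<Q", v) for v in (
        0x7FFE0001000,  # +0x00 CreateFileW
        0x7FFE0002000,  # +0x08 VirtualAlloc
        0x2A,           # +0x10 a counter, not a pointer
        0x7FFE0003000,  # +0x18 NtClose
        0x0,            # +0x20 slot that was never resolved
        0x7FFE0004000,  # +0x28 RegOpenKeyExW
    ))


def resolve_pointers(blob: bytes) -> List[Tuple[int, str]]:
    """Return (offset, "module!Export") for each pointer-aligned slot whose value
    is a known export address. Aligned scanning is an assumption; unaligned or
    encoded pointers would need a byte-granular scan or a decode step first."""
    hits = []
    for off in range(0, len(blob) - PTR + 1, PTR):
        name = EXPORTS.get(struct.unpack_from("<Q", blob, off)[0])
        if name is not None:
            hits.append((off, name))
    return hits


def c_identifier(api: str, used: set) -> str:
    """Turn "module!Export" into a unique, legal C identifier so the header
    still parses when an export name is decorated, ordinal-like, or appears in
    two DLLs (e.g. kernel32 and kernelbase both exporting the same name)."""
    ident = re.sub(r"[^0-9A-Za-z_]", "_", api.split("!", 1)[-1])
    if ident[0].isdigit():
        ident = "_" + ident
    base, n = ident, 2
    while ident in used:
        ident, n = f"{base}_{n}", n + 1
    used.add(ident)
    return ident


def iat_listing(module_image: bytes) -> str:
    """Dump_Labeled_Iat_Memory-style output (line format assumed): one
    'RVA<TAB>API' line per resolved global. If module_image starts at the
    module base, the slot offset is the RVA."""
    return "\n".join(f"{rva:08X}\t{api}" for rva, api in resolve_pointers(module_image))


def struct_header(blob: bytes, name: str = "ApiTable") -> str:
    """Dump_Labeled_Api_Structure '-s'-style output: a struct whose field offsets
    match the memory layout. Unresolved slots become opaque members so the
    resolved fields keep their true offsets once the header is imported."""
    hits, used = dict(resolve_pointers(blob)), set()
    lines = [f"struct {name} {{"]
    for off in range(0, len(blob) // PTR * PTR, PTR):
        if off in hits:
            lines.append(f"    FARPROC {c_identifier(hits[off], used)};  /* +0x{off:X} */")
        else:
            lines.append(f"    void *unk_{off:X};")
    lines.append("};")
    return "\n".join(lines)


def enum_header(blob: bytes, name: str = "ApiOffset") -> str:
    """'-e'-style output: enumerators named after each API and valued by its
    offset, so the disassembler can show base + CreateFileW instead of base + 0."""
    used: set = set()
    body = [f"    {c_identifier(api, used)} = 0x{off:X}," for off, api in resolve_pointers(blob)]
    return "\n".join([f"enum {name} {{", *body, "};"])


if __name__ == "__main__":
    sample = build_sample()
    print(iat_listing(sample))
    print(struct_header(sample))
    print(enum_header(sample))
```

The struct variant uses the Windows FARPROC typedef for resolved members; if your disassembler's header parser has no Windows types loaded, substitute `void *`. A value that happens to equal an export address without being a pointer (a false positive) will also be labeled by this approach, so spot-check the table against the code that fills it before trusting every entry.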