Use Radare2 and Ruby to develop a malware configuration parser
Radare2 (an open-source reverse engineering platform) has received a lot of attention recently. Here I want to do more than skim the documentation: I want to use Radare to walk through some real code.
In 2014, GData released a white paper on "Operation TooHash" that introduced a piece of malware called "Cohhoc". I am not going to dig into Cohhoc here. What matters is that its C2 address can be decoded in two steps: the URL is stored as a base64 string whose bytes have been bit-shifted and OR'd. First, the string is run through a base64 decoding function.
The resulting bytes are then handed to a second decoding function, which applies a series of bitwise operations to recover the plaintext.
Writing a parser for this malware is not difficult: we just need a decoder that can be run over every string in the binary. The only real problem is finding an effective way to traverse the binary. Enter Radare2 and Ruby!
Radare2 can be scripted through its r2pipe API, which has bindings for many common languages. First we write the decoding part, then we start traversing the binary.
```ruby
require 'r2pipe'
require 'json'
require 'base64'

# Two-stage decoder: base64, then an 8-bit rotate of every byte.
def decode(config)
  raw = Base64.decode64(config)
  uri = ""
  raw.each_byte do |b|
    # shr dl,6
    # shl al,2
    # or  dl,al
    # keep the result in 8 bits with a mask, not a modulo
    uri += (((b << 6) | (b >> 2)) & 0xff).chr
  end
  return uri
end
```
The next step is to find candidate base64 strings. We will break this step into smaller pieces.
```ruby
r2p = R2Pipe.new("mal.exe")   # initialize the object
r2p.cmd('aaa')                # analyze all functions
functions = r2p.cmd('aflj')   # return the function list as JSON
func = JSON.parse(functions)  # parse the JSON
```
The JSON result contains one entry per function in the binary, for example:
```ruby
{
  "offset"    => 4214544,
  "name"      => "entry0",
  "size"      => 42,
  "cc"        => 1,
  "nbbs"      => 1,
  "calltype"  => "none",
  "type"      => "fcn",
  "diff"      => "NEW",
  "callrefs"  => [{"addr" => 4205024, "type" => "C"}],
  "datarefs"  => [4269968, 4269856, 4206032],
  "codexrefs" => [],
  "dataxrefs" => [],
  "difftype"  => "new"
}
```
The useful fields are the function name, offset and size. With this information we can disassemble each function and look for push instructions.
```ruby
func.each do |elem|
  # disassemble each function and return the JSON
  contents = JSON.parse(r2p.cmd("pdfj @ #{elem['offset']}"))
  # iterate through the operations
  contents["ops"].each do |operation|
    # is the operation a push?
    next unless operation["type"].eql?("push")
    # look for addresses being pushed
    next unless operation["opcode"] =~ /\ 0x/
    # grab the value being pushed
    addr = operation["opcode"].split(" ").last.hex
    # use radare "psz" to grab the string
    str = r2p.cmd("psz @ #{addr}")
    # ugly regex looking for base64 data
    if str =~ /[0-9a-zA-Z\+\=]{10,}/
      # decode the string
      decoded_str = decode(str)
      # is the decode something that looks like a URL?
      if decoded_str =~ /[0-9a-zA-Z\.\-]{5,}/
        puts "Function #{elem['name']} - #{str.chomp} - #{decoded_str}"
      end
    end
  end
end
```
Running this script gives the following results:
```
~$ ./cohhoc_radare.rb 7136ba78671c6c4d801957be8e768d444389a28471679a6ba713adf6b564784f
Function fcn.00403890 - 3ZWJtYWlsbiludGFybmV0c2VydmljZW4jb21 - webmail.intarnetservice.com
Function fcn.00403890 - oZWxwbjdlYm1haWxlcnNlcnZpY2VzbiNvbU= - help.webmailerservices.com
```
In fewer than 100 lines of code we can find the encoded data, decode it, and identify the function that pushes it onto the stack. From there you can concentrate on that one function address.
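The two decoding stages and the candidate filter from the script above, reworked as a stand-alone Ruby example that needs no radare2 install (added here; it is not code from the original post). It re-uses the two sample strings from the output above as constructed `psz` output, adds a decoy string that passes the loose base64 regex, adds the inverse encoder so the decoding can be round-tripped, and applies a stricter host-name test than the original regex. The function names and the decoy are my own assumptions.

```ruby
require 'base64'

# Constructed sample: what "psz" returned for the two Cohhoc strings in the
# article, plus a decoy that passes a loose base64 regex but is not a C2.
CANDIDATES = [
  "3ZWJtYWlsbiludGFybmV0c2VydmljZW4jb21\n",
  "oZWxwbjdlYm1haWxlcnNlcnZpY2VzbiNvbU=\n",
  "GetProcAddress\n"  # looks like base64 to a loose regex
].freeze

# 8-bit rotate right by 2: the second decoding stage from the article.
def ror2(b)
  ((b << 6) | (b >> 2)) & 0xff
end

# Inverse of ror2 (rotate left by 2), so we can round-trip the encoding.
def rol2(b)
  ((b << 2) | (b >> 6)) & 0xff
end

# Stage 1: base64-decode. Stage 2: rotate every byte.
def cohhoc_decode(config)
  Base64.decode64(config).each_byte.map { |b| ror2(b) }.pack('C*')
end

# Re-encode a URL the way the sample stores it (rotate, then base64).
def cohhoc_encode(url)
  Base64.strict_encode64(url.each_byte.map { |b| rol2(b) }.pack('C*'))
end

# Stricter acceptance test than the article's regex: the whole decoded
# string must be printable ASCII and either a dotted host name or an
# http(s) URL, so rotated garbage from non-config strings is rejected.
HOST = /\A[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+\z/

def looks_like_c2?(s)
  return false unless s.ascii_only? && s.match?(/\A[[:print:]]+\z/)
  s.match?(HOST) || s.match?(%r{\Ahttps?://\S+\z})
end

# Map each candidate that survives both filters to its decoded C2.
def extract_c2(candidates)
  candidates.map(&:chomp)
            .select { |c| c.match?(%r{\A[0-9A-Za-z+/]{10,}={0,2}\z}) }
            .map { |c| [c, cohhoc_decode(c)] }
            .select { |_, d| looks_like_c2?(d) }
            .to_h
end

extract_c2(CANDIDATES).each { |enc, url| puts "#{enc} - #{url}" }
```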
Previously I wrote a script that finds and decodes Cohhoc's encoded data using the Capstone disassembler and its Ruby binding, Crabstone.
Hopefully this article has shown some useful features of Radare and Ruby. Thanks for reading!