On a boring rainy day, I decided to fill some spare time writing my first IDA plugin. I had never tried before, but I have to admit it's a powerful tool after all.
The idea for the plugin comes from a malware sample I have been analysing these days; it's packed… As the name suggests, the plugin reveals the imports of a dumped process. It comes in handy when you need to analyze a dump without first rebuilding the file with an external tool.
The plugin could be buggy: it seems to work fine with simple packers, but I didn't test it much. I don't want to test the plugin for days (I don't have to sell it :p), I'll just use it and when a bug comes out I'll try to fix it.
Usage: put the plugin inside the IDA plugins directory; to run it, hit ALT+Z.
Here is a screenshot. As you can see, the plugin creates a new window filled with the revealed imports.
You are welcome to send me a note about one or more bugs.
Download the plugin from here
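The core step the plugin automates, as an added example in Python that is not the plugin's own code: walk the IAT of a dump taken as mapped (file offset equals RVA), read each pointer-sized slot and look it up in a table of known export addresses. Module bases, export RVAs and the dump itself are constructed here; null thunks are skipped as per-module separators, and a pointer that lands outside every known export (for instance a packer's redirection stub inside the image) is reported as unresolved instead of being silently dropped.

```python
import struct

# Constructed module map for the example (made-up bases and export RVAs, not real ones):
# module name -> (base address, {export RVA: function name})
MODULES = {
    "kernel32.dll": (0x7C800000, {0xB2C0: "GetProcAddress", 0xB3B4: "LoadLibraryA", 0xF3A0: "VirtualAlloc"}),
    "ntdll.dll":    (0x7C900000, {0x12E0: "NtAllocateVirtualMemory"}),
}

def build_export_index(modules):
    """Absolute export address -> 'module!function', the table each IAT slot is checked against."""
    return {base + rva: f"{name}!{func}"
            for name, (base, exports) in modules.items()
            for rva, func in exports.items()}

def reveal_imports(dump, image_base, iat_rva, iat_size, modules, ptr_size=4):
    """Walk the IAT of a process dumped as mapped (file offset == RVA).
    Returns (slot VA, pointer, resolved name) for every non-null slot; the name is None
    when the pointer is outside every known export, e.g. a packer redirection stub."""
    index = build_export_index(modules)
    fmt = "<I" if ptr_size == 4 else "<Q"
    found = []
    # clamp to the dump length so a truncated dump cannot make unpack_from raise
    for off in range(iat_rva, min(iat_rva + iat_size, len(dump) - ptr_size + 1), ptr_size):
        (ptr,) = struct.unpack_from(fmt, dump, off)
        if ptr == 0:  # null thunk: separator between per-module groups, skip it
            continue
        found.append((image_base + off, ptr, index.get(ptr)))
    return found

def build_sample_dump():
    """Constructed 32-bit dump: an IAT at RVA 0x40 holding two kernel32 slots, a null
    separator, one ntdll slot and one slot redirected back into the image itself."""
    image_base, iat_rva = 0x00400000, 0x40
    slots = [0x7C800000 + 0xB2C0, 0x7C800000 + 0xB3B4, 0,
             0x7C900000 + 0x12E0, image_base + 0x1234, 0]
    dump = bytearray(0x100)
    struct.pack_into("<%dI" % len(slots), dump, iat_rva, *slots)
    return bytes(dump), image_base, iat_rva, len(slots) * 4

if __name__ == "__main__":
    dump, base, rva, size = build_sample_dump()
    for va, ptr, name in reveal_imports(dump, base, rva, size, MODULES):
        print(f"{va:08X} -> {ptr:08X} {name or '<unresolved>'}")
```

On a real dump the module map would come from the debugger's loaded-module list at dump time; the unresolved slots are the ones worth looking at by hand, since they are where a packer has interposed itself.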
Lately a lot of malware is using rootkit techniques. Private and antivirus companies are trying to develop tools against it but, despite the fact that most of the techniques are well documented around the net, only a few companies are getting positive results. This particular malware is a perfect example, because when it came out only a few tools were able to recognize its nasty operations. I don't know what you think, but that sounds a little bit strange to me.
The malware, named Nailuj by some antivirus companies, is composed of 3 files: VideoAti0.exe, VideoAti0.dll and VideoAti0.sys. I won't talk about all the files, but will focus my attention on only one, the sys file. This malware is a nice target for those who want to approach a malware sample for the very first time, because it uses well-known techniques such as hiding files and hooking functions. Nothing hard once you have dealt with them at least once. In addition, the sys file is compiled in debug mode and every operation performed by the malware is documented inside the code. Yes, every time it does something it reveals its success or failure, printing out a comment using the DbgPrint function. This is really useful because you know what it will do before starting to analyze the code, not so bad. Do you want something more for your first malware analysis?
Want to read more? Click here to download the entire article in PDF format. It's free :-p