Ida Pro Virustotal Plugin
5/5/2021
Second, it's good practice not to put known malicious files on your PC: you just might execute them by mistake and/or make your machine dirty (in terms of IOCs found on your machine).
Ida Pro Virustotal Plugin Code And Assorted

As malware reverse engineers who have to load malware, shellcode and assorted binaries into IDA on a daily basis, we decided to tackle this problem by creating an IDA plugin that loads a binary into IDA without writing it to disk. We have made this plugin publicly available for other researchers to use. In this post, we'll describe our Memory Loader plugin's features, installation and usage.

For example, a plugin can take all function entry points and mark them in the graph in red, making it easier to spot them. The plugin feature runs after the IDA database is initialized, meaning there is already a binary loaded into the database. These include loading files from a memory buffer (any source), loading files from zip files (encrypted/unencrypted), and loading files from a URL.

The temporary IDA db files will be deleted and you will be left with your IDA database file and no binary on the disk. The loader accepts specific zip format files (.zip). After accepting a zip file, it will display the files inside the zip and allow you to choose the file you want to work with. After you select UrlLoader, you will be asked to enter a URL, and the downloaded file will be stored in a memory buffer. After you close the IDA window, you will be left with only the database file. Then IDA Pro will use the loader code and load the binary as if it were a local file.

Your dllmain file is the file where the loader definition will be. For example, if you are loading a PE, the buildloaderslist should return PE.dll as one of the loading options. For each loader this function acts differently, so there is not much to say here.

Using our Memory Loader plugin will enable you to reverse engineer malicious binaries without writing them to the disk. When working with malicious content in IDA Pro, a separate environment is often created for it, usually in a virtual machine.
Copying the binary and setting up the machine for research every time you want to open IDA is time-expensive. The Memory Loader plugin will allow you to work from your machine in a safer and more productive way.