IDA script to hide junk code for PYKSPA malware
################################################################################
##
## Junk Hide for PYKSPA
##
## Author: @herrcore
##
## Hide junk code (runs of consecutive instructions of the form):
##     mov al <something>
##     mov al <something>
##     mov al <something>
##     mov al <something>
##
##
## Original idea and code from:
## https://gist.github.com/dperezmavro/e778ba259cc91f315eed
##
################################################################################
import idautils
import idc
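# Pass 1: walk every head of every segment and collect runs of consecutive
# `mov al, <something>` instructions as [start_ea, byte_length] pairs.
hides = []          # [start_ea, byte_length] for each junk run worth hiding
in_junk = 0         # 1 while inside a run of consecutive `mov al, ...`
curr_pos = 0        # start address of the current run
junk_len = 0        # number of `mov al, ...` instructions seen in the run
junk_end = 0        # address just past the last `mov al, ...` of the run

# A run must be longer than this many instructions to be hidden; a short
# run of `mov al, ...` is too likely to be legitimate code.
MIN_JUNK_INSNS = 4

for seg_ea in idautils.Segments():
    for head in idautils.Heads(seg_ea, idc.SegEnd(seg_ea)):
        is_junk = (idc.isCode(idc.GetFlags(head))
                   and idc.GetMnem(head) == 'mov'
                   and idc.GetOpnd(head, 0) == 'al')
        if is_junk:
            junk_len += 1
            # Record the real end of the item instead of assuming every
            # `mov al, ...` is exactly 2 bytes: forms with a memory operand
            # are longer, and a fixed 2*count would leave their tail visible
            # (or, for shorter encodings, hide bytes past the run).
            junk_end = idc.ItemEnd(head)
            if in_junk == 0:
                curr_pos = head
                in_junk = 1
        elif in_junk == 1:
            # Any other head -- another instruction *or* a data item -- ends
            # the run.  The original only ended a run on a code head, so a
            # data item inside the range was silently swallowed into it.
            in_junk = 0
            if junk_len > MIN_JUNK_INSNS:
                hides.append([curr_pos, junk_end - curr_pos])
            curr_pos = 0
            junk_len = 0
            junk_end = 0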
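# Pass 2: apply the collected ranges.  Each entry is [start_ea, byte_length];
# the range [start_ea, start_ea + byte_length) is hidden with color 0xEEFFFF.
for start_ea, byte_len in hides:
    end_ea = start_ea + byte_len
    # print() with a single pre-formatted argument behaves the same under
    # Python 2 and 3, unlike the original print statement.
    print("hiding 0x%x - 0x%x" % (start_ea, end_ea))
    # Guard against a degenerate (empty or one-byte) range; with the
    # instruction-count threshold used when collecting runs this is not
    # expected to trigger, but it keeps a zero-length area from being made.
    if byte_len > 1:
        # Drop any area already hidden at this address before creating the
        # new one, so re-running the script does not stack hidden areas.
        idc.DelHiddenArea(start_ea)
        idc.HideArea(start_ea, end_ea, '', '', '', 0xEEFFFF)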