Sample Files

The files that are available for download here are usually malware, please treat these files accordingly. Malicious samples are packed as zip or 7zip archives with the password infected.
[ /tmp/2021/malremote/tag4/]$ cat
Consider the sample with the following SHA-256 hash: ``` 12d8bfa1aeb557c146b98f069f3456cc8392863a2f4ad938722cd7ca1a773b39 ``` It is a ransomware sample that uses API hashing. The task of this exercise is to: 1. identify and reverse engineer the API hashing routine, 2. compute a list of hashes for known API function symbols, 3. run a Ghidra script (you can find a template in the ZIP archive of this exercise) to fix all obfuscated API calls. For the second and third part, we offer a few suggested script templates, but if you feel sassy, just stop reading here and do everything yourself. At the bottom of this exercise is the code of a Ghidra script in Java that can be used to label a memory region containing API hashes with the corresponding function symbol names. It requires an input file that contains the correctly hashed API function names in the following format: ```json {"name": "LoadLibraryA", "hash": 849394733} {"name": "LoadLibraryW", "hash": 3980733} {"name": "DisableFirewallAndExecutePowerShellAsAdminW", "hash": 299239333} ``` In other words, each line is a JSON object with a `name` field set to the name of the function and the `hash` field set to the value of the corresponding API hash. To help generate such a file, we provide: - The script `` for extracting exported function symbols from Windows DLLs - [a collection of Windows DLLs from the ReactOS project][dlls], and if don't want to run that script on the DLLs yourself, you can find `get_pe_exports.json` along with this exercise. [dlls]: