Sample Files

The files that are available for download here are usually malware; please treat them accordingly. Malicious samples are packed as zip or 7zip archives with the password infected.
[imp@mal.re /tmp/2021/malremote/tag4/]$ cat exercise09.md
Consider the sample with the following SHA-256 hash:

```
12d8bfa1aeb557c146b98f069f3456cc8392863a2f4ad938722cd7ca1a773b39
```

It is a ransomware sample that uses API hashing. The task of this exercise is to:

1. identify and reverse engineer the API hashing routine,
2. compute a list of hashes for known API function symbols,
3. run a Ghidra script (you can find a template in the ZIP archive of this exercise) to fix all obfuscated API calls.

For the second and third part, we offer a few suggested script templates, but if you feel sassy, just stop reading here and do everything yourself.

At the bottom of this exercise is the code of a Ghidra script in Java that can be used to label a memory region containing API hashes with the corresponding function symbol names. It requires an input file that contains the correctly hashed API function names in the following format:

```json
{"name": "LoadLibraryA", "hash": 849394733}
{"name": "LoadLibraryW", "hash": 3980733}
{"name": "DisableFirewallAndExecutePowerShellAsAdminW", "hash": 299239333}
```

In other words, each line is a JSON object with a `name` field set to the name of the function and the `hash` field set to the value of the corresponding API hash. To help generate such a file, we provide:

- The script `get_pe_exports.py` for extracting exported function symbols from Windows DLLs
- [a collection of Windows DLLs from the ReactOS project][dlls], and if you don't want to run that script on the DLLs yourself, you can find `get_pe_exports.json` along with this exercise.

[dlls]: https://mal.re/tmp/resources/react-os-dlls.zip
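As an added example (not part of the exercise materials), the following Python produces and parses the JSON-lines hash file in the format described above, and reports collisions between different export names that hash to the same value, since such a collision makes a label ambiguous. `placeholder_hash` is a constructed stand-in for the routine you recover in step 1, not the sample's actual algorithm, and `build_hash_lines`, `load_hash_table` and the export names are assumptions of this example.

```python
import json
from typing import Callable, Dict, Iterable, List, Tuple


def placeholder_hash(name: str) -> int:
    """Stand-in for the routine recovered from the sample (NOT the real one):
    rotate-right-13 then add, over the ASCII bytes, truncated to 32 bits.
    Replace this body with the transcribed algorithm once step 1 is done."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF  # ROR 13 on a 32-bit value
        h = (h + b) & 0xFFFFFFFF
    return h


def build_hash_lines(names: Iterable[str], hash_fn: Callable[[str], int]) -> List[str]:
    """One JSON object per line, in the format the labelling script expects."""
    return [json.dumps({"name": n, "hash": hash_fn(n)}) for n in names]


def load_hash_table(lines: Iterable[str]) -> Tuple[Dict[int, str], List[Tuple[int, str, str]]]:
    """Parse the JSON-lines file into a hash -> name table.

    The same export appearing twice (e.g. from two DLLs) is harmless, but two
    different names with one hash would mislabel a call, so those are
    collected as collisions rather than silently overwritten."""
    table: Dict[int, str] = {}
    collisions: List[Tuple[int, str, str]] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        obj = json.loads(line)
        h, name = int(obj["hash"]), obj["name"]
        if h in table and table[h] != name:
            collisions.append((h, table[h], name))
            continue
        table[h] = name
    return table, collisions


if __name__ == "__main__":
    # Constructed export names; in practice take them from the get_pe_exports.py output.
    exports = ["LoadLibraryA", "LoadLibraryW", "GetProcAddress", "VirtualAlloc"]
    lines = build_hash_lines(exports, placeholder_hash)
    with open("api_hashes.json", "w") as f:
        f.write("\n".join(lines) + "\n")
    table, collisions = load_hash_table(lines)
    print(f"{len(table)} hashes written, {len(collisions)} collisions")
```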