Sample Files

The files that are available for download here are usually malware, please treat these files accordingly. Malicious samples are packed as zip or 7zip archives with the password infected.

[imp@mal.re /tmp/2022/malremote/day4/]$ cat exercise13.md

Consider the sample with the following SHA-256 hash: ``` f65eeb136e23d06b54b15834ad15d4bcd2cd51af9e8c134da32da02bdcb68996 ``` Your task is to write a script that emulates instructions using the [EmulatorHelper] class, in order to extract the stack strings. The goal is not a fully automated script, but rather one where the user selects a sequence of instructions to be emulated. It is recommended to use the memory write tracking feature built into Ghidra's emulator, see the [enableMemoryWriteTracking] and [getTrackedMemoryWriteSet] methods. After obtaining a string from emulated memory, add a comment to the beginning of the emulated code area. There is already a script called [EmuX86DeobfuscateExampleScript] that illustrates well how to use the emulator; note however, that since we use memory write tracking, you do not necessarily have to set up the stack manually. [EmulatorHelper]: https://mal.re/api/ghidra/app/emulator/EmulatorHelper.html [enableMemoryWriteTracking]: https://mal.re/api/ghidra/app/emulator/EmulatorHelper.html#enableMemoryWriteTracking(boolean) [getTrackedMemoryWriteSet]: https://mal.re/api/ghidra/app/emulator/EmulatorHelper.html#getTrackedMemoryWriteSet() [EmuX86DeobfuscateExampleScript]: https://github.com/NationalSecurityAgency/ghidra/blob/master/Ghidra/Features/Base/ghidra_scripts/EmuX86DeobfuscateExampleScript.java