You're reading from Ghidra Software Reverse Engineering for Beginners Analyze, identify, and avoid malicious code and potential threats in your networks and systems

Product type Paperback

Published in Jan 2021

Publisher Packt

ISBN-13 9781800207974

Length 322 pages

Edition 1st Edition

Tools

Ghidra

Concepts

Cybersecurity

Author (1):

A. P. David

View More author details

Table of Contents (20) Chapters

Preface

1. Section 1: Introduction to Ghidra

2. Chapter 1: Getting Started with Ghidra FREE CHAPTER

3. Chapter 2: Automating RE Tasks with Ghidra Scripts

4. Chapter 3: Ghidra Debug Mode

5. Chapter 4: Using Ghidra Extensions

6. Section 2: Reverse Engineering

7. Chapter 5: Reversing Malware Using Ghidra

8. Chapter 6: Scripting Malware Analysis

9. Chapter 7: Using Ghidra Headless Analyzer

10. Chapter 8: Auditing Program Binaries

11. Chapter 9: Scripting Binary Audits

12. Section 3: Extending Ghidra

13. Chapter 10: Developing Ghidra Plugins

14. Chapter 11: Incorporating New Binary Formats

15. Chapter 12: Analyzing Processor Modules

16. Chapter 13: Contributing to the Ghidra Community

17. Chapter 14: Extending Ghidra for Advanced Reverse Engineering

18. Assessments

19. Other Books You May Enjoy

Leave a review - let other readers know what you think

Deobfuscating malware samples using scripts

In the previous chapter, we showed how Alina injects shellcode into the explorer.exe process. We analyzed this by simply reading the strings, which is a quick, practical approach, but we can be more accurate in our analysis. Let's focus on some shellcode details.

The delta offset

When injecting code, it is placed in a position that is unknown at development time. As a consequence, the data cannot be accessed by using absolute addresses; instead, it must be accessed via relative positions. The shellcode retrieves the current address at runtime. In other words, it retrieves the EIP register.

The purpose of the EIP register in x86 architecture (32-bit) is to point to the next instruction to execute; so, it controls the flow of a program. It determines the next instruction to execute.

But, as the EIP register is controlled implicitly (by control-transfer instructions, interruptions, and exceptions), it cannot be accessed directly...