Patchwork: Stitching against malware families with IDA Pro
(tool for the talk at Spring9,

This repository contains the (unfinished) code for a tool I called patchwork.

In essence, I use a somewhat fixed / refurbished version of PyEmu along IDA to demonstrate deobfuscation of the different patterns found in the malware family Nymaim.

All credits and a big thank you for the original PyEmu go to Cody Pierce

Changes vs. the original PyEmu:

  • partially fixed the memory management of PyEmu to work more robustly, especially in IDA.
  • fixed some of the opcode handling that would break when encountering "rare" x86 instructions.
  • recompiled pydasm with Python 2.7 to have it out of the box compatible with the version found in the last couple versions of IDA.

Setup (deobfuscation proof of concept)

  • Copy the repo into some folder reachable from IDA.
  • Set the variable PYEMU_PATH in $idapatchwork/patchwork/ to the appropriate value.
  • Load $idapatchwork/patchwork/INFECTED/nymaim_2f3d6becf1e42614445816302a50d8e2.unp into IDA.
  • Execute $idapatchwork/

If you just want to benefit from my changes to PyEmu, take the first steps and then you probably want to check out the modified $idapatchwork/ and find your way on from there. Enjoy.