1. Daniel Plohmann
  2. IDApatchwork



Patchwork: Stitching against malware families with IDA Pro (tool for the talk at Spring9, https://spring2014.gdata.de/spring2014/programm.html)

This repository contains the (unfinished) code for a tool I called patchwork.

In essence, I use a somewhat fixed / refurbished version of PyEmu along IDA to demonstrate deobfuscation of the different patterns found in the malware family Nymaim.

All credits and a big thank you for the original PyEmu go to Cody Pierce

Changes vs. the original PyEmu:

  • partially fixed the memory management of PyEmu to work more robustly, especially in IDA.
  • fixed some of the opcode handling that would break when encountering "rare" x86 instructions.
  • recompiled pydasm with Python 2.7 to have it out of the box compatible with the version found in the last couple versions of IDA.

Setup (deobfuscation proof of concept)

  • Copy the repo into some folder reachable from IDA.
  • Set the variable PYEMU_PATH in $idapatchwork/patchwork/config.py to the appropriate value.
  • Load $idapatchwork/patchwork/INFECTED/nymaim_2f3d6becf1e42614445816302a50d8e2.unp into IDA.
  • Execute $idapatchwork/run.py.

If you just want to benefit from my changes to PyEmu, take the first steps and then you probably want to check out the modified $idapatchwork/idapyemu.py and find your way on from there. Enjoy.