Writing scripts using the Java programming language
As you know from the previous chapter, Alina malware incorporates shellcode that is injected into the explorer.exe
process. If you want to deobfuscate the shellcode Kernel32 API function calls, then you will need to identify call instructions. You will also need to filter the functions in order to get only what you need, and finally, of course, you will need to perform the deobfuscation:
01. Function fn = getFunctionAt(currentAddress); 02. Instruction i = getInstructionAt(currentAddress); 03. while(getFunctionContaining(i.getAddress()) == fn){ 04. String nem = i.getMnemonicString(); 05. if(nem.equals("CALL")){ 06. Object[] target_address = i.getOpObjects(0); 07. if(target_address[0].toString().equals("EBP")){ 08. ...