what is Junk ?
A malware writer can create a malware program and then by inserting junk code into it he can create 100 unique malware with the same functionality. And when you use encryption and runtime packaging, it makes it more difficult for an anti-virus scan engine to detect matching patterns in the malware code. Some Antivirus software uses sandboxing techniques to detect malicious functions in an obfuscated programs. But we should also understand that new malware is intelligent enough to detect a sandbox environment and they can change the behavior during runtime.
when i open malware file into IDA its show’s me a tiny size of data and large size of instructions,
code and data sections
i am sure at this point that this malware in packed and having a multiple junks inside the instructions, so when i open the graph view i notice that in code there are multiple
mov al instructions
in this code so properly it’s hard to hide all junk instructions manually, so we can use an IDA script to hide all unusual instruction
mov al instruction moves into
al that’s a lower bit of the register, I never seen this type of calls in a row because you would just be replacing the byte that you moved in the last call makes no sense, safe side we are hiding only more than 4
mov al instructions in a row
import idautils import idc hides =  in_junk = 0 curr_pos = 0 junk_len = 0 for seg_ea in idautils.Segments(): for head in idautils.Heads(seg_ea, idc.SegEnd(seg_ea)): if idc.isCode(idc.GetFlags(head)): mnem = idc.GetMnem(head) end_junk = False if mnem == 'mov': op1 = idc.GetOpnd(head, 0) if op1 == 'al': junk_len += 1 if in_junk == 0: curr_pos = head in_junk = 1 else: end_junk = True else : end_junk = True if end_junk: if in_junk == 1 : in_junk = 0 if junk_len > 4: len_junk_block = 2 * junk_len hides.append([curr_pos,len_junk_block]) curr_pos = 0 junk_len = 0 for h in hides: if h > 1: idc.DelHiddenArea(h) idc.HideArea(h,h+h,'','','',0xEEFFFF)
the script is going through all the sections and checks whether it contains
mov al instructions or if he found more than 4
mov instructions its hide that junk code.
- shortcut alt + F7 -> select script
- file -> script file… -> select script
as we can see script hide all the
move al instructions.
The Beginner’s Guide to IDAPython: https://leanpub.com/IDAPython-Book