Malops Aurat mini write-up

I've been doing a couple of challenges from malops.io ; These have been pretty fun so far, giving a good brush-up on commonly used malware techniques. I thought I'd write notes on AURAT, their difficult challenge. SHA256 for AURAT is 9d4600b440a7c730737f83de7188cc68e83124a10934c3d280610b8709084859

First, when chucking this into IDA , we're asked if we want to open it in 16/32 or 64 bit mode. That's interesting... Detect-it easy doesn't detect a valid PE File but a binary. We open it in HXD and see the MZ header is missing. We're also missing the "PE" magic value and there's a bunch of garbage added to the file. Below is a screenshot of the file

Here is what a properly formated file looks like:

I had to fix this PE manually. First adding the MZ magic bytes then using IMHex's PE parser , I compared a known good PE to this one. I mostly had to change where the coff pointer in the DOS header points to and change the file signature to PE. We end up with something that looks like this:

We can now open this up in IDA and navigate to the entrypoint.

The decompiler code shows something interesting:

BOOL __stdcall DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
  void (__fastcall *v3)(const char *); // rax
  __int64 v4; // rdx
  __int64 v5; // r8
  void (__fastcall *v6)(_QWORD, _QWORD, char *, void *, _DWORD, _QWORD); // rbx
  __int64 v7; // rax

  if ( fdwReason == 1 )
  {
    v3 = (void (__fastcall *)(const char *))sub_180001000(449530704, fdwReason, lpvReserved);
    v3("DLL_PROCESS_ATTACH");
    v6 = (void (__fastcall *)(_QWORD, _QWORD, char *, void *, _DWORD, _QWORD))sub_180001000(644231116, v4, v5);
    v7 = sub_180004071();
    v6(0, 0, (char *)sub_180003F60 + v7 - (_QWORD)sub_180004071, &unk_18001C9F0, 0, 0);
  }
  return 1;
}

sub_180001000 is passed some kind of hash and it's xrefd A LOT:

This screams API Hash resolution. sub_180001000 calls a PEB walking function that returns the base address of the second entry in the InLoadOrderModuleList:

Commented, we get:

mov rax, 30h
mov rax, gs:[rax]        ; TEB
mov rax, [rax+60h]       ; PEB
mov rax, [rax+18h]       ; PEB->Ldr (PEB_LDR_DATA)
mov rax, [rax+10h]       ; InLoadOrderModuleList (LIST_ENTRY)
mov rax, [rax]           ; first entry  (usually the EXE)
mov rax, [rax]           ; second entry (usually kernel32.dll for aurat)
mov rax, [rax+30h]       ; LDR_DATA_TABLE_ENTRY->DllBase
retn

The hashing function is pretty classic. One key giveaway is the below for loop:

        for ( i = *v9; *v9; i = *v9 )
        {
          ++v9;
          hash = i + 33 * hash;
        }

This looks a lot like djb2 a pretty common string hashing algorithm. Googling djb2 hash, Gemini outputs a toy snippet:

unsigned long int djb2(const unsigned char *str) {
    unsigned long int hash = 5381; // Initial value
    int c;
    while ((c = *str++)) { // Loop through each character
        hash = ((hash << 5) + hash) + c; // hash * 33 + c
    }
    return hash;
}

This looks super similar! Only difference is the init 5381 value which seems to be 0 in our malware's export resolver. We can now rewrite this in python and hash all exports in kernel32.dll with this algorithm. We can then update our calls accordingly and use IDA's change callee address manually if we want these calls to look nice in IDA. Here is an example of annotation using IDA and me using the "change callee address on the call rax to "make it look nice":

On the above, we see another importhashResolver that works pretty similarly to the first. This one is for ntdll and has a hardcoded hash. We can go through the code and see a couple more import hash resolvers. I modified my ida script to bruteforce function hashes for all of these and add comments when we had a known hash:

import idaapi
import ida_bytes
import ida_funcs
import ida_ua
import ida_xref
import ida_name
import ida_lines
import ida_search
import ida_idaapi 
import ida_ida
import ida_segment
import ida_kernwin
import idautils
import ida_idp
import pefile
import os

KERNEL32_PATH = r"C:\Windows\System32\kernel32.dll"
WS2_32_PATH = r"C:\Windows\System32\ws2_32.dll"
MSVCRT_PATH = r"C:\Windows\System32\msvcrt.dll"
ADVAPI32_PATH = r"C:\Windows\System32\advapi32.dll"
NTDLL_PATH = r"C:\Windows\System32\ntdll.dll"
HASH_REG = ida_ua.o_reg
HASH_REG_NAME = "ecx"
REG_SIZE = 4

def djb2_0(s):
    h = 0
    for c in s.encode("ascii"):
        h = (h * 33 + c) & 0xffffffff
    return h

def load_hashes(dll_path):
    if not os.path.exists(dll_path):
        raise RuntimeError(f"{os.path.basename(dll_path)} not found")
    pe = pefile.PE(dll_path)
    hash_map = {}
    for exp in pe.DIRECTORY_ENTRY_EXPORT.symbols:
        if not exp.name:
            continue
        name = exp.name.decode()
        h = djb2_0(name)
        hash_map.setdefault(h, []).append(name)
    print(f"Loaded {len(hash_map)} unique hashes for {os.path.basename(dll_path)}")
    return hash_map

def annotate_calls(resolver_ea, hash_map, fixed_hash=None):
    dll_name = [k for k in hash_maps if hash_maps[k] == hash_map][0]  # Get DLL name from hash_maps
    min_ea = ida_ida.inf_get_min_ea()
    max_ea = ida_ida.inf_get_max_ea()
    xrefs = idautils.CodeRefsTo(resolver_ea, 0)
    count = 0
    for call_ea in xrefs:
        # If fixed_hash, use it; otherwise look backwards for "mov ecx, imm"
        hash_val = fixed_hash
        if hash_val is None:
            ea_back = call_ea
            for _ in range(50):  # Increased range for safety
                ea_back = ida_bytes.prev_head(ea_back, min_ea)
                insn = ida_ua.insn_t()
                if not ida_ua.decode_insn(insn, ea_back):
                    break
                if insn.itype == idaapi.NN_mov:
                    op0, op1 = insn.ops[0], insn.ops[1]
                    if op0.type == HASH_REG and op0.dtype == idaapi.dt_dword and ida_idp.get_reg_name(op0.reg, REG_SIZE) == HASH_REG_NAME and op1.type == ida_ua.o_imm:
                        hash_val = op1.value & 0xffffffff  # Assuming 32-bit hash
                        print(f"Found hash 0x{hash_val:08X} for call at {hex(call_ea)}")
                        break
        if hash_val is None:
            print(f"No hash found for call at {hex(call_ea)}")
            continue
        names = hash_map.get(hash_val)
        if not names:
            print(f"No API name found for hash 0x{hash_val:08X} at {hex(call_ea)}")
            continue
        api_name = names[0]  # Take first if multiple collisions
        print(f"Resolved hash 0x{hash_val:08X} to {dll_name}!{api_name} at {hex(call_ea)}")
        # Comment the resolver call
        ida_bytes.set_cmt(
            call_ea,
            f"Resolve {dll_name}!{api_name} (hash=0x{hash_val:08X})",
            False
        )
        # Find the indirect call (call reg) shortly after
        ea = ida_bytes.next_head(call_ea, max_ea)
        indirect_call_ea = None
        for _ in range(100):
            if ea == ida_idaapi.BADADDR:
                break
            if idaapi.is_call_insn(ea):
                insn2 = ida_ua.insn_t()
                if ida_ua.decode_insn(insn2, ea):
                    op = insn2.ops[0]
                    if op.type != ida_ua.o_near:  # indirect if not direct
                        indirect_call_ea = ea
                        print(f"Found indirect call at {hex(ea)} for {dll_name}!{api_name}")
                        ida_bytes.set_cmt(
                            ea,
                            f"call {dll_name}!{api_name}",
                            False
                        )
                        ida_lines.add_extra_line(
                            ea,
                            True,
                            f"call {dll_name}!{api_name}"
                        )
                        break
            ea = ida_bytes.next_head(ea, max_ea)
        if not indirect_call_ea:
            print(f"[-] No indirect call found after resolver call at {hex(call_ea)}")
        else:
            count += 1
    print(f"Annotated {count} resolver call sites for {dll_name}")

def main():
    global hash_maps
    hash_maps = {
        "kernel32": load_hashes(KERNEL32_PATH),
        "ws2_32": load_hashes(WS2_32_PATH),
        "msvcrt": load_hashes(MSVCRT_PATH),
        "advapi32": load_hashes(ADVAPI32_PATH),
        "ntdll": load_hashes(NTDLL_PATH),
    }
    resolvers = [
        (0x180001000, "kernel32", None),
        (0x180001850, "ws2_32", None),
        (0x1800012D0, "msvcrt", None),
        (0x180001430, "advapi32", None),
        (0x1800010B0, "ntdll", 663637877),
    ]
    for ea, dll, fixed_hash in resolvers:
        if dll not in hash_maps:
            print(f"Invalid DLL name: {dll}")
            continue
        annotate_calls(ea, hash_maps[dll], fixed_hash)
    ida_kernwin.refresh_idaview_anyway()
main()

After that, the rest of the challenge becomes pretty easy (just reading code/disassembly) and I don't want to spoil everything. Best of luck :)