Ghidra Basics – Manual Shellcode Analysis and Locating Function Calls

by Prapattimynk, Thursday, 30 November 2023


Manual analysis of Cobalt Strike shellcode with Ghidra: identifying function calls and resolving the API hashes the shellcode uses in place of imports.

In previous posts we decoded some malicious scripts and obtained Cobalt Strike shellcode.

After obtaining the shellcode, we used Speakeasy emulation to determine its functionality. Emulation is a great first pass, but it is not ideal to rely on automated tooling alone, even when it works well: an emulator reports what the code did on one run, not why, and it can stop early or miss a branch without telling you.

In this post, we'll delve deeper into a Cobalt Strike shellcode file and analyse it without relying on emulators. All analysis will be done manually with x32dbg and Ghidra.

Overview

Before we jump in, here's a summary of the topics covered in this post:

  • Obtaining the sample
  • Loading Into Ghidra and Manually Disassembling
  • Defining Functions to Fix Decompiler Issues
  • Locating function calls via API hashing
  • Resolving Hashes With Google
  • Manually resolving Hashes with a debugger
  • Adding Comments Into Ghidra
  • Locating Resolved Hashes Using the Ghidra Graph View
  • Using Graph View to Identify API hash routines
  • Notes on Identifying Windows Structures (PEB, TEB, etc.)
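Three of the topics above (locating calls via API hashing, resolving hashes with Google, resolving them with a debugger) come down to one question: which export produces the 32-bit constant the shellcode pushes before its resolver call? The script below is an added example, not code from the post or from Cobalt Strike. It assumes the sample uses the Metasploit block_api ROR13 scheme that Cobalt Strike's stager shellcode inherits (the post does not name the algorithm), and the candidate export lists and the lookup constants in it are constructed for illustration. Under that assumption it reproduces the well-known constants such as 0x0726774C for kernel32.dll!LoadLibraryA, which is the same thing a Google search for the hash returns, but offline and for any export you care to add.

```python
"""ROR13 API-hash resolver for Metasploit/Cobalt Strike style shellcode (added example)."""


def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits`, i.e. what `ror edi, 13` does."""
    value &= 0xFFFFFFFF
    return ((value >> bits) | (value << (32 - bits))) & 0xFFFFFFFF


def module_hash(module: str) -> int:
    """Hash the module name the way the resolver reads it from the PEB loader list:
    BaseDllName is UTF-16LE, the loop upper-cases each byte, and it runs for
    MaximumLength bytes, so the two-byte null terminator is hashed as well."""
    h = 0
    for b in (module.upper() + "\x00").encode("utf-16-le"):
        h = (ror32(h, 13) + b) & 0xFFFFFFFF
    return h


def function_hash(function: str) -> int:
    """Hash the ASCII export name from the module's export name table.
    The resolver loop rotates and adds before checking for the null byte,
    so the terminating 0 is part of the hash."""
    h = 0
    for b in (function + "\x00").encode("ascii"):
        h = (ror32(h, 13) + b) & 0xFFFFFFFF
    return h


def api_hash(module: str, function: str) -> int:
    """The constant the shellcode pushes before `call ebp` (x86) or passes
    in r10d (x64): module hash plus function hash, truncated to 32 bits."""
    return (module_hash(module) + function_hash(function)) & 0xFFFFFFFF


# Constructed candidate list. Extend it with every export of the DLLs the
# sample is likely to touch; dumping a DLL's export table is the quick way.
CANDIDATES = {
    "kernel32.dll": [
        "LoadLibraryA", "VirtualAlloc", "VirtualProtect", "CreateThread",
        "WaitForSingleObject", "ExitProcess", "ExitThread", "GetLastError",
        "Sleep", "WinExec",
    ],
    "wininet.dll": [
        "InternetOpenA", "InternetConnectA", "HttpOpenRequestA",
        "InternetSetOptionA", "HttpSendRequestA", "InternetReadFile",
        "InternetCloseHandle",
    ],
    "ws2_32.dll": ["WSAStartup", "WSASocketA", "connect", "recv", "send", "closesocket"],
}


def build_table(candidates=None) -> dict:
    """Map every candidate's hash to 'module!export' for reverse lookup."""
    candidates = candidates if candidates is not None else CANDIDATES
    return {api_hash(m, f): f"{m}!{f}" for m, fs in candidates.items() for f in fs}


def resolve(hashes, table=None) -> dict:
    """Resolve a list of immediates pulled from the disassembly. Unknown hashes
    stay marked so you know which DLLs still need to be added to CANDIDATES."""
    table = table if table is not None else build_table()
    return {h: table.get(h, "<unresolved>") for h in hashes}


if __name__ == "__main__":
    # Constructed input: constants as they would appear as `push 0x...`
    # immediates ahead of the resolver call. The last one is deliberately bogus.
    for h, name in resolve([0x0726774C, 0x56A2B5F0, 0xDEADBEEF]).items():
        print(f"{h:#010x} -> {name}")
```

When a hash stays unresolved, the usual cause is a DLL missing from the candidate list rather than a different algorithm; check the algorithm first by confirming that a hash you can see resolved in the debugger (the export the call lands on) matches `api_hash` for that module and export. If it does not, the sample has modified the rotation count or the case normalisation, and the Ghidra graph-view walk of the hash routine described later in the post is how you find out what changed.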
