Tuesday, January 14, 2025
HomeCyber Security NewsResearchers Released hrtng IDA Pro Plugin for Malware Analyst to Make Reverse...

Researchers Released hrtng IDA Pro Plugin for Malware Analyst to Make Reverse Engineering Easy

Published on

The Global Research and Analysis Team (GReAT) has announced the release of hrtng, a cutting-edge plugin for IDA Pro, one of the most prominent tools for reverse engineering.

Designed specifically to enhance the efficiency of malware analysis, hrtng provides analysts with powerful features that automate and simplify the otherwise intricate tasks involved in dissecting malicious binaries.

The Evolution of hrtng

The journey of hrtng began in 2016 as a fork of the hexrays_tools plugin, originally developed by Milan Bohacek.

Under the leadership of Sergey Belov, an expert reverse engineer at GReAT, hrtng has undergone continuous upgrades to address the evolving challenges of malware analysis.

This includes integrating and updating functionalities from abandoned plugins to ensure compatibility with the latest versions of the IDA Pro SDK.

Free Webinar on Best Practices for API vulnerability & Penetration Testing:  Free Registration

After years of internal use, the team shared this powerful tool with the global cybersecurity community.

The source code of hrtng, now available on GitHub under the GPLv3 license, allows researchers and analysts worldwide to utilize, modify, and build upon its capabilities.

Transforming Malware Reverse Engineering

Reverse engineering malware can be an arduous and time-intensive task, especially when faced with obfuscated assemblies, encrypted payloads, or elaborate anti-analysis techniques.

The hrtng plugin tackles these challenges head-on with a suite of innovative features aimed at streamlining the process.

Key Features of hrtng

  1. Data Decryption Made Easy:
    Decrypting encrypted shellcode or data within a malware sample is now a matter of a few clicks. With hrtng, analysts can use the Decrypt Data feature to specify an encryption algorithm (such as XOR, RC4, or AES) and key, simplifying the extraction of readable content.
Decryption made easy
  1. Handling Complex PE Formats:
    Malware often uses modified Portable Executable (PE) file formats to hinder analysis. hrtng enables the seamless application of PE structures and fields, ensuring analysts can correctly parse and analyze even tampered PE components.
  1. API Hash Resolution:
    Many malware samples employ API hashing to obscure their interaction with the operating system. The plugin’s API Hashes Scan automatically detects and resolves these hashes, revealing the hidden API functions and adding helpful comments in IDA.
API Hash Resolution
  1. Obfuscated Code Decompilation:
    Obfuscation techniques, such as inserting junk instructions or deceptive conditional jumps, can confuse disassemblers. The Decompile Obfuscated Code feature efficiently removes such distractions, restoring clarity to the disassembled or decompiled code.
  2. Code Signature Recognition:
    Leveraging an advanced alternative to IDA’s FLIRT tool, hrtng’s MSIG (based on decompiled code rather than disassembly) excels in recognizing function signatures, even in heavily obfuscated binaries.
  3. Enhanced User Experience:
    The plugin simplifies navigation and readability with features like bracket highlighting for loops and conditional blocks, quick data type assignments, and robust integration with IDA scripts.

To showcase the power of hrtng, the team analyzed FinSpy, a sophisticated spyware program.

The plugin not only streamlined the decryption of the shellcode but also helped unpack a tampered PE payload, resolve API hashes, and tackle advanced obfuscation techniques like FinSpy’s virtualization-based code protection.

Tasks that typically require hours (or even days) of manual effort were reduced to a few automated steps with hrtng.

By releasing hrtng, the GReAT team has made an invaluable contribution to the cybersecurity community, as per the report by SecureList.

With its ability to automate labor-intensive processes and tackle complex malware techniques, the plugin empowers analysts to focus on critical aspects of their investigations.

As malware threats grow more sophisticated, tools like hrtng are poised to play a pivotal role in enhancing the effectiveness of digital forensics and threat intelligence efforts. 

Researchers are optimistic that hrtng will not only streamline their workflows but also inspire further innovation in the field of malware analysis.

By bridging the gap between efficiency and precision, this plugin could become a cornerstone in the arsenal of reverse engineers worldwide.

Analyse Real-World Malware & Phishing Attacks With ANY.RUN - Get up to 3 Free Licenses

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Google’s “Sign in with Google” Flaw Exposes Millions of Users’ Details

A critical flaw in Google's "Sign in with Google" authentication system has left millions...

Hackers Attacking Internet Connected Fortinet Firewalls Using Zero-Day Vulnerability

A widespread campaign targeting Fortinet FortiGate firewall devices with exposed management interfaces on the...

Critical macOS Vulnerability Lets Hackers to Bypass Apple’s System Integrity Protection

Microsoft Threat Intelligence has uncovered a critical macOS vulnerability that allowed attackers to bypass...

CISA Released A Free Guide to Enhance OT Product Security

To address rising cyber threats targeting critical infrastructure, the U.S. Cybersecurity and Infrastructure Security...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Google’s “Sign in with Google” Flaw Exposes Millions of Users’ Details

A critical flaw in Google's "Sign in with Google" authentication system has left millions...

Hackers Attacking Internet Connected Fortinet Firewalls Using Zero-Day Vulnerability

A widespread campaign targeting Fortinet FortiGate firewall devices with exposed management interfaces on the...

Critical macOS Vulnerability Lets Hackers to Bypass Apple’s System Integrity Protection

Microsoft Threat Intelligence has uncovered a critical macOS vulnerability that allowed attackers to bypass...