Researchers Released hrtng IDA Pro Plugin for Malware Analyst to Make Reverse Engineering Easy

The Global Research and Analysis Team (GReAT) has announced the release of hrtng, a cutting-edge plugin for IDA Pro, one of the most prominent tools for reverse engineering.

Designed specifically to enhance the efficiency of malware analysis, hrtng provides analysts with powerful features that automate and simplify the otherwise intricate tasks involved in dissecting malicious binaries.

The Evolution of hrtng

The journey of hrtng began in 2016 as a fork of the hexrays_tools plugin, originally developed by Milan Bohacek.

Under the leadership of Sergey Belov, an expert reverse engineer at GReAT, hrtng has undergone continuous upgrades to address the evolving challenges of malware analysis.

This includes integrating and updating functionalities from abandoned plugins to ensure compatibility with the latest versions of the IDA Pro SDK.

Free Webinar on Best Practices for API vulnerability & Penetration Testing:  Free Registration

After years of internal use, the team shared this powerful tool with the global cybersecurity community.

The source code of hrtng, now available on GitHub under the GPLv3 license, allows researchers and analysts worldwide to utilize, modify, and build upon its capabilities.

Transforming Malware Reverse Engineering

Reverse engineering malware can be an arduous and time-intensive task, especially when faced with obfuscated assemblies, encrypted payloads, or elaborate anti-analysis techniques.

The hrtng plugin tackles these challenges head-on with a suite of innovative features aimed at streamlining the process.

Key Features of hrtng

1. Data Decryption Made Easy:
   Decrypting encrypted shellcode or data within a malware sample is now a matter of a few clicks. With hrtng, analysts can use the Decrypt Data feature to specify an encryption algorithm (such as XOR, RC4, or AES) and key, simplifying the extraction of readable content.

2. Handling Complex PE Formats:
   Malware often uses modified Portable Executable (PE) file formats to hinder analysis. hrtng enables the seamless application of PE structures and fields, ensuring analysts can correctly parse and analyze even tampered PE components.

3. API Hash Resolution:
   Many malware samples employ API hashing to obscure their interaction with the operating system. The plugin’s API Hashes Scan automatically detects and resolves these hashes, revealing the hidden API functions and adding helpful comments in IDA.

4. Obfuscated Code Decompilation:
   Obfuscation techniques, such as inserting junk instructions or deceptive conditional jumps, can confuse disassemblers. The Decompile Obfuscated Code feature efficiently removes such distractions, restoring clarity to the disassembled or decompiled code.
5. Code Signature Recognition:
   Leveraging an advanced alternative to IDA’s FLIRT tool, hrtng’s MSIG (based on decompiled code rather than disassembly) excels in recognizing function signatures, even in heavily obfuscated binaries.
6. Enhanced User Experience:
   The plugin simplifies navigation and readability with features like bracket highlighting for loops and conditional blocks, quick data type assignments, and robust integration with IDA scripts.

To showcase the power of hrtng, the team analyzed FinSpy, a sophisticated spyware program.

The plugin not only streamlined the decryption of the shellcode but also helped unpack a tampered PE payload, resolve API hashes, and tackle advanced obfuscation techniques like FinSpy’s virtualization-based code protection.

Tasks that typically require hours (or even days) of manual effort were reduced to a few automated steps with hrtng.

By releasing hrtng, the GReAT team has made an invaluable contribution to the cybersecurity community, as per the report by SecureList.

With its ability to automate labor-intensive processes and tackle complex malware techniques, the plugin empowers analysts to focus on critical aspects of their investigations.

As malware threats grow more sophisticated, tools like hrtng are poised to play a pivotal role in enhancing the effectiveness of digital forensics and threat intelligence efforts. 

Researchers are optimistic that hrtng will not only streamline their workflows but also inspire further innovation in the field of malware analysis.

By bridging the gap between efficiency and precision, this plugin could become a cornerstone in the arsenal of reverse engineers worldwide.

Analyse Real-World Malware & Phishing Attacks With ANY.RUN - Get up to 3 Free Licenses