What is inline resolving?
In the world of malicious software, inline resolving APIs refer to a method used by malware authors to dynamically resolve and call functions from system libraries without directly importing them. This technique helps evade static analysis and detection mechanisms.
Instead of statically linking to the APIs, malware employs various tricks to resolve the function addresses at runtime. Here’s a simplified overview of how it works:
- The malware contains encrypted or obfuscated code that includes placeholders for API function names or hashes.
- During runtime, the malware decrypts or deobfuscates the relevant code section, allowing it to access the API placeholders.
- The malware then resolves the actual addresses of the required functions by dynamically parsing system libraries (e.g., kernel32.dll, advapi32.dll) or by manually walking the host process's Import Address Table (IAT).
- Once the malware has obtained the function addresses, it can invoke the APIs directly using function pointers or other techniques.
MY SAMPLE
While analyzing a sample of BlackMatter ransomware, I noticed that the import table is very small.
Digging further, I reached this junk-looking code in sub_405A86; it appears to reference imported functions that we cannot identify.
Stepping into this function, the computed value is XORed with that constant:
USING HASHDB
So I will use the HashDB plugin for my analysis:
1. Set the XOR key so that lookups take it into account.
2. Hunt for the hashing algorithm the malware uses.
3. Choose the matching algorithm, which is add_ror13.
4. Scan for the IAT, then run a lookup, which renames the junk code to the specific API.
I did this for all 14 imports and got the imports like this:
Finally, I turned every DWORD into a structure, renamed them, and pointed every unk_))))) reference at its structure so the APIs are resolved in the code,
like this:
Finally, all the APIs are resolved, and we can confirm that by checking the xrefs to them in the malware:
From that point on, the analysis process is much easier.
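To make the lookup that HashDB performed in the steps above concrete, here is an added example (not code from the original post or from the HashDB project) that reproduces it offline: it computes add_ror13 over candidate export names, applies the XOR key, and matches the results against hashes pulled from a binary. It assumes add_ror13 rotates the running 32-bit hash right by 13 and then adds the next byte (the classic ROR13 form; if the plugin's variant orders the two steps differently, swap them), and the XOR key and export list are constructed placeholders, not values from the sample.

```python
# Added example: resolving add_ror13 API hashes (XORed with a constant)
# back to export names, the same lookup HashDB performs inside IDA.
from typing import Dict, Iterable, List, Optional

MASK32 = 0xFFFFFFFF


def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits`."""
    bits %= 32
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def add_ror13(name: str) -> int:
    """Assumed add_ror13: h = ror13(h) + byte, for each byte of the ASCII name."""
    h = 0
    for b in name.encode("ascii"):
        h = (ror32(h, 13) + b) & MASK32
    return h


def stored_hash(name: str, xor_key: int) -> int:
    """The value the binary embeds: the name hash XORed with a fixed key."""
    return add_ror13(name) ^ xor_key


def build_table(candidates: Iterable[str], xor_key: int) -> Dict[int, str]:
    """Precompute embedded-hash -> export-name for every candidate name."""
    return {stored_hash(n, xor_key): n for n in candidates}


def resolve_hashes(hashes: Iterable[int], xor_key: int,
                   candidates: Iterable[str]) -> List[Optional[str]]:
    """Map each embedded hash to a name, or None when no candidate matches."""
    table = build_table(candidates, xor_key)
    return [table.get(h) for h in hashes]


# Constructed inputs: placeholder key and a short export list.
XOR_KEY = 0x12345678  # placeholder; use the constant seen in the sample
CANDIDATE_EXPORTS = ["LoadLibraryA", "GetProcAddress", "VirtualAlloc",
                     "CreateFileW", "OpenProcessToken", "CryptAcquireContextW"]

if __name__ == "__main__":
    # Constructed "embedded" hashes, as they would be read out of the DWORD table.
    embedded = [stored_hash("GetProcAddress", XOR_KEY),
                stored_hash("VirtualAlloc", XOR_KEY), 0xDEADBEEF]
    for h, name in zip(embedded, resolve_hashes(embedded, XOR_KEY, CANDIDATE_EXPORTS)):
        print(f"{h:#010x} -> {name or '<unresolved: extend the export list>'}")
```

An unresolved hash means the export list (or the assumed algorithm or key) is incomplete, which is exactly the situation in which HashDB's algorithm hunt in step 2 is needed.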
Sample: 22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6