hrtng: A Powerful IDA Pro Plugin for Malware Reverse Engineering

Researchers from Kaspersky’s Global Research and Analysis Team have released a powerful new IDA Pro plugin called “hrtng,” designed to streamline and simplify the complex process of malware reverse engineering.

This open-source tool, now available on GitHub under the GPLv3 license, promises to be a game-changer for cybersecurity professionals and malware analysts worldwide.

hrtng is not just another plugin; it’s a comprehensive toolkit tailored specifically for dissecting complex malware samples. The plugin was initially developed by forking the hexrays_tools plugin by Milan Bohacek, with significant enhancements by Sergey Belov, a highly experienced reverse engineer.

Over the years, hrtng has grown to cover features IDA Pro itself lacks, such as string decryption and decompilation of obfuscated code, and it absorbs capabilities from plugins whose authors have abandoned them, keeping those capabilities working against the latest IDA SDK versions.


Key Features of hrtng

The hrtng plugin, which has been in development since 2016, offers a wide array of features tailored specifically for malware analysis:

String Decryption: The plugin can decrypt obfuscated strings commonly used by malware to hide suspicious content.

Decompilation of Obfuscated Assemblies: hrtng can decompile complex, obfuscated code, making it easier for analysts to understand the malware’s functionality.

API Hash Recognition: The plugin automatically identifies and labels API function hashes, a technique often used by malware to conceal its intentions.

Code Beautification: hrtng enhances code readability by highlighting brackets and enabling easy navigation between them.

MSIG Function Recognition: Unlike traditional FLIRT signatures, hrtng uses MSIG technology based on decompiled code, allowing for more robust function identification in heavily obfuscated binaries.
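The API hash recognition feature above rests on a simple idea: precompute the hash of every known export name and look up the constants found in the code. The following is an added example of that lookup, not hrtng's or Kaspersky's code; it assumes the ROR13 scheme (one common algorithm, while a given sample may use another or also fold in the DLL name), and the export list and observed constants are constructed for illustration.

```python
# Added example, not hrtng's code: the lookup table an analyst builds to label
# hashed API references. Assumptions: the ROR13 scheme (one common algorithm;
# a given sample may use another or also fold in the DLL name), and the export
# list and observed constants are constructed here for illustration.
MASK32 = 0xFFFFFFFF

def ror32(value, count):
    """Rotate a 32-bit value right by `count` bits."""
    value &= MASK32
    return ((value >> count) | (value << (32 - count))) & MASK32

def ror13_hash(name):
    """Hash an ASCII export name: rotate right by 13, add the next byte, NUL included."""
    h = 0
    for byte in name.encode("ascii") + b"\x00":
        h = (ror32(h, 13) + byte) & MASK32
    return h

def build_hash_table(exports):
    """Map hash -> export name. A collision (two names, one hash) is reported
    rather than silently overwritten, since a wrong label misleads the analyst."""
    table = {}
    for name in exports:
        h = ror13_hash(name)
        if h in table and table[h] != name:
            raise ValueError(f"hash collision: {table[h]} / {name} -> {h:#010x}")
        table[h] = name
    return table

def resolve_hashes(table, constants):
    """Label each 32-bit constant seen in the code; unknown ones map to None."""
    return {c: table.get(c & MASK32) for c in constants}

# Constructed export list; a real table is built from the DLL's export directory.
SAMPLE_EXPORTS = ["LoadLibraryA", "GetProcAddress", "VirtualAlloc",
                  "CreateFileA", "WriteFile", "ExitProcess"]

if __name__ == "__main__":
    table = build_hash_table(SAMPLE_EXPORTS)
    # Constructed constants, as they might appear as immediates in a disassembly.
    seen = [ror13_hash("VirtualAlloc"), ror13_hash("CreateFileA"), 0xDEADBEEF]
    for const, label in resolve_hashes(table, seen).items():
        print(f"{const:#010x} -> {label or '<unresolved>'}")
```

An unresolved constant is the signal to try another hashing scheme or a wider export list rather than to trust the label.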

To demonstrate the plugin’s capabilities, Kaspersky researchers used hrtng to analyze a component of the sophisticated FinSpy spyware. The plugin proved invaluable in several key areas:

  1. Decrypting shellcode and dumping the payload
  2. Identifying and labeling API hashes
  3. Parsing and correcting malformed PE structures
  4. Removing junk code inserted to confuse disassemblers
  5. Decompiling and analyzing virtualization-based obfuscation

These tasks, typically requiring significant time and effort, were accomplished efficiently using hrtng’s automated features.

The release of hrtng is expected to impact the field of malware analysis significantly. The plugin allows analysts to focus on higher-level analysis and threat assessment by automating tedious and time-consuming tasks. This could lead to faster identification and mitigation of new malware threats.

hrtng is now freely available on GitHub and includes source code, binaries, and documentation. The Kaspersky team encourages the cybersecurity community to contribute to the project, which could lead to further enhancements and features.

As malware evolves in complexity, tools like hrtng become increasingly crucial in the ongoing battle against cyber threats. By open-sourcing this powerful plugin, Kaspersky is empowering the global cybersecurity community with advanced capabilities to combat sophisticated malware more effectively.


The post hrtng: A Powerful IDA Pro Plugin for Malware Reverse Engineering appeared first on Cyber Security News.