Merge pull request #1098 from HackTricks-wiki/update_Evolving_Tactics_of_SLOW_TEMPEST__A_Deep_Dive_Into_20250711_124156

carlospolop · web-flow · commit e95a73ddfaea · 2025-07-13T04:42:46.000+02:00
Evolving Tactics of SLOW#TEMPEST A Deep Dive Into Advanced M...
diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md
@@ -169,7 +169,98 @@ If the files of a folder **shouldn't have been modified**, you can calculate the
 
 When the information is saved in logs you can **check statistics like how many times each file of a web server was accessed as a web shell might be one of the most**.
 
-{{#include ../../banners/hacktricks-training.md}}
+---
+
+## Deobfuscating Dynamic Control-Flow (JMP/CALL RAX Dispatchers)
+
+Modern malware families heavily abuse Control-Flow Graph (CFG) obfuscation: instead of a direct jump/call they compute the destination at run-time and execute a `jmp rax` or `call rax`.  A small *dispatcher* (typically nine instructions) sets the final target depending on the CPU `ZF`/`CF` flags, completely breaking static CFG recovery.
+
+The technique – showcased by the SLOW#TEMPEST loader – can be defeated with a three-step workflow that only relies on IDAPython and the Unicorn CPU emulator.
+
+### 1. Locate every indirect jump / call
+
+```python
+import idautils, idc
+
+for ea in idautils.FunctionItems(idc.here()):
+    mnem = idc.print_insn_mnem(ea)
+    if mnem in ("jmp", "call") and idc.print_operand(ea, 0) == "rax":
+        print(f"[+] Dispatcher found @ {ea:X}")
+```
+
+### 2. Extract the dispatcher byte-code
+
+```python
+import idc
+
+def get_dispatcher_start(jmp_ea, count=9):
+    s = jmp_ea
+    for _ in range(count):
+        s = idc.prev_head(s, 0)
+    return s
+
+start = get_dispatcher_start(jmp_ea)
+size  = jmp_ea + idc.get_item_size(jmp_ea) - start
+code  = idc.get_bytes(start, size)
+open(f"{start:X}.bin", "wb").write(code)
+```
+
+### 3. Emulate it twice with Unicorn
+
+```python
+from unicorn import *
+from unicorn.x86_const import *
+import struct
+
+def run(code, zf=0, cf=0):
+    BASE = 0x1000
+    mu = Uc(UC_ARCH_X86, UC_MODE_64)
+    mu.mem_map(BASE, 0x1000)
+    mu.mem_write(BASE, code)
+    mu.reg_write(UC_X86_REG_RFLAGS, (zf << 6) | cf)
+    mu.reg_write(UC_X86_REG_RAX, 0)
+    mu.emu_start(BASE, BASE+len(code))
+    return mu.reg_read(UC_X86_REG_RAX)
+```
+
+Run `run(code,0,0)` and `run(code,1,1)` to obtain the *false* and *true* branch targets.
+
+### 4. Patch back a direct jump / call
+
+```python
+import struct, ida_bytes
+
+def patch_direct(ea, target, is_call=False):
+    op   = 0xE8 if is_call else 0xE9           # CALL rel32 or JMP rel32
+    disp = target - (ea + 5) & 0xFFFFFFFF
+    ida_bytes.patch_bytes(ea, bytes([op]) + struct.pack('<I', disp))
+```
+
+After patching, force IDA to re-analyse the function so the full CFG and Hex-Rays output are restored:
+
+```python
+import ida_auto, idaapi
+idaapi.reanalyze_function(idc.get_func_attr(ea, idc.FUNCATTR_START))
+```
+
+### 5. Label indirect API calls
+
+Once the real destination of every `call rax` is known you can tell IDA what it is so parameter types & variable names are recovered automatically:
+
+```python
+idc.set_callee_name(call_ea, resolved_addr, 0)  # IDA 8.3+
+```
+
+### Practical benefits
+
+* Restores the real CFG → decompilation goes from *10* lines to thousands.
+* Enables string-cross-reference & xrefs, making behaviour reconstruction trivial.
+* Scripts are reusable: drop them into any loader protected by the same trick.
+
+---
 
+## References
 
+- [Unit42 – Evolving Tactics of SLOW#TEMPEST: A Deep Dive Into Advanced Malware Techniques](https://unit42.paloaltonetworks.com/slow-tempest-malware-obfuscation/)
 
+{{#include ../../banners/hacktricks-training.md}}
