Adversaries are increasingly writing malware in programming languages such as Go, Rust, or Nim, because they present challenges to investigators using reverse-engineering tools designed to work best against the C family of languages.
It’s often difficult for reverse engineers examining non-C languages to differentiate between the malware author’s code and the language’s standard library code. In the vast majority of cases, Hex-Rays’ Interactive Disassembler (IDA) has the out-of-the-box capability to identify library functions, or to generate custom Fast Library Identification and Recognition Technology (FLIRT) signatures, and so solve the issue.
But for Nim, generating signatures is distinctly more difficult. Cisco Talos is excited to announce a new project to find an automated way to generate custom FLIRT signatures for IDA, which led to a talk at Recon.cx 2023 and a guest blog on Hex-Rays. This blog describes the technical details of our research.