{
	"id": "1e342c89-29f7-4ae0-80f1-025380d5af8f",
	"created_at": "2026-04-06T00:13:09.659547Z",
	"updated_at": "2026-04-10T03:21:31.516159Z",
	"deleted_at": null,
	"sha1_hash": "0a7f64eb7fc1927016a30a5ce1e55b3d2de3678a",
	"title": "Weekend Project: A Custom IDA Loader Module for the Hidden Bee Malware Family — Möbius Strip Reverse Engineering",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 43036,
	"plain_text": "Weekend Project: A Custom IDA Loader Module for the Hidden Bee Malware Family — Möbius Strip Reverse Engineering\r\nBy Rolf Rolles\r\nPublished: 2018-09-02 · Archived: 2026-04-05 18:42:09 UTC\r\nGiven that custom loaders are the only variety of IDA plugin that I haven't yet written, this seemed like a nice small-scope project for the weekend to round out my knowledge. My very minor contribution with this entry is the IDA custom loader for the Hidden Bee format, which can be found on my GitHub. The IDAPython code requires that Ero Carrera's pefile module be installed, say via pip.\r\nHidden Bee\r\nIn brief, the Hidden Bee malware family distributes payloads in a customized file format, which is a heavily stripped-down version of the PE file format. You can see all of the details in hasherezade's write-up. I did no original malware analysis for this project; I merely read her blog entry, figured out how to convert the details into a loader plugin, and then debugged it against the sample links she gave. As usual, Chris Eagle's The IDA Pro Book, 2nd Edition was useful. Some details about the loader API have changed with the IDA 7.x API port, but Hex-Rays' porting guide was informative, and the loader examples in the IDA 7.1 SDK have also been ported to the newest API.\r\nIDA Loader Modules in Brief\r\nAn IDA loader module is simply an IDA plugin with a well-defined interface. IDA loader modules will be called when loading any file into IDA. They have two primary responsibilities:\r\n1. Given access to the bytes of a file, determine whether the file is of a format that the loader module can handle. Every IDA loader module must export a function named accept_file for this purpose. This function returns 0 if it can't recognize the file format, or a non-zero value if it can.\r\n2. If the file type can be loaded by the module, and the user chooses to use this module to load the file, perform the actual loading process, e.g., creating segments within the IDB, copying bytes out of the file into the segments, processing relocations, parsing imports, adding entrypoints, and so on. Every IDA loader module must export a function named load_file for this purpose.\r\nBoth of these functions take as input a \"linput_t *\" object that behaves like a C FILE * object, which supports seeking to specified positions, reading byte arrays out of the file, and so on. Since Hidden Bee's format includes relocations, I chose to implement a third, optional IDA loader module function: move_segm. This function will be called by the IDA kernel when the user requests that the database be relocated to another address.\r\nWriting a Loader Module for Hidden Bee\r\nhttps://www.msreverseengineering.com/blog/2018/9/2/weekend-project-a-custom-ida-loader-module-for-the-hidden-bee-malware-family\r\nAfter reading the aforementioned write-up, I figured that the only difficulties in loading Hidden Bee images in IDA would be A) that the Hidden Bee customized header specifies API imports via hash rather than by name, and B) that it includes relocation information. Relocations and import lookup via hash are simple enough conceptually, but the precise details about how best to integrate them with IDA are not obvious. Sadly, I did not feel confident in these tasks even after reading the loader module examples in the SDK. Four out of the five hours I spent on this project were reverse engineering %IDADIR%\\loaders\\pe.dll -- the loader module for the PE file format -- focusing in particular on its handling of relocations and imports. As expected, the results are idiosyncratic and I don't expect them to generalize well.\r\nImports\r\nFor dealing with the imports by hash, hasherezade's toolchain ultimately generates a textual file with the addresses of the import hash names and their corresponding plaintext API string. Then, she uses one of her other plugins to create repeating comments at the addresses of the import hash DWORDs. Instead, I wanted IDA to show me the import information the same way it would in a normal binary -- i.e., I wanted IDA to set the proper type signature on each import. I figured this might be difficult, but after a few hours reverse engineering the virtual functions for the pe_import_visitor_t class (partially documented in %IDASDK%\\ldr\\pe\\common.hpp), it turns out that all you have to do to trigger this functionality is simply to set the name of the DWORD to something from a loaded type library.\r\nHere's a screenshot showing IDA successfully applying the type information to the APIs:\r\nRelocations\r\nFor the IMAGE_REL_BASED_HIGHLOW relocations common in PE files, each can ultimately be processed via straightforward translation of the relocation information into IDA's fixup_data_t data structures, and then passing them to the set_fixup API. The SDK examples did not give a straightforward idea of what I needed to do to handle PE IMAGE_REL_BASED_HIGHLOW relocations properly, so I reverse engineered pe.dll to figure out exactly what needed to happen with the relocations. (Fortunately, reverse engineering IDA is trivial due to the availability of its SDK.) If you wish, you can see the results in the do_reloc function. Don't ask me to explain why it works; however, it does work.\r\nHere's a before and after comparison of rebasing the database from base address 0x0 to base address 0x12340000. Note particularly that the red underlined bytes change.\r\nBefore:",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.msreverseengineering.com/blog/2018/9/2/weekend-project-a-custom-ida-loader-module-for-the-hidden-bee-malware-family"
	],
	"report_names": [
		"weekend-project-a-custom-ida-loader-module-for-the-hidden-bee-malware-family"
	],
	"threat_actors": [],
	"ts_created_at": 1775434389,
	"ts_updated_at": 1775791291,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0a7f64eb7fc1927016a30a5ce1e55b3d2de3678a.pdf",
		"text": "https://archive.orkl.eu/0a7f64eb7fc1927016a30a5ce1e55b3d2de3678a.txt",
		"img": "https://archive.orkl.eu/0a7f64eb7fc1927016a30a5ce1e55b3d2de3678a.jpg"
	}
}