Description
Introduction
I was analysing QakBot sample af6a9b7e7aefeb903c76417ed2b8399b73657440ad5f8b48a25cfe5e97ff868f when I came across this. In this sample (and probably more QakBot samples) the struct creation is particularly useful, as the resolved APIs are written to a contiguous array of function pointers. Modelling this as a struct will result in nice decompiled code.
Bug Description
Currently, the plugin emits the struct members in a random order when it creates the struct of resolved APIs, which effectively scrambles which API name is attached to which slot during analysis. Needless to say, this makes the struct completely unusable for analysis.
Bug Reproduction
Assuming you don't want to build your own sample just to see this bug, you can use the QakBot sample I mentioned earlier.
- Get a copy of the sample off VT or MalwareBazaar.
- Go to offset `0x180024dd0` and set the type there as `int[83]`.
- Select this region of memory and start the HashDB script.
- Enter the Hash Transformation `X ^ 0xA235CB91` and the Hash Algorithm `crc32`.
- Go to Output Settings, choose a Data Type Name and select `Generate Struct`.
- Hit `Query!` and wait for completion.
- Check the resulting data type against the list of resolved APIs (sort the list by Location!) and you will see that the members are randomized.
Expectation
The members of the resulting struct must be sorted by the address of their hash, so that struct offset N corresponds to array index N.
I fixed it in a rather inelegant way. I'll open a pull request later, but take that more as a sanity check / PoC rather than a fix that should be merged as-is.
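As an added illustration (not the plugin's own code) of why the ordering matters and what the fix amounts to: a constructed table in the shape of the sample's `int[]` hash array is resolved through the `X ^ 0xA235CB91` / `crc32` lookup, and the hits are then laid out as struct members sorted by hash address. The API names, the assumption that HashDB's `crc32` is plain CRC-32, and the 8-byte pointer slot size are all assumptions, not values from the sample.

```python
import zlib

XOR_KEY = 0xA235CB91      # Hash Transformation from the issue: X ^ 0xA235CB91
HASH_BASE = 0x180024DD0   # address of the int[] hash array from the issue
PTR_SIZE = 8              # 64-bit sample: one function pointer per resolved API

# Constructed stand-in for the resolved API list; not the names from the sample.
API_NAMES = ["CreateFileW", "ReadFile", "WriteFile", "CloseHandle", "VirtualAlloc"]


def stored_hash(name: str) -> int:
    """Value the loader keeps in the array: crc32(name) with the XOR applied.
    Assumes HashDB's 'crc32' is the plain zlib CRC-32."""
    return zlib.crc32(name.encode()) ^ XOR_KEY


def build_hash_array(names=API_NAMES):
    """Constructed int[] table: address -> stored 32-bit hash, one per name."""
    return {HASH_BASE + 4 * i: stored_hash(n) for i, n in enumerate(names)}


def resolve(hash_array, known_names):
    """Undo the transformation and look each hash up. Returns a set, which is
    exactly the unordered shape that produces randomised struct members."""
    table = {zlib.crc32(n.encode()): n for n in known_names}
    hits = set()
    for addr, stored in hash_array.items():
        name = table.get(stored ^ XOR_KEY)
        if name is not None:
            hits.add((addr, name))
    return hits


def struct_members(hits, base=HASH_BASE, ptr_size=PTR_SIZE):
    """Fixed ordering: sort by the address of the hash and derive the struct
    offset from the array index, so an unresolved slot leaves a gap instead
    of shifting every later member. Returns [(offset, member_name), ...]."""
    members = []
    for addr, name in sorted(hits):
        index = (addr - base) // 4          # int[] element index
        members.append((index * ptr_size, name))
    return members


if __name__ == "__main__":
    for off, name in struct_members(resolve(build_hash_array(), API_NAMES)):
        print(f"0x{off:02x} {name}")
```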