Analyze JavaScript and VBScript Malware With x64dbg Debugger and API Hooking

Views: 15,671

OALabs


1 day ago

Comments: 40
@huyvuquang2041 2 years ago
Amazing way to analyze jscript file. Love your vid
@MalwareAnalysisForHedgehogs 7 years ago
I never thought about analyzing JScript files this way. Thanks for the video! Good to have this technique in the back of my head. Btw, this is JScript, not JavaScript.
@OALABS 7 years ago
Ah you are right, I was lazy ... I should have been saying JScript. I wanted to say JavaScript in the title because a lot of people know this as "JavaScript" but I should have clarified in the video and used the right terminology : )
@ganeshkumargopinathan6375 6 years ago
Best video for script debugging ! You guys are awesome!!!
@ganeshkumargopinathan6375 6 years ago
Please can you tell me... how to find the APIs and DLLs used by WScript to run our .js file? Would Procmon or API Monitor be helpful to trace it?
@mrexodia 7 years ago
Minor correction about DLL breakpoints, they actually just break when a DLL is loaded and after that on the DLL entry point (and TLS callbacks if they exist). Another tip, you can use gflags.exe (included with windbg) and change the ImageFlags to launch x96dbg.exe when mscript or powershell is started. That way it will automatically attach the debugger to it :) You can also use the address view in the dump for a quick overview of a struct with its strings if the struct is pointer aligned. It is also possible to use the struct view to display more complex structs but this isn’t a great workflow yet :)
@OALABS 7 years ago
Whoa cool, are you THE Duncan Ogilvie (mrexodia)??? If you are, then many many thanks for all your work!! These tips are great, and thanks for the extra info on how the DLL breakpoints are set; I made a bad assumption due to the double break. I have recently been trying to force myself to use x64dbg so I can finally replace OllyDbg, but I'm still not super familiar with it. Keep those tips coming! : ))
@Ivo-- 6 years ago
Great video as always. I really enjoy these, keep it up!
@witoldawacz6818 6 years ago
Awesome video! Just a small comment, I agree with Ethereal X0R ... The analysts, especially those from IR, must be sure of any possible callbacks/additional fallback IPs/domains, which could be missed if we use hooking etc. The hooking technique is extremely useful though for fast triage. Thanks again for the valuable content that you are producing.
@OALABS 6 years ago
Thanks! And absolutely, you guys are right. If you just want to quickly rip out the C2, hooking is great, but if you need to do a more in-depth analysis you are going to have to start deobfuscating the code. Also a great point about the fallback domains; that is something Sean has talked about in some of our other tutorials... just because you get one domain with a sandbox doesn't mean it's the only one : ) A really good lesson for anyone doing IR and probably something I should have mentioned in this vid! Thanks again!
@fade242black 6 years ago
Great video of a cool technique. Keep up the great work!
@mr_fearless 7 years ago
Nicely done. Also good and useful overview of using x64dbg for this.
@shans2408 6 years ago
You are one awesome guy. I have been looking all over the net for malware analysts until now. Love your videos, keep uploading. Btw, what if I manually look for ShellExecute in the scripts and replace it with print?
@OALABS 6 years ago
Thanks so much! Also, you are absolutely correct, replacing interesting calls with print statements is a great way to see what the malware is doing. However, it might be more time consuming if there are multiple layers of decoding, because you will have to keep reading through each layer and adding the statements. For simpler scripts this will work, but for more complex ones either using API hooks as we have shown, or overriding the actual method with your own code in the script, are the quickest ways.
@justinrogers8096 5 years ago
Awesome content, thank you.
@AnuragGawande 4 years ago
Thanks for this cool video. Definitely will try it out. :)
@kumanish75 2 years ago
amazing video
@kg1582 7 years ago
Thanks for sharing. How do I download the "malicious JavaScript"? I can't find a download button on MalShare.
@OALABS 7 years ago
To download the sample you will first need to register for a free account here: malshare.com/register.php They will provide you with an API key when you register that you can use to download the sample here: malshare.com/pull.php Just enter your API key and the sample hash 7616fd825e223fb6f7bfdc0c025a2cf0196b8959cad69eda959c21a7d31e71d5
@kg1582 7 years ago
👍
@SoftDatCLS 6 years ago
Great job!!! Very nice video, bro.
@chaitanyaghorpade8092 4 years ago
Tried executing it on a 64-bit VM following the same steps, but on the breakpoint it got stuck at the sys32.dll entry point. So can anyone guide me regarding this issue?
@salemarsm 6 years ago
Amazing video... thanks!
@justreverseengineering836 1 year ago
I see you do a lot of static analysis. Maybe something like dynamic analysis featuring the x64dbg would be cool 😎. Thanks
@stevestef07 7 years ago
Great tutorial!
@artember1200 3 years ago
mind blown
@shell2673 6 years ago
thank you
@sathishds86ds 5 years ago
Thanks for these videos. I tried the same steps for a VBS script and it fails. Could you please share the steps for VBS?
@sathishds86ds 5 years ago
I mean the VBA macro.
@x-defenderlabs6101 5 years ago
thanks bro :")
@chinmay8954 7 years ago
Super helpful video, thanks a lot! :) How do you get around sleep-based evasions (using WScript.Sleep(), for example)? Possible ways would be to hook into ws2_32.dll or to use instrumentation to control those calls. Any other ideas which might be useful?
@OALABS 6 years ago
Thanks! This is a great question! So you are correct that the way I would proceed would be to maybe hook Kernel32 Sleep, or maybe some other APIs used to delay execution, and just return from the call immediately or change the sleep value to something smaller. I saw a good tip for this in another comment; in this video we show a very manual way of setting the hooks, but if you just wanted to trace all the API calls to see if there was some sleep-type call being made you could try API Monitor www.rohitab.com/apimonitor. This is a great tool for API tracing, and once you have identified the APIs that you want to hook you could then go back to frida-wshook or your debugger and implement the hook code.
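The sleep-shortening hook described in the reply above, written as an added Frida script (not OALabs' or frida-wshook's own code) for the wscript.exe/cscript.exe process being debugged. It assumes the Frida 16-era `Module.getExportByName`/`Interceptor` API, and the cap and threshold values are constructed; the decision logic is kept in a plain function so it also runs outside Frida.

```javascript
'use strict';

// Constructed analyst settings: cap any long Sleep() to this many milliseconds,
// and flag anything at or above the threshold as a probable sleep-based evasion.
const SLEEP_CAP_MS = 100;
const LONG_SLEEP_MS = 30 * 1000;

// Pure decision logic, separate from Frida so it can be tested in Node.
// Returns the value to hand to the real Sleep() and whether the request looked like a stall.
function clampSleep(requestedMs, capMs = SLEEP_CAP_MS) {
  const ms = requestedMs >>> 0;               // DWORD dwMilliseconds is unsigned 32-bit
  return {
    original: ms,
    patched: ms > capMs ? capMs : ms,
    suspicious: ms >= LONG_SLEEP_MS,          // INFINITE (0xFFFFFFFF) lands here too
  };
}

// Rolling record of every Sleep() seen, so the triage output shows evasion attempts.
const observed = [];
function recordSleep(requestedMs) {
  const r = clampSleep(requestedMs);
  observed.push(r);
  return r;
}

// Install the hook only when running inside Frida (Interceptor is undefined under Node).
if (typeof Interceptor !== 'undefined') {
  const sleepPtr = Module.getExportByName('kernel32.dll', 'Sleep');
  Interceptor.attach(sleepPtr, {
    onEnter(args) {
      const r = recordSleep(args[0].toUInt32());
      if (r.patched !== r.original) {
        console.log(`[sleep-hook] Sleep(${r.original}) -> Sleep(${r.patched})` +
                    (r.suspicious ? '  (likely sleep-based evasion)' : ''));
        args[0] = ptr(r.patched);             // rewrite the argument before the real Sleep runs
      }
    },
  });
}
```

Load it with `frida -l <script>.js` against the script host as the video does with x64dbg; WScript.Sleep() ends up in kernel32!Sleep, so the delay is cut while the original value is still logged for the report.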
@chinmay8954 6 years ago
Ah, I see. Thanks! :D
@taedopalleb1373 5 years ago
This is amazing, love the vid and the concept of YT channel that analyzes code #PapaBless
@OALABS 5 years ago
Haha thanks!