That's a great tip! Definitely the fastest way to do it if you just want the config... also something that could potentially be automated : )

Already automated but my python code is too ugly to show :D

Is it open source? Are you on GitHub? I can contribute to your code to make it less ugly, lol. JK. But truly, if you are willing to share, I am open to contributions. :)

I'm small time malware analyst :) no github, pastebin etc. May be it's time to get one. Sharing is no problem, but may it's better not to have the internals of security tools visible to malware devs.

Belial Black i agree. Very true. Well GitLab might be good idea for malware analysts because one can host private repositories for free. In GitHub no freenprivate repos. :) Forgot to mention, @OALabs great video like always ;)

Hey that's a great idea! With the IDE when you rename a variable in one spot it will rename it throughout the code right? If that's the case it would really speed this up. Thanks again, and awesome to hear that you enjoy the videos : )

Yes. That's exactly what I am talking about. I have used it in some of my programming projects and they are really useful when you want to rename something but throughout the whole project!

Thanks for the feedback, glad you found it helpful : )

The entry point for an exe will be listed in the exports table in the PE. Most disassemblers will automatically identify this for you but you can always find it by looking in the exports. If the PE was compiled with VisualStudio (and is windowed app) then the export address will contain some setup code before calling WinMain but you should be able to spot the call pretty easily.

@@OALABS Thanks for your reply. I know that entry point is listed in export table. However, compilers often add their code before making a jmp or call to the applications' code.I find it difficult to determine where the real "interesting code is. Appreciate if you can provide hints/tips for it. thanks

Ah ok, this is a great question! So I remember when I was first starting out this was a big issue for me too, especially with malware that had been compiled with Visual Studio (as mentioned above). The compiler inserts a bunch of exception handling stuff and setup code as you have pointed out. One of the tricks I used starting out was to compile some simple code (opening and setting a registry key) with the free version of Visual Studio then I disassembled it in IDA and looked at the extra stuff that VS had added. I tried this for a few different compiler settings and project types to see the difference. After a while you can start to see a pattern of the VS code so you can mentally ignore it when you have to deal with real malware. This is a really good idea for a video and something we will probably cover this year, thanks!

Hey glad you found the video helpful! I haven't looked at the C2 communication for Adwind very closely. I think where I would start is looking at the unpacked decoy version that is dropped since it is much easier to deobfuscate that than trying to extract the real Adwind classes directly from memory. The decoy version may have some hints about how the C2 messages are built and sent? If you post a blog on your findings I would be very interested to read it! Good luck!

Hey this is a great question and something that we get asked about a lot. I'm not sure it would make a great video since a lot of the suggestions are just pointers to other resources but I can do my best to provide an outline here. I think this is going to be a long response so apologies in advance ... As far as the actual learning path there are so many different ways to approach this depending on what you are interested in and what motivates you. Personally I find that I learn a lot faster if that learning is tied to completing a specific task... it just seems to motivate me more, but it may not be the same for everyone. For me picking a single piece of malware and then working through it step by step until I could understand each component was how I learned most of the skills I use today. As for actually learning these skills there are some resources I can point you to (as well as some shameless plugs for our own videos). These are ordered to reflect the natural progression of learning from the basics up to full-on reverse engineering. Getting Malware Samples To Analyze kzbin.info/www/bejne/iXSth4pnep2XfKM Setting up a VM for analysis: oalabs.openanalysis.net/2018/07/16/oalabs_malware_analysis_virtual_machine/ or kzbin.info/www/bejne/p4iQfa2ii7aseck Setting up Network Analysis For Your VM kzbin.info/www/bejne/epuuo2CDjq6krtE Getting Started With Behavioural Analysis kzbin.info/www/bejne/pKCoo4J7fch0oJo Detecting Packed Malware kzbin.info/www/bejne/bnLcfmWipN9md7c kzbin.info/www/bejne/qqnRkqSAermHaMk What is a Packer kzbin.info/www/bejne/q6nPoYWlm5aEjdU How To Use a Sandbox kzbin.info/www/bejne/qHW0nptnrquKfbc Understanding PE Files kzbin.info/www/bejne/omeqm4hum9Jrqa8 kzbin.info/www/bejne/aYHGmKqBm8usqqs kzbin.info/www/bejne/mZSUpYtnqcSVgsk Getting Started With IDA kzbin.info/www/bejne/p3S0g36Clt9lpLM Windows APIs kzbin.info/www/bejne/fJitoYGppcmEhpI kzbin.info/www/bejne/m2LIm6urbqdjmsU x86 ASM Intro kzbin.info/www/bejne/b2nTkGmCaZllis0 kzbin.info/www/bejne/i367qIdtrJx7hdU kzbin.info/www/bejne/jZKrXpSnhpZojsk kzbin.info/www/bejne/n56Taqeai9OMrbM In addition to these videos there are also more formal recorded lectures here opensecuritytraining.info/Training.html. Personally I found them too dry to just sit through but that's probably more a reflection of my learning style and not the content. At some point I think Sean and I are going to create some proper online paid training workshops to cover the basics but until then this should get you started. I know I am missing a ton of other good resources so I would encourage everyone to leave a comment with their own favourite learning resources.

OALabs Thank you so much for your guidance. It really looks like that is what i needed, plus i do also see the correlation between topics above and the pathway to learn reverse engineering. I certainly appreciated it.

Thanks for the interesting sample to look at!

We actually made a whole video about this : )) kzbin.info/www/bejne/eZq9ZndsrNF8qNk

Ah sorry I must have missed explaining that my host host is OSX and the VM I am using is Windows7. When I need to run tools in a unix-type environment I switch back to my host. For example, running the bash commands. If you don't have an OSX or Linux host you can simply create a second Linux VM using a free copy of Ubuntu releases.ubuntu.com/16.04/ and use that VM for the bash commands etc.

Thank you for your reply!

Awesome! Post any tips you have in the comments, this is the best place for them to help others!

I'm not sure I'll be of much help here as there could be a lot of things that are changed between the environments ... I guess the first thing to check is use ProcessMonitor to see if there is a second process created at all... If there is no process created at all then that might indicate some other issue. If there is a process created but your breakpoint is simply not hit you could try breakpoints on other create process calls farther up the chain (this shouldn't be the issue though). And you could just double check that you are in 64bit mode and not hooking wow64 stuff by accident. Off the top of my head I can't think of anything else obvious though... maybe someone reading this has some suggestions?

Thanks for replying:) I really appreciate your suggestions. long live to you and to your channel my friend:)

This is actually fairly uncommon for malware but if you have a sample that you can send us the hash for we will definitely add it to the list.

crackmes.one/ : )