Baby’s First Malware Config Parser: Mini-Course w/ dnSpy+CyberChef+Python

Views: 8,576

jeFF0Falltrades

1 day ago

Comments: 37
@jeFF0Falltrades 2 years ago
Hi everyone, and thanks so much for watching! I will be putting Corrections into the comments since the description has limited space. Right off the bat upon uploading, I noticed there are a couple of spots in the video where I mention this parser is written "without the help of external libraries": This is incorrect. I had mentally blanked on the fact that the cryptography library we use for AES decryption is NOT a built-in but rather requires separate installation (pip install cryptography). I don't really want to spend the time editing these and re-encoding this enormous file at this point just to fix those remarks, but I did want to issue a correction here. The repo and code comments have also been updated. Apologies, but I hope it doesn't take away from the rest of the course - enjoy!

EDIT: 16FEB2022 - I updated the script in GitHub to use a slightly different method of printing the JSON output, making it easier to pretty-print multiple decrypted configs in one go, instead of just dumping them one-by-one as written in the video. Check out the GitHub repo for the updated code!

EDIT: 11APR2024 - An updated and more robust version of this parser has been published! See kzbin.info/www/bejne/r6DdZWeHgMqSaNE This repository and video are still very valuable for those learning malware analysis and tool automation, but the Rat King Parser is considered more stable for production use.
@andreymramornov9226 1 year ago
Not sure why, but this 6h tutorial was THE thing to restore my faith in humanity. Thanks and looking forward to more vids.
@jeFF0Falltrades 1 year ago
And this comment was the thing for me - Thank you and thanks for watching!
@MindfulEnergies3 1 year ago
Fantastic tutorial, thank you for your effort putting this together. I coded along and it took me 2 days to complete with a small redesign (external decoder class), but it was an absolute pleasure following you on this long journey! The biggest gotcha that I spent a lot of time on was block size calculation, and it did make me read the PKCS7 implementation to arrive at the same conclusion, so glad this happened; it was really educational, thanks again Jeff!
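The PKCS#7 block-size point in the comment above, as an added example that is not code from the video or its repository: padding and strict unpadding for a block size given in bits (the unit .NET's Aes.BlockSize reports; the 128-bit default and the function names are assumptions for this example), including the case where the input is already block-aligned and a full block of padding is appended. The sample inputs are constructed.

```python
# Added example, not from the video or its repo: PKCS#7 padding as used under
# AES-CBC, with the bits-to-bytes block-size conversion and strict validation
# when unpadding. Block size of 128 bits is an assumed default.


def block_size_bytes(block_size_bits: int) -> int:
    """Convert a block size in bits (e.g. 128 from .NET's Aes.BlockSize) to bytes."""
    if block_size_bits % 8 or not (0 < block_size_bits // 8 <= 255):
        raise ValueError(f"unsupported block size: {block_size_bits} bits")
    return block_size_bits // 8


def pkcs7_pad(data: bytes, block_size_bits: int = 128) -> bytes:
    """Append PKCS#7 padding; an aligned input still gets a full block of padding."""
    bs = block_size_bytes(block_size_bits)
    pad_len = bs - (len(data) % bs)  # always in 1..bs, never 0
    return data + bytes([pad_len]) * pad_len


def pkcs7_unpad(data: bytes, block_size_bits: int = 128) -> bytes:
    """Strip PKCS#7 padding, rejecting any length or pad-byte inconsistency."""
    bs = block_size_bytes(block_size_bits)
    if not data or len(data) % bs:
        raise ValueError("input length is not a multiple of the block size")
    pad_len = data[-1]
    if not (1 <= pad_len <= bs) or data[-pad_len:] != bytes([pad_len]) * pad_len:
        raise ValueError("invalid PKCS#7 padding")
    return data[:-pad_len]


def padding_report(data: bytes, block_size_bits: int = 128) -> dict:
    """Summarize what padding does to one input and confirm it round-trips."""
    padded = pkcs7_pad(data, block_size_bits)
    return {
        "input_len": len(data),
        "padded_len": len(padded),
        "pad_len": padded[-1],
        "roundtrip_ok": pkcs7_unpad(padded, block_size_bits) == data,
    }


if __name__ == "__main__":
    # Constructed sample inputs, including the aligned-length edge case.
    for sample in (b"", b"abc", b"0123456789abcdef", b"0123456789abcdefX"):
        print(padding_report(sample))
```

The aligned case is the one that trips people up: a 16-byte plaintext under a 16-byte block becomes 32 bytes, so a decryptor that expects "ciphertext length minus one block" for such inputs will miscount.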
@jeFF0Falltrades 1 year ago
First of all, fantastic job not only following along but improving upon it and giving it your own spin! That’s incredible! I appreciate you coming back and sharing as this is why I continue to upload videos - Thank you for watching and never stop learning! More coming very soon :-)
@neeravdaskrishna7004 2 years ago
Time Stamps
0:00 : Intro
3:11 : Important Notes
4:53 : Downloading/Exploring ASyncRAT
15:35 : Introducing dnSpy
24:34 : Extracting Configuration Values with dnSpy
36:29 : Configuration Parsing with CyberChef
37:56 : Replicating the ASyncRAT AES256 Decryption Routine
1:17:55 : Recap and Saving Our CyberChef Recipe
1:23:48 : Preview of Our Finished Python Parser
1:25:48 : Creating Our Python Parser Runner Program
1:45:26 : Detour: Class vs Instance Variables
1:52:59 : Feeding Data to Our Parser
2:03:23 : In-Depth Analysis of ASyncRAT’s Configuration
2:12:10 : Detour: Endianness
2:15:08 : Detour: RVAs vs VAs vs Offsets
2:37:11 : Review/Pseudocoding Our Parser’s Functionality
2:40:38 : Building an Address Map of the Config
3:00:43 : Helper Function: get_string_from_offset()
3:15:15 : Reconstructing the Table Map
3:19:22 : Extracting the “m_maskvalid” Value
3:25:24 : Helper Function: get_stream_start()
3:28:08 : Helper Function: get_metadata_header_offset()
3:36:40 : Calculating Table Row Size and Number of Rows
3:49:32 : Extracting the Field Table
3:56:12 : Helper Function: get_table_start()
4:11:31 : Translating Config Addresses to Values
4:15:04 : Helper Function: strings_rva_to_strings_val()
4:20:00 : Helper Function: us_rva_to_us_val()
4:33:32 : Creating an AES Decryptor Class
4:36:49 : Helper Function: get_aes_metadata_flag()
4:46:01 : Extracting the AES Key and Block Size
4:53:56 : Extracting the AES Iterations Value
4:58:04 : Extracting the AES Salt Value
4:58:50 : Detour: FieldRVA Table and Static Arrays
5:04:41 : Detour: String-Derived AES Salt Values
5:22:09 : Helper Function: decode_bytes()
5:27:26 : Helper Function: get_aes_salt_ldtoken_method()
5:32:33 : Helper Function: field_id_to_field_rva()
5:39:01 : Helper Function: field_rva_to_offset()
5:49:35 : Deriving the AES Key
6:04:56 : Implementing AES256 Decryption
6:09:52 : Decrypting the Configuration
6:17:34 : Reporting the Parsed Config in JSON
6:19:46 : Troubleshooting/Lots of Suspense
6:22:38 : Great Success
6:23:22 : ASyncRAT YARA Rule for Hunting
6:23:48 : Parsing Multiple Samples
6:25:10 : Great Job and Thank You!
@ЗахарБельтюков 2 years ago
So happy to see you made new video! Keep going, you are doing great!
@jeFF0Falltrades 2 years ago
Thank you so much! It was a big investment of work, but I really enjoyed making this one, and hope to continue. Thanks for watching!
@saultube44 1 year ago
Massive thanks for the massive 6-hour-long tutorial
@jeFF0Falltrades 1 year ago
Thanks for watching it! (And definitely okay to take it in small chunks 😂)
@saultube44 1 year ago
@jeFF0Falltrades Oh yeah, my butt will be most thankful 😁 Also, lots to unroll and test there. I really like these Code Safaris
@memoriasIT 2 years ago
What an amazing YouTuber I found today, love both videos!!
@jeFF0Falltrades 2 years ago
Thank you so much for the kind words - I truly hope you enjoyed and learned something from both! Hope to do more soon!
@不说-f7y 2 years ago
Thanks for sharing this amazing video! But is there a little mistake at 2:48:00? 0x7000000f => little endian => 0f 00 00 70? not f0?
@jeFF0Falltrades 2 years ago
No problem! And you are correct, but I actually put a note in that piece of the video in post - do you see it? It flashes up for a few seconds. That’s what I get for recording these so late at night hahaha
@不说-f7y 2 years ago
@jeFF0Falltrades Haha, respect your great work! And I see that note. But it seems there is also an error in the note? The note is f0 00 00 70, not 0f 00 ...😆
@jeFF0Falltrades 2 years ago
@不说-f7y Oh yeah, I see what you mean. Yeah, what I wrote in the note is the correct address anyway - I totally messed it up writing it down haha.
@不说-f7y 2 years ago
@jeFF0Falltrades Haha, looking forward to seeing more of your great works.☺
@jeFF0Falltrades 2 years ago
@不说-f7y Thank you and thanks for watching - also thanks for keeping vigilant on the mistakes and letting me know, because most of the time at least a few slip through post.
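The little-endian exchange above, as an added example that is not code from the video or its repository: a .NET metadata token such as 0x7000000f is stored in the IL stream as the bytes 0f 00 00 70; its top byte 0x70 identifies the #US (user string) heap and the low 24 bits are the offset into that heap (for table tokens they are the 1-based row index). The helper names and the five-byte IL fragment are constructed for this example; the opcode and token-type constants are from ECMA-335.

```python
import struct

# Added example, not from the video or its repo. Constants are from ECMA-335;
# everything else is constructed for illustration.
US_TABLE_ID = 0x70    # token type of the #US (user string) heap
LDSTR_OPCODE = 0x72   # CIL `ldstr <token>`: 1-byte opcode + 4-byte #US token operand


def token_to_le_bytes(token: int) -> bytes:
    """Encode a 32-bit metadata token as it is laid out in the IL stream (little-endian)."""
    return struct.pack("<I", token)


def le_bytes_to_token(raw: bytes) -> int:
    """Decode four little-endian bytes read from the IL stream back into a token."""
    (token,) = struct.unpack("<I", raw[:4])
    return token


def decode_token(token: int) -> dict:
    """Split a token into its table/heap id (high byte) and index (low 24 bits)."""
    table = token >> 24
    index = token & 0x00FFFFFF
    return {"table": table, "index": index, "is_user_string": table == US_TABLE_ID}


def extract_ldstr_token(il: bytes, offset: int) -> int:
    """Read the #US token operand of an `ldstr` instruction at `offset` in raw IL bytes."""
    if offset + 5 > len(il) or il[offset] != LDSTR_OPCODE:
        raise ValueError(f"no complete ldstr instruction at offset {offset:#x}")
    return le_bytes_to_token(il[offset + 1:offset + 5])


if __name__ == "__main__":
    # Constructed IL fragment: `ldstr` followed by the token discussed in the thread.
    il_fragment = bytes.fromhex("72 0f 00 00 70")
    token = extract_ldstr_token(il_fragment, 0)
    print(f"token {token:#010x} on disk: {token_to_le_bytes(token).hex(' ')}")
    print(decode_token(token))
```

Reading the operand with `struct.unpack("<I", ...)` rather than by hand is what keeps the 0f/f0 slip from happening in a parser: the byte order is handled once, in one place.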
@visionnight6480 1 year ago
Ty you.
@jeFF0Falltrades 1 year ago
Thanks for watching!
@orgozlan323 2 years ago
awesome, thank you !
@jeFF0Falltrades 2 years ago
Thanks for watching!
@omniasoliman5228 2 years ago
What do I need to write a parser for another malware family like Vidar malware, or any other malware? After watching almost the whole video I still can't write a parser for another malware. I hope you can help me ASAP. ♥
@jeFF0Falltrades 2 years ago
Hi, Omnia! Writing a parser typically follows the same steps we see in this video, but can depend heavily on the type of malware, what programming language it was written in, and how it conceals and loads its configuration. Typically, the workflow works as follows:
1. Identify the data points that are configured in the malware (C2 host, ports, version, etc.)
2. Study the malware (using static or dynamic tools like debuggers and disassemblers) to identify where and how these data points are loaded by the malware (this is the most time-consuming step, as every malware family has different ways of concealing its configuration and extracting it for use)
3. Write down (in very basic terms) the steps the malware takes to load the configuration
4. Try to programmatically extract each piece of the config based on these steps (I find it helps to test 1 at a time)
5. Combine these steps into a parsing script or program once each step is tested thoroughly with multiple samples
Each family of malware is unique, but this general workflow will apply to nearly all malware configuration parsers. It’s also important to note that Vidar, in particular, tends to be a malware family that downloads its configuration from a remote source (e.g. it sends out a network call to pull down its config from a forum post somewhere), so it could be challenging to write a parser that works statically for such malware families, but this is only something I’ve seen through other analyses of Vidar and may not apply to every sample. Good luck and hope this helps!
@wuspoppin6564 2 years ago
Your videos look like you've already made videos before, idk why. They're kinda too good haha. So, have you? Just curious
@jeFF0Falltrades 2 years ago
So…yes. In a past life, I had a partnered channel (unrelated to this kind of stuff) that I shut down because I didn’t have the time and energy to dedicate to it. I started this one so I could begin fresh, doing things I wanted to do, on my own time, without the pressure I used to have to grind out “meh” content to just keep partnership and engagement. And it’s been a wonderful decision for me so far :-). Also - I’m super happy to hear that the quality is seen as good or even decent! In exchange for doing less frequent videos, I try my best to put out stuff that’s worth people’s time. Thank you and astute observation haha!
@miak911 2 years ago
Genius, thank you
@jeFF0Falltrades 2 years ago
Thanks for watching, but watch a little more and you’ll see I’m no genius 😉. Hope you enjoy!
@TonTruong 2 years ago
Thanks for sharing
@jeFF0Falltrades 2 years ago
Thanks for watching!
@micheallovis5369 2 years ago
Can you make a game trainer for me for a price? If yes, how can we get in touch? Thanks
@antoniocs8873 2 years ago
I'm coming from your last video, which was quite interesting to watch, but I jump into this one and it's 6h? Ouch. You know you can create playlists right? Could be a lot better for you, simpler to make and more views (more adsense?)
@jeFF0Falltrades 2 years ago
Sure, but to me, this one made more sense to keep together in one video since each section builds on the last; it was actually a bit easier to edit that way as well. And this channel isn’t monetized anyway, so I didn’t really care to play the Adsense games; this is just for folks who need a true step-by-step. Thanks for watching!
@antoniocs8873 2 years ago
@jeFF0Falltrades Ok... but it's 6h; multiple small videos will be a lot easier to digest and also to keep track of relevant information, but ok, cool, I guess you have your way of doing things.
@erectlocution 2 years ago
@jeFF0Falltrades Plus you've taken the time to put in the chapters. It's easier as a user to shuffle back to refresh after being away from the material than to find which of the videos in the playlist the user left off in. I mean, it's your call, but I appreciate the single long video format.
@jeFF0Falltrades 2 years ago
Yeah, that’s actually a big reason I went that route as well: Not only is it easier for me to do chapters in post all in one go, but I - as a viewer - like to have an easy way to bookmark progress without remembering which video I’m on. But that said, I do appreciate hearing all the opinions on this; it’s easy enough to try different things with new videos to see what feels best. Thanks for watching and for the feedback!