Cannot overemphasize the importance here. So many malware authors are not geniuses at all, they're throwing very simple malware into packing and obfuscation frameworks. So let's throw their stuff into tools as well. Always go from high-level to low because a malware author's bread and butter is wasting your time.
@OALABS · 2 years ago
💯
@Marstighter · 7 months ago
Very cool explanation. Nice talk about the API hammering. I also love the doggo[.]exe :)
@Coledebord2 · 2 years ago
Great video as always! You should do a video on TLS callbacks and how you deal with malware utilizing them for anti-debugging/reversing, etc.
@OALABS · 2 years ago
I can maybe cover these at some point, but there is nothing special about them, they are just another entry point. I think these were only an issue when they were unknown back in the early days for RE, now pretty much every tool will automatically handle them.
@OALABS · 2 years ago
lol yeah, you have to configure the debugger for the sample you are debugging... I guess that's something we could cover... my personal workflow is unpack, then static analysis first, always, then debugging if I need to, but I guess this could get you if you were debugging first?
@OALABS · 2 years ago
BTW, almost forgot, join our discord! Sounds like you guys would have some nice stuff to add discord.gg/oalabs.
@riskydissonance · a year ago
The nose scratch counter made me buckle 🤣🤣
@davidechiappetta · 2 years ago
Many years ago I made a debugger that, with the help of the dbg and pdb files (first version, v.2) of the system files, extracted the function names and the relative addresses of the import/export table from the PE. I could put breakpoints on all the APIs I wanted and filter the contents of the values pushed on the stack and the return values, to quickly study how these APIs worked (I never loved Python, even if I know well how it works under the hood; I prefer to do things myself in assembly or C). Then over time I modified it and made sure it locked if the pushed values were suspicious (I also used it to watch the send and recv functions of mswinsock, and with the help of a sniffer I discovered the servers they connected to)... At the time I remember that the only help we could get to do these things was the articles by Matt Pietrek, a hex editor and a debugger for Windows such as W32Dasm, and SoftICE for the kernel (which, if used badly, froze the PC until reboot).... I wanted to add that as a sandbox virtual machine for testing DLLs, EXEs or shellcode you can also use Unicorn with Libemu; hundreds of Win32 APIs have been added with about 15 DLLs for Windows. Great tutorial, this and the others you have done for IDA Pro, I really enjoyed them.
@kaushikkumarbora · 2 years ago
You are a good teacher
@RingZeroLabs · 2 years ago
Great video showing fundamental concepts :)
@SaravanaKumar-qm7kj · 2 years ago
You can check entropy with radare. I usually check entropy whenever I analyse binary files using R2.
@OALABS · 2 years ago
Lol! Radareee 🤣🤣🤣
@SaravanaKumar-qm7kj · 2 years ago
@OALABS I know why you're laughing 😂😂 Just saying, the pecheck tool is the easiest one to check entropy.
@spacewolfjr · 2 years ago
Where does that "OOOF" sound effect come from? I needs it.
@OALABS · 2 years ago
IDA Minecraft plugin XD
@shans2408 · a year ago
I read all the comments just to see if anyone is talking about that sound. lol. I have a crazy imagination
@duckie4670 · 2 years ago
Where is the OALABS catalog on process injection? Link me please.
@OALABS · 2 years ago
By "catalogue" I just meant a collection of our old videos. Before there was UnpacMe we made a lot of unpacking tutorials; here are a few:
kzbin.info/www/bejne/q6nPoYWlm5aEjdU
kzbin.info/www/bejne/fpe2gp95bJuSqZY
kzbin.info/www/bejne/aoelh4CBmb5gr8k
kzbin.info/www/bejne/aGWVhaFmfrFloKc
kzbin.info/www/bejne/jaXLp5SeoaaMfLs
kzbin.info/www/bejne/r526eqGFmLasaNU
kzbin.info/www/bejne/h5i4nYOseqpnl9k
kzbin.info/www/bejne/e5XGmYN7fdOintk
kzbin.info/www/bejne/rZyzpKmPm6Zjbsk
@duckie4670 · 2 years ago
@OALABS Thank you. Your work is amazing.
@nikos4677 · 2 years ago
How does IDA immediately redirect you to main? My IDA has no signatures and it gets me to the entry point unless I have a PDB.
@OALABS · 2 years ago
That is a good question! And I don't know the answer 😆 All versions of IDA I have used (including free) seem to jump to main if you are looking at an MSVC PE file. I think they have a signature for the MSVC entry point that seems to do the work, but that's just a guess.
kzbin.info/www/bejne/qabai3VpeqaSq5Y
@nordgaren2358 · a year ago
@OALABS The entry point is also listed in the PE header, isn't it? I guess you could manually go there, but I don't know if IDA does image base offsets or not. It's under the Image Optional Header, btw!
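The two checks that come up in this thread, section entropy as a packing indicator (the radare / pecheck exchange above) and the entry point stored in the Image Optional Header (AddressOfEntryPoint), can both be done with a few lines of header parsing. The script below is an added example written for this page; it is not code from OALABS, pecheck, radare or any commenter. It parses a PE using only the standard library, reports the entry point RVA and which section contains it, and scores each section's Shannon entropy. The sample PE is constructed in memory (a low-entropy `.text` section and a high-entropy `.pack0` section that holds the entry point, the shape a packed file typically has); the section name `.pack0` and the 7.0 bits/byte threshold are assumptions for illustration, not values from the page.

```python
# Added example (not OALABS's or any commenter's code): read AddressOfEntryPoint
# from the PE optional header and score per-section entropy to spot packing.
# The sample PE below is constructed in memory so the script runs offline.
import hashlib
import math
import struct
from collections import Counter

PACKED_THRESHOLD = 7.0  # assumed rule of thumb; compressed/encrypted data sits near 8.0 bits/byte

def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, 8.0 for uniformly random."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())

def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, n_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]            # 0x10B = PE32, 0x20B = PE32+
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]    # AddressOfEntryPoint (same offset in both)
    if magic == 0x10B:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")

    sections, entry_section = [], None
    for i in range(n_sections):
        off = opt + opt_size + 40 * i
        name, vsize, va, rawsize, rawptr, *_ = struct.unpack_from("<8sIIIIIIHHI", data, off)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        raw = data[rawptr:rawptr + rawsize]
        holds_entry = va <= entry_rva < va + max(vsize, rawsize)
        if holds_entry:
            entry_section = name
        ent = shannon_entropy(raw)
        sections.append({"name": name, "va": va, "raw_size": rawsize, "entropy": ent,
                         "likely_packed": ent > PACKED_THRESHOLD, "holds_entry": holds_entry})
    return {"entry_rva": entry_rva, "image_base": image_base,
            "entry_section": entry_section, "sections": sections}

def build_sample_pe() -> bytes:
    """Constructed PE32 with a plain .text section and a high-entropy .pack0 section holding the entry point."""
    text = b"A" * 2048 + b"B" * 2048            # two symbols -> exactly 1.0 bit/byte
    packed, seed = b"", b"constructed-sample"   # deterministic pseudo-random bytes via a hash chain
    while len(packed) < 4096:
        seed = hashlib.sha256(seed).digest()
        packed += seed
    sections = [(b".text", 0x1000, text), (b".pack0", 0x2000, packed)]
    entry_rva = 0x2010                          # inside .pack0, as a packer stub's entry would be
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew at 0x3C -> PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIIIIII", 0x10B, 14, 0, len(text), len(packed), 0,
                      entry_rva, 0x1000, 0x2000, 0x400000)
    opt += b"\0" * (224 - len(opt))
    first_raw = 0x200                           # file alignment; headers fit in the first 512 bytes
    hdrs, body, raw = b"", b"", first_raw
    for name, va, data in sections:
        hdrs += struct.pack("<8sIIIIIIHHI", name, len(data), va, len(data), raw, 0, 0, 0, 0, 0x60000020)
        body += data
        raw += len(data)
    image = dos + b"PE\0\0" + coff + opt + hdrs
    return image + b"\0" * (first_raw - len(image)) + body

def report(data: bytes) -> list:
    info = parse_pe(data)
    lines = [f"entry point RVA {info['entry_rva']:#x} "
             f"(VA {info['image_base'] + info['entry_rva']:#x}) in section {info['entry_section']}"]
    for s in info["sections"]:
        flag = "  <- high entropy, likely packed" if s["likely_packed"] else ""
        lines.append(f"{s['name']:<8} VA {s['va']:#07x} size {s['raw_size']:>6} entropy {s['entropy']:.2f}{flag}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(build_sample_pe())))
```

Pointing `parse_pe` at a real file (`parse_pe(open(path, "rb").read())`) gives the same two answers a tool like pecheck or r2 would: an entry point that lands in a small high-entropy section rather than `.text` is the classic signature of a packed binary, and that is the cue to unpack before spending any time in the disassembler. The entropy threshold is a heuristic; signed or compressed resources also score high, so treat it as a prompt for the next check rather than a verdict.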
@jasonrobertcheney · 2 years ago
I tried to use CAPE, but it keeps refusing to upload a sample; it states "Account inactive" and I just created it. Any ideas?
@jamesakaiz0124 · 2 years ago
Hi, can you make a video on how to set up the Keypatch/Keystone plugin please, bro?
@OALABS · 2 years ago
Neat! I wasn't aware of this, I'm actually looking for a patching framework right now so this is a happy coincidence! I'll check it out and get back to you.