Awesome to hear that!! Thanks!

Nice!!

Hey so that's a great question, and we covered a bit of that in one of our older videos on unpacking GandCrab. Basically you look for other parts of the PE that aren't erased like the sections table and use that to guess where the sections should be... it's not as simple as it sounds but it def works if you are persistent.

Hey that's a great question. So the short answer is we just guessed since we assumed that the file would start at the the beginning of a 16byte offset so we chose the first 16byte offset of the first line that wasn't all null bytes. This also happens to be the beginning of the line since we have the hex editor adjusted to display 16byte lines. Though this was just a guess it usually works but if we get it wrong we actually have another tell we can use. So we know that at 0x3c from the MZ is a DWORD that will point to the PE header offset (where the PE bytes are). We can use this information to add or remove bytes until this equation becomes true.

Hey that's a great catch! So we always disable ASLR to just to make things easier when we are debugging. oalabs.openanalysis.net/2019/06/12/disable-aslr-for-easier-malware-debugging/ But you are definitely correct, if we hadn't disabled it we could not have guessed the address of the binary.

That's a great question! In many cases the malware developers will actually do that. This is why searching for the DOS string is just a trick that works some of the time. But it's worth trying because if it works you can save some time : )

@@OALABS Oh okay, I just find it funny that these developers forget about that kind of stuff. But yes its definetly worth

I'm not sure exactly what you mean by zero bytes but have code? Are there any hashes you could share? Do you mean the code is stored in an alternate data stream (ADS)? Usually the term "fileless malware" is used to refer to malware that stores itself in the registry (poweliks, kovter, etc) and uses in-memory injection. So nothing touches the disk as a file. I'm not sure if that's the same thing as what you are describing? Let me know and we can definitely do a video on it!

OALabs I may not be referring to the correct name then. They appear as having zero bytes. So they are stored on a server and sync up on the computer. Last night for example I was trying to put two files into VT and they were coming up as zero bytes so I couldn’t upload them. They are PE files, and may be hosted on an ASP. NET site. I’m using your videos to teach me how to reverse engineer but a lot of these I cannot even open. I do go into control panel and change mobsync settings (mind you I don’t even allow my mobile to sync with this but I cannot turn it off) to “allow all offline” and that helps with some files. Also what is ADS? This sounds interesting and yes I have tons of hashes. Unfortunately I cannot send you these files because technically they don’t exist on my machine. They are like ghosts but I do have the hashes of the ones with information inside. Here for example is a Virtual Shadow disk I found in my disk manager. “PersistentUserDisk.vhdx” www.joesandbox.com/analysis/212055/0/html I have a ton of hashes on VT under the name @secresearcher www.virustotal.com/bg/user/SECResearcher/ Some of the crazy files: www.virustotal.com/graph/SECResearcher/ Example of null byte files I’m talking about check out the comments section: www.virustotal.com/gui/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/behavior/VirusTotal%20Box%20of%20Apples A file OPSWAT caught last night: metadefender.opswat.com/results#!/file/bzE5MDMxM0gxT2JLQXFMdlZTMTVkR05pZHVI/regular/sandbox/5e6479be561bbf69fb66d29d

Ok interesting, I'm still not clear on how you know these are executable files if they have zero bytes and they are hosted on a remote server? Wouldn't that just mean they are empty files? If I misunderstood and these file are local you could try checking if they have an alternate data stream. You can use a tool like docs.microsoft.com/en-us/sysinternals/downloads/streams to check the files. But if they are hosted on a server (not your host) then this won't be the case. The one file you mention (vhdx) is not an executable file, it's a container used to mimic a virtual disk docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831446(v%3Dws.11). There are multiple reasons you might see these temporary files, but none that I know to be malicious?

OALabs so I wouldn’t believe them to be malicious either except they take my admin rights, nor do I host a server, nor am I part of an enterprise etc etc. it just makes no sense. As for them being executables I’m pretty sure I just explained that incorrectly. They are files within the system that are unknown or are not supposed to be there. I’m not sure how much you read of the JoeSandbox file but it’s actually containing a file called DEMUL.EXE which is apparently a SegaDreamcast ROM? Like WTF? i never even put that in there. You have to understand this is a reformatted computer. Like I recently reformatted and have not even put any files inside. I’m not sure I understand it very well either but I’m trying to figure it all out. From what I can tell it replaces some of my other legitimate windows files with customized versions also. They are actual windows files but they have some bizarre stuff in them. What that is? Well that’s what I am trying to learn from you so I make sense to people like you who are more advanced. I love malware reverse engineering but I am at the very beginning of my studies and I only started researching because of this insanity on my computer. It’s what I want to do for the rest of my life though. It’s like a microbiologist working at a biological weapons lab but on computers. Just as interesting and a lot less mess lol

OALabs heads up tried to run streams and it won’t let me. Sigh. I’m at my wits end with this. It’s a $1200 Dell laptop that’s a year old. I can’t even run virtual box to work on my pentesting or reverse engineering. It’s super frustrating.

GuLoader is very unique ... first, it doesn't actually use the VB code to do an of the work, it just used it to redirect execution to embedded shell-code. Once in the shellcode there is another loader stage that is decrypted prior to the payload launching. It also had multiple anti-VM and anti-debugger features. I recommend checking out this excellent write up www.crowdstrike.com/blog/guloader-malware-analysis/

@@OALABS I was looking into sample 01a99da3e8056311a350ff3d19b6257f6cd4ee36 This has different anti debug or anti vm tricks. We can execute sample on mentioned blog but sample I am looking into it is not getting executed. I tried various sandbox. Technique is mentioned here www.joesecurity.org/blog/3535317197858305930 Could you please check it and explain it in short video whenever you get time.

The address in references is 1001604E, when i extract the bin, it extract the 10010000 address in memory map, but is different from the dump of the references.....

it seems that the payload is no written in memory....

Sorry dumped correctly! Amazing video fantastic you are awesome!