Hey Dan, that's a great question! So the answer is yes, but it would probably have been more work... so in this case they are doing some process injection so if we dumped the process that the code was injected into it would definitely have contained the PE that we dumped out. However, depending on how they injected it (the part we don't care about in the video) we may have had to do extra work to fix up the dumped PE (fixing the IAT, fixing the PE header, etc.) By dumping the PE at the earliest point in the injection process (before it has even been injected) we get a closer representation of what the original packed sample looked like and thus we have to do less work to fix it. It's great that you asked about this because looking back I don't think we ever mentioned that principal in any of our tutorials... dump as early as possible, with some exceptions ; )

This is actually such a good question I've decided to pin it. Thanks again for the contribution!

Thanks for the detailed and quick response! Definitely brought up some good points, and also inspired me to try it myself. A pinned comment on your channel is going straight to the top of my CV :)

Thanks very much! Glad you enjoyed the tutorial : )

Hey that's a good technique too especially if it's modified UPX so there is some obfuscation in the stub and the jmp is hard to locate. In this case it's not modified so the jmp is super easy to spot (as we demonstrated). For heavily modified stuff a third trick is to just remove the X properties on the PE section and wait for the execution exception. This is how it's done for generic unpacking ; )

Good point! So we usually do some initial investigation of the behaviour of the sample using a sandbox to get an idea of what it is doing. From there we take a guess that what packing techniques it is using. As we saw in the beginning of the video here, a sample that starts a copy of itself is most likely doing process injection, and we cover other tells like these in our tutorials for other packing techniques. So once we have an idea of what type of packing techniques are used we set breakpoints on the APIs used to unpack these techniques... now here comes the magic of cinema, most of the time we guess right and the unpacking works the way you see in the video, but sometimes we guess incorrectly and we simply cut those parts out ; ) I can assure you neither myself nor Sean are anywhere near as proficient at reverse engineering as we appear in these heavily edited videos : ))) We do include some of the failures in some videos where it is relevant to the sample (ie. they are intentionally tricking us and we want to point it out) but for the most part we only include the "good" path through solving the problem. You can also check out our blooper reel from last year if you want to see some samples that really bamboozled us haha! kzbin.info/www/bejne/ZmXUmpSuebB0Y8k

AvE's vids are skookum as frig! One of our favourite channels : )

Malshare is suffering terribly these days, many times after we upload files they just disappear and we get this nice messages about "recovery mode". This is why we switched to CAPE in the first place. I guess CAPE purges samples though so that's not a great solution either. We are open to suggestions. I've tried malshare again, see links below... milage may vary... malshare.com/sample.php?action=detail&hash=905506beae7e547314951fabe12660d0 malshare.com/sample.php?action=detail&hash=%20-%20862f4ddb7b7560959b2e863e7416dfa8 malshare.com/sample.php?action=detail&hash=%20-%20030ac5675a716d53da65dab98c374174

Thanks! This is a great question. So over the years there have been a lot of attempts to build "auto unpacking" tools that would do just that! Sean and I have been working on one for a few years now... cough *secret project* cough... but until we release our tool there are a few things you could try... 1) You could use a modified version of Cuckoo Sandbox. The best one we have seen so far is CAPE. It is fully open source and you can find the code here; github.com/ctxis/CAPE or just use the online version here: cape.contextis.com/submit/. This has some drawbacks though as it's not very precise and you are giving up the control that you have with a stand-alone tool that you can use with a debugger. 2) You could write a script to control a debugger like Immunity or OllyDBG that automatically sets the hooks and then uses the debugger. 3) You could use a DBI framework to develop a tool to hook the API. For an example of how to do this take a look at our frida-extract auto-unpacking tool build on the Frida DBI framework github.com/OALabs/frida-extract

@@OALABS Search for #PEsieve

@@OALABS Thank you. Also, I found some nice tool: www.novirusthanks.org/products/writeprocessmemory-monitor/ (works on 32-bit and 64-bit OS).

I'm a huge fan of hasherezade's tools! That's a great suggestion!

The samples should all be on malshare too malshare.com/. You will need an account but they are free to sign up.

Yeh I saw malshare is currently having some difficulty. In the mean time we are looking for other options to share samples ... if anyone has any suggestions for other malware sharing sites that don't require a paid registration or vetting process let me know.

We have now uploaded all the samples to CAPE so they can be downloaded without a user account: Original sample: 0ca2971ffedf0704ac5a2b6584f462ce27bac60f17888557dc8cd414558b479e cape.contextis.com/analysis/21237/ Stage1 (packed UPX): 7f463bd55aa360032fbd6489b4e34455178a35254ff66c1cd98d0775437074b4 cape.contextis.com/analysis/21240/ Stage2 (custom injector): 89a0325379e1e868b668955ed41ba0faa724845028bc961a0691f19e5213dedf cape.contextis.com/analysis/21241/

Check our playlist, it's the next video in the series... kzbin.info/aero/PLGf_j68jNtWG_6ZwFN4kx7jfKTQXoG_BN