I have been watching you for a couple of years now and I always come back to watch these videos for my sanity. And I love how the subtitles always say "DXE" when he says "EXE".
@OALABS 1 year ago
Lol the AI subtitle generator is not very familiar with reverse engineering terms...
@Matt-ir1ky 7 years ago
I feel like I won the Twitter library by clicking the link to this video. Seriously, you hit the exact right spot in your speed/explanation... Not so fast that I get lost and not so slow that I get bored. Thank you for going to the trouble of making the video!
@cazurro96 3 years ago
Really great and clear explanations, even for someone like me who just knows the basics of malware analysis. These videos are so helpful, especially the tricks like the "anti-reverse" technique explanation and how you actually approach new malware. Thanks!
@LunaOoze 5 years ago
Starting to get more into your videos as I come closer to finishing the labs in the book Practical Malware Analysis. These videos are awesome and you're really good at explaining things while keeping a good pace too. Thanks for uploading these :) Keep it up.
@OALABS 5 years ago
Right on! That's great to hear, thanks : )
@EnduranceT 7 years ago
I asked, you provided... Awesome I am so excited to view this! Thank you!!
@_why_3881 3 years ago
I love your videos. This is great. I already read about injection in this new book I bought a while ago, Mastering Malware Analysis by Alexey Kleymenov. Your videos still help me the most. Thank you so much for the hint to this video.
@lucca1820 5 years ago
Awesome work! Thanks for the contribution!
@marcus.edmondson 6 years ago
Your videos are fantastic!
@OALABS 6 years ago
Thank you very much : ))
@drgowen 6 years ago
Thanks for the video. Just a tip: the file offset is at the bottom of the IDA disassembly frame. No need to search for the byte sequence.
@OALABS 6 years ago
Whoa, nice tip! Been using IDA for years and never noticed haha! Thanks : )
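The tip above (reading the file offset straight off the disassembler instead of searching for the byte sequence) works because the PE section table fixes the mapping between a virtual address and the bytes on disk. The script below is an added example, not code from the video or from anyone in this thread: it performs that VA to file-offset mapping with the standard library only, applies a patch at a VA, and refuses to patch an address that has no backing bytes on disk (the zero-filled tail of a section whose VirtualSize exceeds SizeOfRawData), which is exactly the case where a disassembler shows no file offset. The `build_sample_pe` helper constructs a minimal PE32 image as sample input; its section layout is assumed and it is not one of the samples from the video.

```python
"""VA -> file-offset mapping and in-file patching via the PE section table.

Added example (stdlib only). build_sample_pe() constructs a minimal PE32
image as sample input; it is not a real program.
"""
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D      # 'MZ'
IMAGE_NT_SIGNATURE = 0x00004550   # 'PE\0\0'
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def parse_sections(data):
    """Return (image_base, [(name, va, vsize, raw_ptr, raw_size), ...])."""
    if struct.unpack_from('<H', data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError('not a PE file: missing MZ signature')
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    if struct.unpack_from('<I', data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError('not a PE file: missing PE signature')
    coff = e_lfanew + 4                          # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from('<H', data, coff + 2)[0]
    opt_size = struct.unpack_from('<H', data, coff + 16)[0]
    opt = coff + 20                              # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from('<H', data, opt)[0]
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from('<I', data, opt + 28)[0]
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from('<Q', data, opt + 24)[0]
    else:
        raise ValueError('unknown optional header magic 0x%x' % magic)
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + i * 40            # IMAGE_SECTION_HEADER
        name = data[off:off + 8].rstrip(b'\0').decode('ascii', 'replace')
        vsize, va, raw_size, raw_ptr = struct.unpack_from('<IIII', data, off + 8)
        sections.append((name, va, vsize, raw_ptr, raw_size))
    return image_base, sections


def va_to_file_offset(data, va):
    """Map a VA (as shown in the disassembler) to a file offset.

    Raises ValueError when the VA has no backing bytes on disk, i.e. it lies
    past SizeOfRawData of its section; such addresses cannot be patched in
    the file.
    """
    image_base, sections = parse_sections(data)
    rva = va - image_base
    if rva < 0:
        raise ValueError('VA 0x%x is below ImageBase 0x%x' % (va, image_base))
    if sections and rva < sections[0][1]:
        return rva                               # headers are mapped 1:1
    for name, sva, vsize, raw_ptr, raw_size in sections:
        if sva <= rva < sva + max(vsize, raw_size):
            delta = rva - sva
            if delta >= raw_size:
                raise ValueError('VA 0x%x is in %s but past its raw data'
                                 % (va, name))
            return raw_ptr + delta
    raise ValueError('VA 0x%x is not inside any section' % va)


def patch_bytes(data, va, new_bytes):
    """Return a copy of data with new_bytes written at the offset backing va.

    Both ends of the patch are mapped separately so a patch that is not
    contiguous on disk (crossing a section boundary) is refused.
    """
    start = va_to_file_offset(data, va)
    end = va_to_file_offset(data, va + len(new_bytes) - 1)
    if end - start != len(new_bytes) - 1:
        raise ValueError('patch is not contiguous on disk')
    out = bytearray(data)
    out[start:end + 1] = new_bytes
    return bytes(out)


def build_sample_pe():
    """Constructed PE32 (assumed layout): .text at VA 0x1000 backed by 0x200
    bytes at file offset 0x400; .data at VA 0x2000 with VirtualSize 0x1000
    but only 0x100 bytes on disk at offset 0x600."""
    e_lfanew = 0x40
    dos = struct.pack('<H', IMAGE_DOS_SIGNATURE).ljust(0x3C, b'\0') \
        + struct.pack('<I', e_lfanew)
    secs = [(b'.text', 0x200, 0x1000, 0x200, 0x400),   # name, vsize, va, rawsize, rawptr
            (b'.data', 0x1000, 0x2000, 0x100, 0x600)]
    opt_size = 0xE0                                    # PE32 optional header size
    coff = struct.pack('<HHIIIHH', 0x14C, len(secs), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into('<H', opt, 0, PE32_MAGIC)
    struct.pack_into('<I', opt, 28, 0x400000)          # ImageBase
    struct.pack_into('<I', opt, 32, 0x1000)            # SectionAlignment
    struct.pack_into('<I', opt, 36, 0x200)             # FileAlignment
    hdrs = b''.join(n.ljust(8, b'\0') + struct.pack('<IIII', vs, va, rs, rp) + bytes(16)
                    for n, vs, va, rs, rp in secs)
    image = bytearray(0x700)
    image[:len(dos)] = dos
    nt = struct.pack('<I', IMAGE_NT_SIGNATURE) + coff + bytes(opt) + hdrs
    image[e_lfanew:e_lfanew + len(nt)] = nt
    image[0x400:0x600] = bytes(range(256)) * 2         # recognisable .text bytes
    return bytes(image)


if __name__ == '__main__':
    pe = build_sample_pe()
    for va in (0x401010, 0x402080):
        print('VA 0x%x -> file offset 0x%x' % (va, va_to_file_offset(pe, va)))
    patched = patch_bytes(pe, 0x401010, b'\x90\x90')   # two NOPs
    print('patched bytes at file offset 0x410:', patched[0x410:0x412].hex())
```

Run it on a real sample by replacing `build_sample_pe()` with the file's bytes; a VA that raises "past its raw data" is one the disassembler will also show without a file offset, and patching it requires growing the section's raw data rather than editing in place.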
@eliwhalen604 5 years ago
Just a question regarding the part about CreateProcess at around 19:00, though I'm not really sure if it is even a valid question as I'm quite new to this stuff. If the malware were to call the Nt layer CreateProcessInternalW ( if that's what it's called at that layer ) function as opposed to the one that you set your breakpoint on, would it just run and avoid the breakpoint you set?
@OALABS 5 years ago
Hey, this is a great question! In short, yes, you are absolutely correct: if the malware calls a lower-level API then it will circumvent our breakpoint and we will not see the call. We actually cover a bit of this in an older video here: kzbin.info/www/bejne/eZq9ZndsrNF8qNkm42s The reason we are confident setting the breakpoint on CreateProcessInternalW is that if the malware wants to call APIs lower than that, they will have to do more work to set up the call, so it is rare that we see that amount of effort in simple packers.
@ganeshkumargopinathan6375 7 years ago
Good one!!!! keep rocking.
@evanjoshua4338 1 year ago
Do you turn off all Windows services on startup? Why does my Windows VM seem to have a lot of processes? Thank you for the video. Great job 🥰
@OALABS 1 year ago
No, I pretty much keep the environment vanilla from the install. I think it is useful to get familiar with the normal operation of Windows, as when you triage in the wild you will need to deal with these. However, if you want to create a sandbox to help with RE then it does make sense to trim down the OS to the bare minimum so you can focus on the malware.
@3dadventures792 7 years ago
Your videos are incredibly helpful. Has anyone ever told you that you look, sound, talk, and even have the same way of adjusting your glasses as Anthony Fantano? :p Anyway, thanks for your work!
@OALABS 7 years ago
Awesome to hear you like our videos : ) So funny you mention Fantano... I saw him interviewed on NoJumper a while back and I was seriously creeped out how similar we look hahaha!
@diegocracker 3 years ago
Absolutely marvelous
@OALABS 3 years ago
thank you!
@vorsprungdurchtechnik7373 6 years ago
Where did you learn this? Have you got some resources?
@rookier2949 6 years ago
Your videos are really helpful. Can you share the samples on MalShare, so that people who don't have a VT account can also try?
@OALABS 6 years ago
Sure thing! Now we submit all our samples to MalShare for this exact reason, but this was an older video and we weren't doing that yet. Below you can find the MalShare links for these samples. Thanks for the reminder!
Original sample: malshare.com/sample.php?action=detail&hash=84063bd287827277ae2a22f4b3e9757a
Patched sample: malshare.com/sample.php?action=detail&hash=1b68729f1f03c3d82b13abe38599f6c3
Stage #1 unpacked: malshare.com/sample.php?action=detail&hash=044eebcc3e6980d95ceff93f6865b789
Stage #2 unpacked: malshare.com/sample.php?action=detail&hash=067e188c774b232246dd4924cb910dde
Final payload: malshare.com/sample.php?action=detail&hash=7f0fdddf5905886532c8a652abed1b6c
@rookier2949 6 years ago
Thanks :)... you guys are awesomeeee (y)
@TheBekabe 7 years ago
Very good video. Can I give you a sample for your analysis with IDA Pro or OllyDbg? I'm so confused by malware that uses the "Antidebug_AntiVM" technique, because it cannot run in my Cuckoo Sandbox system. So I want to bypass that technique. Sorry for my stupid question.
@OALABS 7 years ago
Sure thing! Just send us the hash for the sample. You can post it here or DM it to one of us on twitter.
@TheBekabe 7 years ago
OALabs Cool!!!! I'm so happy. These are the SHA256 hashes of my sample viruses:
1. DFCC3CFA8B7FB19C87D7D91EA6A3477E11289A6F638A0DFCABB7CBE9F57C8078 Size: 0.98 MB (1,036,288 bytes)
2. 8412B1B381AEFE1C3B74F14DD5894A4B1A15F213EB3771945351DA000F3A93F1 Size: 736 KB (753,664 bytes)
3. 16540597E03AC70BEA055AA72BF83A7DC3276CF6A64CD6CAFDB09E05EBCC198B Size: 484 KB (495,616 bytes)
Thanks in advance.
@ahmedqud5639 4 years ago
How can I start playing with binary stuff?! 😭 What's the best book or tutorial to get started in binary exploitation at all?
@vmwsree 7 years ago
How do I download the sample?
@OALABS 7 years ago
The VT links for all the samples and unpacked stages are in the description of the video. If you don't have a VTI key you can download them for free from Hybrid Analysis. You just need to sign up for a free account, then on each of the links below you will see the sample download button at the top of the page.
Original sample: www.hybrid-analysis.com/sample/8af6a0ad98f53063e6f730828a59621dac2aa575cd1a618723b0ad7823ef3ec4?environmentId=100
Patched sample: www.hybrid-analysis.com/sample/59bba7a104592a31e6ccd062da8d2e1b226de19e5c4ea2d4416b328068bb7081?environmentId=100
Stage #1 unpacked: www.hybrid-analysis.com/sample/7d3b38d67d15e79799fe614d57520c6de81d260ce8701ca16e7d64b7c80732f4?environmentId=100
Stage #2 unpacked: www.hybrid-analysis.com/sample/cc59ecd59719f464a6d0e69c895c742334d40f50c41d59b5eaa51ba7c561b2b5?environmentId=100
Final payload: www.hybrid-analysis.com/sample/275f927f5cc809ebba57c6e766c550d2d27b1841708459a876c6f5a99201ecb6?environmentId=100
@johndoom8471 5 years ago
@OALABS But Hybrid Analysis is free ONLY for researchers who have published at least 3 freaking blogs!!!!! Why not just upload the sample?! If YouTube doesn't allow it then just upload it on your website and we can search the hash and download it from there.
@TheNippysidhu 5 years ago
Can someone please guide me? I did a bachelor's in computer science and then just completed a postgrad in Cyber Security recently. I am very confused as to what skills are required for which job, and which field I should pursue as a career, and also where to apply for jobs?? Please help.
@dsldsl6460 5 years ago
Great information in these tutorials, but you just talk tooooooooo much. Signal: 10, noise: 90. Please stop "uhm-ing" on and on and on.
@OALABS 5 years ago
Haha! Don't worry this is just an old tutorial, check out some of our new ones to see how our editing has improved : )
@Cygnus0lor 5 years ago
Try making a video on your own then? It's not as easy as you think.