How To Defeat Anti-VM and Anti-Debug Packers With IDA Pro 

OALabs
Views: 109K

Published: 21 Oct 2024

Comments: 139
@georgekatakouzinos 6 years ago
Awesome. Can't believe I requested this a week ago and it's done already. You guys rock. Excellent video, easy to follow and understand and fills in some gaps I was struggling with. Keep up the excellent work.
@EnduranceT 6 years ago
Pretty sure I requested it too. Thanks for also requesting it, :P I'm super happy to find other ppl out there who care about learning this stuff and even happier that Sergei and Sean are willing to take the time to explain it. OALabs, some day, I'm going to have to send you a giant meaningful thank-you, perhaps at a conference ;)
@ahndeux 3 years ago
19:08: Believe it or not, there is a lot of value in stepping through and showing us, because it lets us know your thinking process in decoding all those different sections and why you think they should be labeled in a certain way. That type of process is critical to understanding how to look at the code and make sense out of it. I'm glad that you are great at explaining what you are doing throughout the process. The ability to get into your mindset and the thinking process is very important. It's almost like solving a complex, difficult Sudoku problem: once you figure out a key, the rest unlocks itself. Getting to that key moment is the magic. Some of these complex Sudoku problems can take hours to solve and only a few key areas block the entire process. The crazy part is the answer was always in front of you.
@tcc1234 3 years ago
Yeah. You should've included that and then put in a timestamp in case somebody wanted to skip that part.
@ahndeux 3 years ago
@@tcc1234 You did a great job. I learned a lot from watching what you were doing. Three weeks ago I never programmed in C and now I'm trying to figure out IDA... LOL. It was a shock to have to learn some basic assembly and C to understand how to reverse engineer. Your videos were very helpful.
@tcc1234 3 years ago
@@ahndeux When I said "should've included that", I meant *you* should've included that. XDDDDD "You" meaning OALabs xDD
@marcelgraf5520 2 years ago
I cannot fathom how much this video helped me. The documentation, live example etc. Thank you so much.
@SourceCodeDeleted 5 years ago
Really well done! I am surprised to see in such details, things that I had to suffer through early in my career.
@EnduranceT 6 years ago
I love this because not only do I learn from these videos, but they also show that the reality is, RE does take a lot of time and WORK and there aren't a ton of shortcuts except for stepping around problems like you did at the end of the vid with the memory dump. But I love that you took the time to explain the actual analysis of the anti-debug because most ppl just bring the subject up but don't actually show wtf they mean with anti-debug. Thank you VERY MUCH! Also I loved the old school part. Keep rockin you guys are awesome!
@klarnorbert 6 years ago
Yep, really nice video, I'm more of a visual guy, so these videos help a lot. Keep up the good work!
@aykfc 6 years ago
Who thinks reverse engineering is easy and takes little work?
@melissali1571 1 year ago
:D omg, I remember all the old-school OllyDbg techniques! OllyDbg scripts like morphine (I still have all the old plugin source code for Olly in my old hard drive drawer lmao!)... I remember ImpREC with the Simpsons icon... It was so much fun back in the day! Did they ever release OllyDbg 64 lmao? I know with IDA who needs OllyDbg but... Ohhhhh, I just had goosebumps from back in the day making MMORPG private servers from scratch like Dekaron and stuff.
@casualgamer1791 2 years ago
Great Video! Some question regarding 36:20. So You took a snapshot of the VM? When exactly? When that first break-point triggered? Is this an IDA feature/plugin? Maybe You have a video explaining Your setup? Edit: nvm it is explained in the IDA Pro Malware analysis tips video at 40:00
@Kaplan0644 5 years ago
Awesome, very informative and fun to watch at the same time. I always welcome the extra reading material for studying/reading, definitely will get a copy of those 2 pdfs. Thanks for your efforts..
@f_x9771 6 years ago
Wow!! I'm truly just a newbie, barely finished reading the IDA Pro Book 2nd Edition & this video has truly helped me clear up some gaps! Great video!! Definitely recommending this to others who are learning! You guys are doing an amazing job, keep it up :)
@OALABS 6 years ago
Thank you very much : ))
@СергейКузнецов-в8ю7ш
Great video, guys! I was also surprised that they compared process names directly instead of comparing MD5 hashes of the strings or something, so it would be hard to guess what name actually triggered processExit.
@OALABS 5 years ago
Thank you : ) Yes this is a pretty straightforward sample to analyze, some other more complex malware like Dridex uses hashes instead of strings as you suggested, it really makes RE a lot slower. There is a nice blog on this by our friend r3mrum r3mrum.wordpress.com/2018/02/15/string-hashing-reverse-engineering-an-anti-analysis-control/
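As an added example, not code from the video or from the r3mrum post it links: a small analyst-side script that resolves hashed process-name constants back to tool names by running a candidate list through a reimplemented hash routine. The DJB2-style routine, the candidate list and the constants are assumptions constructed here; a real sample's routine and constants have to be lifted from its disassembly.

```python
"""
Resolving a hashed process-name check (added example, not the video's own code).
Instead of comparing plaintext names, some packers hash each running process name
and compare the result with hard-coded constants, so the tool names they look for
never appear as strings. The analyst's counter is to rebuild the hash routine and
run a candidate list through it. Everything below is assumed/constructed.
"""


def hash_name(name: str) -> int:
    """Case-insensitive DJB2 over the process name, kept to 32 bits (assumed routine)."""
    h = 5381
    for byte in name.lower().encode("ascii"):
        h = ((h << 5) + h + byte) & 0xFFFFFFFF
    return h


# Candidate names an analyst would try first: debuggers, monitors and VM services.
ANALYSIS_TOOL_NAMES = [
    "ollydbg.exe", "idaq.exe", "idaq64.exe", "x32dbg.exe", "x64dbg.exe",
    "windbg.exe", "procmon.exe", "procexp.exe", "wireshark.exe",
    "vboxservice.exe", "vmtoolsd.exe",
]


def build_lookup(candidates) -> dict:
    """Map hash value -> candidate name for every name in the list."""
    return {hash_name(n): n for n in candidates}


def resolve_constants(constants, candidates=ANALYSIS_TOOL_NAMES) -> dict:
    """Return {constant: resolved name or None} for each hard-coded hash.

    None means the candidate list needs extending, not that the check is harmless.
    """
    lookup = build_lookup(candidates)
    return {c: lookup.get(c) for c in constants}


# Constructed stand-in for the constants pulled from a sample's comparison loop:
# two hashes of known tool names plus one that no candidate matches.
CONSTRUCTED_CONSTANTS = [hash_name("ollydbg.exe"), hash_name("idaq.exe"), 0x00C0FFEE]


if __name__ == "__main__":
    for constant, name in resolve_constants(CONSTRUCTED_CONSTANTS).items():
        print(f"0x{constant:08x} -> {name or '<unresolved>'}")
```

An unresolved constant is the normal case with a short candidate list; grow the list from the process names the sample's environment checks would care about before concluding the hash routine was reconstructed wrongly.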
@Jajajajjajakakakakkakakakakak 5 years ago
You mention that the `get_str_len` function for the 64 byte string is a silly mistake [20:41] because it doesn't test for the file extension, but isn't this correct because it's a JB instruction not a JNZ? So if the file was greater than or equal to 64 bytes the unpacking process would exit? Thanks for the videos!
@OALABS 5 years ago
Yeh! Totally a mistake on my part lol! Nice catch!
@drgowen 5 years ago
Watched this twice trying to figure out what I was missing :) was just about to comment too
@ricardonacif5426 4 years ago
Seriously, this is gold. Congratz!
@DEF3NDME 1 year ago
5 years ago, but still valuable.
@rahuldorai6628 4 years ago
Very good for anyone just starting
@belialblack3182 6 years ago
Great video again! Thanks for the time and effort invested!!! :) I do not agree with one thing though... You're saying that going through code and labeling functions is boring, but showing us such things is pretty useful to reverse stuff. :)
@christoffertoftpersson895 4 years ago
Great, trying to catch up on all these how-to videos. I have a question though: how come the sample ran when you renamed it to "auto.exe"? Was that part of it being packed by AutoIt, or a fluke, or did you see it somewhere in the assembly? I don't understand why the sample ran once you renamed it (apart from not matching the strings it specifically looks for).
@OALABS 4 years ago
So originally the binary had the word "sample" in its name; that is why it wasn't running. I just changed the name to remove "sample", I could have chosen any name, there is nothing special about "auto". I just chose it since I was thinking of AutoIt but it makes no difference to the unpacking : )
@santossantos2928 2 years ago
Hey man, thanks again for the amazing video! Could you make a video on how to unpack enigma 5xxx or later ? There isn't much or any information at all available on that. Keep up with the good work!
@luizvaz 3 years ago
This helped me a lot! Some protected apps refuse to work under Terminal Services.
@johnseed9260 6 years ago
I find it interesting that you place the breakpoint at the first instruction of the WinAPI functions because I've learned that protection mechanisms can simply scan (usually) the first byte for 0xCC before it is called. Is this method common enough that it should always be taken into account? Is it safer to place the breakpoint a bit further below? Hardware breakpoints are limited so this isn't an optimal solution. Using a PAGE_GUARD memory breakpoint might also not be an efficient solution?
@OALABS 6 years ago
That's a great point! There are lots of ways malware can avoid inline API hooks, and API breakpoints. The two most common methods that I have seen are: 1) the technique you mentioned where the breakpoint is scanned for, or a hash of the first few bytes is used to ensure they haven't been modified, and 2) where the first few bytes of the API code are replicated in the malware and the malware calls into the middle of the API code. Also worth mentioning is the real tricky stuff that just calls the kernel interrupt directly. However, that being said, when it comes to debugging my approach is always use a VM with a snapshot, and try the easiest thing first : ) This is only my experience, but probably 80%+ of packers I have seen don't use any API checking so I rarely have to do anything special. My experience could be non-representative though since I usually use a hooking engine with no debugger to unpack stuff. So maybe I have missed some of these tricks. But this is a great point to keep in mind when troubleshooting! Also, I should mention, this technique is a bit more common in malware payloads but generally you would see this and know to work around it once the sample was unpacked. Thanks for the excellent comment!
@johnseed9260 6 years ago
Thanks for the reply! This is the first I've heard of hooking engines. Do you have any resources on what it is and how they work?
@OALABS 6 years ago
Ah that's probably just me making up words : ) I tend to call any inline API hook framework a "hooking engine", but I'm not sure how widely used that term is. For example, the monitor dll for cuckoo github.com/cuckoosandbox/monitor.
@johnseed9260 6 years ago
Oh, okay. I was kinda expecting something like that anyway, hah. Thanks for the link, I'll look further into it myself.
@KaliLearner 13 days ago
Immensely helpful, thank you.
@Pernat1y 6 years ago
Awesome tutorial. Thank you.
@銅化金-l4e 2 years ago
Hi, I have a question: at "13:10", what does DDD mean?
@OALABS 2 years ago
The "d" hot key changes the data type under the cursor. In this case pressing "d" three times converts the data type into a DWORD which IDA then recognizes as a pointer to another memory address.
@AlexSiviero 3 years ago
Well this is awkward. I recently analyzed a 2021 Loki sample via memory analysis. After watching your video I spent hours trying to apply this to the new sample. All APIs were there: QueryInformationProcess, CreateToolhelp32Snapshot... Yet the process always exited without ever stopping on Toolhelp32. After hours, I eventually debugged enough to understand that it was ignoring any anti-VM/debug checks, injecting the unpacked sample into MSBuild.exe and exiting after it was done. I guess they just abandoned the checks you showed in newer samples 😅
@breadbaconcheese 6 years ago
If only I could like this 1000x. Solid info again, awesome.
@sandrolibero9207 5 years ago
Very interesting video!! But since (we presume) there are no checksum checks, a "code beautify" with IDAPython to convert the "db 0E4h" dirty stuff into 0x90 (nop) and then start the autoanalysis once again, wouldn't it be useful to get a faster functions reading? Thanks for sharing!
@andreiscutariu1035 5 years ago
This was freaking awesome, thank you!
@中国青年 4 years ago
Can I ask you a question? What's a thread? And do multiple threads all run (or execute) code at the same time?
@ISquishWorms 6 years ago
Really enjoying your videos. I was trying to obtain the sample from Hybrid Analysis so that I could follow along but they require vetting which involves submitting research / blog links etc but I do not have any of those as I am new to malware analysis. I only do Reverse Engineering to satisfy my own inquisitiveness during my own time and have never blogged or uploaded any of my own material in support of this.
@OALABS 6 years ago
We have recently moved away from sharing samples on Hybrid Analysis for this reason, we now use Malshare. You will need to create a free account on Malshare to download samples but they don't require any extra vetting or any intrusive information. Once you have an account you can download the packed sample here: malshare.com/sample.php?action=detail&hash=16eb2d73377fbc5dd00c93fcd604bfd5 and the unpacked sample here: malshare.com/sample.php?action=detail&hash=037b874a119a7cd0e00a3c971dd3298a I should also note that we got the original sample from Brad's awesome Malware Traffic Analysis blog. He always includes links to the samples at the end of his posts so you can download the packed sample there too www.malware-traffic-analysis.net/2017/11/16/index.html Thanks for the support : )
@ISquishWorms 6 years ago
Could not have asked for a more helpful reply. Thank you for the detailed and informative videos, enjoying the content.
@user-pg9te8ug1j 3 years ago
Great content - thanks a lot for this contribution!
@zahidadeel25 6 years ago
That's really helpful dear. Thanks a lot.
@michalturlik7309 2 years ago
Hi, thanks for the great work! Is there any chance to have a guide for IDA Pro and the ScyllaHide plugin? Thanks!
@OALABS 2 years ago
No, I pretty much just use x64dbg now, this tutorial was from a very long time ago. We have a Patreon post on setting up ScyllaHide for x64dbg though www.patreon.com/posts/installing-to-57091901
@ganeshkumargopinathan6375 6 years ago
Awesome video... your videos are always informative and detailed... thanks for that!!! Can you do a video on how malware uses exception handlers to find debuggers?
@OALABS 6 years ago
Absolutely! That's a great idea. I'll try to find a sample that uses that trick so we can demonstrate it in a video.
@ganeshkumargopinathan6375 6 years ago
Thank you so much!!! Waiting for it!!!
@katanakal 5 years ago
Very informative, thanks
@poroponchito 4 years ago
Hey, thanks. Kind of new to this world and this information is valuable. Thanks for real.
@strugglingforlifesodouble7046 4 years ago
j u s t b a s e 64 d e c o d e this: IzhjMzRiYTAzNSBJIGhhdmUgYSBwcm9ibGVtIHVucGFja2luZyB0aGlzIHByb2dyYW0uIElmIHlvdSBjYW4gdW5wYWNrIHRoaXMgaSBjYW4gZ2l2ZSB5b3UgNTAgZG9sbGFycyEgSGVyZSB0aGUgcHJvZ3JhbTogaHR0cDovL3d3dy5tZWRpYWZpcmUuY29tL2ZpbGUvMjlzZm9uNXJuMWljdHkzL3RhcmdldC43ei9maWxlICM4YzM0YmEwMzU=
@shreyaswaghmode5870 10 months ago
7:33 Sir, what do you mean by hooking engine? Can anybody please explain?
@OALABS 10 months ago
A framework that allows you to place hooks on API calls to monitor and intercept them... MinHook is a good example github.com/TsudaKageyu/minhook
@lausanfoster776 6 years ago
Thanks for the vid!!! Very informative, and I learned a few things. Thanks!!!
@איתימגדל 3 years ago
Great vid, thanks :) How did you convert dw to dd?
@OALABS 3 years ago
Select the value and press the "d" key. This will change the data type for the immediate.
@Ahmed_Mtr 4 years ago
What is the difference between a dynamically resolved API and an imported API? Import, is it when you include the header that has the API? I do not know how dynamic resolving works. Is it related to DLL files?
@OALABS 4 years ago
Dynamically resolved just refers to resolving the imports at runtime in the actual code rather than using the PE import table (which relies on the Windows loader to resolve the APIs). There is a pretty good explanation in this blog blag.nullteilerfrei.de/2019/11/09/api-hashing-why-and-how/
@nachisundaram9737 5 years ago
Hi. Your videos are awesome. One quick question. How do you identify garbage in the code and ignore it?
@OALABS 5 years ago
Thanks! Glad you are enjoying the tutorials : ) Identifying garbage is more of an art than a science unfortunately. After a while you can start to spot patterns of stuff that looks out of place but when you are just starting out a trick you can use is to follow the execution path for a bit and see if there is code that repeats itself. So for example, if you see a bunch of APIs being called but the returned data is never used, or if you see some jump statements that you follow only to be redirected back to near where you started. I know that's not a great answer... it's definitely not an easy task... maybe some of our viewers have better suggestions?
@niranjanjayanand2876 6 years ago
Thank you so much for this video. One question: so once a malicious thread is injected into a legitimate process, how can we clean it? Thanks
@OALABS 6 years ago
Hey glad you are enjoying the tutorial. So the reason we focus on injection is more as a way to quickly unpack the malware not as a way to "clean" the infected process. Since it is only the process that the malware is injected into, and not the actual PE on disk, as soon as the process is terminated the injected code will cease to run and the next time the process is started it will be clean (until something else is injected into it). So to "clean" it you just need to kill the process and restart it. But this won't clean the malware off the system, injection into processes is just the symptom of the malware not the root cause.
@АлександрКиселев-ъ5ю8ф
Thank you! You are a beautiful man and an excellent teacher! Hi from Russia 😊
@OALABS 1 year ago
@guitarstel 6 years ago
Hello sir. Great video. Can you show the same process using a malware that was written in .NET? I have been trying to learn using one, but it is also obfuscated with a custom obfuscator (ConfuserEx custom), so I can't proceed. Thank you
@OALABS 6 years ago
Thank you! I think the two best .NET analysis and deobfuscation videos have been done by Karsten over on the MalwareAnalysisForHedgehogs channel: ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-0DV1bhnnOyM.html ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-1RNcZpBLZHs.html
@eduardmart1237 4 years ago
Is there a way to install ScyllaHide in IDA Pro? I can't get it working... It works fine in OllyDbg, but IDA Pro is so much better... or maybe something similar
@Cygnus0lor 5 years ago
Haha LordPE! OALabs you're awesome :)
@OALABS 5 years ago
😎😂
@jordanjevan1076 3 years ago
Bro, I want to ask, is virtual protect similar to anti-VM?
@danusminimus9557 6 years ago
Can you make a video about catching the malware? Honeypot usage or network analysis
@OALABS 6 years ago
I'm not quite sure if you mean how do you collect samples or if you mean how do you detect if you are infected with malware? If you are looking for malware samples to practice your analysis we grab a lot of our samples from this excellent blog: www.malware-traffic-analysis.net/. Karsten also had a great video about collecting free samples which might be of interest to you: ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-SCJVW1E8dFA.html If you are interested in determining if you are infected with malware this is more in the realm of incident response or enterprise security and it's not really our focus with this channel. That being said I can highly recommend the memory forensics content from volatility-labs.blogspot.ca/. Also, if you are interested in doing detection at scale you can check out the following projects: thehive-project.org/ github.com/tomchop/malcom malpedia.caad.fkie.fraunhofer.de/ We also have a few free workshops that provide an overview of the incident response process linked from our website: www.openanalysis.net/#training I hope that is enough to get started. We may make some videos about how to use the output from the malware analysis process to detect malware. Or how to integrate IOCs into your incident response process. But I don't think we will focus specifically on implementing the controls.
@Dead4Light 6 years ago
Walter at it again. Thanks!
@adithyanaresh 6 years ago
Can you please make a video for IDA Pro with suggested plugins as well and how to connect to various debuggers. It would be helpful for beginners.
@OALABS 6 years ago
We covered some of these topics in an earlier video ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-qCQRKLaz2nQ.html You can expand the description of that video to see a list of the different topics we covered. As for plugins I think IDA is pretty complete without anything extra until you begin doing more advanced reversing. For more advanced users I would recommend the hex-rays decompiler (which is expensive) and BinDiff. Maybe we will make a video on some more advanced analysis techniques in the future. Thanks for the suggestion : )
@AndyRoidEU 11 months ago
I suppose I am doomed. I cannot even figure out how to open the threads / modules window. 08:50.
@OALABS 11 months ago
Yeh you are f-ed, give up now, go to chef school.
@prashantkadam6578 5 years ago
Awesome. Thank you "THANOS"
@maroofi 6 years ago
Super cool awesome tutorial.
@Jouss3ph 6 days ago
Thanks for your helpful video! Is there a way to fake CPU temperature? I'm analyzing a malware that detects a VM by the CPU temperature.
@OALABS 6 days ago
Probably, depends on how they are checking. If it's just an API call you can hook the call and fake the response.
@Jouss3ph 5 days ago
@@OALABS Could you please guide me or provide a tutorial or something? It is just an API call.
@OALABS 4 days ago
It's just a hook, there are hundreds of tutorials on this already. MinHook is one of the simpler frameworks: github.com/TsudaKageyu/minhook. I'm not gonna be pasting code into RU-vid comments, but if you join the Discord and share the sample you are working on someone can prob help you.
@lougvar 3 years ago
Hours of debugging and one minute for dumping xD
@DZBLKS 6 years ago
LordPE doesn't work for Win 10 (1709 64bit). It could not dump any process and also did not see any ImageBase.
@tiopeperino9501 6 years ago
Serhii Dziublyk you can use Scylla Import Reconstructor, available at devhub.io/repos/x64dbg-Scylla
@OALABS 6 years ago
Haha yeh it's an old tool and showing its age but it still has a place in our hearts 💕 Moving forward I think it will mostly be replaced with Scylla as Tio Peprino points out. However, I strongly recommend using Windows 7 SP1 x86 for x86 malware (or even XP if you can still get it). It greatly simplifies the environment and makes debugging etc. more straightforward. It also has the side benefit that all the fun old tools still work. We are planning to do some basic lab setup videos at some point and I will cover this.
@tiopeperino9501 6 years ago
OALabs, will be waiting for those vids dawg 👍
@mucomplex9115 4 years ago
Hi, is there any alternative link from which I can download the sample? Thanks.
@mucomplex9115 4 years ago
2nd question: most anti-debug detects IDA and OllyDbg; if we use a remote debugger, is it still detected?
@xXGamerGrantXx 6 years ago
Does this work on a DLL? Cuz I'm a noobie
@OALABS 6 years ago
Haha we are all noobs in our own way... to answer your question, yes these techniques will work for any type of PE. If you want an example of how to debug a DLL with IDA you can check out our tutorial here ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-qCQRKLaz2nQ.htmlm32s
@nicoladellino8124 6 years ago
Nice video
@Ma_X64 3 years ago
I see TApplication. It's definitely Borland.)
@ducphanduy534 6 years ago
Can this be done with IDA Free 5.0?
@EnduranceT 6 years ago
You should be able to use IDA Free with most of that as long as the binary is a 32-bit one. He didn't use the decompiler or any special plugins to do that.
@OALABS 6 years ago
Yes you can replicate the process using the IDA 5.0 freeware version. The main difference is that IDA 5.0 doesn't have a remote debugger only a local one so you will have to install IDA on the same VM that you are doing the debugging on. This isn't an issue though since it's a free version of IDA you don't need to worry about the license being stolen : )
@Jadovran 3 years ago
Track from intro pls
@OALABS 3 years ago
ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-Ln-cBFanW9I.html ;)
@Jadovran 3 years ago
@@OALABS thx bro
@КоламбияПикчерз-с6т
Hi. How do you bypass virtual machine protection in 2024?
@Ma_X64 3 years ago
But ProcessExplorer allows you to create dumps.
@maorvmail 6 years ago
Why not hook all these functions? Isn't it easier?
@OALABS 6 years ago
Yes in a lot of cases it would be much faster to either try to kill these checks by hardening the environment and hiding our debugger or attempting to kill the checks with some API hooks. We made this video to show how these checks actually work, and how you can identify them individually as an exercise to learn more about these techniques. Our friend Lasha Khasaia (@_qaz_qaz) has actually created an amazing project that detects these checks via hooks! You can check it out here github.com/secrary/makin
@glsoft 4 years ago
Hello! Good job! I would be interested in cracking a type of PDFEditor protection. I am not interested in the program but only in its protection scheme. Can you help me? Thanks a lot!
@Mezzosd 5 years ago
How to crack IDA Pro?
@OALABS 5 years ago
GHIDRA?
@ApexArtistX 5 years ago
Can I request specific tutorial ..
@OALABS 5 years ago
Yes for sure! Let us know what you would like to see, just keep in mind it has to be malware analysis related : )
@ApexArtistX 5 years ago
@@OALABS oh I was thinking to crack game cheats
@OALABS 5 years ago
We get asked that a lot : ) We are only really interested in analyzing malware though.
@1hitkissfloor976 1 year ago
Can I beat the VM detection of the GameGuard anti-cheat with this tutorial?
@OALABS 1 year ago
yes
@1hitkissfloor976 1 year ago
@@OALABS Can u plz tell me which minute I should start watching from to bypass the GameGuard VM detection?
@OALABS 1 year ago
yes
@anuragkashyap8026 3 years ago
What is your primary OS ?
@OALABS 3 years ago
macOS with two Windows VMs : )
@anuragkashyap8026 3 years ago
@@OALABS Waiting for your video on WarZone 🙂
@OALABS 3 years ago
It's in the works!
@tangraelectricpower8754 1 year ago
👏👏👏
@KreshnaDwipayana 2 years ago
Fravia, is he still alive? I can't solve the puzzle, but now I see it.
@tcc1234 3 years ago
30:12 "Avast AV check" Who even uses Avast? Edit: nvm, 2017 video. Malware sample probably even older.
@OALABS 3 years ago
😂😂
@sscryptomasters4505 5 years ago
Sir, please make the latest tutorials on cracking
@OALABS 5 years ago
Sorry we only do malware analysis, no cracking.
@sscryptomasters4505 5 years ago
@@OALABS ok sir thank you
@aparnapal9942 2 years ago
I am following this, but I could not get how you came to the call get_str_len. I converted it to code, but I could not get call get_str_len. Please help.
@Scalpel69SGandmore 5 years ago
I've blocked as many of these debugger checks as I can find, but it still detects the debugger, very frustrating. I am a complete newbie, so following your tutorials has definitely made life a lot easier.
@OALABS 5 years ago
Yeh sometimes it can be very tricky. You could try out this neat tool from @_qaz_qaz if you get really stuck. It will basically profile the malware and identify most potential anti-dbg checks github.com/secrary/makin