
Malware Triage Tips: How To Stop Wasting Time in IDA On Packed Samples [ Twitch Clip ] 

OALabs
15K views

Stop wasting time trying to reverse engineer packed samples in IDA Pro, quickly understand what you are looking at and use the correct tools...
Full stream: / oalabs
Packed Sample:
bazaar.abuse.c...
-----
OALABS DISCORD
/ discord
OALABS PATREON
/ oalabs
Twitch
/ oalabslive
OALABS GITHUB
github.com/OALabs
UNPACME - AUTOMATED MALWARE UNPACKING
www.unpac.me/#/
-----

Published: 21 Oct 2024
Comments: 31
@d3f4rm 2 years ago
Cannot overemphasize the importance here. So many malware authors are not geniuses at all, they're throwing very simple malware into packing and obfuscation frameworks. So let's throw their stuff into tools as well. Always go from high-level to low because a malware author's bread and butter is wasting your time.
@OALABS 2 years ago
💯
@Marstighter 7 months ago
very cool explanation. Nice talk about the API hammering. I also love the doggo[.]exe :)
@riskydissonance 1 year ago
The nose scratch counter made me buckle 🤣🤣
@Coledebord2 2 years ago
Great video as always! You should do a video on TLS callbacks and how you deal with malware utilizing them for anti-debugging/reversing, etc.
@OALABS 2 years ago
I can maybe cover these at some point, but there is nothing special about them, they are just another entry point. I think these were only an issue when they were unknown back in the early days for RE, now pretty much every tool will automatically handle them.
@OALABS 2 years ago
lol yeah, you have to configure the debugger for the sample you are debugging... I guess that's something we could cover... my personal workflow is unpack, then static analysis first, always, then debugging if I need to, but I guess this could get you if you were debugging first?
@OALABS 2 years ago
BTW, almost forgot, join our discord! Sounds like you guys would have some nice stuff to add discord.gg/oalabs.
@davidechiappetta 2 years ago
Many years ago I made a debugger that, with the help of the .dbg and .pdb files (first version, v2) of the system files, extracted the function names and the relative addresses of the import/export table from the PE. I could put breakpoints on all the APIs I wanted and filter the contents of the values pushed on the stack and the return values, to quickly study how these APIs work (I never loved Python, even if I know well how it works under the hood; I prefer to do things myself in assembly or C). Then over time I modified it and made sure to lock it if the pushed values were suspicious (I also used it to see the send and recv functions of mswinsock, and with the help of a sniffer I discovered the servers they connected to)... At the time I remember that the only help we could have to do these things were the articles by Matt Pietrek, a hex editor and a debugger for Windows such as W32Dasm, and SoftICE for the kernel (which, if used badly, froze the PC until reboot).... I wanted to add that as a sandbox virtual machine for testing DLLs, EXEs or shellcode you can also use Unicorn with Libemu; they have added hundreds of Win32 APIs with about 15 DLLs for Windows. Great tutorial, this and the others you have done for IDA Pro, I really enjoyed them.
@kaushikkumarbora 2 years ago
You are a good teacher
@RingZeroLabs 2 years ago
Great video showing fundamental concepts :)
@SaravanaKumar-qm7kj 2 years ago
You can check entropy with radare. I usually check entropy whenever I analyse binary files using r2.
@OALABS 2 years ago
Lol! Radareee 🤣🤣🤣
@SaravanaKumar-qm7kj 2 years ago
@@OALABS I know why you're laughing 😂😂 Just saying, the pecheck tool is the easiest one to check entropy.
@spacewolfjr 2 years ago
Where does that "OOOF" sound effect come from? I needs it.
@OALABS 2 years ago
IDA Minecraft plugin XD
@shans2408 1 year ago
I read all the comments just to see if anyone is talking about that sound. lol. I have a crazy imagination
@nikos4677 2 years ago
How does IDA immediately redirect you to main? My IDA has no signatures and it takes me to the entry point unless I have a PDB.
@OALABS 2 years ago
That is a good question! And I don't know the answer 😆 All versions of IDA I have used (including free) seem to jump to main if you are looking at an MSVC PE file. I think they have a signature for the MSVC entry point that seems to do the work, but that's just a guess ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-suwZB3EA_u4.html
@nordgaren2358 1 year ago
@@OALABS The entry point is also listed in the PE header, isn't it? I guess you could manually go there, but idk if IDA does image base offsets or not. It's under the Image Optional Header, btw!
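The two points raised above (checking section entropy with r2 or pecheck, and reading the entry point out of IMAGE_OPTIONAL_HEADER) are exactly what a triage pass does before anyone opens the sample in IDA. The script below is an added example, not OALabs' code and not the output of any tool named in the thread: it hand-builds a toy PE32 (the section names `.text`/`.pack0`, the seeded-random payload and the 7.0 bits-per-byte threshold are all assumptions made for the demo), then parses AddressOfEntryPoint, walks the section table and reports per-section Shannon entropy and which section the entry point lands in.

```python
"""Quick PE triage: entry point + per-section entropy (added example, not OALabs code)."""
import math
import random
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~0 for padding/nops, approaching 8 for compressed or encrypted payloads."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(image: bytes) -> dict:
    """Read AddressOfEntryPoint from IMAGE_OPTIONAL_HEADER and walk the section table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20  # IMAGE_FILE_HEADER is 20 bytes
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    (entry_rva,) = struct.unpack_from("<I", image, opt + 16)  # same offset for both magics
    sections = []
    for i in range(nsections):
        off = opt + opt_size + i * 40  # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", image, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "raw_ptr": rawptr, "raw_size": rawsize,
            "entropy": shannon_entropy(image[rawptr:rawptr + rawsize]),
        })
    return {"machine": machine, "entry_rva": entry_rva, "sections": sections}


def triage(image: bytes, threshold: float = 7.0) -> dict:
    """Rough packing screen: which section holds the entry point, which sections look encrypted."""
    pe = parse_pe(image)
    ep = pe["entry_rva"]
    ep_section = next((s["name"] for s in pe["sections"]
                       if s["va"] <= ep < s["va"] + max(s["vsize"], s["raw_size"])), None)
    high = [s["name"] for s in pe["sections"] if s["entropy"] >= threshold]
    return {
        "entry_rva": ep,
        "entry_section": ep_section,
        "high_entropy": high,
        "sections": pe["sections"],
        # Heuristic only: legitimate binaries with compressed resources also score high.
        "likely_packed": bool(high),
    }


def build_pe(sections: list, entry_rva: int) -> bytes:
    """Construct a minimal PE32 image for the demo (hand-built, not compiler output)."""
    FILE_ALIGN, SECT_ALIGN = 0x200, 0x1000
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)            # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)             # ImageBase
    struct.pack_into("<II", opt, 32, SECT_ALIGN, FILE_ALIGN)
    table, blobs, raw_ptr = b"", b"", FILE_ALIGN
    for i, (name, data) in enumerate(sections):
        padded = data + b"\0" * (-len(data) % FILE_ALIGN)
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(data),
                             SECT_ALIGN * (i + 1), len(padded), raw_ptr, 0, 0, 0, 0, 0x60000020)
        blobs += padded
        raw_ptr += len(padded)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + table
    assert len(headers) <= FILE_ALIGN, "too many sections for this toy layout"
    return headers + b"\0" * (FILE_ALIGN - len(headers)) + blobs


def demo_image() -> bytes:
    """Constructed sample: tiny stub in .text, seeded-random bytes standing in for a packed payload."""
    rng = random.Random(1337)
    stub = b"\x55\x8B\xEC" + b"\x90" * 61                 # push ebp; mov ebp, esp; nops
    payload = bytes(rng.getrandbits(8) for _ in range(4096))
    return build_pe([(".text", stub), (".pack0", payload)], entry_rva=0x1000)


if __name__ == "__main__":
    result = triage(demo_image())
    print(f"entry point RVA {result['entry_rva']:#x} in {result['entry_section']}")
    for s in result["sections"]:
        print(f"  {s['name']:<8} VA {s['va']:#07x} raw {s['raw_size']:#06x} entropy {s['entropy']:.2f}")
    print("likely packed:", result["likely_packed"])
```

On the constructed image the `.text` stub scores well under 1 bit per byte while the `.pack0` payload sits near 8, which is the signal to stop reading the stub in IDA and hand the sample to an unpacker or sandbox first. Point `parse_pe` at `open(path, "rb").read()` for a real file; the entropy threshold is a screening heuristic, not a verdict, since compressed resources and embedded certificates also score high.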
@jasonrobertcheney 2 years ago
I tried to use CAPE, but it keeps refusing to upload a sample, saying "Account inactive", and I just created it. Any ideas?
@duckie4670 2 years ago
Where is the OALabs catalog on process injection? Link me please.
@OALABS 2 years ago
By "catalogue" I just meant a collection of our old videos, before there was unpacme we made a lot of unpacking tutorials, here are a few: ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-uxlpRof1QWs.html ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-HfSQlC76_s4.html ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-4VBVMKdY-yg.html ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-242Tn0IL2jE.html ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-WthvahlAYFY.html ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-ylWInOcQy2s.html ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-QgUlPvEE4aw.html ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-EdchPEHnohw.html ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-wkPsvYfA08g.html
@duckie4670 2 years ago
@@OALABS Thank you. Your work is amazing.
@jamesakaiz0124 2 years ago
Hi, can you make a video on how to set up the Keypatch/Keystone plugin please, bro?
@OALABS 2 years ago
Neat! I wasn't aware of this, I'm actually looking for a patching framework right now so this is a happy coincidence! I'll check it out and get back to you.
@jamesakaiz0124 2 years ago
@@OALABS OK bro
@royendgel 2 years ago
Fireship voice?
@donaldduck6198 2 years ago
TwistedPanda
@OALABS 2 years ago
LanguidLion