- 125
- 1 685 506
OALabs
Canada
Registered 4. 11. 2017
Malware analysis tools, techniques, and tutorials!
Zombieware
Self-replicating malware, long abandoned by its operators, continues to contribute significant volume and noise to malware feeds. We investigate this trend, which we refer to as Zombieware!
Join us on Patreon for Part 2 where we reverse engineer a popular file infector and write an extractor to recover the infected files!
www.patreon.com/posts/zombieware-part-103656376
Full Zombieware blog post can be found on our UnpacMe blog here: blog.unpac.me/2024/04/25/zombieware/
Ladislav Zezula's excellent talk from BSides Prague can be found here:
czcams.com/video/OgXvd-Wce9o/video.html
-----
OALABS DISCORD
discord.gg/oalabs
OALABS PATREON
www.patreon.com/oalabs
Twitch
www.twitch.tv/oalabslive
OALABS GITHUB
github.com/OALabs
UNPACME - AUTOMATED MALWARE UNPACKING
www.unpac.me/#/
-----
views: 3 412
Video
Introduction to YARA Part 4 - Efficient Rule Development
2.5K views, 6 months ago
In this OALABS Patreon tutorial we cover the foundations of writing efficient YARA rules and provide some tips that can help speed up your YARA hunting. The full notes for this tutorial are unlocked for everyone on our Patreon www.patreon.com/posts/introduction-to-96638239 OALABS DISCORD discord.gg/6h5Bh5AMDU OALABS PATREON www.patreon.com/oalabs Twitch www.twitch.tv/oalabslive OALABS GITHUB gi...
Introduction to YARA Part 3 - Rule Use Cases
1.5K views, 6 months ago
In this OALABS Patreon tutorial we cover the three main use cases for YARA rules and how they apply to both BlueTeam/SOC operations and malware analysis. Fun notes have been unlocked for everyone on our Patreon here www.patreon.com/posts/introduction-to-96637668 The following are links to UnpacMe specific tutorials for developing each type of rule. Identifying specific malware families (unpacke...
Introduction to YARA Part 2 - Hunting on UnpacMe
1.7K views, 6 months ago
In this OALABS Patreon tutorial we demonstrate a simple YARA hunting example using the UnpacMe free YARA scan service: www.unpac.me Full notes have been unlocked on our Patreon here www.patreon.com/posts/introduction-to-96637337 OALABS DISCORD discord.gg/6h5Bh5AMDU OALABS PATREON www.patreon.com/oalabs Twitch www.twitch.tv/oalabslive OALABS GITHUB github.com/OALabs UNPACME - AUTOMATED MALWARE U...
Introduction to YARA Part 1 - What is a YARA Rule
6K views, 6 months ago
In this OALABS Patreon tutorial we cover the basics of YARA, what is it, how is it used, and how to write your first rule. Full notes have been unlocked on our Patreon here www.patreon.com/posts/introduction-to-96636471 OALABS DISCORD discord.gg/6h5Bh5AMDU OALABS PATREON www.patreon.com/oalabs Twitch www.twitch.tv/oalabslive OALABS GITHUB github.com/OALabs UNPACME - AUTOMATED MALWARE UNPACKING ...
Tips For Analyzing Delphi Binaries in IDA (Danabot)
3.5K views, 7 months ago
Reverse Engineering Delphi is a nightmare ... or it can be if you don't have the right setup! In this clip we cover some easy tips that can help make some of the analysis a bit easier. Full notes with links for tools are available here: research.openanalysis.net/danabot/loader/delphi/2023/12/04/danabot.html Full stream with analysis of the Danabot loader is available on Patreon here: www.patreo...
How To Recognize Macro Encrypted Strings in Malware
3.8K views, 7 months ago
How to identify when a macro is used to encrypt strings in malware... inferring source from disassembly! OALABS PATREON www.patreon.com/oalabs OALABS DISCORD discord.gg/6h5Bh5AMDU Twitch www.twitch.tv/oalabslive OALABS GITHUB github.com/OALabs UNPACME - AUTOMATED MALWARE UNPACKING www.unpac.me/#/
Direct vs. Indirect Syscalls What Is All The HYPE?! [OALABS Call-In Show]
3.3K views, 9 months ago
Our live discord call-in show debates! Are indirect syscalls even required? What are they and how are they used?! What are EDR vendors doing to detect them and why you might care.... OALABS PATREON www.patreon.com/oalabs OALABS DISCORD discord.gg/6h5Bh5AMDU Twitch www.twitch.tv/oalabslive OALABS GITHUB github.com/OALabs UNPACME - AUTOMATED MALWARE UNPACKING www.unpac.me/#/
Are Red Team Tools Helping or Hurting Our Industry? [OALABS Call-In Show]
1.9K views, 9 months ago
Our live discord call-in show debates! Are red team tools really helping our industry or are they just giving malware operators a free lunch?! OALABS PATREON www.patreon.com/oalabs OALABS DISCORD discord.gg/6h5Bh5AMDU Twitch www.twitch.tv/oalabslive OALABS GITHUB github.com/OALabs UNPACME - AUTOMATED MALWARE UNPACKING www.unpac.me/#/
Reverse Engineering With Unicorn Emulation
10K views, 10 months ago
In this OALABS Patreon tutorial we will learn how to use the Unicorn Emulator to assist with reverse engineering! This is the second part in a five-part tutorial series that can be found on our Patreon here... www.patreon.com/oalabs/posts?filters[tag]=Applied Emulation Lab Notes gist.github.com/herrcore/1a5af37f91a6f9b263a527c98c7b08bd OALABS DISCORD discord.gg/6h5Bh5AMDU OALABS PATREON www.pat...
Emulation Fundamentals - Writing A Basic x86 Emulator
15K views, 10 months ago
In this OALABS Patreon tutorial we will explore how an emulator works by building one ourselves! This is the first part in a five-part tutorial series that can be found on our Patreon here... www.patreon.com/oalabs/posts?filters[tag]=Applied Emulation The demo Jupyter Lab note can be found on GitHub here... gist.github.com/herrcore/f25bcf55fa10fa8d04effc172eeb63c9 OALABS DISCORD discord.gg/6h5B...
AV Emulation Detection Tricks Used by Malware
6K views, a year ago
Tricks that malware developers use to detect antivirus emulators and how these differ from the sandbox emulators we use from our recent Twitch stream. Alexie's Windows Defender research with some insights into the emulation engine used... recon.cx/2018/brussels/resources/slides/RECON-BRX-2018-Reverse-Engineering-Windows-Defender-s-JavaScript-Engine.pdf i.blackhat.com/us-18/Thu-August-9/us-18-Bu...
Tips to Learn Reverse Engineering: Avoid These Common Pitfalls!
12K views, a year ago
How to maximize the return on your time when learning how to reverse engineer! Just a few thoughts on what worked for me and what to avoid from our recent Twitch stream. OALABS PATREON www.patreon.com/oalabs OALABS DISCORD discord.gg/6h5Bh5AMDU Twitch www.twitch.tv/oalabslive OALABS GITHUB github.com/OALabs UNPACME - AUTOMATED MALWARE UNPACKING www.unpac.me/#/
Understanding The PEB for Reverse Engineers
9K views, a year ago
Well it finally happened... infected myself with Emotet lel
7K views, a year ago
ESXiArgs Ransomware Analysis with @fwosar
5K views, a year ago
What The Security Industry Should Know About Reverse Engineering [ Reverse Engineering AMA ]
2.7K views, a year ago
Do Companies Actually Pay Ransomware [ Reverse Engineering AMA ]
1.6K views, a year ago
What is The Future of Reverse Engineering [ Reverse Engineering AMA ]
2.4K views, a year ago
One Trick To Level Up Your Reverse Engineering [ Reverse Engineering AMA ]
3.8K views, a year ago
How To Identify Unknown Crypto Functions [ Reverse Engineering AMA ]
1.8K views, a year ago
Tips For Writing a .NET Static Config Extractor for Malware [ Reverse Engineering AMA ]
784 views, a year ago
What Is The Most Interesting Malware From 2022 [ Reverse Engineering AMA ]
2.5K views, a year ago
Most Embarrassing Malware You Have Analyzed [ Reverse Engineering AMA ]
1.6K views, a year ago
How to Switch Careers Into Reverse Engineering [ Reverse Engineering AMA ]
2.3K views, a year ago
Tips for Analysis of Large Complex Binaries [ Reverse Engineering AMA ]
1.6K views, a year ago
Does Big Cyber Pay Better Than Startups [ Reverse Engineering AMA ]
1.5K views, a year ago
Just had to analyze this sample in SANS FOR610 training. Very nice sample.
Hi, I'd like to see the rest of the videos, but Patreon declined my payment. Is there another way? Or another platform to see the full video course? Thank you
Declined your payment?! Sorry but Patreon is the only option 💔
Amazing content! Please do more videos in a reverse engineering context! Thank you.
is there an update to this?
A few things have changed, VMware is now free, Windows 11 installs without the hacks, we stopped trying to support FLAREVM but the basics are pretty much the same
@OALABS do I still have to convert VHDX to VMDK?
@mt000mp No, you don't have to if you are downloading Win11 directly from VMware Fusion
How would you go about finding the IOCTL code if it wasn't pre-disclosed? I'm new to reversing.
7:35 pseudocode is pretty readable : )
Excellent for beginners like me.
2:49 could you link that tool? I couldn't find it anywhere. Perhaps I'm using the wrong search terms.
Already linked in the article in the video description
No, I mean the one you said was by rattle, not the danabot scripts repo on GitHub
Congratulations on the content...
Arm lock! 🇧🇷
Couldn't you have inserted a jump instead of the push 0?
I love you for uploading this. Great video!
: )))
G-UINT
You know what I said to myself? "That's nasty. Maybe I'll try that." I don't have a particular use for it and don't ever look at pseudocode for anything, ever. But still I dig it. Rock on, dude.
So, is there any way to bypass the breakpoint check?
Turn it off on x64dbg?
Dc ?
ac?
@OALABS Discord?
rb.gy/5f85nv
The Stompin' Tom outro really caught me off guard xD Unfortunately I seem to be at this kind of video a bit too early, I don't know nearly enough about assembly to make heads or tails of what I'm looking at. I just wanted to figure out why this (not malicious) program I have wasn't properly launching xD
I did not see actual diffing, like a side-by-side pseudocode comparison in IDA. Is it possible with BinDiff?
I don't know of any open source tool that does this for pseudocode
Hi, I love malware development & reverse engineering in Windows, how can I start in these two fields? Please help me
sending mental fist bumps
Not to be a dick, but those edits ruin the video a lot and it's so annoying
tenor.com/view/swag-cat-mad-watch-this-swag-crash-lol-gif-20326813
Hello! Thank you for this! Has anyone here run into the issue that after restarting into Safe Boot, when logging on it says an app is needed and one simply cannot log on?
I worked with an "experienced" coder who worked on Windows 95 and they've been calling it WindBag for years... because its name is windbg - windbag. Pretty simple really.
None of this is true
Video very good 🎁🎁🎁😍😍 Like friends ❤❤❤❤❤⚘️⚘️🫰
Hi, can you create a complete tutorial on how to create a botnet with IRC
I have a question, do you know why a developer would use this method? Is there any performance loss or any other limitation? Because using the injection is a lot more complex than just using Themida on the exe.
Honestly I think most of it just boils down to skill issue, sadly
Bro, thanks, I learned a lot of tricks on your channel.
I've been struggling with a Delphi file for the last week, wish I'd found this sooner 😀
Hi can I run Remnux on Flare VM for Windows on ARM?
wow, a german!
Nice to see mystery Sean, the hairy end of OALabs xD
Lol clearly he got the hair for both of us XD
pretty insane, thank you for this
a wild sean has appeared
A rare sighting haha
@OALABS let him out of the basement more often
The best bald guy on the planet
😄
Lol
You're causing a stir, Misho 😂
Can someone here invite me to Malpedia?
Thank you for your great work 👍 👏 😀 🙌 🙏 and for sharing ♥️ ❤️ ✨️ 😀
awesome video
Woooa, very CLEAR !!! thank you so much !!!!!!!!!!!
Thanks for the video. I have one question. My EntryPoint in x64dbg is 1001149B and PEbear lists 10E20 as my Function RVA for Export 'DllInstall'. How exactly would I add those numbers to set a BP after the call?
Video very good🎁🎁🎁🎁⚘️🌷 Happy birthday ❤❤❤🥰🥰🥰🥰❤️
I understand that it's a good practice to use WIN7 for RE, but these days some malware is targeting specifically WIN10 and nothing else. Have you found a reliable way to disable ASLR on Windows 10?
This video is from 2019, as you point out prob not good practice to use win7 now haha. It's built into x64dbg now though i.imgur.com/hddLhub.png
@OALABS 1. Your content is incredible - best RE/InfoSec channel ever. Thanks to you, I've been able to expand my skills beyond what I ever thought possible. 2. Thank you for spending the time to reply. You've saved me tons of headache.
Can you recommend any book about emulation? I am writing an article for my graduate program in computer science and I want to discuss emulation techniques and a case study with an analysis of how the JVM works, thanks
very cool explanation. Nice talk about the API hammering. I also love the doggo[.]exe :)
How do I debug Comodo Internet Security Pro? it reaches this breakpoint and no longer debugs.
The new WinDbg allows you to do kernel mode debugging from the host :)
Thank you
IDK, when I press F5 it says "sorry you don't have any decompilers" on Windows
Asking this more than a year after this video's release .... is this the best and most optimal way to build a Windows Malware Analysis environment on ARM Macs ?
Still the setup that I use to this day 👍 Some of the quirks of the vm install have been ironed out as the hypervisor market catches up with the M series chips but overall this is the solution
Very cool. I'm writing an 8 bit multi-CPU symbolic simulator with static analysis and code tracing/debug capabilities, it's cool to see how the main OS's implement the debug/single step functions. Thanks for the explanation.
Nice!
You spend a great deal of time explaining what you are not going to be explaining instead of explaining all the things you ARE going to be explaining.
This would have been very helpful advice 6 years ago!
May I ask if you have tried to compile unicorn from source? I tried to compile unicorn static libraries for arm64 architecture and failed.
i.imgur.com/IhWEb3a.png
@OALABS wow, I didn't expect you to really answer my question. Thank you very much.
@OALABS 🤣 man, it turned out to be a picture
hahahah!! Sorry, yes I have compiled it, only pain awaits you...
Thank! awesome video
Thanks : ))