WinDbg Basics for Malware Analysis
- Added 27. 07. 2024
- In this tutorial we cover the basics of debugging malware with WinDbg. Expand for more...
-----
OALABS DISCORD
/ discord
OALABS PATREON
/ oalabs
OALABS TIP JAR
ko-fi.com/oalabs
OALABS GITHUB
github.com/OALabs
UNPACME - AUTOMATED MALWARE UNPACKING
www.unpac.me/#/
-----
Automated Malware Unpacking
www.unpac.me/
Tutorial Bookmarks:
3:12 WinDbg workspace layout
13:00 downloading and importing symbols
17:10 basic commands
25:40 unpacking live malware with WinDbg
WinDbg Cheat Sheet and Tutorial Notes:
oalabs.openanalysis.net/2019/...
Huge thank you to Josh... follow him on Twitter for lots of great Reverse Engineering content!
/ jershmagersh
TLD Malware:
SHA256: 1be4cbc9f9b6eea7804e08df92cff7453aa72f0bb862b0fb8f118c5e3ffdaad6
www.malware-traffic-analysis....
Josh’s talk on TLD Malware:
• Mo` Monero Mo` Problem...
Feedback, questions, and suggestions are always welcome : )
Sergei / herrcore
Sean / seanmw
As always check out our tools, tutorials, and more content over at www.openanalysis.net
#WinDbg #ReverseEngineering #Tutorial
The Stompin' Tom outro really caught me off guard xD
Unfortunately I seem to be at this kind of video a bit too early, don't know nearly enough about assembly to make heads or tails of what i'm looking at. I just wanted to figure out why this (not malicious) program I have wasn't properly launching xD
Hey guys, great helpful video. I am definitely interested in seeing more!
This is a brilliant resource - quite amazing how far debugging has come since my W32Disasm days
I used this tutorial back in 2020 to create a library that can get "LoadLibrary" and "GetProcAddress" without including . Not to write viruses, just to be able to write OpenGL code without having all the bloat that comes with .
Reviewing this again so I can work on a header-only C file that you can run to start writing shader code. No dependencies. Just a single file.
Try to make OpenGL as easy to get started with in C as it is with WebGL.
Yes more on this please! Kernel debugging would be awesome!
The new version of WinDbg is so nice, I don't know if you saw it..
Good video !!
Awesome! Gonna go through this right now 👍
Awesome video as usual!
The new WinDbg allows you to do kernel mode debugging from the host :)
yesssssssssssssssssssss!!!!!!!! been waiting for more oalabs!
This was a great tutorial. I really liked how you give little explanations for some concepts, it is really beginner-friendly and easy to follow. I would definitely like to see more about windbg. Thank you for the videos.
Thanks for the feedback! I wasn't sure if those cuts were going to be annoying or informative... sounds like the latter though so I'll keep doing them : )
i agree, the little explanations are one of the key reason why i love oalabs
Great overview, thanks!
Was so helpful. Thanks a ton! 🙌🙌
Thumbs up to bringing back Josh!
looking forward to kernel debugging!
Well done guys!! 🤓
Good tutorial. Please upload more such videos.
@19:00-19:02 the return address of VirtualAlloc is most likely at 7504590e and not the one being highlighted (it belongs to KERNELBASE!ResetWriteWatch). You could put an annotation there to help future viewers:)
Thank you very much for your work, great video!
True that. Another way to do it is to simply set a bp at VirtualAlloc and then running "pt" command which jumps right into the ret.
Very very nice video, thanks.
Perfect!! Thank you very much!
Your channel is the best for learning reverse engineering!!
Hey thank you very much, glad you are enjoying these : ))
I recently found out about this channel and I immediately fell in love, something I've been looking for for a long time. Also, it would be awesome to have a similar tutorial on x64dbg, I've been using it for some time but it still feels like I'm missing something (unless there's a nice tutorial already)
Hey thanks very much! We have been thinking about doing something similar for x64dbg, stay tuned : )
Perfect ! Thanks !
Yay!!! Kernel debugging
When providing a range to the .writemem function all values are inclusive. MSDN uses as an example that writing the range 1000 - 1007 is 8 bytes long. So for this video, the range should have been 30000 - 35999 which will return the desired size of 6000. Keep up the great videos!
That makes sense, thanks Dmytri!
Thanks for the video =)
Thanks for a great video. Love you babe
Love your work, I wish I had found your videos earlier. Keep up the good work
I worked with an "experienced" coder who worked on Windows 95 and they've been calling it WindBag for years... because its name is windbg - windbag. Pretty simple really.
None of this is true
16:55 that sound. I thought something closed or broke...
Is it possible to bp a 64-bit API from a 32-bit process? a heaven's gate thing. i was able to create a trace script using z command while monitoring the change in cs register but it takes forever.
Can you use WinDbg for software programs other than Windows applications?
Well done guys. Also can you guys do a .NET malware analysis? Thanks!
Is .NET malware that harmful? I've never had experience with it.
Hey thanks for the suggestion. The reason we haven't covered .NET stuff is because there are already so many excellent .NET malware analysis tutorials over on the MalwareAnalysisForHedgehogs channel. We do get a lot of requests for this though so maybe we will do something in the future. Until then I recommend checking out these:
czcams.com/video/O3S-M2nAKmE/video.html
czcams.com/video/92GDWqCK1rQ/video.html
czcams.com/video/0DV1bhnnOyM/video.html
czcams.com/video/1RNcZpBLZHs/video.html
I saw some of them @inspiredbymichansenpai2393
Thank you for the recommendation! Really helpful. @OALABS
Should I learn assembly before watching this video?
Can you make a video on bypassing anti debug? :D
We have already covered a generic process for identifying and bypassing anti-analysis techniques in an older video czcams.com/video/WlE8abc8V-4/video.html but if there are some specific tricks you want to see just let us know! Maybe we could do a tutorial on setting up some plugins to do this automatically?
In the instruction *eb $peb+0x2 0x0*, why isn't the BeingDebugged byte at $peb+0x1? Since $peb itself, i.e. $peb+0x0, will be the first byte of the structure?
Okay that’s an array of two bytes. My bad.
How do I exit WinDbg? Every time I open a game, it says to exit it. Someone please help
Your videos are amazing sir. I will be starting the book Secrets of Reverse Engineering soon after finishing the Black Hat Python book. I'd really appreciate it if we could do a cybertalk on my channel and you could share your side of knowledge🙂 Any way I can get in touch with you?
Thanks, would be happy to chat. Contact info is in the description of each video, and on our website openanalysis.net
@OALABS 🙂 thanks for the quick response sir. I unfortunately don't have a Twitter account.... Can we get in touch through Discord/Instagram/LinkedIn?
And here I am, in front of my gdb prompt...
I like GEF to make gdb a bit more user-friendly github.com/hugsy/gef
Windebug? I thought it was affectionately pronounced Windbag?
Lol, an Ionescu student I see : )
Hi, I'm a LiveOverflow subscriber and I wanted to give your channel some constructive criticism: upgrade your mic. This is the one thing that immediately pushed me away from your channel. Then I would suggest zooming in on the part you are talking about (i.e. at 12:47) more often, because the mouse pointer is tiny otherwise and makes following harder. Lastly the cam is appreciated but not necessary (IMO). Regardless, you are one helpful source of info for the Reverse Engineers community.