How To Defeat Anti-VM and Anti-Debug Packers With IDA Pro

  • date added 27. 07. 2024
  • Open Analysis Live! We use IDA Pro and the debugger to unpack a Loki malware sample from a packer that has a ton of anti-analysis, anti-debug, and anti-VM tricks.
    -----
    OALABS DISCORD
    / discord
    OALABS PATREON
    / oalabs
    OALABS TIP JAR
    ko-fi.com/oalabs
    OALABS GITHUB
    github.com/OALabs
    UNPACME - AUTOMATED MALWARE UNPACKING
    www.unpac.me/#/
    -----
    Automated Malware Unpacking
    www.unpac.me/
    The original sample from Malware Traffic Analysis:
    www.malware-traffic-analysis.n...
    The hybrid-analysis sandbox run:
    www.hybrid-analysis.com/sampl...
    Two excellent manuals for understanding anti-analysis tricks (PDF):
    anti-reversing.com/Downloads/A...
    www.blackhat.com/presentation...
    The unpacked sample:
    www.hybrid-analysis.com/sampl...
    LordPE ... old school cool : ))
    www.aldeid.com/wiki/LordPE
    We are always looking for feedback, what did you like, what do you want to see more of, what do you want to see us analyze next? Let us know on twitter:
    / herrcore
    / seanmw
    As always check out our tools, tutorials, and more content over at www.openanalysis.net
    P.S.
    @BinaryAdventure has created an excellent tutorial demonstrating the same technique but using OllyDbg! Check it out • Using OdbgScript to Ov...

Comments • 134

  • @ahndeux
    @ahndeux 3 years ago +12

    19:08: Believe it or not, there is a lot of value in stepping through and showing us, because it lets us know your thinking process in decoding all those different sections and why you think they should be labeled in a certain way. That type of process is critical to understanding how to look at the code and make sense out of it. I'm glad that you are great at explaining what you are doing throughout the process. The ability to get into your mindset and the thinking process is very important.
    It's almost like solving a complex, difficult Sudoku problem that once you figure out a key the rest unlocks itself. Getting to that key moment is the magic. Some of these complex Sudoku problems can take hours to solve and only a few key areas block the entire process. The crazy part is the answer was always in front of you.

    • @tcc1234
      @tcc1234 3 years ago

      Yeah. You should've included that and then put in a timestamp in case somebody wanted to skip that part.

    • @ahndeux
      @ahndeux 3 years ago

      @@tcc1234 You did a great job. I learned a lot from watching what you were doing. Three weeks ago I never programmed in C and now I'm trying to figure out IDA... LOL. It was a shock to have to learn some basic assembly and C to understand how to reverse engineer. Your videos were very helpful.

    • @tcc1234
      @tcc1234 3 years ago

      @@ahndeux When I said "should've included that" I meant you should've included that. XDDDDD
      You meaning the OALabs xDD

  • @georgekatakouzinos
    @georgekatakouzinos 6 years ago +57

    Awesome. Can't believe I requested this a week ago and it's done already. You guys rock. Excellent video, easy to follow and understand and fills in some gaps I was struggling with. Keep up the excellent work.

    • @EnduranceT
      @EnduranceT 6 years ago +4

      Pretty sure I requested it too. Thanks for also requesting it, :P I'm super happy to find other ppl out there who care about learning this stuff and even happier that Sergei and Sean are willing to take the time to explain it. OALabs, some day, I'm going to have to send you a giant meaningful thank-you, perhaps at a conference ;)

    • @lucian6172
      @lucian6172 1 year ago

      @@EnduranceT That "giant meaningful thank-you" sounds like malware already. Are you working on some virus that nobody knows how to debug yet?

  • @SourceCodeDeleted
    @SourceCodeDeleted 5 years ago +8

    Really well done! I am surprised to see in such detail things that I had to suffer through early in my career.

  • @Kaplan0644
    @Kaplan0644 5 years ago +2

    Awesome, very informative and fun to watch at the same time. I always welcome the extra reading material for studying/reading, definitely will get a copy of those 2 pdfs. Thanks for your efforts..

  • @marcelgraf5520
    @marcelgraf5520 2 years ago +6

    I cannot fathom how much this video helped me. The documentation, live example etc.
    Thank you so much.

  • @belialblack3182
    @belialblack3182 5 years ago +1

    Great video again! Thanks for the time and effort invested!!! :) I do not agree with one thing though... You're saying that going through code and labeling functions is boring, but showing us such things is pretty useful to reverse stuff. :)

  • @EnduranceT
    @EnduranceT 6 years ago +2

    I love this because not only do I learn from these videos, but they also show that the reality is, RE does take a lot of time and WORK and there aren't a ton of shortcuts except for stepping around problems like you did at the end of the vid with the memory dump. But I love that you took the time to explain the actual analysis of the anti-debug because most ppl just bring the subject up but don't actually show wtf they mean with anti-debug. Thank you VERY MUCH! Also I loved the old school part. Keep rockin you guys are awesome!

    • @klarnorbert
      @klarnorbert 6 years ago

      Yep, really nice video, I'm more of a visual guy, so these videos help a lot. Keep up the good work!

    • @aykfc
      @aykfc 6 years ago

      Who thinks reverse engineering is easy and takes little work?

  • @ricardonacif5426
    @ricardonacif5426 3 years ago +2

    Seriously, this is gold. Congratz!

  • @andreiscutariu1035
    @andreiscutariu1035 5 years ago +1

    this was freaking awesome, thank you!

  • @Pernat1y
    @Pernat1y 6 years ago +2

    Awesome tutorial. Thank you.

  • @breadbaconcheese
    @breadbaconcheese 5 years ago +1

    if only i can like this 1000x, solid info again. awesome.

  • @lausanfoster776
    @lausanfoster776 6 years ago +1

    thanks for the vid!!! Very informative and learned a few things Thanks!!!

  • @user-pg9te8ug1j
    @user-pg9te8ug1j 3 years ago

    Great content - thanks a lot for this contribution!

  • @zahidadeel25
    @zahidadeel25 6 years ago +1

    That's really helpful dear. Thanks a lot.

  • @user-ss7eh7xf1b
    @user-ss7eh7xf1b 5 years ago +3

    Great video, guys!
    I was also surprised that they compared process names directly instead of comparing MD5 hashes of the strings or something, so it would be hard to guess what name actually triggered processExit.

    • @OALABS
      @OALABS  5 years ago +1

      Thank you : ) Yes this is a pretty straightforward sample to analyze, some other more complex malware like Dridex use hashes instead of strings as you suggested, it really makes RE a lot slower. There is a nice blog on this by our friend r3mrum r3mrum.wordpress.com/2018/02/15/string-hashing-reverse-engineering-an-anti-analysis-control/
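The plain-name versus hashed-name comparison discussed in this exchange, as an added Python example; it is not code from the video or from OALabs. It assumes a hypothetical sample that compares MD5 digests of lower-cased process names (the commenter's suggestion; real families use their own hash routines), and the candidate tool names and the three check values are constructed for the example. It shows the analyst-side workaround: resolving recovered hashes against a wordlist of analysis tool names, and why a strings scan exposes the plain variant but not the hashed one.

```python
"""Resolve hashed process-name checks back to cleartext tool names.

Added example, not code from the video or from OALabs. Assumption: the
(hypothetical) sample compares MD5 digests of lower-cased process names;
real families use their own hash routines, so hash_name() is the piece
an analyst swaps out once the routine has been reversed.
"""
import hashlib
from typing import Dict, Iterable, List, Optional


def hash_name(name: str) -> str:
    """Hash a process name the way the hypothetical sample does (MD5 hex)."""
    # Lower-casing first: "IDAQ.EXE" and "idaq.exe" must produce one value.
    return hashlib.md5(name.lower().encode("ascii", "ignore")).hexdigest()


def build_table(candidates: Iterable[str]) -> Dict[str, str]:
    """Precompute hash -> name for every candidate tool name."""
    return {hash_name(c): c for c in candidates}


def resolve_hashes(hashes: Iterable[str],
                   candidates: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each hash recovered from the sample to a name, or None if unknown."""
    table = build_table(candidates)
    return {h: table.get(h.lower()) for h in hashes}


def visible_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Minimal `strings`-style scan: runs of printable ASCII >= min_len."""
    found, run = [], bytearray()
    for b in blob:
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


# Constructed wordlist: analysis tools an analyst would try first.
CANDIDATES = [
    "idaq.exe", "idaq64.exe", "ollydbg.exe", "x32dbg.exe", "x64dbg.exe",
    "procmon.exe", "wireshark.exe", "vmtoolsd.exe", "vboxservice.exe",
]

# Constructed check values "pulled from the sample": two are in the wordlist,
# the third is not, which is the usual partial result of this technique.
SAMPLE_HASHES = [
    hash_name("idaq.exe"),
    hash_name("vboxservice.exe"),
    hash_name("not-in-wordlist.exe"),
]


def demo() -> Dict[str, object]:
    """Resolve the constructed hashes and contrast what a strings scan shows."""
    # Plain-string variant (the video's sample): the names sit in the clear.
    plain_blob = b"\x00\x00idaq.exe\x00ollydbg.exe\x00\x90\x90"
    # Hashed variant: only 16-byte digests are embedded, nothing readable.
    hashed_blob = b"\x00\x00" + b"".join(bytes.fromhex(h) for h in SAMPLE_HASHES)
    return {
        "resolved": resolve_hashes(SAMPLE_HASHES, CANDIDATES),
        "plain_strings": visible_strings(plain_blob),
        "hashed_strings": visible_strings(hashed_blob),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

An unresolved hash is the normal outcome when the wordlist is incomplete; extend CANDIDATES with the process names seen in your own lab rather than guessing.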

  • @rahuldorai6628
    @rahuldorai6628 3 years ago +1

    Very good for anyone just starting

  • @katanakal
    @katanakal 5 years ago +1

    Very informative thanks

  • @luizvaz
    @luizvaz 3 years ago

    This helped me a lot!
    Some protected apps refuse to work under Terminal Services.

  • @f_x9771
    @f_x9771 6 years ago +2

    Wow!! I'm truly just a newbie, barely finished reading the Ida Pro Book 2nd Edition & this video has truly helped me clear up some gaps! Great video!! Definitely recommending this to others who are learning! You guys are doing an amazing job, keep it up :)

    • @OALABS
      @OALABS  6 years ago +1

      Thank you very much : ))

  • @santossantos2928
    @santossantos2928 2 years ago

    Hey man, thanks again for the amazing video! Could you make a video on how to unpack enigma 5xxx or later ? There isn't much or any information at all available on that. Keep up with the good work!

  • @maroofi
    @maroofi 6 years ago

    Super cool awesome tutorial.

  • @poroponchito
    @poroponchito 4 years ago +1

    hey, thanks. Kind of new in this world and this information is valuable. Thanks for real

    • @strugglingforlifesodouble7046
      @strugglingforlifesodouble7046 3 years ago

      j u s t b a s e 64 d e c o d e this: IzhjMzRiYTAzNSBJIGhhdmUgYSBwcm9ibGVtIHVucGFja2luZyB0aGlzIHByb2dyYW0uIElmIHlvdSBjYW4gdW5wYWNrIHRoaXMgaSBjYW4gZ2l2ZSB5b3UgNTAgZG9sbGFycyEgSGVyZSB0aGUgcHJvZ3JhbTogaHR0cDovL3d3dy5tZWRpYWZpcmUuY29tL2ZpbGUvMjlzZm9uNXJuMWljdHkzL3RhcmdldC43ei9maWxlICM4YzM0YmEwMzU=

  • @casualgamer1791
    @casualgamer1791 2 years ago +1

    Great Video!
    Some question regarding 36:20. So You took a snapshot of the VM? When exactly? When that first break-point triggered? Is this an IDA feature/plugin? Maybe You have a video explaining Your setup?
    Edit: nvm it is explained in the IDA Pro Malware analysis tips video at 40:00

  • @ganeshkumargopinathan6375

    Awesome video... your videos are always more informative and detailed... thanks for that!!! Can you do a video on how malware uses exception handlers to find a debugger?

    • @OALABS
      @OALABS  6 years ago

      Absolutely! That's a great idea. I'll try to find a sample that uses that trick so we can demonstrate it in a video.

    • @ganeshkumargopinathan6375
      @ganeshkumargopinathan6375 6 years ago

      Thank you so much!!! Waiting for it!!!

  • @melissali1571
    @melissali1571 1 year ago +1

    :D omg, I remember all the oldschool OllyDbg techniques! OllyDbg scripts like morphine (I still have all the old plugin source code for Olly in my old hard drive drawer lmao!)... I remember ImpREC with the Simpsons icon... It was so much fun back in the day!
    Did they ever release OllyDbg 64 lmao? I know with IDA who needs OllyDbg but... Ohhhhh, I just had goosebumps from back in the day making MMORPG private servers from scratch like Dekaron and stuff.

  • @DEF3NDME
    @DEF3NDME 1 year ago +1

    5 year ago, but still valuable.

  • @ISquishWorms
    @ISquishWorms 6 years ago +1

    Really enjoying your videos.
    I was trying to obtain the sample from Hybrid Analysis so that I could follow along but they require vetting which involves submitting research / blog links etc but I do not have any of those as I am new to malware analysis. I only do Reverse Engineering to satisfy my own inquisitiveness during my own time and have never blogged or uploaded any of my own material in support of this.

    • @OALABS
      @OALABS  6 years ago +1

      We have recently moved away from sharing samples on Hybrid Analysis for this reason, we now use Malshare. You will need to create a free account on Malshare to download samples but they don't require any extra vetting or any intrusive information. Once you have an account you can download the packed sample here: malshare.com/sample.php?action=detail&hash=16eb2d73377fbc5dd00c93fcd604bfd5 and the unpacked sample here: malshare.com/sample.php?action=detail&hash=037b874a119a7cd0e00a3c971dd3298a
      I should also note that we got the original sample from Brad's awesome Malware Traffic Analysis blog. He always includes links to the samples at the end of his posts so you can download the packed sample there too www.malware-traffic-analysis.net/2017/11/16/index.html
      Thanks for the support : )

    • @ISquishWorms
      @ISquishWorms 6 years ago +1

      Could not have asked for a more helpful reply.
      Thank you for the detailed and informative videos, enjoying the content.

  • @Dead4Light
    @Dead4Light 6 years ago

    Walter at it again. Thanks!

  • @sandrolibero9207
    @sandrolibero9207 5 years ago

    Very interesting video!!
    But since (we presume) there are no checksum checks, wouldn't a "code beautify" with IDAPython to convert the "db 0E4h" dirty stuff into 0x90 (nop), followed by running the autoanalysis once again, be useful to get a faster reading of the functions?
    Thanks for sharing!

  • @nicoladellino8124
    @nicoladellino8124 5 years ago +1

    Nice video

  • @AlexSiviero
    @AlexSiviero 3 years ago

    Well this is awkward. I recently analyzed a 2021 Loki sample via memory analysis. After watching your video I spent hours trying to apply this to the new sample. All APIs were there: QueryInformationProcess, CreateToolhelp32Snapshot... Yet the process always exited without ever stopping on toolhelp32. After hours, I eventually debugged enough to understand that it was ignoring any anti-vm/debug checks, injecting the unpacked sample into MSBuild.exe and exiting after it was done. I guess they just abandoned the checks you showed on newer samples 😅

  • @Cygnus0lor
    @Cygnus0lor 5 years ago +1

    Haha LordPE! OALabs you're awesome :)

  • @christoffertoftpersson895

    Great, trying to catch up on all these how-to videos. I've a question though, how come the sample ran when you renamed it to "auto.exe" ? Was that part of it being packed by autoit, or a fluke, or did you see it somewhere in the assembly? I don't understand why the sample ran once you renamed it (apart from not matching the strings it specifically looks for)

    • @OALABS
      @OALABS  4 years ago +2

      So originally the binary had the word "sample" in its name that is why it wasn't running. I just changed the name to remove "sample", I could have chosen any name there is nothing special about "auto". I just chose it since I was thinking of autoit but it makes no difference to the unpacking : )

  • @prashantkadam6578
    @prashantkadam6578 5 years ago

    Awesome. thank you "THANOS"

  • @Scalpel69SGandmore
    @Scalpel69SGandmore 5 years ago +1

    I've blocked as many of these debugger checks as I can find, except it still detects the debugger, very frustrating - I am a complete newbie so following your tutorials has definitely made life a lot easier

    • @OALABS
      @OALABS  5 years ago +2

      Yeh sometimes it can be very tricky. You could try out this neat tool from @_qaz_qaz if you get really stuck. It will basically profile the malware and identify most potential anti-dbg checks github.com/secrary/makin

  • @user-mm3ge6br3g
    @user-mm3ge6br3g 3 years ago

    Can I ask you a question? What is a thread? And if there are several threads, will they all run (or execute) code at the same time?

  • @niranjanjayanand2876
    @niranjanjayanand2876 5 years ago +1

    Thank you so much for this video - one question, so once a malicious thread is injected into a legitimate process, how can we clean it? Thanks

    • @OALABS
      @OALABS  5 years ago +2

      Hey glad you are enjoying the tutorial. So the reason we focus on injection is more as a way to quickly unpack the malware not as a way to "clean" the infected process. Since it is only the process that the malware is injected into, and not the actual PE on disk, as soon as the process is terminated the injected code will cease to run and the next time the process is started it will be clean (until something else is injected into it). So to "clean" it you just need to kill the process and restart it. But this won't clean the malware off the system, injection into processes is just the symptom of the malware not the root cause.

  • @Jajajajjajakakakakkakakakakak

    You mention that the `get_str_len` function for the 64 byte string is a silly mistake [20:41] because it doesn't test for the file extension, but isn't this correct because it's a JB instruction not a JNZ? So if the file was greater than or equal to 64 bytes the unpacking process would exit? Thanks for the videos!

    • @OALABS
      @OALABS  5 years ago +1

      Yeh! Totally a mistake on my part lol! Nice catch!

    • @drgowen
      @drgowen 5 years ago

      Watched this twice trying to figure out what I was missing :) was just about to comment too

  • @johnseed9260
    @johnseed9260 6 years ago +3

    I find it interesting that you place the breakpoint at the first instruction of the WinAPI functions because I've learned that protection mechanisms can simply scan (usually) the first byte for 0xCC before it is called. Is this method common enough that it should always be taken into account? Is it safer to place the breakpoint a bit further below? Hardware breakpoints are limited so this isn't an optimal solution. Using a PAGE_GUARD memory breakpoint might also not be an efficient solution?

    • @OALABS
      @OALABS  6 years ago +1

      That's a great point! There are lots of ways malware can avoid inline API hooks, and API breakpoints. The two most common methods that I have seen are:
      1) the technique you mentioned where the breakpoint is scanned for, or a hash of first few bytes is used to ensure they haven't been modified, and
      2) where the first few bytes of the API code are replicated in the malware and the malware calls into the middle of the API code. Also worth mentioning is the real tricky stuff that just calls the kernel interrupt directly.
      However, that being said, when it comes to debugging my approach is always to use a VM with a snapshot, and try the easiest thing first : )
      This is only my experience, but probably 80%+ of packers I have seen don't use any API checking so I rarely have to do anything special. My experience could be non-representative though since I usually use a hooking engine with no debugger to unpack stuff. So maybe I have missed some of these tricks. But this is a great point to keep in mind when troubleshooting! Also, I should mention, this technique is a bit more common in malware payloads but generally you would see this and know to work around it once the sample was unpacked.
      Thanks for the excellent comment!

    • @johnseed9260
      @johnseed9260 6 years ago +1

      Thanks for the reply! This is the first I've heard of hooking engines. Do you have any resources on what it is and how they work?

    • @OALABS
      @OALABS  6 years ago

      Ah that's probably just me making up words : )
      I tend to call any inline API hook framework a "hooking engine", but I'm not sure how widely used that term is. For example, the monitor dll for cuckoo github.com/cuckoosandbox/monitor.

    • @johnseed9260
      @johnseed9260 6 years ago +1

      Oh, okay. I was kinda expecting something like that anyway, hah. Thanks for the link, I'll look further into it myself.

  • @user-bh7bf5lk1e
    @user-bh7bf5lk1e 10 months ago +1

    Thank you! You are beautiful man and excellent teacher! Hi from Russia 😊

  • @michalturlik7309
    @michalturlik7309 2 years ago +1

    Hi, thanks for the great work! Is there any chance to have a guide for ida pro and scylla hide plugin? Thanks!

    • @OALABS
      @OALABS  2 years ago +1

      No, I pretty much just use x64dbg now, this tutorial was from a very long time ago. We have a Patreon post on setting up ScyllaHide for x64dbg though www.patreon.com/posts/installing-to-57091901

  • @jordanjevan1076
    @jordanjevan1076 3 years ago

    Bro, I want to ask: is virtual protect similar to anti-VM?

  • @guitarstel
    @guitarstel 6 years ago +1

    Hello sir. Great video. Can you show the same process using a malware that was written in .Net ? I have been trying to learn using one, but it is also obfuscated with custom obfuscator (confuserex custom), so i can't proceed. Thank you

    • @OALABS
      @OALABS  6 years ago

      Thank you! I think the two best .NET analysis and deobfuscation videos have been done by Karsten over on the MalwareAnalysisForHedgehogs channel:
      czcams.com/video/0DV1bhnnOyM/video.html
      czcams.com/video/1RNcZpBLZHs/video.html

  • @nachisundaram9737
    @nachisundaram9737 5 years ago +1

    Hi. Your videos are awesome. One quick question. How do you identify garbage in the code and ignore it?

    • @OALABS
      @OALABS  5 years ago +1

      Thanks! Glad you are enjoying the tutorials : )
      Identifying garbage is more of an art than a science unfortunately. After a while you can start to spot patterns of stuff that looks out of place but when you are just starting out a trick you can use is to follow the execution path for a bit and see if there is code that repeats itself. So for example, if you see a bunch of APIs being called but the returned data is never used, or if you see some jump statements that you follow only to be redirected back to near where you started. I know that's not a great answer... it's definitely not an easy task... maybe some of our viewers have better suggestions?

  • @user-pr2iy9zp8v
    @user-pr2iy9zp8v 3 years ago +1

    great vid - thanks :)
    how did you convert dw to dd?

    • @OALABS
      @OALABS  3 years ago +1

      Select the value and press the "d" key. This will change the data type for the immediate.

  • @eduardmart1237
    @eduardmart1237 4 years ago

    Is there a way to install ScyllaHide in IDA Pro?
    I can't get it working...
    It works fine in OllyDbg, but IDA Pro is so much better...
    or maybe something similar

  • @Ahmed_Mtr
    @Ahmed_Mtr 4 years ago +1

    What is the difference between dynamically resolved and imported APIs? Import, is it when you include the header that has the API? I do not know how dynamic resolving works. Is it related to DLL files?

    • @OALABS
      @OALABS  4 years ago

      Dynamically resolved just refers to resolving the imports at runtime in the actual code rather than using the PE import table (which relies on the windows loader to resolve the APIs). There is a pretty good explanation in this blog blag.nullteilerfrei.de/2019/11/09/api-hashing-why-and-how/

  • @danusminimus9557
    @danusminimus9557 6 years ago +1

    Can you make a video about catching the malware? Honey pot usage or network analysis

    • @OALABS
      @OALABS  6 years ago

      I'm not quite sure if you mean how do you collect samples or if you mean how do you detect if you are infected with malware?
      If you are looking for malware samples to practice your analysis we grab a lot of our samples from this excellent blog: www.malware-traffic-analysis.net/. Karsten also had a great video about collecting free samples which might be of interest to you: czcams.com/video/SCJVW1E8dFA/video.html
      If you are interested in determining if you are infected with malware this is more in the realm of incident response or enterprise security and it's not really our focus with this channel. That being said I can highly recommend the memory forensics content from volatility-labs.blogspot.ca/. Also if you are interested in doing detection at scale you can check out the following projects:
      thehive-project.org/
      github.com/tomchop/malcom
      malpedia.caad.fkie.fraunhofer.de/
      We also have a few free workshops that provide an overview of the incident response process linked from our website: www.openanalysis.net/#training
      I hope that is enough to get started. We may make some videos about how to use the output from the malware analysis process to detect malware. Or how to integrate IOCs into your incident response process. But I don't think we will focus specifically on implementing the controls.

  • @adithyanaresh
    @adithyanaresh 6 years ago +1

    Can you please make a video for IDA Pro with suggested plugins as well and how to connect to various debuggers. It would be helpful for beginners.

    • @OALABS
      @OALABS  6 years ago

      We covered some of these topics in an earlier video czcams.com/video/qCQRKLaz2nQ/video.html
      You can expand the description of that video to see a list of the different topics we covered. As for plugins I think IDA is pretty complete without anything extra until you begin doing more advanced reversing. For more advanced users I would recommend the hex-rays decompiler (which is expensive) and BinDiff. Maybe we will make a video on some more advanced analysis techniques in the future. Thanks for the suggestion : )

  • @user-ls3gx8xy9g
    @user-ls3gx8xy9g 1 year ago +1

    Hi, I have a question, at "13:10"
    What does DDD mean?

    • @OALABS
      @OALABS  1 year ago

      The "d" hot key changes the data type under the cursor. In this case pressing "d" three times converts the data type into a DWORD which IDA then recognizes as a pointer to another memory address.

  • @shreyaswaghmode5870
    @shreyaswaghmode5870 7 months ago +1

    7:33 Sir, what do you mean by hooking engine? Can anybody please explain?

    • @OALABS
      @OALABS  7 months ago

      a framework that allows you to place hooks on API calls to monitor and intercept them... minhook is a good example github.com/TsudaKageyu/minhook

  • @Ma_X64
    @Ma_X64 3 years ago

    I see TApplication. It's definitely Borland.)

  • @DZBLKS
    @DZBLKS 6 years ago +1

    LordPE doesn't work for Win 10 (1709 64bit).
    It could not dump any process and also did not see any ImageBase.

    • @tiopeperino9501
      @tiopeperino9501 6 years ago +1

      Serhii Dziublyk you can use Scylla Import Reconstructor, available at devhub.io/repos/x64dbg-Scylla

    • @OALABS
      @OALABS  6 years ago +3

      Haha yeh it's an old tool and showing its age but it still has a place in our hearts 💕 Moving forward I think it will mostly be replaced with Scylla as Tio Peperino points out. However, I strongly recommend using Windows 7 SP1 x86 for x86 malware (or even XP if you can still get it). It greatly simplifies the environment and makes debugging etc. more straightforward. It also has the side benefit that all the fun old tools still work. We are planning to do some basic lab setup videos at some point and I will cover this.

    • @tiopeperino9501
      @tiopeperino9501 6 years ago

      OALabs will be waiting for those vids dawg 👍

  • @mucomplex9115
    @mucomplex9115 3 years ago

    Hi is there any alternative link that I can download the sample?.. thanks

    • @mucomplex9115
      @mucomplex9115 3 years ago

      2nd question, most anti-debug detects IDA and OllyDbg; if we use a remote debugger, is it still detected?

  • @xXGamerGrantXx
    @xXGamerGrantXx 5 years ago +1

    Does this work on a dll? Cuz im a noobie

    • @OALABS
      @OALABS  5 years ago +2

      Haha we are all noobs in our own way... to answer your question, yes these techniques will work for any type of PE. If you want an example of how to debug a DLL with IDA you can check out our tutorial here czcams.com/video/qCQRKLaz2nQ/video.htmlm32s

  • @ducphanduy534
    @ducphanduy534 6 years ago +2

    Can this be done with IDA Free 5.0?

    • @EnduranceT
      @EnduranceT 6 years ago +1

      You should be able to use IDA Free with most of that as long as the binary is a 32 bit one. He didn't use the decompiler or any special plugins to do that.

    • @OALABS
      @OALABS  6 years ago

      Yes you can replicate the process using the IDA 5.0 freeware version. The main difference is that IDA 5.0 doesn't have a remote debugger only a local one so you will have to install IDA on the same VM that you are doing the debugging on. This isn't an issue though since it's a free version of IDA you don't need to worry about the license being stolen : )

  • @lougvar
    @lougvar 2 years ago +1

    hours of debugging and one minute for dumping xD

  • @AndyRoidEU
    @AndyRoidEU 9 months ago +1

    I suppose I am doomed. I cannot even figure out how to open the threads / modules window.
    08:50.

    • @OALABS
      @OALABS  9 months ago

      Yeh you are f-ed, give up now, go to chef school.

  • @maorvmail
    @maorvmail 6 years ago +1

    Why not hook all these functions? Isn't it easier?

    • @OALABS
      @OALABS  6 years ago

      Yes in a lot of cases it would be much faster to either try to kill these checks by hardening the environment and hiding our debugger or attempting to kill the checks with some API hooks. We made this video to show how these checks actually work, and how you can identify them individually as an exercise to learn more about these techniques. Our friend Lasha Khasaia (@_qaz_qaz) has actually created an amazing project that detects these checks via hooks! You can check it out here github.com/secrary/makin

  • @tangraelectricpower8754

    👏👏👏

  • @Mezzosd
    @Mezzosd 5 years ago +2

    How to crack ida pro?

  • @Ma_X64
    @Ma_X64 3 years ago

    But ProcessExplorer allows you to create dumps.

  • @Jadovran
    @Jadovran 3 years ago +2

    Track from intro pls

    • @OALABS
      @OALABS  3 years ago

      czcams.com/video/Ln-cBFanW9I/video.html ;)

    • @Jadovran
      @Jadovran 3 years ago +1

      @@OALABS thx bro

  • @glsoft
    @glsoft 4 years ago

    Hello! good job! I would be interested in cracking on a type of PDFEditor protection. I am not interested in the program but only in its protection scheme. can you help me? Thanks a lot!

  • @ApexArtistX
    @ApexArtistX 5 years ago +1

    Can I request specific tutorial ..

    • @OALABS
      @OALABS  5 years ago

      Yes for sure! Let us know what you would like to see, just keep in mind it has to be malware analysis related : )

    • @ApexArtistX
      @ApexArtistX 5 years ago

      @@OALABS oh I was thinking to crack game cheats

    • @OALABS
      @OALABS  5 years ago

      We get asked that a lot : ) We are only really interested in analyzing malware though.

  • @1hitkissfloor976
    @1hitkissfloor976 1 year ago

    can i beat vm detection of gameguard anti cheat with this tutorial?

    • @OALABS
      @OALABS  1 year ago

      yes

    • @1hitkissfloor976
      @1hitkissfloor976 1 year ago

      @@OALABS can u plz tell me which minute should i start watch from for bypass the gameguard vm detection?

    • @OALABS
      @OALABS  10 months ago

      yes

  • @KreshnaDwipayana
    @KreshnaDwipayana 2 years ago

    Fravia, is he still alive? I can't solve the puzzle but now I see it

  • @anuragkashyap8026
    @anuragkashyap8026 3 years ago +1

    What is your primary OS ?

    • @OALABS
      @OALABS  3 years ago +1

      macOS with two Windows VMs : )

    • @anuragkashyap8026
      @anuragkashyap8026 3 years ago

      @@OALABS Waiting for your video on WarZone 🙂

    • @OALABS
      @OALABS  3 years ago +2

      It's in the works!

  • @tcc1234
    @tcc1234 3 years ago +1

    30:12 "Avast AV check"
    Who even uses Avast
    Edit: nvm 2017 video. malware sample probably even older.

  • @sscryptomasters4505
    @sscryptomasters4505 5 years ago

    Sir Please make latest Tutorials cracking

  • @aparnapal9942
    @aparnapal9942 2 years ago

    I am following this, but I could not get how you came to the call get_str_len; I converted it to code, but I could not get call get_str_len. Please help