Malware Triage Tips: How To Stop Wasting Time in IDA On Packed Samples [ Twitch Clip ]

  • added 24. 05. 2022
  • Stop wasting time trying to reverse engineer packed samples in IDA Pro, quickly understand what you are looking at and use the correct tools...
    Full stream: / oalabs
    Packed Sample:
    bazaar.abuse.ch/sample/bbb1db...
    -----
    OALABS DISCORD
    / discord
    OALABS PATREON
    / oalabs
    Twitch
    / oalabslive
    OALABS GITHUB
    github.com/OALabs
    UNPACME - AUTOMATED MALWARE UNPACKING
    www.unpac.me/#/
    -----

Comments • 31

  • @je581
    @je581 2 years ago +38

    Cannot overemphasize the importance here. So many malware authors are not geniuses at all, they're throwing very simple malware into packing and obfuscation frameworks. So let's throw their stuff into tools as well. Always go from high-level to low because a malware author's bread and butter is wasting your time.

  • @Marstighter
    @Marstighter 4 months ago +1

    very cool explanation. Nice talk about the API hammering. I also love the doggo[.]exe :)

  • @TTCBlaze
    @TTCBlaze 2 years ago +3

    very good video, I really like seeing the API calls all laid out

  • @RingZeroLabs
    @RingZeroLabs 2 years ago +2

    Great video showing fundamental concepts :)

  • @davidechiappetta
    @davidechiappetta 2 years ago +3

    Many years ago I had made a debugger that, with the help of the dbg and pdb files (first version v.2 of the system files), extracted the function names and the relative addresses of the import/export table from the PE. I could put breakpoints on all the APIs I wanted and filter the contents of the values pushed on the stack and the return values, to quickly study the functioning of these APIs (I never loved Python, even if I know well how it works under the hood; I prefer to do things myself in assembly or C). Then over time I modified it and made sure to lock it if the pushed values were suspicious (I also used it to see the send and recv functions of mswinsock, and with the help of a sniffer I discovered the servers they connected to)... at the time I remember that the only help we could have to do these things were the articles by Matt Pietrek, a hex editor and a debugger for Windows like w32dasm, and SoftICE for the kernel (that if used badly froze the PC until reboot).... I wanted to add that as a sandbox virtual machine for testing dll, exe or shellcode you can also use Unicorn with Libemu; they have added hundreds of win32 APIs with about 15 dlls for Win. Great tutorial, this and the others you have done for IDA Pro, I really enjoyed them.

  • @kaushikkumarbora
    @kaushikkumarbora 2 years ago +4

    You are a good teacher

  • @riskydissonance
    @riskydissonance 1 year ago +1

    The nose scratch counter made me buckle 🤣🤣

  • @Coledebord2
    @Coledebord2 2 years ago +4

    Great video as always!
    You should do a video on TLS callbacks and how you deal with malware utilizing them for anti-debugging/reversing, etc.

    • @OALABS
      @OALABS 2 years ago

      I can maybe cover these at some point, but there is nothing special about them, they are just another entry point. I think these were only an issue when they were unknown back in the early days for RE, now pretty much every tool will automatically handle them.

    • @OALABS
      @OALABS 2 years ago

      lol yeh you have to configure the debugger for the sample you are debugging... I guess that's something we could cover... my personal workflow is unpack, then static analysis first, always, then debugging if I need to, but I guess this could get you if you were debugging first?

    • @OALABS
      @OALABS 2 years ago

      BTW, almost forgot, join our discord! Sounds like you guys would have some nice stuff to add discord.gg/oalabs.

  • @SaravanaKumar-qm7kj
    @SaravanaKumar-qm7kj 2 years ago +3

    You can check entropy with radare. I usually check entropy whenever I analyse binary files using R2.

    • @OALABS
      @OALABS 2 years ago +1

      Lol! Radareee 🤣🤣🤣

    • @SaravanaKumar-qm7kj
      @SaravanaKumar-qm7kj 2 years ago +2

      @OALABS I know why you're laughing 😂😂 Just said.. the pecheck tool is the easiest one to check entropy..

  • @spacewolfjr
    @spacewolfjr 2 years ago +4

    Where does that "OOOF" sound effect come from? I needs it.

    • @OALABS
      @OALABS 2 years ago

      IDA Minecraft plugin XD

    • @shans2408
      @shans2408 1 year ago

      I read all the comments just to see if anyone is talking about that sound. lol. I have a crazy imagination

  • @jasonrobertcheney
    @jasonrobertcheney 1 year ago

    I tried to use CAPE, but it keeps refusing to upload a sample, states "Account inactive" and I just created it. Any ideas?

  • @nikos4677
    @nikos4677 2 years ago +2

    How does IDA immediately redirect you to main? My IDA has no signatures and it gets me to the entry point unless I have a PDB.

    • @OALABS
      @OALABS 2 years ago

      That is a good question! And I don't know the answer 😆 All versions of IDA I have used (including free) seem to jump to main if you are looking at an MSVC PE file. I think they have a signature for the MSVC entry point that seems to do the work, but that's just a guess czcams.com/video/suwZB3EA_u4/video.html

    • @nordgaren2358
      @nordgaren2358 1 year ago

      @OALABS The entry point is also listed in the PE header, isn't it? I guess you could manually go there, but idk if IDA does imagebase offsets or not.
      It's under the Image Optional Header, btw!
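Both triage checks raised in this thread, reading AddressOfEntryPoint out of the optional header (as the reply above notes) and scoring section entropy (as the radare2/pecheck comments above do), in one added Python example. This is not the channel's code nor the output of either tool; the PE it parses is a constructed PE32 skeleton built inline, not the sample from the video, and the section name "UPX1" is just a constructed label.

```python
import math
import struct
from collections import Counter

OPT_SIZE = 0xE0  # PE32 optional header length; AddressOfEntryPoint sits at offset 16 inside it


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 0 for padding or plain code, near 8 for packed or encrypted payloads."""
    n = len(data)  # empty input yields 0, nothing is divided
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_pe(blob: bytes) -> dict:
    """Read AddressOfEntryPoint from IMAGE_OPTIONAL_HEADER and score each section's entropy."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", blob, 0x3C)[0]  # e_lfanew -> IMAGE_NT_HEADERS
    if blob[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", blob, pe + 6)[0]  # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = struct.unpack_from("<H", blob, pe + 20)[0]  # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    opt = pe + 24  # IMAGE_OPTIONAL_HEADER (entry-point offset is the same for PE32 and PE32+)
    entry = struct.unpack_from("<I", blob, opt + 16)[0]
    report = {"entry_rva": entry, "sections": []}
    for i in range(nsect):
        sh = opt + opt_size + i * 40  # IMAGE_SECTION_HEADER i
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", blob, sh + 8)
        report["sections"].append({
            "name": blob[sh:sh + 8].rstrip(b"\0").decode("ascii", "replace"),
            "entropy": round(shannon_entropy(blob[rawptr:rawptr + rawsize]), 2),
            "has_entry": va <= entry < va + max(vsize, rawsize),  # entry outside .text is a packer tell
        })
    return report


def build_sample_pe(sections, entry_rva: int) -> bytes:
    """Constructed PE32 skeleton (not a real sample): just enough header to exercise triage_pe."""
    raw0 = (0x40 + 24 + OPT_SIZE + 40 * len(sections) + 0x1FF) & ~0x1FF  # 0x200-aligned raw data
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, OPT_SIZE, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 14, 0, 0, 0, 0, entry_rva).ljust(OPT_SIZE, b"\0")
    table, body, va = b"", b"", 0x1000
    for name, data in sections:  # (name, raw bytes); VirtualSize == SizeOfRawData, 0x1000-aligned VAs
        table += name.ljust(8, b"\0") + struct.pack("<IIII", len(data), va, len(data), raw0 + len(body)) + b"\0" * 16
        body, va = body + data, va + ((len(data) + 0xFFF) & ~0xFFF)
    return (dos + b"PE\0\0" + coff + opt + table).ljust(raw0, b"\0") + body


# Constructed input: a two-opcode .text (1 bit/byte) beside a uniformly distributed "UPX1" section (8 bits/byte).
SAMPLE = build_sample_pe([(b".text", b"\x90" * 512 + b"\xc3" * 512), (b"UPX1", bytes(range(256)) * 4)], 0x2000)
REPORT = triage_pe(SAMPLE)  # entry RVA 0x2000 lands in the high-entropy section, not in .text
```

Point `triage_pe` at the bytes of a real file and a section at 7+ bits per byte that also holds the entry point is a strong hint to unpack first rather than start in IDA.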

  • @duckie4670
    @duckie4670 2 years ago +3

    Where is the OALabs catalog on process injection? Link me please.

    • @OALABS
      @OALABS 2 years ago +1

      By "catalogue" I just meant a collection of our old videos, before there was unpacme we made a lot of unpacking tutorials, here are a few:
      czcams.com/video/uxlpRof1QWs/video.html
      czcams.com/video/HfSQlC76_s4/video.html
      czcams.com/video/4VBVMKdY-yg/video.html
      czcams.com/video/242Tn0IL2jE/video.html
      czcams.com/video/WthvahlAYFY/video.html
      czcams.com/video/ylWInOcQy2s/video.html
      czcams.com/video/QgUlPvEE4aw/video.html
      czcams.com/video/EdchPEHnohw/video.html
      czcams.com/video/wkPsvYfA08g/video.html

    • @duckie4670
      @duckie4670 2 years ago +1

      @OALABS Thank you. Your work is amazing.

  • @jamesakaiz0124
    @jamesakaiz0124 2 years ago +1

    Hi, can you make a video on how to set up the keypatch/keystone plugin please bro?

    • @OALABS
      @OALABS 2 years ago +1

      Neat! I wasn't aware of this, I'm actually looking for a patching framework right now so this is a happy coincidence! I'll check it out and get back to you.

    • @jamesakaiz0124
      @jamesakaiz0124 2 years ago

      @OALABS ok bro

  • @royendgel
    @royendgel 2 years ago +1

    Fireship voice?

  • @donaldduck6198
    @donaldduck6198 2 years ago +1

    TwistedPanda