Malware Evasion Techniques: API Unhooking
Vložit
- čas přidán 27. 07. 2024
- Description: In this video, we explore a malware evasion technique - API unhooking.
Timestamps:
00:00 - Intro
00:37 - Inline hooking explained
02:04 - Introducing frida-trace
04:12 - Static analysis of Gazprom ransomware
06:18 - Patching Gazprom sample
07:37 - Hooking Gazprom with frida-trace
09:50 - Identifying API unhooking code using x64dbg
12:14 - Reviewing API unhooking code using Ghidra
19:39 - Debugging API unhooking code using x64dbg
Have malware analysis questions or topics you'd like me to cover? Leave a comment and let me know!
SANS Malware Analysis Courses I Author and Teach:
sans.org/for610 (co-author with Lenny Zeltser)
sans.org/for710
Sample: github.com/as0ni/youtube-file...
Password: infected
Unzipped SHA-256: 32ec301f02dfa21932679726f07e30f9c807391aaf1044278c0e0b2c0dc8ebdf
Description: Gazprom Ransomware Sample
Tools
Frida: frida.re/
PEStudio: www.winitor.com/download
Process Hacker: processhacker.sourceforge.io/...
x64dbg: x64dbg.com/
Ghidra: ghidra-sre.org/
Find Anuj Soni on X: x.com/asoni
Connect on LinkedIn: / sonianuj - Jak na to + styl
This is an amazing video! Your content is phenomenal and I hope your channel grows! You deserve lots of recognition for your work and I will say I believe 2k subs is a crime for the amazing videos you are putting out. Keep up the good work and I look forward to watching more of your videos!
Wow thank you so much! That is so kind of you to say. Another video coming soon!
@@sonianuj This has to be one of the best videos on CZcams about API unhooking. Great content. Very clear voice, well explained. Didn't understand everything (you lost me about 70% through), but that's because I don't have enough knowledge about reverse engineering. I'm just a simple system engineer.
🎉 The most thorough step by step explanation of windows API Ghidra and debug use. I like your style. Excited for more videos and thanks for spending all this time helping others in the community. Salute!
Thank you so much!
Hi,
great content.... only one small suggestion if I may: if you want to get more views you must change the channel name by adding something related to malware reverse engineering. I know you from sans because I'm interested in 610.
Great content & looking forward for next ones!
Amazing content, thank you!
Thanks for watching!
Amazing ❤❤
Thanks 😄
A big fan of your detailed-explain approach... 😊
looking forward to a video explaining "how to identify API hashing technique"
Thank you!
Interesting anuj hope to see more future videos
Will do, thanks for watching!
your concepts explanation are straight forward and the videos are concise and very educative@@sonianuj
Very nice. Well worth staying in the office for :)
Wow that’s great to hear! Thank you for watching.
hi Anuj,
I have been learning a lot with your videos but I have a question; I find very interesting what you described at 06:55 in the video and I want to ask what is the difference between attaching the executable after putting this infinite loop and just putting a breakpoint at the entry point of it without attaching it? Both the breakpoint and the infinite loop won't let it execute further right?
Always nice to learn new things.
Hi there! Thanks for watching. So, if my goal was simply to debug find.exe, I could absolutely set a breakpoint at the entry point of find.exe like you suggested. However, at this point in my analysis (06:55), I wanted to debug a version of find.exe that had been hooked by frida-trace. This means I first need to launch find.exe via frida-trace and *then* debug it - my solution was to insert the infinite loop so that I could attach to the running (but hooked) find.exe before it terminates. I hope that makes sense!
I see, thank you
Might just be me, but the description (In this video, we analyze the FBI's Qakbot takedown code using malware analysis techniques) is for another video of yours I believe - czcams.com/video/ZDXqrfG7hWc/video.html
Thanks for the great content!😃
Whoops, thanks for noticing that! Just fixed it.
Hi, could you mention any ideas how to detect unhooking techniques? Provided that you already unhooked ntreadfile function (or use it's syscall), you can load any unhooked native api function from disk to avoid EDR/XDR detection. Being deaf to api monitoring, static rules seem to be applied. Any thought how to approach the topic and detect the manipulation statically?
Love your meterials❤
Great question. Capa or YARA rules could help with this. YARA is often discussed, capa less so. Maybe I'll make a video on using capa rules to detect this sort of thing. Thanks for the idea!
@@sonianuj I was thinking about looking for binary string reaching the pointer to PEB from TIB. It may be a preety constant thing.
Very Amazing Video, needed this as i may start my career in malware reversing in a company soon (you're videos helped me get this job btw), thanks a ton
Wow, thank you so much for sharing this. Your comment inspires me to continue putting in the work to create these videos.
what build of windows are you using?
Hi there. I'm using a Win10 enterprise build where I've installed all my tools (all free). Hope that helps!