Anuj Soni
United States
Joined 13 Jan 2014
I'm a Malware Reverse Engineer, SANS Certified Instructor and Course Author. I'm here to share my successes and failures analyzing malicious code.
Malware Analysis Courses I Author and Teach:
sans.org/for610 (co-author)
sans.org/for710 (author)
Find Anuj Soni on X: asoni
Follow on LinkedIn: www.linkedin.com/in/sonianuj/
DMs open for work inquiries and collaboration proposals.
Shellcode Analysis - Part 2: Automated Extraction
Description: In Part 2 of this series on malicious shellcode analysis, I demonstrate an automated method for extracting shellcode from multi-stage malware.
In case you missed it, check out Part 1 in this series: th-cam.com/video/642VUEjMeLw/w-d-xo.html
If you have any questions or specific topics you'd like me to cover in future videos, feel free to leave a comment below!
SANS Malware Analysis Courses I Author and Teach:
FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques ➡ sans.org/for610 (co-author)
FOR710: Reverse-Engineering Malware: Advanced Code Analysis ➡ sans.org/for710
Samples:
Sample 1: github.com/as0ni/youtube-files/raw/refs/heads/main/syswow.zip
Sample 2: github.com/as0ni/youtube-files/raw/refs/heads/main/mount.zip
Password: infected
Mal_unpack GitHub thread with some clarifying information: github.com/hasherezade/mal_unpack/issues/6
Tools I Use:
x64dbg: x64dbg.com/
Binary Ninja: binary.ninja/free/
Mal_unpack: github.com/hasherezade/mal_unpack
Referenced Videos:
An Intro to Binary Ninja for Malware Analysis: th-cam.com/video/-RaOeooSmug/w-d-xo.html
@hasherezade background on PE-sieve: th-cam.com/video/fwo4XE2xgis/w-d-xo.html
Follow Me:
Find Anuj Soni on X: x.com/asoni
Connect on LinkedIn: www.linkedin.com/in/sonianuj/
Views: 1,354
Videos
Shellcode Analysis - Part 1: Extraction with x64dbg
Views 2.8K · months ago
Description: Kickstart your journey into malicious shellcode analysis with this introductory video in the series. In Part 1, I share one approach I use to manually extract shellcode from multi-stage malware using a debugger (x64dbg). Part 2 (Automated Shellcode Extraction) in this series: th-cam.com/video/D6Bm5vD78eY/w-d-xo.html Have malware analysis questions or topics you'd like me to cover? ...
5 Ways to Find Encryption in Malware
Views 3.3K · 9 months ago
Description: In this video, I discuss five strategies to locate encryption within malware. Have malware analysis questions or topics you'd like me to cover? Leave a comment and let me know! SANS Malware Analysis Courses I Author and Teach: FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques ➡ sans.org/for610 (co-author) FOR710: Reverse-Engineering Malware: Advanced Code A...
An Intro to Binary Ninja (Free) for Malware Analysis
Views 7K · 10 months ago
Description: In this video, I introduce a workflow for analyzing malware with Binary Ninja, free edition. Have malware analysis questions or topics you'd like me to cover? Leave a comment and let me know! SANS Malware Analysis Courses I Author and Teach: FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques ➡ sans.org/for610 (co-author) FOR710: Reverse-Engineering Malware: ...
Decode Malware Strings with Conditional Breakpoints
Views 2.9K · 11 months ago
Description: In this video, we explore how to deobfuscate malware strings using conditional breakpoints in x64dbg. Timestamps: 0:00 - Intro 1:26 - Running capa 2:39 - Analysis with Ghidra 4:20 - Static file analysis with CFF Explorer 4:40 - Debugging with x64dbg 7:32 - Introducing conditional breakpoints 14:35 - Conditional breakpoints for code deobfuscation Have malware analysis questions or t...
Binary Diffing with Ghidra's BSim Feature
Views 2.6K · 1 year ago
In this video, I discuss how to get started with Ghidra's BSim Feature, which helps identify similar functions across executable files. Have malware analysis questions or topics you'd like me to cover? Leave a comment and let me know! Timestamps: 0:00 - Intro 1:12 - Enabling BSim in Ghidra 3:23 - Create BSim Database 4:55 - Populate BSim Database 8:20 - Register BSim Database 9:34 - Run BSim Qu...
Malware Evasion Techniques: API Unhooking
Views 4.1K · 1 year ago
Description: In this video, we explore a malware evasion technique - API unhooking. Timestamps: 00:00 - Intro 00:37 - Inline hooking explained 02:04 - Introducing frida-trace 04:12 - Static analysis of Gazprom ransomware 06:18 - Patching Gazprom sample 07:37 - Hooking Gazprom with frida-trace 09:50 - Identifying API unhooking code using x64dbg 12:14 - Reviewing API unhooking code using Ghidra 1...
6 Tips to Get Started with Malware Analysis
Views 4K · 1 year ago
Have malware analysis questions or topics you'd like me to cover? Leave a comment and let me know! Recommended Malware Analysis Write-ups (for practice): See any of my previous videos: www.youtube.com/@sonianuj WannaCry Analysis: blogs.blackberry.com/en/2017/06/threat-spotlight-inside-the-wannacry-attack Remcos Analysis: blogs.blackberry.com/en/2019/07/an-introduction-to-code-analysis-with-ghid...
Analyzing the FBI's Qakbot Takedown Code
Views 6K · 1 year ago
Description: In this video, we analyze the FBI's Qakbot takedown code using malware analysis techniques. Timestamps 0:00 - Intro 1:21 - Shellcode analysis with Malcat 7:23 - Identify functionality with Mandiant's capa 10:41 - Analyze shellcode with Ghidra 15:35 - Debug shellcode with runsc 19:40 - Review decoded executable with PEStudio 21:07 - Code analysis to confirm how Qakbot is terminated ...
How I Debug DLL Malware (Emotet)
Views 17K · 1 year ago
Have questions or topics you'd like me to cover? Leave a comment and let me know! Sample: github.com/as0ni/youtube-files/blob/main/bad.zip Password: infected Malware Family: Emotet Tools Ghidra: ghidra-sre.org/ CFF Explorer: ntcore.com/?page_id=388 x64dbg: x64dbg.com/ Process Hacker: processhacker.sourceforge.io/downloads.php REMnux: remnux.org/ SANS Malware Analysis Courses I Author and Teach:...
Identifying Code Reuse in Ransomware with Ghidra and BinDiff
Views 4.1K · 1 year ago
Have questions or topics you'd like me to cover? Leave a comment and let me know! Samples: github.com/as0ni/youtube-files/blob/main/conti_lockbit.zip Password: infected Malware Families: Conti, Lockbit Ransomware Tools Ghidra: ghidra-sre.org/ BinDiff: www.zynamics.com/software.html BinExport: github.com/google/binexport Credits vxunderground/status/1620129967874134017 Ma...
How I Execute Malicious Services
Views 3.6K · 1 year ago
In this video, I share an approach to analyzing a malicious service executable. Please subscribe to the channel to get notified about upcoming malware analysis / reverse engineering videos. Sample: github.com/as0ni/youtube-files/blob/main/12a6.zip Password: infected Malware Family: Cobalt Strike Tools Ghidra: ghidra-sre.org/ pestudio: www.winitor.com/download CFF Explorer: ntcore.com/?page_id=3...
Code Analysis with Ghidra
Views 3.4K · 5 years ago
This video presents a workflow for performing code analysis with Ghidra. SANS Malware Analysis Courses I Author and Teach: FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques ➡ sans.org/for610 (co-author) FOR710: Reverse-Engineering Malware: Advanced Code Analysis ➡ sans.org/for710 Resources: Ghidra: ghidra-sre.org/ WannaCry Sample: malwology.files.wordpress.com/2019/08/2...
Amazing
Amazing content bro 😎 We're subscribers as of now, learning a lot too. By the way, thx ☺️
Appreciate the kind words!
This may be the clearest and easiest to understand overview of BNinja on the planet. Total respect for your work!
Thank you so much!
i needed this
So happy to hear it was helpful!
Excellent guidance! Thanks for sharing this informative video.
Thanks for watching! Glad to hear you enjoyed it!
Awesome stuff. Thank you!
Thank you for watching, and for leaving a comment! Very happy to hear you found it helpful.
I finished up a SANS cyber immersion academy recently and one of my favorite topics we touched on was using GDB to place breakpoints within an assembly program to gain a better understanding of the stack vs the heap and how memory works. This video really reignited a fire in me to want to learn more about debugging and reverse engineering. Thank you!
Glad to hear that the video resonated with you! Love the passion you have for the topic - it's why I make these videos :-).
Excellent contents!!!
Thank you!
After watching the video, check out this GitHub thread for some additional clarifying information: github.com/hasherezade/mal_unpack/issues/6
Awesome videos mate. Would love to see a video on bypassing malware Anti-Analysis techniques. May or may not be battling with some samples and this is some of the best Malware Analysis content I’ve found on YT!
Thanks so much! Would love to do some anti-analysis videos. If you’re battling any specific techniques, let me know and perhaps I can cover them!
@sonianuj Thanks! I would say for a video, it would be best to start with the easy ones and work your way through to more complex stuff. Maybe a top 5 or 10 common methods. In terms of my current battle, I can consistently bypass the easy checks for a debugger by altering ZF at jumps or EAX values on API returns, but unfortunately I actually don't know what check is stopping me at the moment. I suspect I am making it harder than it needs to be due to inexperience. I can see the beginnings of the malicious executable being decoded in memory, from scattered chunks of encoded data stored in the .text section... Best I can hope for is to get onto GREM (wishlist item) or hope you cover it in a video or have a helpful hint for me :)
Great video, thank you!
Appreciate it, thanks for watching!
Thanks for the amazing video Anuj! Unfortunately password "infected" isn't working for extracting mount.zip
Sorry about that! I’m not near my computer right now - but can you try using the password “malware”?
@sonianuj Yes, able to extract now. Thanks Anuj!
Just a note for anyone else who sees this comment - I updated the password for mount.zip to be "infected" as described in the video description. Thank you!
Enable automatic dubbing on your channel.
Thanks for the suggestion, I'll definitely look into it!
Thanks a lot for making these videos! They're really well structured and they provide decent information for people that are into malware analysis.
Thank you for leaving a comment. Glad to hear you're benefitting from the videos!
Could you do a video on analyzing samples that use direct syscalls?
I was thinking about this topic a few months ago! Appreciate the comment, will move this higher on my list!
Awesome content. Perfect explanation and very educative. Greetings from Brazil
Very much appreciate the feedback!
Great piece of advice 👍
Thank you!
Great video, and I like the series building on the previous videos. Hasherezade has awesome repos; hollows_hunter is another great tool.
useful
Thank you for sharing, very informative.
Absolutely, thanks for watching!
nice
Please, just don't stop making new videos!
So glad to see you posting more, great video.
Thanks so much! Glad you enjoyed it.
Welcome back, Mr. Anuj Soni
🫡
❤❤❤❤
❤❤❤❤
❤❤❤❤
Very useful information!! 👍 It would be interesting to see how shellcode can be mapped to a specific shellcode generation framework / extract C2s and other relevant data. I know that speakeasy might help with that. Would you like to share how you approach such scenarios? Thank you for your content, it is very valuable and easy to follow.
Great ideas, I plan to cover approaches like using speakeasy (emulation) in upcoming videos!
Great video on mal_unpack, looking forward to the analysis part on the next video!
Thanks for watching!
These videos are really high quality. Amazing work
Appreciate that, thanks for watching!
Great video, Anuj! I love how you explain common patterns you look for when going through the analysis process.
Excellent video Anuj. Could you possibly discuss about the job prospects for a malware analyst and the skills required for such a job. Thank you
Hi there, thank you! I appreciate the suggestion and will definitely give this some thought. Generally on the channel I'm trying to focus on technical demos, but perhaps there is a different format I can use to share my thoughts on the topic you suggested (future live stream, community section of TH-cam). I'll reflect on this some more, thanks again.
Accidentally stumbled on your channel and it was a blessing. These are top studio quality tutorials from a professional: progressive instructions (without stuttering or waffling to fill the time with empty talk), clean video quality, the tools used in the video mentioned in the description, clean audio quality and pronunciation, all boxes checked ✔. You may wonder why I mention "good pronunciation"; that is because 90% of the time on YouTube we suffer from videos where you can't even understand what they are saying (bad audio quality, and bad pronunciation with some hard accents). It's hard to find a channel that sticks to professional standards like yours. Well done, you deserve millions of subscribers.
Wow, thank you so much for the kind words! 🙏
Are you able to make a video detailing API hashing?
Hi @davidmohan2698. It's a great suggestion, but also something that takes quite a bit of time to discuss properly (I spend more than an hour digging into the specifics in my SANS 710 course). To be honest, so far, my TH-cam stats indicate people watch my videos for 5 minutes on average. If I see an uptick in those numbers and more interest in longer videos, I'll definitely reconsider though. Again, I really appreciate you offering a suggestion!
More content...Yes please!
The hex values are API hashing at work. I believe you go into great detail about this in your FOR710 course.
You got it!
Really excited to see the rest of this series. Keep up the amazing work!
Thanks so much!
Seems likely there's API hashing going on there.
You got it!
Great as always, thanks for the new series!
The hex references are memory addresses to dynamically resolve Windows APIs, known as API hashing. Correct?
You got it!
Welcome back Anuj, very happy to see a notification that you posted another video! Do you know by any chance if FOR710 will get an exam? I did the course in January 2023, with Nick as instructor. Would look forward to certifying on this one.
Thanks, it’s good to be back! Regarding the exam, unfortunately it’s completely out of my control. I do hope GIAC creates an exam soon, but I’m not aware of the timeline.
@sonianuj From what they told me back then, it highly depends on the subscriptions and interest for the course. I can imagine it needs to be profitable. Apart from all of that, the course content is amazing, highly recommendable; I have learned so much from it.
Amazing video and good explanation, thank you for sharing.
My pleasure!
How to find strings using dbg and modify them?
Not exactly sure if I understand your question - but in general, if you view strings in x64dbg (right-click > Search for > Current Region > String references), you can dump any string to the dump window and edit those bytes.
Thanks for the video, indeed useful. Waiting for part 2.
Thank you for watching!
Excellent video! I really appreciate how you explain how to identify malicious patterns used by malware, even when they are very simple. It’s incredibly helpful for beginners starting with malware analysis at the ASM level.
Glad you enjoyed it!
I'm assuming those hex values are the expected hash values for certain modules that the malware wants to locate and load?
You got it, API hashing at work!
Unfortunately your videos are so rare...
Hoping to change that. Stay tuned!
Thank you for the video! It was really useful 👍
You’re welcome, glad it was helpful!
I love how everyone is glossing over the fact that your wallpaper says rem master 😂😂. Excellent video nonetheless. I learned a lot. ✊🏿✊🏿
Thanks! 😅
I'd personally love to see more videos on DLL analysis in this format. Explanations are perfect in length and detail, although I'd suggest possibly slowing down delivery a touch!
Thanks for leaving a comment! If you have any specific feedback on what sort of DLL analysis you would like to see, please let me know. And appreciate the note on slowing down!