DuMp-GuY TrIcKsTeR
Joined 21 Feb 2021
Some of my publicly available Malware analysis and Reverse engineering. (Reports, Tips, Tricks...)
Sharing is caring ❤
ConfuserEx2 - Full Deobfuscation Guide
This video was created for educational purposes and covers how to deal with obfuscated "malicious" code during malware analysis.
The video covers a full deobfuscation of ConfuserEx2: github.com/mkaring/ConfuserEx
Tools used in the video:
github.com/Dump-GUY/ConfuserEx2_String_Decryptor
Views: 7,104
Videos
IDA Memory Snapshot - Amadey Malware Unpacking & Initterm Poisoning
3.6K views, 1 year ago
This video was recorded only for educational purposes. In this video, I will explain how the IDA Memory Snapshot feature works, what the currently available options are, and the benefits of using them. We will use IDA Memory Snapshotting on a practical example of unpacking Amadey malware with all shellcode pre-stages. In the last section, I will cover what the _Initterm C internal function ...
Reverse Engineering Mixed Mode Assemblies (IDA, DnSpyEx)
4.5K views, 1 year ago
This video was recorded only for educational purposes. In this video, I will guide you through reverse engineering Mixed Mode Assemblies. Github (Example Sample of Mixed Mode Assembly - Source/binary): github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/tree/main/Reverse Engineering Mixed Mode Assemblies (IDA, DnSpyEx) Useful Links: MSDN - learn.microsoft.com/en-us/cpp/dotnet/mixed-nat...
Deobfuscation of .NET using PowerShelling & dnlib - Eternity Malware
7K views, 1 year ago
This video was recorded only for educational purposes. In this video, I will guide you through .NET deobfuscations covering a few exciting tricks and tips. We will be using PowerShell and dnlib library. We will create a universal string deobfuscator for Eternity Malware that uses some kind of custom obfuscation that is not so trivial at first sight. Steps during deobfuscation: - Load dnlib via ...
Advanced DnSpy tricks in .NET reversing 2 - PS debugging, Watch vs Locals, Code Optimization, more..
11K views, 2 years ago
This video is created only for educational purposes. This video covers: - Debugging the PowerShell process when debugging PowerShell scripts - catching module loading (dnSpy) - dnSpy multi-process debugging - Dealing with code optimization during .NET debugging (when and why you can NOT see Locals and put breakpoints) - Watch vs. Locals windows in dnSpy - benefit from both (see fields, invoke expres...
Invoke-AttachDnSpy work-in-progress (register dnSpy debugger to attach on process creation)
2.3K views, 2 years ago
This video is created only for educational purposes. This video covers a work-in-progress where we are able to attach the dnSpy debugger to a specific process name. You know gflags, so what about attaching the dnSpy debugger to a specified process name (covering wildcards, and the process does NOT have to exist yet)??? If there is more interest I will convert it to C# (.exe file)😁
In-Memory ZipArchive object creation from HTTP Stream
857 views, 2 years ago
This video is created only for educational purposes. This video was created only as a reaction to the tweet: 0xToxin/status/1562428823689654272?s=20&t=fvS0NGVbyX0lNRAZ53o7Hw It covers a way we can easily work with a ZipArchive object retrieved from an HTTP request while still staying only in memory.
From Zero to Hero - Advanced Usage of Tiny_Tracer tracing APT29
4.2K views, 2 years ago
This video is created only for educational purposes. In this video, I will be covering the building/compilation process of the tiny_tracer tool: github.com/hasherezade/tiny_tracer I will introduce new features like Tracing Syscalls. We will learn to modify the settings of tiny_tracer to fulfill our needs (tracing a specified module in the desired process, changing the params.txt config, changing the .ini config etc....
Get-UnJlaive - Jlaive Protector Reconstructor
1.3K views, 2 years ago
Get-UnJlaive is a tool which is able to reconstruct Jlaive (.NET Antivirus Evasion Tool (Exe2Bat)) output into the original Assembly and the stub Assembly. It should defeat even the obfuscated form. Get-UnJlaive - github.com/Dump-GUY/Get-UnJlaive Jlaive - github.com/ch2sh/Jlaive
Analyzing HTML Application "HTA" Loading .NET Runtime
1.5K views, 2 years ago
This video is created only for educational purposes. In this video I will show you how you can deal with an HTML Application ".hta" loading the .NET Runtime and a next-stage .NET assembly. The point here is that we can actually debug "mshta.exe", which serves for execution of Microsoft HTML Applications (HTA), in dnSpy. We will break on the malicious .NET assembly loading from memory and save it for later analysis. Lin...
VoiceC2 POC - Using Speech Recognition
626 views, 2 years ago
This video is created for educational purposes. We will introduce just a simple example of how to use Speech Recognition to process our commands. Written in C#. [Github - Code]: github.com/Dump-GUY/VoiceC2_POC
.NET Reversing Get-PDInvokeImports - Dealing with PInvoke, DInvoke and Dynamic PInvoke
1.5K views, 2 years ago
This video is created for educational purposes. In this video I will show you the usage of my newly created small utility (PS module) Get-PDInvokeImports, written in PowerShell using dnlib. Get-PDInvokeImports is a tool (PowerShell module) which is able to perform automatic detection of P/Invoke, Dynamic P/Invoke and D/Invoke usage in an assembly, showing all locations from where they are referenced ...
IDAPro Reversing Delphi MBR Wiper and Infected Bootstrap Code
5K views, 2 years ago
This video is created for educational purposes. In this video I will be covering reversing of an MBR Wiper written in Borland Delphi with IDA Pro. In the second part of this video I will jump to reversing the infected MBR bootstrap code, where I will show you how you can use the combination of IDA Pro and the Bochs Emulator. Second part starts: th-cam.com/video/qmhGwvAH7-8/w-d-xo.html Video is related to...
Decryption of Midas Ransomware - based on thanos ransomware builder
1.6K views, 2 years ago
Remember #midas #ransomware - 28 victims on the leak site? Another one based on the latest version of the #thanos builder. Older versions of the #thanos builder were used in e.g. #thanos, #prometheus, #haron, #hakbit. In this case there is no hardcoded password and a secured RandGen. Still break it!! In many cases there is a possible solution for you - it depends on the builder version and the used config..
Advanced DnSpy tricks in .NET reversing - Tracing, Breaking, dealing with VMProtect
49K views, 2 years ago
This video was created for educational purposes. Guide and sample to download (Github): github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/Advanced_DnSpy_tricks_in_.NET_reversing_Tracing_Breaking,_dealing_VMProtect/Advanced DnSpy tricks in .NET reversing - Tracing, Breaking, dealing with VMProtect.md This video covers: Advanced usage of DnSpy Module Breakpoints Class Breakpo...
Deobfuscation SmartAssembly 8+ and recreating Original Module SAE+DnSpy
18K views, 2 years ago
Full malware analysis Work-Flow of AgentTesla Malware
7K views, 2 years ago
So you Really think you Know What Powershell Is ???
1.7K views, 2 years ago
Powershell and DnSpy tricks in .NET reversing - AgentTesla [Part1]
6K views, 2 years ago
Powershell and DnSpy tricks in .NET reversing - AgentTesla [Part2]
2.2K views, 2 years ago
Introduction to Invoke-DetectItEasy PowerShell Module
945 views, 2 years ago
Reversing CryptoCrazy Ransomware - PoC Decryptor and some Tricks
1K views, 2 years ago
[2] Lokibot analyzing - spoofing GULoader and LokiBot C2 [part2] - INetSim + BurpSuite
1K views, 3 years ago
Finding Vulnerability in PE parsing tool - NEVER trust tool you didn't write by your own
1K views, 3 years ago
HiveNightmare - Bug in ACLs of Registry Hives [CVE-2021-36934]
1.2K views, 3 years ago
Dancing with COM - Deep dive into understanding Component Object Model
29K views, 3 years ago
Fast API resolving of REvil Ransomware related to Kaseya attack
1.2K views, 3 years ago
[2] Lokibot analyzing - spoofing GULoader and LokiBot C2 [part1] - Own implementation in Python
922 views, 3 years ago
[1] Lokibot analyzing - defeating GuLoader with Windbg (Kernel debugging) and Live C2
2.6K views, 3 years ago
Advanced Memory Forensics (Windows) - Threat_Hunting and Initial Malware_Analysis [part1]
4.5K views, 3 years ago
This was insanely useful, thank you!
I want to copy the entire assembly, how do I do that? I tried using "export code" but it only copies the hexdump part.
Can this deobfuscate JavaScript?
You're deobfuscating one thing at a time, is it possible to deobfuscate everything at once? Thanks for this video! I always wanted to learn this!
VB6 gang. Real hackers. Solid video.
I don't have a Modules tab in dnSpy.
Bro did not tell me that it's fucking dnSpyEx and I had normal dnSpy.
Your video is the best I have ever seen, thanks so much~
Great stuff. I have been successfully escaping COM for so many years, this time I have no other option except to dig it with C++. Thank you!!
I have never heard anyone say "nice feature" while referring to COM. Bravo sir! I just had pause video and write this comment. There was no other way.
I've found similar tools but this is FAR more extensive and easier to understand. Great tool, great video man 👍
Very Useful!
Hey, I want all your tools as exe, please provide them to me.
Basically a great video. Basically!!!
Does this protect the strings too?
Showing the below error in PowerShell sir.. Please suggest.. Unhandled Exception: System.IO.FileNotFoundException: Could not load file or assembly 'System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e' or one of its dependencies. The system cannot find the file specified.
Man it worked perfectly, thank you very much
A real hidden gem, Thanks so much for such an incredible video
Thanks! Very good explanation
Did anyone have any problems implementing this tutorial???
I need help regarding .NET and PowerShell. I want to practice System.Reflection.Assembly but I am getting errors when using Load(), LoadFile() and LoadFrom(), and I keep getting error messages. Any tips?
Using PowerShell 7.2.6.
I ran into a sticky problem where the project I wanted to modify used a lot of reflection code, which made it impossible to deduce where it was located. Is there any way to do a stack trace of the methods in this class when the breakpoint is triggered?🥲🙃🙃
In dnSpy you can go to Debug > Windows > Call Stack and in call stack window see the function calls on a breakpoint
@@dedicatedserver8214 How do I set breakpoints in a multithreaded .NET program? Thanks😃😃
very nice and succinct tutorial. I was able to dump a binary using your technique. please keep up the good work
Hi, can you help to reverse a .NET dll?
Where is the second part? You just explained general stuff in this.
Is it possible to change a boolean that's set as false to true using only the IL thing? I can't use Edit Method since it won't find my libraries.
Thanks for the tutorial. Is there a way to log keys and values which are stored inside a dictionary structure in the program? I have tried to index with [ ], and also tried calling methods.. {this.foo.bar[1].Key}, and similar. So far everything has failed..
amazing
very nice
Know how to work around ArmDot obfuscation? de4dot doesn't recognize it as a .net exe
Great job bro thank you so much
Do you have Discord?
Does it work with a dll?
Not Working...
Fascinating video, thank you very much! You did go off on a slight tangent though from 39:21 to 43:20... In Delphi, ParamStr(0) returns the path and file name of the executing program. At 39:21 index = 0, hence the else branch (line 24) executes to return the path and file. And you figure out that was the goal by 43:20.
What do you do when you have an obfuscated dll that's loaded by another program, in my case obfuscated mods loaded by a Unity game? How can you dump the unpacked dll from memory? Cheers.
If you can get dnspy attached you can open the Modules tab and find the dll that’s loaded and right click and save to dump it
@@dedicatedserver8214 I can get it attached and all, but the module says that it's not loaded, no matter where I breakpoint it, so I can't dump it. D'oh.
Awesome! Nice walkthrough of the PEB structure!
Nice tutorial. Thanks! Are those tools a replacement for (a better solution than) the Simple Assembly Explorer tool you covered in a previous tutorial about de-obfuscation?
Very helpful! Thanks
nice
Hello, I need help to break a limited-time usage in one software. Can you help me?
Great video! Glad I have found your channel. Learning a ton.
Can you make a tutorial on how to deobfuscate a DNGuard-protected .NET exe file?
Hey, can you please help with two questions: how come you opened IDA 64 on a Win 7 32? The code that appears to me used for NtCreateFile is 42 (NtConnectPort) instead of 52, do you know why?
Hi, the VM environment in this video is Windows 7 64-bit, not 32-bit. NtCreateFile is a syscall and its number changes depending on the Windows version and architecture. For me it was a Windows 7 64-bit environment, so the syscall number of NtCreateFile is 0x52. If your syscall number of NtCreateFile is 0x42, you are using Windows 7 32-bit. More info here: github.com/j00ru/windows-syscalls
Thank you.
Hey! How can i contact you? :) Do you use telegram?
But how to get rid of Module \ ConfusedByAttribute, like shown here -> /watch?v=eK3D-qgLY80 ??
Can you compare/diff two assemblies with dnspy? haven't found a way to do that yet.
No, you can't do that in dnSpy nor in ILSpy. But I am using the free tool Telerik JustAssembly for that - www.telerik.com/justassembly Another option is to decompile the assembly to a project, either in ILSpy or dnSpy, and use some code/text-based diff tool like WinMerge etc.
@@DuMpGuYTrIcKsTeR cheers man, I appreciate the fast answer.
Hello. Could you please explain how to work with dll files? They cannot be dumped via dnSpy like exe files.
Your knowledge seems unbelievable. How did I miss this video till now? Please keep up the great work.
Wondering if you could help me please. I created a simple mod menu using DnSpy but I am unable to change the font size of the words on the menu buttons. Could you tell me what I need to type to do that? Here is a sample of my code } if (GuiFrontend.modmenu1) { GuiFrontend.string1 = "G O D M O D E <color=green>ON</color>"; GuiFrontend.modmenu1 = false; } else { GuiFrontend.string1 = "G O D M O D E <color=red>OFF</color>"; GuiFrontend.modmenu1 = true; }
Thank you, very good videos, like all the videos on your channel, they are very interesting and useful!