Great video! Looking forward for more detailed malware analysis content!
I'm truly appreciative of your insightful analysis. Your breakdown of each step is incredibly valuable !!
Really cool video full of nice little RE tips and tools!
Hadn't used pin mini tracer and pe-unmap before but they sure look useful! Thanks for the great content
Nice analysis. Really like how you explain each and every step. Really helpful for new folks. God bless you.
Thank you. It is my goal to teach others with those videos, so it is good to know that this helps.
You have done a great video, but I want to know how you knew the malware is .NET while the function you read while unpacking is not a .NET function.
Thank you. To answer your question, watch the part at 04:15. The sample loads and then executes mscoree._CoreExeMain. That is the .NET runtime.
Thanks sir
Hi, I have known your channel since you were a lot younger. May I ask which job route you took? Do you work as an RE for an antivirus company?
Hi. I am lead engineer at GDATA CyberDefense. Before that I had been working for 7 years as a malware analyst.
@@MalwareAnalysisForHedgehogs Sounds great, I'm currently studying cyber security at university! Good job man!
@@ThaLiquidEdit I wish you success in your studies!
Seen any NASM-based CLR loaders?
Not that I recall.
I made one in the past that was able to inject CLR code into an existing CLR process using a DMA device, not public though. I used a small assembly stub.
@@nezu_cc If I compile a tiny NASM exe and call a mixed DLL, the regular CLR will fail to load. Maybe the NASM exe needs either a special section or an import to make the CLR happy.