
Reverse Engineering IcedID / Bokbot Malware Part 2

  • Published 6 Aug 2024
  • We reverse engineer the IcedID custom malware injection component using IDA Pro, x64dbg, and some Python (API Scout).
    -----
    OALABS DISCORD
    / discord
    OALABS PATREON
    / oalabs
    OALABS TIP JAR
    ko-fi.com/oalabs
    OALABS GITHUB
    github.com/OALabs
    UNPACME - AUTOMATED MALWARE UNPACKING
    www.unpac.me/#/
    -----
    14:45 - Unpacking live with x64dbg
    19:03 - Attaching to 2nd process to dump code
    20:09 - OEP of injected code (and dynamic building of IAT)
    22:16 - Find other injected code sections by reference
    24:35 - Loading injected code sections into IDA Pro
    27:34 - Using API Scout to label APIs in injected code
    30:50 - Building structs in IDA Pro and re-labeling data
    35:20 - Final overview of unpacking steps
    See unpacking Bokbot part 1 here:
    • Unpacking Bokbot / Ice...
    Original sample:
    0ca2971ffedf0704ac5a2b6584f462ce27bac60f17888557dc8cd414558b479e
    cape.contextis.com/analysis/2...
    Stage1 (packed UPX):
    7f463bd55aa360032fbd6489b4e34455178a35254ff66c1cd98d0775437074b4
    cape.contextis.com/analysis/2...
    Stage2 (custom injector):
    89a0325379e1e868b668955ed41ba0faa724845028bc961a0691f19e5213dedf
    cape.contextis.com/analysis/2...
    Talos blog post on Bokbot injection method:
    blog.talosintelligence.com/20...
    Vitali Kremez analysis of IcedID:
    www.vkremez.com/2018/09/lets-...
    TOOLS - API Scout
    github.com/danielplohmann/api...
    TUTORIAL - How to setup a FREE malware analysis VM
    oalabs.openanalysis.net/2018/...
    TUTORIAL - Understanding API calls in Windows (ntdll.dll, kernel32.dll)
    • The Curious Case of Sh...
    TUTORIAL - Fast unpacking by hooking RtlDecompressBuffer
    • Fast Malware Unpacking...
    Feedback, questions, and suggestions are always welcome : )
    Sergei / herrcore
    Sean / seanmw
    As always check out our tools, tutorials, and more content over at www.openanalysis.net

Comments • 34

  • @yakovgoldberg7108 5 years ago +15

    You are just awesome. Your tutorial videos are phenomenal. Thank you for enriching our knowledge.

    • @OALABS 5 years ago +1

      Hey thanks so much! It's feedback like this that keeps us motivated! 🍻

  • @_nit 5 years ago +3

    Protip, you can actually see the structure offset names by highlighting a constant and pressing T, IDA should associate the dereferenced pointer with the structure and you'll see the data member just as you would in hex-rays decompiler view ^^

    • @OALABS 5 years ago +1

      Oh nice!! Thanks for the tip... I'm so spoiled with hex-rays I feel like I'm REing with one hand tied behind my back in the disassembler view 😅

  • @k.achillini 5 years ago +1

    One of the most impressive videos I've ever seen! Thank you so much for this!

  • @ashishgahlot4049 5 years ago +1

    Awesome Video! Learned a ton about IDA :)

  • @trungnguyenquoc4240 5 years ago +2

    Thank you for a very interesting video ^^! I have learned a lot from you!!

  • @vergil9397 5 years ago +1

    hell yeah, you are awesome :3 I love malware and I want to become a malware analyst. Your video is just like a walkthrough for me, thanks a lot

  • @ganeshkumargopinathan6375 5 years ago +1

    Awesome Video!!!

  • @moshealon9334 5 years ago +1

    Just great, thanks very much!

  • @kimbol496 5 years ago +1

    ayy, part 2!

  • @3cu14rs 5 years ago

    Would love to see a vid on formbook, specifically on the dummy functions that decrypt to data, and what that is used for.

    • @OALABS 5 years ago

      Hey this is a great idea! Formbook actually has some complicated tech going on under the hood and would make for an interesting vid. Sean is actually the expert on it so he's added it to his todo... as we mentioned a few times we have a side project right now that is soaking up all our free time but once that is launched I'm sure he will have more time to put something together.

  • @Cyberconman 5 years ago +1

    Hell Ya, Hell Ya

    • @OALABS 5 years ago

      😂😂😂

  • @adimenia 4 years ago

    Tried to replicate it, can't seem to get the NtCreateUserProcess hook, and after that breakpoint is hit the process just terminates. I followed the video to the letter until that point.

  • @geri_revay 5 years ago +1

    Great video, but could you either run your vm in a lower resolution, or use windows to scale to 150%? I often watch the videos on the ipad and it is hard to read your debugger and ida and you usually don’t use 1/3 of your screen anyway.

    • @OALABS 5 years ago

      Yeh currently our recording setup is insane and we need to fix it... apparently a brand new MacBook Pro can't handle video recording, screen recording and a VM at the same time 😡🤯 I'll see what we can do for future videos. Any suggestions are very welcome!

    • @geri_revay 5 years ago +1

      @@OALABS I used Screenflow on mac to do screen recording, and now working with Camtasia on Windows, which is also supported on Mac. You could either use the scaling feature in your windows VM (settings/display/scale), or either in vmware or virtualbox (I am not sure) there was also a scaling option for the VM. But you can also consider cropping the screen in your video editor and scaling it up there.

  • @ko-Daegu 5 years ago +1

    Can u plz do more basic RE tutorials and put them in 1 playlist, like the Reverse Engineering 101 you already did, so you can build on top of that....

    • @OALABS 5 years ago

      Sure thing! I think we should have another malware analysis tips video out soon : )

  • @AbacateSexy 4 years ago +1

    Hey! I was trying to analyze this malware on my own, and I was able to identify the access to the PEB structure. I opened WinDbg and from what I got, in 32-bit binaries the malware is accessing PEB->PEB_LDR_DATA->InInitializationOrderModuleList. If I'm correct on this, how do I know it is using it to build the IAT? You probably have years of experience with malware analysis so it comes naturally to you, but there's no documentation on it in the Win32 API, so I guess my main question is: how did you learn this? :(

    • @OALABS 4 years ago

      So basically once you know they are using dynamic imports then you can start looking at how, by starting at where the API addresses will be located and identifying where they are loaded in the code... we made a deep-dive reverse engineering tutorial on this topic in our more recent REVIL video th-cam.com/video/hM2Zvsak3GM/w-d-xo.html

    • @AbacateSexy 4 years ago +1

      @@OALABS thx man!
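The exchange above asks how to tell that the injected code builds its IAT at runtime, and the reply says to start from where the resolved API addresses end up in memory. As an added example (not the video's code and not the API Scout tool itself), this Python mimics the labeling step from the video's timeline: it scans a constructed memory dump for pointer values that match a constructed address-to-export map, groups adjacent hits into the runtime-built table, and emits IDAPython rename lines; all addresses and dump bytes are invented.

```python
"""Label API pointers in a dumped injected-code region, API Scout style."""
import struct

# Constructed address -> export map. API Scout derives this from the DLLs
# loaded in the analysis VM; these addresses are invented for the example.
EXPORT_MAP = {
    0x7C809AF1: "kernel32.dll!VirtualAlloc",
    0x7C80B6A1: "kernel32.dll!WriteProcessMemory",
    0x7C81CAFA: "kernel32.dll!CreateProcessW",
    0x7C90D7FE: "ntdll.dll!NtQueueApcThread",
}

def find_api_pointers(dump, base, export_map, ptr_size=4):
    """Return [(va, name)] for every aligned pointer-sized value in `dump`
    that equals a known export address; `base` is where the dump was mapped."""
    fmt = "<I" if ptr_size == 4 else "<Q"
    hits = []
    for off in range(0, len(dump) - ptr_size + 1, ptr_size):
        name = export_map.get(struct.unpack_from(fmt, dump, off)[0])
        if name:
            hits.append((base + off, name))
    return hits

def group_tables(hits, ptr_size=4, min_len=2):
    """Merge hits at adjacent addresses into tables: a run of consecutive API
    pointers is the footprint of an IAT the injected code built at runtime."""
    tables, run = [], []
    for va, name in hits:
        if run and va != run[-1][0] + ptr_size:
            if len(run) >= min_len:
                tables.append((run[0][0], [n for _, n in run]))
            run = []
        run.append((va, name))
    if len(run) >= min_len:
        tables.append((run[0][0], [n for _, n in run]))
    return tables

def ida_rename_script(hits):
    """IDAPython lines that name each slot after its API, so the listing reads
    call [ptr_VirtualAlloc] instead of call [off_401010]."""
    return [f'idc.set_name(0x{va:08X}, "ptr_{name.split("!")[1]}")' for va, name in hits]

# Constructed 64-byte dump: 16 bytes of code, a 4-entry runtime-built table
# at +0x10, 16 zero bytes, then one stray pointer at +0x30 outside any table.
DUMP = (b"\x55\x8b\xec\x83\xec\x10\x53\x56\x57\x8b\x7d\x08\x33\xdb\x90\x90"
        + struct.pack("<4I", 0x7C809AF1, 0x7C80B6A1, 0x7C81CAFA, 0x7C90D7FE)
        + b"\x00" * 16 + struct.pack("<I", 0x7C809AF1) + b"\xcc" * 12)
BASE = 0x00401000  # load address of the dumped section (constructed)
```

Running `group_tables(find_api_pointers(DUMP, BASE, EXPORT_MAP))` reports one table at 0x401010 and ignores the isolated pointer at 0x401030, which is the distinction between a built IAT and a single stored address.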

  • @techlord747 5 years ago +1

    Thank you for the awesome tutorial, but the samples on malshare give this error when I try to download: "Error 12412 (Sample Missing. Please alert admin@malshare.com)".
    If possible could you please re-upload them elsewhere?
    This was the case even for the samples used for part 1 of the tutorial earlier last month. Hoped that the issue would go away, but I guess they still did not restore the samples on Malshare :(
    It also shows me this error at the top of the screen after I log in to Malshare: "Recovery Mode. Please be aware. Older samples are currently being restored."
    I can download from Hybrid-analysis in case you want to upload them there?
    I could only find the main sample there but not the others that you uploaded to Malshare, when I last checked.
    Thank you again for the share :)

    • @OALABS 5 years ago

      Thanks for the heads up! Malshare is definitely hurting... I have uploaded the samples to CAPE so they can be downloaded without a user account. I have also updated the video descriptions to reflect this.
      Original sample:
      0ca2971ffedf0704ac5a2b6584f462ce27bac60f17888557dc8cd414558b479e
      cape.contextis.com/analysis/21237/
      Stage1 (packed UPX):
      7f463bd55aa360032fbd6489b4e34455178a35254ff66c1cd98d0775437074b4
      cape.contextis.com/analysis/21240/
      Stage2 (custom injector):
      89a0325379e1e868b668955ed41ba0faa724845028bc961a0691f19e5213dedf
      cape.contextis.com/analysis/21241/

    • @techlord747 5 years ago +1

      Thanks a lot for the upload. I really appreciate that. Now we are able to dl them without issues :)

  • @HXMCPP 5 years ago +1

    I have just one question. How hard is the process of unpacking VMProtect 3 > 0? Cuz we all know that the traditional packers only compress and/or encrypt the bytecodes. It's not the same thing with virtualization.

  • @buiasmonero4365 5 years ago

    OALabs, I always learn something new from you. May you advise: I have a C# application. It calls a native DLL, written in C++. I know that the DLL is encrypted with a first layer -- HASP SRM Envelope -- and a second layer -- Themida 2.4.6.0. The application is x64. My teacher gave me this task as diploma work. I need to reverse engineer the whole project (including that DLL) to be able to compile it with Visual Studio. The main problem is that I do not know how to unpack that sh*t. May you please provide me some books, links, maybe devirtualization scripts, advice on how to do it. Any information would be useful. I have been googling it for 3 weeks, nothing decent found. Can you throw me a life buoy?

    • @OALABS 5 years ago

      Classes now require the cracking of commercial anti-piracy software?? Wow, things must have changed a lot since I dropped out of university 🤔 I'm pretty sure I have never seen malware using a HASP dongle as protection, but if you can send me a sample I'm sure Gemalto will unpack it for you for free just out of curiosity! 😂🤣 Ok so seriously, no, we will definitely not help you crack some commercial software. We only help with analysis of malware. If you have malware related RE questions feel free to reach out, we are always happy to help... but for this request the answer is no, sorry.

    • @buiasmonero4365 5 years ago

      @@OALABS The task is not to crack software but to learn unpacking. And as far as I know it's impossible to crack HASP without the dongle. All I need is to unpack it and the teacher has to be able to run it as before. HASP is there to not allow debugging this shit. And I do not need you to unpack this for me, I just want some tips to do it myself. It's hard for me to locate all handlers of the dispatcher.
      RtcShdAnalyzer_R64.dll is what is interesting to me.
      Anyway I think it'll be interesting for you to take a look
      www.sendspace.com/file/kia9zz
      You write "I'm sure Gemalto will unpack it for you for free just out of curiosity!" like it's sososo easy for him, like 1 hour of work xD ?
      So the questions are:
      1) Is there a silver bullet algorithm to locate that shit, may you give some tips? I'm still trying to rake out this shit. It's like fucking with a cactus to do it manually.
      2) May you give some tips on how you start to reverse large code bases, what are your favourite plugins? I have a task to reverse an old game to port it to new machines.
      3) What do you do if an application you reverse updates 2 times a week? (It's my hobby, I wanna write a cheat for some game.) I think my fingers press Ctrl+N even when I sleep. Do you have some useful Python scripts?
      4) May you provide some article on configuring driver debugging in IDA? I have some issues configuring it. I hate WinDbg. aaaah that shit. aaaah.
      5) Why so long no new videos ????????
      PS: My university is in Ukraine, Mykolaiv, Admiral Makarov National University of Shipbuilding, Cybersecurity (you know, in Ukraine there are no checks; by the way I think you heard the news, we have a huge war). PPS: we use a cracked version of IDA 7 on our class computers and no one gives a fuck. I wish I had taken another task. I think the professor trolls me. PPPS: I'm reading right now "The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System", so after I read this, beware :)
      Thank you for your time!

    • @buiasmonero4365 5 years ago +1

      @@OALABS "I have never seen malware using a HASP dongle as protection" xD !!!!!!