Unpacking Process Injection Malware With IDA PRO (Part 1)

  • Published 3 Feb 2025

Comments • 38

  • @rayray1999100 · 1 year ago · +1

    I have been watching you for a couple of years now and I always come back to watch these videos for my sanity.
    And I love how the subtitles always say "DXE" when he says "EXE"

    • @OALABS · 1 year ago · +2

      Lol the AI subtitle generator is not very familiar with reverse engineering terms...

  • @cazurro96 · 3 years ago · +1

    Really great and clear explanations, even for someone like me who just knows the basics of malware analysis. These videos are so helpful, especially the tricks like the "anti-reverse" technique explanation and how you actually approach new malware. Thanks!

  • @Matt-ir1ky · 7 years ago · +1

    I feel like I won the Twitter lottery by clicking the link to this video. Seriously, you hit the exact right spot in your speed/explanation... Not too fast that I get lost and not too slow that I get bored. Thank you for going to the trouble of making the video!

  • @LunaOoze · 5 years ago · +1

    Starting to get more into your videos as I come closer to finishing the labs in the book Practical Malware Analysis. These videos are awesome and you're really good at explaining things while keeping a good pace too. Thanks for uploading these :) Keep it up.

    • @OALABS · 5 years ago

      Right on! That's great to hear, thanks : )

  • @_why_3881 · 3 years ago · +1

    I love your videos. This is great. I already read about injection in this new book I bought a while ago, Mastering Malware Analysis by Alexey Kleymenov. Your videos still help me the most. Thank you so much for the hint to this video.

  • @EnduranceT · 7 years ago

    I asked, you provided... Awesome I am so excited to view this! Thank you!!

  • @drgowen · 6 years ago · +1

    Thanks for the video. Just a tip: the file offset is shown at the bottom of the IDA disassembly frame. No need to search for the byte sequence.

    • @OALABS · 6 years ago

      Whoa, nice tip! Been using IDA for years and never noticed haha! Thanks : )
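The tip above is about reading an address's file offset off IDA's status bar so a patch can be written straight to the sample on disk (the thread also refers to a patched sample). The script below is an added example, not code from the video or from OALabs: it does the same translation IDA does, from a virtual address through the PE section table to a file offset, and then applies a one-byte patch (here a `jz` turned into a `jmp`) only after checking the original bytes are what you expect. The PE it operates on is a constructed minimal PE32 built in-line for illustration, not one of the samples from the thread; the patch target and byte values are likewise illustrative.

```python
"""Map a VA in a PE image to its file offset and patch a byte there.

Added example (not the video's code). The PE built by build_test_pe() is a
constructed minimal PE32 with a single .text section, used only as input.
"""
import struct


def _u16(b, o): return struct.unpack_from("<H", b, o)[0]
def _u32(b, o): return struct.unpack_from("<I", b, o)[0]
def _u64(b, o): return struct.unpack_from("<Q", b, o)[0]


def parse_pe(pe):
    """Return (image_base, [(name, rva, size_of_raw_data, pointer_to_raw_data), ...])."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ signature")
    nt = _u32(pe, 0x3C)                       # e_lfanew -> IMAGE_NT_HEADERS
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    num_sections = _u16(pe, nt + 6)           # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = _u16(pe, nt + 20)              # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    opt = nt + 24                             # start of IMAGE_OPTIONAL_HEADER
    magic = _u16(pe, opt)
    if magic == 0x10B:                        # PE32: ImageBase is a DWORD at +28
        image_base = _u32(pe, opt + 28)
    elif magic == 0x20B:                      # PE32+: ImageBase is a QWORD at +24
        image_base = _u64(pe, opt + 24)
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    for i in range(num_sections):
        s = opt + opt_size + 40 * i           # each IMAGE_SECTION_HEADER is 40 bytes
        name = pe[s:s + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, rva, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, s + 8)
        sections.append((name, rva, raw_size, raw_ptr))
    return image_base, sections


def va_to_file_offset(pe, va):
    """Translate a VA to a file offset; fail if the address has no bytes on disk."""
    image_base, sections = parse_pe(pe)
    rva = va - image_base
    for _name, sec_rva, raw_size, raw_ptr in sections:
        # Only SizeOfRawData bytes of a section exist in the file. Bytes beyond
        # that (VirtualSize > SizeOfRawData) and memory an unpacker allocates at
        # run time have no file offset, so a patch there must be done in memory.
        if sec_rva <= rva < sec_rva + raw_size:
            return raw_ptr + (rva - sec_rva)
    raise ValueError("VA 0x%x is not backed by file data" % va)


def patch_bytes(pe, va, expected, replacement):
    """Return a patched copy; refuse to write if the bytes there are not `expected`."""
    if len(expected) != len(replacement):
        raise ValueError("patch must not change length")
    off = va_to_file_offset(pe, va)
    if pe[off:off + len(expected)] != expected:
        raise ValueError("bytes at VA 0x%x are %s, not %s"
                         % (va, pe[off:off + len(expected)].hex(), expected.hex()))
    return pe[:off] + replacement + pe[off + len(replacement):]


def build_test_pe():
    """Constructed minimal PE32 (sample input only, not a real binary)."""
    image_base, text_rva, text_raw, text_raw_size = 0x400000, 0x1000, 0x200, 0x200
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)             # e_lfanew: NT headers follow DOS header
    # Machine=i386, 1 section, SizeOfOptionalHeader=0xE0, Characteristics=EXECUTABLE|32BIT
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<I", opt, 16, text_rva)            # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)          # ImageBase
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x40, text_rva, text_raw_size,
                      text_raw, 0, 0, 0, 0, 0x60000020)  # CODE|EXECUTE|READ
    headers = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sec
    body = bytearray(text_raw_size)
    # test eax,eax ; jz +5 ; mov eax,1 ; ret   (the jz at RVA 0x1002 is our target)
    body[:10] = bytes.fromhex("85c0" "7405" "b801000000" "c3")
    return headers.ljust(text_raw, b"\0") + bytes(body)


if __name__ == "__main__":
    pe = build_test_pe()
    jz_va = 0x401002
    patched = patch_bytes(pe, jz_va, b"\x74", b"\xeb")   # jz -> jmp: always take the branch
    print("VA 0x%x -> file offset 0x%x, byte now 0x%02x"
          % (jz_va, va_to_file_offset(pe, jz_va), patched[va_to_file_offset(pe, jz_va)]))
```

The expected-bytes check matters in practice: if the offset math is off by a section or the sample on disk differs from the one loaded in IDA (e.g. a self-modifying packer), a blind write would corrupt the file silently.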

  • @breakingtwitting · 12 days ago

    "Injecting breakpoints in random interesting places" is the way I gamble my way in RE.

  • @lucca1820 · 5 years ago · +1

    Awesome work! Thanks for the contribution!

  • @3dadventures792 · 7 years ago · +1

    Your videos are incredibly helpful.
    Has anyone ever told you that you look, sound, talk, and even have the same way of adjusting your glasses as Anthony Fantano? :p
    Anyway, thanks for your work!

    • @OALABS · 7 years ago · +1

      Awesome to hear you like our videos : )
      So funny you mention Fantano... I saw him interviewed on NoJumper a while back and I was seriously creeped out how similar we look hahaha!

  • @evanjoshua4338 · 1 year ago · +1

    Do you turn off all Windows services on startup? Why does my Windows VM seem to have a lot of processes? Thank you for the video. Great job 🥰

    • @OALABS · 1 year ago

      No, I pretty much keep the environment vanilla from the install. I think it is useful to get familiar with the normal operation of Windows, as when you triage in the wild you will need to deal with these. However, if you want to create a sandbox to help with RE then it does make sense to trim down the OS to the bare minimum so you can focus on the malware.

  • @eliwhalen604 · 6 years ago · +2

    Just a question regarding the part about CreateProcess at around 19:00, though I'm not really sure if it is even a valid question as I'm quite new to this stuff. If the malware were to call the Nt-layer CreateProcessInternalW (if that's what it's called at that layer) function as opposed to the one that you set your breakpoint on, would it just run and avoid the breakpoint you set?

    • @OALABS · 6 years ago · +2

      Hey, this is a great question! In short, yes, you are absolutely correct: if the malware calls a lower-level API then it will circumvent our breakpoint and we will not see the call. We actually cover a bit of this in an older video here: th-cam.com/video/CiZ5D6wlIrw/w-d-xo.htmlm42s The reason we are confident setting the breakpoint on CreateProcessInternalW is that if the malware wants to call APIs lower than that, they will have to do more work to set up the call, so it is rare that we see that amount of effort in simple packers.

  • @marcus.edmondson · 6 years ago · +1

    Your videos are fantastic!

    • @OALABS · 6 years ago

      Thank you very much : ))

  • @vorsprungdurchtechnik7373 · 6 years ago

    Where did you learn this? Have you got some resources?

  • @ganeshkumargopinathan6375 · 7 years ago

    Good one!!!! Keep rocking.

  • @ahmedqud5639 · 4 years ago

    How can I start playing with binary stuff?! 😭
    What's the best book or tutorial to get started in binary exploitation at all?

  • @rookier2949 · 6 years ago · +1

    Your videos are really helpful. Can you share the samples on MalShare, so that people who don't have a VT account can also try?

    • @OALABS · 6 years ago · +1

      Sure thing! Now we submit all our samples to MalShare for this exact reason, but this was an older video and we weren't doing that yet. Below you can find the MalShare links for these samples. Thanks for the reminder!
      Original sample:
      malshare.com/sample.php?action=detail&hash=84063bd287827277ae2a22f4b3e9757a
      Patched sample:
      malshare.com/sample.php?action=detail&hash=1b68729f1f03c3d82b13abe38599f6c3
      Stage #1 unpacked:
      malshare.com/sample.php?action=detail&hash=044eebcc3e6980d95ceff93f6865b789
      Stage #2 unpacked:
      malshare.com/sample.php?action=detail&hash=067e188c774b232246dd4924cb910dde
      Final payload:
      malshare.com/sample.php?action=detail&hash=7f0fdddf5905886532c8a652abed1b6c

    • @rookier2949 · 6 years ago

      Thanks :)... You guys are awesomeeee (y)

  • @TheBekabe · 7 years ago · +1

    Very good video.
    Can I give you a sample for your analysis with IDA Pro or OllyDbg?
    I'm so confused by malware that uses an "Antidebug_AntiVM" technique, because it cannot run in my Cuckoo Sandbox system. So I want to bypass that technique.
    Sorry for my stupid question.

    • @OALABS · 7 years ago · +1

      Sure thing! Just send us the hash for the sample. You can post it here or DM it to one of us on twitter.

    • @TheBekabe · 7 years ago · +1

      @OALabs Cool!!!!
      I'm so happy.
      These are the SHA256 hashes of my virus samples:
      1. DFCC3CFA8B7FB19C87D7D91EA6A3477E11289A6F638A0DFCABB7CBE9F57C8078
      Size: 0.98 MB (1,036,288 bytes)
      2. 8412B1B381AEFE1C3B74F14DD5894A4B1A15F213EB3771945351DA000F3A93F1
      Size: 736 KB (753,664 bytes)
      3. 16540597E03AC70BEA055AA72BF83A7DC3276CF6A64CD6CAFDB09E05EBCC198B
      Size: 484 KB (495,616 bytes)
      Thanks in advance.

  • @diegocracker · 3 years ago · +1

    Absolutely wonderful

    • @OALABS · 3 years ago

      Thank you!

  • @TheNippysidhu · 5 years ago

    Can someone please guide me? I did a bachelor's in computer science and then recently completed a postgrad in Cyber Security. I am very confused as to what skills are required for which job, which field I should pursue as a career, and also where to apply for jobs. Please help.

  • @vmwsree · 7 years ago

    How do I download the sample?

    • @OALABS · 7 years ago · +1

      The VT links for all the samples and unpacked stages are in the description of the video. If you don't have a VTI key, you can download them for free from Hybrid Analysis. You just need to sign up for a free account; then on each of the links below you will see the sample download button at the top of the page.
      Original sample:
      www.hybrid-analysis.com/sample/8af6a0ad98f53063e6f730828a59621dac2aa575cd1a618723b0ad7823ef3ec4?environmentId=100
      Patched sample:
      www.hybrid-analysis.com/sample/59bba7a104592a31e6ccd062da8d2e1b226de19e5c4ea2d4416b328068bb7081?environmentId=100
      Stage #1 unpacked:
      www.hybrid-analysis.com/sample/7d3b38d67d15e79799fe614d57520c6de81d260ce8701ca16e7d64b7c80732f4?environmentId=100
      Stage #2 unpacked:
      www.hybrid-analysis.com/sample/cc59ecd59719f464a6d0e69c895c742334d40f50c41d59b5eaa51ba7c561b2b5?environmentId=100
      Final payload:
      www.hybrid-analysis.com/sample/275f927f5cc809ebba57c6e766c550d2d27b1841708459a876c6f5a99201ecb6?environmentId=100

    • @johndoom8471 · 5 years ago

      @OALABS But Hybrid Analysis is free ONLY for researchers who have published at least 3 freaking blogs!!!!! Why not just upload the sample?! If YouTube doesn't allow it, then just upload it to your website and we can search the hash and download it from there.
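The two sample lists above give the same stages under different identifiers: MD5 on MalShare and SHA-256 on Hybrid Analysis. The script below is an added example, not OALabs' code or anything from the video. It classifies a hash by its length, builds the download request for the repository that serves that hash type, and refuses to keep a downloaded file whose digest does not match the hash that was asked for, so a wrong or tampered file never reaches the analysis VM. The API endpoints, query parameters and header names are assumptions taken from the public API documentation of the two services and should be checked against the current docs before use; the `FAKE_SAMPLE` bytes are a constructed stand-in, not a real sample.

```python
"""Acquire a sample by hash and verify its digest before storing it.

Added example (not the video's or OALabs' code). Endpoint layouts for MalShare
and Hybrid Analysis are assumptions from their public API docs.
"""
import hashlib
import os
import urllib.request

HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}   # hex-digest length -> algorithm


def classify_hash(h):
    """Return (normalised_hex, algorithm) implied by the hash's length."""
    h = h.strip().lower()
    if len(h) not in HASH_ALGOS or any(c not in "0123456789abcdef" for c in h):
        raise ValueError("not a hex MD5/SHA-1/SHA-256: %r" % h)
    return h, HASH_ALGOS[len(h)]


def build_request(h, malshare_key=None, ha_key=None):
    """Build the download request for a repository that can serve this hash."""
    h, algo = classify_hash(h)
    if algo == "sha256" and ha_key:
        # Hybrid Analysis v2 (assumed): GET /api/v2/overview/{sha256}/sample,
        # authenticated with an 'api-key' header; the docs require this User-Agent.
        return urllib.request.Request(
            "https://www.hybrid-analysis.com/api/v2/overview/%s/sample" % h,
            headers={"api-key": ha_key, "User-Agent": "Falcon Sandbox"})
    if malshare_key:
        # MalShare (assumed): api.php?api_key=...&action=getfile&hash=<md5|sha1|sha256>
        return urllib.request.Request(
            "https://malshare.com/api.php?api_key=%s&action=getfile&hash=%s"
            % (malshare_key, h))
    raise ValueError("no API key for a repository that serves %s hashes" % algo)


def sha256_hex(data):
    """SHA-256 hex digest of a byte string."""
    return hashlib.sha256(data).hexdigest()


def verify_sample(data, expected_hash):
    """True if `data` hashes to `expected_hash` under the algorithm its length implies."""
    h, algo = classify_hash(expected_hash)
    return hashlib.new(algo, data).hexdigest() == h


def store_verified(data, requested_hash, dest_dir):
    """Write a verified sample as <sha256>.bin; never write unverified bytes."""
    if not verify_sample(data, requested_hash):
        raise RuntimeError("digest mismatch for %s; discarding download" % requested_hash)
    # Name by SHA-256 so files fetched by MD5 and by SHA-256 line up, and use a
    # non-executable extension so a stray double-click does not run the sample.
    path = os.path.join(dest_dir, sha256_hex(data) + ".bin")
    with open(path, "wb") as f:
        f.write(data)
    return path


def fetch_and_store(h, dest_dir, **keys):
    """Download from the matching repository, then verify and store (network call)."""
    data = urllib.request.urlopen(build_request(h, **keys), timeout=60).read()
    return store_verified(data, h, dest_dir)


# Constructed stand-in for a downloaded file; not a real sample.
FAKE_SAMPLE = b"MZ" + b"\0" * 62 + b"constructed test blob, not malware"


if __name__ == "__main__":
    # Offline demonstration of the integrity check with the constructed blob.
    good = sha256_hex(FAKE_SAMPLE)
    print("matches own digest:", verify_sample(FAKE_SAMPLE, good))
    print("matches thread MD5:", verify_sample(FAKE_SAMPLE, "84063bd287827277ae2a22f4b3e9757a"))
```

Run with real keys, `fetch_and_store("84063bd287827277ae2a22f4b3e9757a", "./samples", malshare_key=...)` pulls the original sample by MD5 and stores it under its SHA-256, which is the identifier the Hybrid Analysis list uses, so the two lists can be cross-checked locally.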

  • @dsldsl6460 · 6 years ago

    Great information in these tutorials, but you just talk tooooooooo much. Signal: 10, noise: 90. Please stop "uhm-ing" on and on and on.

    • @OALABS · 5 years ago · +1

      Haha! Don't worry, this is just an old tutorial; check out some of our new ones to see how our editing has improved : )

    • @Cygnus0lor · 5 years ago · +5

      Try making a video on your own then? It's not as easy as you think.