Anuj! Great well explained video! Thanks for all the hard work you put into these. Keep it up! 👏
Thank you, that means a lot!
Another great video Anuj! Looking forward to seeing more. It helps with my course in Advanced Malware Analysis from Zero 2 Automated!!!
Anuj! Thank you for your effort and for sharing this insightful content, it's worth it :)
You’re very welcome, thanks for taking the time to let me know you enjoyed the content!
Wonderful video!
I know how much time it takes to make this high quality content
Keep it up Anuj! Hope you keep making more videos.
Can you make one about manually unpacking malware? I'd love to share some samples with you.
Wonderful video! I know how much time it takes to pump out these high quality videos.
Keep it up Anuj! Any plans on making a video on manually unpacking malware? I'd love to give some samples for it.
Thanks 😄
Always looking for ideas - DM me at @asoni on X.
Great stuff! Have John H. learn from you before streaming any malware-related content again! :-)
Thanks a lot Anuj! Apart from your technical knowledge I appreciate the didactic knowledge even more!! Very well explained
Appreciate that very much. Trying to make the info as practical as possible.
@sonianuj it feels even a bit like "piracy" watching these videos since the quality is up to the standard you maintain in FOR710.
Learned a lot from this one, thank you Anuj :)
Glad to hear it!
Great videos. I have learned many things from here. Hopefully there will be more content on the topic of obfuscating malware from you in the near future
More to come!
Awesome as always.
Thank you!
Keep it up, videos are always fantastic!
Well explained and well presented, thank you.
Glad it was helpful!
You can also do the filtering in the logfile using Notepad++ itself instead of using the find command.
This can be done by marking all lines containing the OUTPUT string and then removing all non-marked lines.
Thanks for the tip!
More videos, you are incredible!
More to come!
Well explained @anuj … making a video on .NET malware deobfuscation will also be very helpful … 🙏🙏🙏
Thanks for watching! Great idea, will look into this one.
Hope to see more videos
Hi Anuj, thanks for making a video on this topic, conditional breakpoints are highly underrated. Could you please make a video on tracing and its uses? There are a few people talking about its uses or significance.
Thanks for the idea! That could be a good one. I'll give this some more thought.
@sonianuj Thanks for commenting. Eagerly waiting for another great video.
Hi Anuj, just a quick question. In this decoding of the strings. Is there a way to decode them and see their associated indexes? Thanks again!
Thank you very much 🎉❤
You're welcome 😊
so good
Glad you enjoyed it!
Great video. Why are there all the int instructions after the call to VirtualProtect (I think they're breakpoints, but the number seems excessive to me)?
That's a great question. I *think* the 0xCC values are associated with some sort of padding/alignment. They are present in the file on disk as well (kernel32.dll), not just in memory. If anyone else knows, please inform us!
Maybe I have to fill some knowledge gap here... but how did you know the decoded strings at 7:19 in the video were UTF-16?
Great question, I could have done a better job of clarifying this. When I dumped the address in EAX to the dump window, each character was represented with two bytes. UTF-16 uses two bytes for most characters (vs. UTF-8, for example, which uses 1 byte per ASCII character).
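An added Python example (not from the video or either commenter) that turns the heuristic in the reply above into a check: a run of bytes copied from a debugger's dump window is treated as UTF-16LE when every printable character is followed by a 0x00 high byte, and as ASCII when it is one byte per character. The sample buffers are constructed here for illustration.

```python
"""Classify a byte string dumped from memory as UTF-16LE or ASCII text.

Heuristic: ASCII-range text stored as UTF-16LE shows up in a dump as
<char> 00 <char> 00 ..., i.e. two bytes per character with a null high byte.
"""
import string

PRINTABLE = set(string.printable.encode())

def _terminated(buf: bytes, width: int) -> bytes:
    """Cut the buffer at the first NUL terminator of the given width (1 or 2 bytes)."""
    for i in range(0, len(buf) - width + 1, width):
        if buf[i:i + width] == b"\x00" * width:
            return buf[:i]
    return buf

def looks_utf16le(buf: bytes, min_chars: int = 4) -> bool:
    """True if the buffer reads as printable text stored two bytes per character."""
    data = _terminated(buf, 2)
    if len(data) % 2 or len(data) < 2 * min_chars:
        return False
    lows, highs = data[0::2], data[1::2]
    # Low bytes must be printable, high bytes must all be zero.
    return all(b in PRINTABLE for b in lows) and not any(highs)

def looks_ascii(buf: bytes, min_chars: int = 4) -> bool:
    """True if the buffer reads as printable text stored one byte per character."""
    data = _terminated(buf, 1)
    return len(data) >= min_chars and all(b in PRINTABLE for b in data)

def decode_dumped_string(buf: bytes):
    """Return (encoding, text); ("unknown", None) if neither heuristic matches."""
    if looks_utf16le(buf):
        return "utf-16le", _terminated(buf, 2).decode("utf-16le")
    if looks_ascii(buf):
        return "ascii", _terminated(buf, 1).decode("ascii")
    return "unknown", None

# Constructed sample dumps: a wide string, a narrow string, and a few code bytes.
WIDE = "VirtualProtect".encode("utf-16le") + b"\x00\x00"
NARROW = b"kernel32.dll\x00"
CODE_BYTES = bytes([0x8B, 0x45, 0x08, 0x33, 0xC9, 0x00])

if __name__ == "__main__":
    for sample in (WIDE, NARROW, CODE_BYTES):
        print(sample.hex(" "), "->", decode_dumped_string(sample))
```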
TY, from capa how did you know the 4th address was the XOR function?
If I was looking at the sample for the first time, I would review each address and evaluate the function for indications that it decoded content (e.g., mathematical operations within a loop, pointers to random looking bytes passed as arguments). So definitely some trial and error involved. I skipped to the 4th to save us some time.
@sonianuj Ok, I was like "now how in the h### did he find that out!?" lol. Good video, ty.
I'm trying to apply your method to get the password for a protected file packed with InnoSetup which drops malware. I already found the function with capa that you showed. Thanks a lot.
You’re welcome!
Great video Anuj! Will try all this for sure. Thanks a lot!
Can you please make another fantastic video on debugging running processes (attach/attach to debugger)?
Context is like:
debugging a.exe and b.exe, now wanting to debug the b.exe process at the same time.
Thanks in advance! :)
I like this idea, I'll definitely look into it! Thanks for being so specific in your suggestion.