Unpacking Redaman Malware & Basics of Self-Injection Packers - ft. OALabs

  • Published on 18 Dec 2024

Comments • 97

  • @bennesp
    @bennesp 5 years ago +54

    That intro, so satisfying

  • @Squog
    @Squog 5 years ago +36

    22:00 Shift+Right-Click in folder, "Open Command Prompt Here" on context menu :)

    • @Zooiest
      @Zooiest 5 years ago +14

      Or, type cmd in the path bar thingy, next to the search bar

    • @Reth_Hard
      @Reth_Hard 5 years ago +5

      You can also edit the registry to have it always in the right-click menu. :D
      If I remember correctly: You just have to remove (or rename) the string value "Extended" at...
      HKEY_CLASSES_ROOT\Directory\Background\shell\cmd
      HKEY_CLASSES_ROOT\Directory\shell\cmd

    • @Zooiest
      @Zooiest 5 years ago

      Reth Tard well, that’s pretty cool to know when you don’t know much about how those things use the registry!
      Edit: missed a word

    • @srdjanaleksic4924
      @srdjanaleksic4924 5 years ago +1

      Actually every folder in Explorer can be set by folder options to show all files, system and hidden, then you can change attributes with right click. attrib is a great command, but everything can be achieved with just the GUI too ;)

  • @SwapnilSingh4u
    @SwapnilSingh4u 5 years ago +18

    I have already been following his channel for years now; he is doing a great job for us. I was not expecting that you (LiveOverflow) support him, thanks for supporting him. You're a great buddy

  • @column.01
    @column.01 5 years ago +57

    > Wakes up
    > New LiveOverflow video
    > *Happiness Noise*

  • @WolfrostWasTaken
    @WolfrostWasTaken 5 years ago +6

    I can't believe I was able to follow the whole video! Very good job at keeping things clear to the viewer, explaining every single bit! Subbed to OALabs :)

  • @Mrjulle3
    @Mrjulle3 5 years ago

    That's really awesome! Learning so much. Very nice of you to guest smaller channels, you're a kind man.

  • @cod4volume
    @cod4volume 5 years ago +9

    Had to pause to say thank you lol this is a great idea and good video. I really like the breakdown and the simplicity of the exe, it made for a great tutorial.

  • @lacno29
    @lacno29 5 years ago +3

    22:00 - it is possible to show hidden/system files in explorer
    Organize -> Folder Option -> View Tab -> Uncheck "Hide Protected System Files"

  • @bloodaid
    @bloodaid 5 years ago +1

    Great video. I've never seen anyone walk through the instructions like that.

  • @iQBlackhawk
    @iQBlackhawk 5 years ago +16

    oh boy! I still have a lot to learn.

  • @THE16THPHANTOM
    @THE16THPHANTOM 5 years ago +1

    This OALabs channel is the type of channel I was looking for when I found LiveOverflow. I never bothered looking further. Maybe I could have eventually landed on that channel if I had kept looking.

  • @G0NZA11
    @G0NZA11 5 years ago +1

    Not a big fan of screen recording, face in the corner, pointing with pointer, unmaximized windows, long length videos. That's why I love your videos! I can see them even on my phone, the whole videos or just skip to a specific part (which is hard in these kind of videos). I'm going to check his channel, but seeing a lot of videos of half an hour is intimidating.
    Hope this doesn't offend anyone and I'm glad to see you take your time to continue with your thesis!

  • @369951369951
    @369951369951 5 years ago

    New business moves! Great video, subscribing to the new channel.

  • @avimalka5362
    @avimalka5362 5 years ago

    Great video!... now more! we want to see windows stuff too

  • @computr1x
    @computr1x 5 years ago

    0:11 Delay between the video being captured and uploaded ~4 months. Reverse Engineering IcedID / Bokbot Malware Part 2 was released 5 months ago and in LiveOverflow's video it was 1 month ago.
    But maybe he had long planned to shoot this video or this piece of video was sent by OALabs.

  • @thehen101
    @thehen101 5 years ago +1

    Amazing video. Sergei from OALabs did an excellent job explaining this. One concept I would love to have explained is manual mapping - because from what I understand, you can't use the method of relying on LoadLibrary for it because it's never called.

    • @asdasd-md5ot
      @asdasd-md5ot 5 years ago

      Manual mapping is doing the Windows loader's job, but manually. You read the PE file, move sections to the correct place, relocate the image, resolve imports and execute the entry point. This is more stealthy than LoadLibrary also because the DLL won't be visible in the module list (in x64dbg for example).

    • @thehen101
      @thehen101 5 years ago

      @@asdasd-md5ot Yes, that sums it up nicely. Something I never understood was how people got their code to execute - some create a new thread (but this seems lazy). I heard that some hijack an old thread, but this seems quite complicated for x64 sources that I've seen.

    • @asdasd-md5ot
      @asdasd-md5ot 5 years ago

      @@thehen101 If you are manually mapping a DLL into the current process you can just call the entry point like any other function. There are many ways to execute code in another process. For example you can hijack a thread or queue an APC or hook something that gets called often by the target process.

    • @thehen101
      @thehen101 5 years ago

      @@asdasd-md5ot In the context of video game cheating, would those methods be detectable?

    • @asdasd-md5ot
      @asdasd-md5ot 5 years ago

      @@thehen101 Depends on the anti-cheat of course. I would say an executable region that doesn't belong to any module is suspicious. And about execution, the safest way should be hooking something. But it depends on how and what you hook.

  • @neoXXquick
    @neoXXquick 5 years ago +1

    Very good site about malware.. they explain everything very well and educationally.. I recommended it to everyone

  • @Solvente_e_Soluto
    @Solvente_e_Soluto 4 years ago +1

    I have to install Flare VM or OALab's VM? Or both?

  • @_mihazupan
    @_mihazupan 5 years ago +4

    Is there an advantage to unpacking over the PE section vs. any other memory region?

    • @OALABS
      @OALABS 5 years ago +2

      I would say there probably isn't any practical advantage, especially not the way it was done by this malware. I think traditionally the section overwrite was a bit more stealthy than just allocating some executable memory in the process space since the execution was contained inside the structure of the PE. But, as you can see here they still allocate executable memory in the process for the stub so there is no advantage. Also, modern analysis tools (and AV) won't be fooled by the section overwrite. That's just my take though. I would be interested if anyone else has some more input, maybe some advantages I overlooked?

    • @gyroninjamodder
      @gyroninjamodder 5 years ago

      Just a shot in the dark since I don't use Windows, but perhaps it's for legitimate programs which get packed where you want loading it to be the same as loading the unpacked version.

    • @OALABS
      @OALABS 5 years ago

      @@gyroninjamodder That's a great suggestion and probably the case for most legitimate executables that use UPX.

  • @nug203
    @nug203 5 years ago

    Thanks for showing me that these guys exist! I'm off to subscribe and check out some of their content

  • @hassansyed5661
    @hassansyed5661 5 years ago +3

    Already subscribed to him but now clicked on the bell icon too. Thank you for leaving many clues for me towards the right direction

  • @Cyb0rg_12
    @Cyb0rg_12 5 years ago

    Golden Explanation, subscribed!

  • @MinusGix
    @MinusGix 5 years ago

    Interesting video, glad to find more interesting tech-related channels.
    Suggestion: maximize window, or zoom in so that it's easier to read the text, especially for those who are watching on lower than high quality.

  • @CosmoCopulates1
    @CosmoCopulates1 5 years ago +2

    I made the same realization with getprocaddress recently too! It’s still stuck in my head to call it get process address :(

    • @OALABS
      @OALABS 5 years ago

      😂😂😂😂

  • @TimLF
    @TimLF 5 years ago +1

    time to queue up some Linux malware analysis videos.

  • @terry.chootiyaa
    @terry.chootiyaa 5 years ago +2

    *Where can I find the ransomware virus payload to test it..?*

    • @Haru-vw6my
      @Haru-vw6my 5 years ago +1

      "GTA-VI Free crack.rar" and should be fine

    • @OALABS
      @OALABS 5 years ago

      I commented above (below?) with links where you can download the sample we analyzed. On the same website you will also be able to find ransomware samples for testing www.malware-traffic-analysis.net/2019/index.html

    • @terry.chootiyaa
      @terry.chootiyaa 5 years ago

      @@Haru-vw6my *what ???*

    • @terry.chootiyaa
      @terry.chootiyaa 5 years ago +1

      @@OALABS *Thanks*

    • @terry.chootiyaa
      @terry.chootiyaa 5 years ago +1

      @@OALABS *Can you recommend sites where I can get full versions of all types of malware for testing and research*

  • @vic2734
    @vic2734 5 years ago

    Thanks for all this content!!! Keep it coming

  • @DVSProductions
    @DVSProductions 5 years ago +16

    Good video, but everything is so tiny, also just having a screen record where most of the screen doesn't contain anything is really a waste of space

    • @x3ICEx
      @x3ICEx 5 years ago +2

      And the volume was far too quiet. Had to boost it by 200% (and then got ear raped by outro music)

    • @rj-nj3uk
      @rj-nj3uk 5 years ago

      @@x3ICEx I feel so sorry for you.

  • @hoppers1337
    @hoppers1337 5 years ago

    OALabs has a really nice and soft voice :D

  • @flo4604
    @flo4604 5 years ago

    Which Linux distribution are u using most times?

  • @pep1878
    @pep1878 5 years ago +7

    They are very competent and incredibly clear in explaining but they really have to learn how to communicate efficiently... Voice tones and such.... Hard to follow if you aren't extremely interested in the topic

  • @chaitanyaghorpade830
    @chaitanyaghorpade830 4 years ago

    Could anyone help in unpacking this sample (f9cd9c327ff4d8f493b6085812979dea) which is similar to this. But I am not able to unpack following these steps. Thanks in advance

  • @fouzaialaa7962
    @fouzaialaa7962 5 years ago

    so in the end !!! i just need to delete all the .dll files from my pc ??

    • @besserwisser4055
      @besserwisser4055 5 years ago

      Only if you want to make the OS "unusable"

  • @dukesan7
    @dukesan7 5 years ago

    Interesting and Useful!

  • @PolyLogic
    @PolyLogic 5 years ago

    I was just watching your videos and then I got a popup that you uploaded a video.

  • @JohnPeter-yf5jf
    @JohnPeter-yf5jf 5 years ago +4

    I don’t change my resolution from 144p often, but this has earned the extra data. :)

  • @arthurvanderwal
    @arthurvanderwal 5 years ago +4

    You didn't know about attrib? That blows my mind tbh

    • @HA7DN
      @HA7DN 5 years ago +5

      I think he rarely uses win.

    • @thehen101
      @thehen101 5 years ago +2

      how does it feel to have brain pieces all over your room

    • @WoolieOG
      @WoolieOG 5 years ago +3

      I don't think you even need attrib, Windows has a checkbox to show system/hidden files in View->Folder options, directly from Explorer; it shows everything besides {magic-names}

  • @VictorNascimentoo
    @VictorNascimentoo 5 years ago +2

    Open Analysis LiveOverflow

  • @aliceImagina
    @aliceImagina 5 years ago +1

    that intro tho

  • @Reth_Hard
    @Reth_Hard 5 years ago

    I wish I could read Disassembler as well as I read Python or even C++ !!

  • @4.0.4
    @4.0.4 5 years ago

    I read it as Ramadan malware and wondered if it was a seasonal malware or maybe something that recently blew up.

  • @pwnweb5734
    @pwnweb5734 5 years ago

    Superb

  • @close7029
    @close7029 3 years ago

    Sir Discord?

  • @dennisbarzanoff9025
    @dennisbarzanoff9025 5 years ago

    I couldn't read any of the text. It was too small to me.

  • @hapja
    @hapja 5 years ago

    >LiveOverflow
    >26 mins
    >ft. OALabs
    Comfy.

  • @galsherp6173
    @galsherp6173 5 years ago

    Very cool, but next time please adjust the volume. (I know it's difficult, I make videos myself, I always compare my videos, or rather the volume, with LinusTechTips)

  • @nezu_cc
    @nezu_cc 5 years ago +1

    Thanks for showing his channel, hacking Windows is what I love. Linux exploitation is boring af imo

  • @localhost6153
    @localhost6153 5 years ago

    thank you so much :) !

  • @velho6298
    @velho6298 5 years ago

    Effortless. Nice !

  • @nictuniema1249
    @nictuniema1249 5 years ago

    No Sound;(

  • @btarg1
    @btarg1 5 years ago

    Open Analysis Live-Overflow

  • @krshn4n
    @krshn4n 5 years ago

    ThankYou

  • @PolyLogic
    @PolyLogic 5 years ago +1

    Nice

  • @Schwuuuuup
    @Schwuuuuup 5 years ago +6

    Hmm, usage of screen size was poor (I usually watch on my phone) and all the cutting of the talk was too aggressive and therefore very distracting for me. Sorry but that style of video is not for me

    • @undefined879
      @undefined879 5 years ago

      You what mate? I watched this on my phone and I could read everything, and the guy talked very understandable. Idk what's your issue.

    • @Schwuuuuup
      @Schwuuuuup 5 years ago

      @@undefined879 are you a native English speaker? I'm not. And I could read it - but not comfortably. And so much space was unused, a bit more zoom would have been nice

  • @DigitalicaEG
    @DigitalicaEG 5 years ago

    weird that u didn't know about attrib

  • @AmithMohanan
    @AmithMohanan 5 years ago +2

    your videos have audio very low, consider setting it higher

  • @Astinsan
    @Astinsan 5 years ago

    Attrib? You didn’t know about attrib?!?

    • @chaugan
      @chaugan 5 years ago

      Jason Brooks He's not a windows guy. He has admitted it in the past multiple times.

    • @Astinsan
      @Astinsan 5 years ago

      But cp/m and dos had the command

  • @Raj_darker
    @Raj_darker 5 years ago

    Hey!!
    Video was awesome.!!
    Can you please check your mail @LiveOverflow, I have sent you mail, kindly Do reply.

  • @malevolentlight8777
    @malevolentlight8777 5 years ago

    Why am I here? I can hardly read python lol

  • @Attackid
    @Attackid 5 years ago

    good video but could NOT stand the crazy amount of editing, stop cutting out half a second pauses, it's infuriating to watch

  • @RobotN001
    @RobotN001 5 years ago

    too fast.