This was fantastic. This type of stuff is exactly what I've been looking for and it's extremely hard to find good instruction for this. In fact, I would say there's NO good instruction available on YT in plain English with detail, so major kudos. I won't keep bugging ya for more.. But if you have more, or want to make more of this kinda thing.... I would become a Patron... Just sayin ;)
hi OALabs. Thank you very much for this. As always you explain it very well. I watched both parts and learned a lot, although when looking at the title, I thought that you would also talk about rebuilding the import table of unpacked binaries. Import table reconstruction is an unclear subject to me. It would be cool to see you talk about this subject in some other video. Have a good day!
Hey glad you found this useful. I have been meaning to do an in-depth tutorial on import reconstruction but I just haven't gotten around to it. I agree it's a complex subject but there are some tricks we have tried to demonstrate in our tutorials to make it easier. Ex. APIscout, and using scylla. I will try to make a dedicated video at some point though as many people have requested it.
I really appreciate your videos. I'm just starting out and what you say is very helpful!
Hey thanks very much! That's nice to hear : )
Awesome video man! Thank you for making these videos :). Hope to see more from you.
Thanks so much! We really appreciate the encouragement : )
The one and only big bossss so thanks for that video
Awesome videos, really appreciate all of your insight!
Thank you so much for making the video..
I really enjoy these videos, very helpful and entertaining. Thank you for making them! Question, was the reason they didn't unmap the remote address 90000 because the explorer pe would do it or was the payload written without ever calling to unmap?
Thank you! Regarding your question, I recorded this video a long while back so I can't exactly remember, but watching it now I can see that they are not using the process hollowing technique, so I believe they are just writing the payload in without calling unmap. This was a unique injection technique ... for more common techniques I can recommend this excellent overview by the folks at Endgame www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
Hi, is it possible to open one app twice with 2 different MAC addresses using DLL injection? You can only open this app one time on one PC.
Would this be the same approach when the process injects into its own child processes?
Awesome video! But I was wondering why aren't you using idc.GetManyBytes()? it would be a lot faster.
For sure 😆This is an old tutorial but I guess it's still good to see how to do it all manually though : )
Awesome!
You are using the "pe_unmaper.exe" tool a few times in this tutorial but did not provide any reference to the source files.
github.com/hasherezade/pe_recovery_tools/tree/master/pe_unmapper
After analyzing the source files, I would like to note that "pe_unmaper.exe" works only with the following relocation formats:
#define IMAGE_REL_BASED_HIGHLOW 3
#define IMAGE_REL_BASED_DIR64 0xA
More specific TypeOffset values like IMAGE_REL_BASED_HIGHADJ will not be unmapped. That requires updating the "apply_reloc_block" function.
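An added example, not code from the pe_unmapper project or the video, of the relocation-block walker the comment above describes: it applies HIGHLOW and DIR64 fixups and counts, instead of silently skipping, entries of any other type such as HIGHADJ, so an analyst can tell when a dump was only partially rebased. The block and image it walks are constructed inline and the function and variable names are my own.

```c
#include <stdint.h>
#include <string.h>

/* Relocation type values from winnt.h: the high 4 bits of each 16-bit .reloc entry. */
#define REL_ABSOLUTE 0   /* IMAGE_REL_BASED_ABSOLUTE: padding entry, skipped */
#define REL_HIGHLOW  3   /* IMAGE_REL_BASED_HIGHLOW: whole 32-bit field gets delta */
#define REL_HIGHADJ  4   /* IMAGE_REL_BASED_HIGHADJ: needs a paired entry, not handled */
#define REL_DIR64   10   /* IMAGE_REL_BASED_DIR64: whole 64-bit field gets delta */

/* Applies one IMAGE_BASE_RELOCATION block (8-byte header + WORD entries) to `image`
   with delta = new_base - old_base. Returns how many entries had an unsupported type
   (so the caller knows the rebased dump is incomplete), or -1 on a malformed block.
   Assumes a little-endian host, matching the PE file format. */
int apply_reloc_block(uint8_t *image, size_t image_len, const uint8_t *block, int64_t delta)
{
    uint32_t page_rva, block_size;
    memcpy(&page_rva, block, 4); memcpy(&block_size, block + 4, 4);
    if (block_size < 8 || (block_size - 8) % 2) return -1;
    int unsupported = 0;
    for (size_t i = 0; i < (block_size - 8) / 2; i++) {
        uint16_t entry;
        memcpy(&entry, block + 8 + 2 * i, 2);
        unsigned type = entry >> 12;
        size_t off = page_rva + (entry & 0xFFF), w;
        if (type == REL_ABSOLUTE) continue;
        w = type == REL_HIGHLOW ? 4 : type == REL_DIR64 ? 8 : 0;
        if (w == 0) { unsupported++; continue; }   /* HIGHADJ etc.: left untouched */
        if (off + w > image_len) return -1;        /* fixup target outside the dump */
        uint64_t v = 0; memcpy(&v, image + off, w);
        v += (uint64_t)delta;                      /* wraps correctly for negative delta */
        memcpy(image + off, &v, w);
    }
    return unsupported;
}

/* Constructed sample (not from any real binary): a 0x40-byte page holding a HIGHLOW
   field at 0x10, a DIR64 field at 0x20, one HIGHADJ entry and one padding entry. */
uint32_t demo_highlow; uint64_t demo_dir64;
int demo_run(void)
{
    uint8_t image[0x40] = {0}, block[8 + 4 * 2];
    uint32_t p32 = 0x00401000u, rva = 0, size = sizeof block;
    uint64_t p64 = 0x140001000ull;
    uint16_t ents[4] = { 0x3010, 0xA020, 0x4030, 0x0000 };
    memcpy(image + 0x10, &p32, 4); memcpy(image + 0x20, &p64, 8);
    memcpy(block, &rva, 4); memcpy(block + 4, &size, 4); memcpy(block + 8, ents, 8);
    int unsupported = apply_reloc_block(image, sizeof image, block, 0x1000);
    memcpy(&demo_highlow, image + 0x10, 4); memcpy(&demo_dir64, image + 0x20, 8);
    return unsupported;   /* 1: the HIGHADJ entry was counted but not applied */
}
```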
Awesome thanks for the heads up, I have added a link to the video description. Also, good point about the relocations, please submit a pull request with your patch. Or at the very least open an Issue so it can be tracked. It's an open source tool : ))
What was a little boring in my opinion:
1. retn search (part #1)
2. patching of the program code using Hex editor (part #1)
3. dumping of the section (part #1, part #2)