IDA Pro Tutorial - Reverse Engineering Dynamic Malware Imports

  • Published 4 Dec 2024

COMMENTS • 89

  • @OALABS
    @OALABS 5 years ago +4

    For those of you interested in attempting this in Ghidra, check out this excellent blog post: blag.nullteilerfrei.de/2019/11/09/api-hashing-why-and-how/

  • @ExploitedShells
    @ExploitedShells 5 years ago +15

    All I have to say, is a huge thank you.
    Your content helped me so much, and I improved myself so much because of your tutors. Again, thank you for your content!

    • @OALABS
      @OALABS 5 years ago +1

      That's awesome to hear thanks very much : ))

  • @2nc4yproduction
    @2nc4yproduction 2 years ago +1

    probably the best video about this subject in youtube

  • @EvilSapphireR
    @EvilSapphireR 4 years ago +1

    Super late squad, but loved the video! Loved your clarity of thinking; clearly your years of expertise are showing. Just wanted to point out for anyone else following here: the 4th byte and the 22nd, 23rd and 24th bits of the hash are used to determine the DLL via the right shift of 21, and the rest of the bits (1st and 2nd bytes, lower 4 bits of the 3rd byte and the 21st bit) are used to determine the function name via the AND with 0x1FFFFF.

  • @billtibbs5768
    @billtibbs5768 5 years ago +6

    Definitely please post more like this. Actual RE into the guts of malware is very helpful. Personally, I'm interested in the comms/command and control and, of course, in watching how you, an experienced professional, approach it and use tools like IDA.

    • @OALABS
      @OALABS 5 years ago +4

      Stay tuned, I think we will cover some C2 stuff soon : )

  • @demarcusthomas601
    @demarcusthomas601 5 years ago +1

    Please continue additional videos such as this. Very helpful to see your process for analyzing samples.

  • @dejadk
    @dejadk 5 years ago +3

    I love reverse engineering and all I want to do is make a career of it. Thank you so much for creating these videos.

  • @DmytriE
    @DmytriE 5 years ago +3

    The actual reverse engineering aspect is very interesting and helpful. There are definitely some things that you just won't get from the tips and tricks of unpacking malware. Eventually, you have to get into the weeds, and I'm glad that you are willing to share your insight and knowledge. Looking forward to the IDA scripting video!!

  • @EvilSapphireR
    @EvilSapphireR 5 years ago +1

    As someone who's looking to switch from Network Security to RE and Malware Analysis, you're doing God's work man. I'm looking to do GIAC GREM certification and your tutorials are a huge confidence boost that I can actually do this! Thanks so much!

    • @OALABS
      @OALABS 5 years ago

      Hey that's awesome to hear. Thank you so much : )))

  • @Thiago1337
    @Thiago1337 5 years ago +2

    Quality content right here. Keep it up. Step-by-step videos are long, but the amount of knowledge contained in them is priceless.

  • @turner7777
    @turner7777 3 years ago +1

    you never disappoint!

  • @Juan-je3ml
    @Juan-je3ml 5 years ago +2

    As usual! Pure quality! Helps me learn a lot! Thanks man!

  • @typedeaf
    @typedeaf 3 years ago +1

    Great video. The whole time I was screaming at you, 'It's ANDing 21 bits, not a word!'

    • @OALABS
      @OALABS 3 years ago

      🤣🤣🤣🤣

  • @MrLuchoni3
    @MrLuchoni3 4 years ago +2

    +1 for more posts like this. It's really cool to see how he thinks about and approaches the analysis.

  • @84h81
    @84h81 2 years ago +1

    nice intro bro.. will recommend hearing it again 10/10.

  • @alphatsar6141
    @alphatsar6141 5 years ago +2

    Excellent material! Would make for a great tutorial series in itself. There's not enough out there that ties together the disparate skills into an actual malware RE workflow perhaps all the way to a report deliverable. Would love to see more of that. Thank you :)

  • @ДенисЮзвик-м6о
    @ДенисЮзвик-м6о 5 years ago +1

    Happy to see a new video. Thanks. I vote for "tutorial style" videos :)

  • @AetherlabNet
    @AetherlabNet 5 years ago +2

    Great video, looking forward to more like this. If I have the time, I will try to reproduce it in Ghidra.

  • @anonymousquoll9316
    @anonymousquoll9316 5 years ago +2

    The "0x1FFFFF is just the lower word part" threw me for a loop until you caught your mistake later on. Other than that, this was a great video.

    • @OALABS
      @OALABS 5 years ago +1

      OMG yeh sorry about that. I thought it was 4 F's not five haha. Wanted to leave that in there though so you can all have a peek behind the curtain of how these things are made : )
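The bit split that @EvilSapphireR describes above (high bits shifted right by 21 select the DLL, low 21 bits masked with 0x1FFFFF identify the function) and the four-F's-versus-five-F's slip discussed in this thread, worked through as an added Python example. This is not code from the video or from OALabs: the DLL index table, the hash entries and the block-table layout (little-endian DWORDs terminated by a zero entry) are all constructed here for illustration.

```python
import struct

# Bit layout as described in the comments: bits 21..31 select the DLL,
# bits 0..20 carry the function hash.
DLL_SHIFT = 21
FUNC_MASK = 0x1FFFFF        # five F's: a 21-bit mask
WRONG_WORD_MASK = 0xFFFF    # four F's: the 16-bit "lower word" slip from the video

# Constructed index -> DLL name table (an assumption for this example,
# not taken from the sample analysed in the video).
DLL_TABLE = {0: "kernel32.dll", 1: "ntdll.dll", 2: "advapi32.dll"}


def pack_entry(dll_index, func_hash):
    """Build one 32-bit table entry from an 11-bit DLL index and a 21-bit function hash."""
    if not 0 <= dll_index < (1 << (32 - DLL_SHIFT)):
        raise ValueError("DLL index must fit in 11 bits")
    if not 0 <= func_hash <= FUNC_MASK:
        raise ValueError("function hash must fit in 21 bits")
    return (dll_index << DLL_SHIFT) | func_hash


def split_entry(value):
    """Return (dll_index, func_hash) for one 32-bit entry, exactly as the comment describes."""
    return value >> DLL_SHIFT, value & FUNC_MASK


def parse_block_table(blob):
    """Walk a little-endian block of DWORD entries and decode each one until a zero terminator."""
    entries = []
    for (value,) in struct.iter_unpack("<I", blob):
        if value == 0:
            break
        dll_index, func_hash = split_entry(value)
        entries.append({
            "raw": value,
            "dll": DLL_TABLE.get(dll_index, f"dll_{dll_index}"),
            "func_hash": func_hash,
        })
    return entries


def word_mask_drops_bits(value):
    """How many set function-hash bits the 16-bit mask would silently discard for this entry."""
    full = value & FUNC_MASK
    word = value & WRONG_WORD_MASK
    return bin(full ^ word).count("1")


# Constructed sample table: three entries followed by the zero terminator.
SAMPLE_TABLE = struct.pack(
    "<4I",
    pack_entry(0, 0x1ABCDE),
    pack_entry(1, 0x0F00FF),
    pack_entry(2, 0x123456),
    0,
)

if __name__ == "__main__":
    for entry in parse_block_table(SAMPLE_TABLE):
        print(f"{entry['raw']:#010x} -> {entry['dll']:<13} func_hash={entry['func_hash']:#08x} "
              f"(16-bit mask would drop {word_mask_drops_bits(entry['raw'])} bits)")
```

Running the block shows why the 16-bit mask matters: for every constructed entry the upper bits of the 21-bit function hash are non-zero, so masking with 0xFFFF would produce a value that never matches the real hash of any exported name.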

  • @purpler3m910
    @purpler3m910 5 years ago +1

    Love this. Thank you lots! I will go home and follow step by step. This helps anyone new to reversing understand the hows of malware; it is more hands-on. I hope you guys do more reverse engineering. Maybe without IDA Pro, but using some open source tools. Anyway, thanks OALabs

  • @CosmoCopulates1
    @CosmoCopulates1 5 years ago +3

    More of these types of videos! Great job

  • @humbertocaron334
    @humbertocaron334 2 years ago +1

    make more videos like this. It is awesome.

  • @jacekklepacki8301
    @jacekklepacki8301 5 years ago +1

    Your videos are awesome, thanks to you I finally got into malware reversing. Can't wait for the scripting video.

    • @OALABS
      @OALABS 5 years ago +1

      Thanks! That's awesome to hear!

  • @malware_reverse
    @malware_reverse 5 years ago +1

    Another awesome video. Looking forward to seeing the ida script for this one too.

  • @thehen101
    @thehen101 5 years ago +1

    Another excellent video. Your channel has really helped me to learn the ropes when it comes to IDA, and this video is no exception. Edit: can't wait for the scripting tutorial.

  • @hapja
    @hapja 5 years ago +1

    Fantastic vid, love this type of content.

  • @Extys
    @Extys 5 years ago +2

    Thanks man, you're truly an inspiration to me.

  • @SaulloCarvalho
    @SaulloCarvalho 5 years ago +1

    Awesome video!
    Thank you.

  • @beeb490
    @beeb490 3 years ago +1

    That was very helpful, thanks man :)

  • @saultube44
    @saultube44 5 years ago +1

    Great video, thanks a bunch, keep up the good work!

  • @xcron0sx
    @xcron0sx 3 years ago +1

    Thx man keep it up! You got a new follower :)

    • @OALABS
      @OALABS 3 years ago

      Thanks : )

  • @mr_ehmed
    @mr_ehmed 5 years ago +1

    please make beginner series for IDA pro plz plz big fan of you

    • @OALABS
      @OALABS 5 years ago

      You can check out our old IDA tips video... it's from a while ago so the editing isn't quite as good but it might have some info that is useful for you ua-cam.com/video/qCQRKLaz2nQ/v-deo.html

  • @unk6822
    @unk6822 5 years ago +1

    That was really interesting, not boring! Could you maybe bring up a video on defeating anti-debugger tricks from malware? Because often malware's main target is to not even be analyzed by a live debugger.

    • @OALABS
      @OALABS 5 years ago

      Thanks for the feedback, we will make more like this in the future for sure. We also have an older (lower quality) vid where we talk about how to defeat some anti-analysis tricks ua-cam.com/video/WlE8abc8V-4/v-deo.html I'm not sure if that covers everything you are looking for but it's a start.

  • @ilanisme3698
    @ilanisme3698 5 years ago +1

    love your vids!

  • @HardyJap
    @HardyJap 5 years ago +3

    Can we have another Windbg tutorial? There is a dearth of Windbg tutorials though everybody in the industry uses it. Would love a follow up to the last Windbg tutorial on this channel.

    • @OALABS
      @OALABS 5 years ago +3

      Yes this is a great idea and something we have been trying to arrange with Josh for a while. We have just suffered from such a busy schedule that we haven't had a chance to arrange another collaboration. This is definitely going to happen though.

  • @AholicKnight
    @AholicKnight 5 years ago +1

    He's alive!

  • @mmm-me4kk
    @mmm-me4kk 1 year ago +1

    Great video! Quick question, with a dynamic IAT, do you mean API functions that are called at runtime (so not static DLL imports)?

    • @OALABS
      @OALABS 1 year ago +2

      Yes exactly. The imports are resolved dynamically at runtime and called directly.

  • @ItzZyannYT
    @ItzZyannYT 2 years ago +2

    what key did you use for renaming the function? in this part 12:17

    • @OALABS
      @OALABS 2 years ago +2

      You can highlight the function and press "n" to open the name text box like you see in the video.

    • @ItzZyannYT
      @ItzZyannYT 2 years ago

      @@OALABS ohh

    • @ItzZyannYT
      @ItzZyannYT 2 years ago

      @@OALABS also one question, is there any way to generate all byte codes of functions?

    • @OALABS
      @OALABS 2 years ago +1

      I'm not sure what you mean, but if you have a specific example feel free to jump on our discord and ask there. Make sure you are specific though and post a link to the sample you are analyzing.

  • @yassinelaptop8286
    @yassinelaptop8286 5 years ago +1

    Thanks man

  • @b1scoito
    @b1scoito 5 years ago +1

    great video.

  • @akiraperera9574
    @akiraperera9574 2 years ago

    Hi, in the structures part of IDA, is there a way to display all values of one value in a list?
    Thanks.

  • @tni2667
    @tni2667 5 years ago +3

    what about more "proper" dynamic import implementations where the import resolving is completely inlined and the function pointers are stored on the stack rather than the .data section?=)

    • @OALABS
      @OALABS 5 years ago

      That would be a neat tutorial, but that's pretty rare since it's a lot more work for the malware developer. This sort of block-table import resolving is pretty much the standard unless the malware dev has spent a lot of time on it. The only malware that I know of that does individual import resolving is Dridex and they have their own macros for it. If you send me some hashes of other malware that does this I could maybe make a tutorial out of it?

    • @alvinye4860
      @alvinye4860 5 years ago

      @@BSOD.Enjoyer Awesome

  • @francis2k488
    @francis2k488 5 years ago +1

    Nice video but I was lost. What should be the prerequisite for this knowledge?

    • @OALABS
      @OALABS 5 years ago

      If you scroll down I think your question is similar to @Do py's. You might be interested in some of the resources Michael and I recommended to them.

  • @TheBlackAndWhiteCow
    @TheBlackAndWhiteCow 5 years ago +1

    Good tutorial, but in practice is there any benefit in static resolving rather than dynamic (just let it run)?

    • @OALABS
      @OALABS 5 years ago +1

      That's a great question, and it depends on what you need to do. In most of our tutorials we demonstrate how to quickly triage malware: unpack it and get it ready for reverse engineering. In this tutorial we are starting to show how you begin actually reverse engineering malware. So what's the difference? If you just need to quickly identify the malware and what it does, using the dynamic trick we showed in part 1 of this tutorial will work great and it's nice and fast. However, if you need to report on this malware you may get questions like: how do they resolve their imports, have you seen this import resolving technique used in other malware, is there anything unique we can use to identify this malware based on the way it resolves imports, etc. These questions can't be answered without fully reversing the malware. That is the main difference between triage and proper reverse engineering; when you are reverse engineering you are attempting to collect as much information about the binary as possible. At the time of collection you may not understand what is relevant and what is not. There is also a practical benefit to building the IDA scripts, which we will demonstrate in the next tutorial. Often when you track the evolution of malware over the course of its life cycle you will have to look at many similar samples. It is much faster to do this type of "bulk" reverse engineering with static scripts rather than having to use a debugger to build the imports each time. Apologies for the long answer, but I think this question is very important as it gets at the heart of the difference between proper reverse engineering and triage.

    • @TheBlackAndWhiteCow
      @TheBlackAndWhiteCow 5 years ago +1

      @@OALABS Thanks for the detailed response, didn't even consider the signature aspect. I guess this specific example doesn't demonstrate the benefits of static analysis all too well since, as you described, the method is well known and reversing the specifics doesn't bring too much new information to the table; of course it's just a tutorial, and a great one at that.
      I was using IDA Python myself to find and decrypt salted strings in some sample and it was amazing, so I don't look down on static analysis in any way; I just avoid it since it usually takes more time (depends on the case).
      Looking forward to the next video ;)

  • @MrEnsiferum77
    @MrEnsiferum77 5 years ago

    I'm not so much into this reversing thing, but is it important for the reverse engineer to know what data structure a piece of asm code actually is? I mean you look at code, and from experience and so on, you detect: oh, this is a binary tree.
    What is important to look at when you are reversing some code?

  • @dopy8418
    @dopy8418 5 years ago +1

    What would be the starting point? This is too advanced for me but I find it interesting. I can do Cisco networking and Python code, but is there a book to start in this debugging stuff?

    • @Demonslay335
      @Demonslay335 5 years ago +2

      "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software" is pretty much the industry standard to get started from what I've heard. It's a pretty good read to get some of the basic concepts in your head. Other than that, honestly just jumping in and playing with IDA or a debugger for a bit to get familiar with it a little bit.

    • @OALABS
      @OALABS 5 years ago +2

      We actually get this question a lot, and if you scroll through the comments of our other videos you will see we have had a few pretty long answers over the years. I agree with what Michael said, that's a good book if you are interested. But if you are like me and you prefer to learn hands on with videos etc. I highly recommend these other channels too:
      Colin Hardy ua-cam.com/channels/ND1KVdVt8A580SjdaS4cZg.html
      Malware Analysis for Hedgehogs ua-cam.com/channels/VFXrUwuWxNlm6UNZtBLJ-A.html
      Hasherezade ua-cam.com/channels/NWVswPNgn5kutPNa5sprkg.html
      Also for written content I think the Dr. Fu blog is amazing!
      fumalwareanalysis.blogspot.com/p/malware-analysis-tutorials-reverse.html
      Good luck! And feel free to drop any questions you have in the chat here.

    • @OALABS
      @OALABS 5 years ago

      Oh also, all this free course work from opensecuritytraining.info/. It's a bit boring since it's just recorded college lectures but if you are looking for a very thorough free resource it can't be beat!

  • @bob_ross12
    @bob_ross12 5 years ago

    thx bob

  • @inspiredbymichansenpai2393
    @inspiredbymichansenpai2393 5 years ago

    can you let us download the video for offline viewing?

  • @asafcohen3562
    @asafcohen3562 5 years ago +2

    did you pay for IDA Pro?

    • @OALABS
      @OALABS 5 years ago

      Yes I have my own private license 💸💸💸

    • @ElenFan2011
      @ElenFan2011 5 years ago

      @OALabs In your opinion, does one need the x64 Hex-Rays decompiler for malware analysis or is it sufficient to have x86 only?

    • @asafcohen3562
      @asafcohen3562 5 years ago

      @@OALABS that's cool as fuck i just pirate it running through wine or just run ghidra

    • @Matt-ir1ky
      @Matt-ir1ky 5 years ago

      @@asafcohen3562 Bro, OALabs could just crack IDA himself in like 10 mins.

  • @supportsupport8156
    @supportsupport8156 5 years ago +4

    coming on UA-cam
    crack IDA PRO licence using GHIDRA😆😆

    • @OALABS
      @OALABS 5 years ago +1

      😂😂😂😂

  • @rex_x7028
    @rex_x7028 5 years ago

    Hi can you talk with me?
    Because I need your help

    • @OALABS
      @OALABS 5 years ago

      Our contact information is on our website.

    • @rex_x7028
      @rex_x7028 5 years ago

      @@OALABS how can I open SPRX files?

    • @rex_x7028
      @rex_x7028 5 years ago

      @@OALABS to open source

  • @Useless-Gameplay
    @Useless-Gameplay 5 years ago +1

    Man, you're a god. Thanks for this class.
    By the way, do you have any contact such as Skype? Can we talk?

    • @OALABS
      @OALABS 5 years ago

      Our contact info is on our website : )

    • @Useless-Gameplay
      @Useless-Gameplay 5 years ago

      @@OALABS I was thinking if you can teach how to decompile a program packed with themida. I had some problems doing it

  • @jundolfarpilleda3628
    @jundolfarpilleda3628 5 years ago

    Hi brow could you please help me debug pdf sam enhanced 5,, i have been having difficulty doing it,, thx brahh,,and more power to you

    • @OALABS
      @OALABS 5 years ago

      Sorry we only analyze malware.

  • @新之助-d8w
    @新之助-d8w 5 years ago +2

    So detailed, looking forward to the next episode~ I plan to let a few pile up and then binge them 😁