For those of you interested in attempting this in Ghidra, check out this excellent blog post: blag.nullteilerfrei.de/2019/11/09/api-hashing-why-and-how/
All I have to say is a huge thank you.
Your content helped me so much, and I improved myself so much because of your tutorials. Again, thank you for your content!
That's awesome to hear, thanks very much : ))
Probably the best video about this subject on YouTube.
Super late squad, but loved the video! Loved your clarity of thinking; clearly your years of expertise are showing. Just wanted to point out for anyone else following here: the 4th byte and the 22nd, 23rd and 24th bits of the hash are used to determine the DLL via the right shift of 21, and the rest of the bits (1st and 2nd bytes, lower 4 bits of the 3rd byte and the 21st bit) are used to determine the function name via the AND with 0x1FFFFF.
Definitely please post more like this. Actual RE into the guts of malware is very helpful. Personally, I'm interested in the comms/command and control and of course in watching how you, an experienced professional, approach it and use tools like IDA.
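The hash split described in the comment above, written out as an added example (this is not code from the video or from OALabs): each 32-bit block-table entry is split into a DLL selector (the bits above bit 20, obtained with `>> 21`) and a 21-bit function-name hash (`& 0x1FFFFF`). The table entries, the field names and the grouping helper are constructed for illustration and do not come from any real sample; the block also shows why the five-F mask 0x1FFFFF keeps 21 bits rather than the 16-bit "lower word" 0xFFFF that caused the confusion later in the thread.

```python
# Added example: decoding API-hash block-table entries into (DLL selector, function hash).
# Constants follow the comment above; every hash value below is constructed, not real.

DLL_SHIFT = 21        # selector = entry >> 21  (bits 21..31, eleven bits)
FUNC_MASK = 0x1FFFFF  # function hash = entry & 0x1FFFFF (bits 0..20, twenty-one bits)
LOWER_WORD_MASK = 0xFFFF  # four F's: only 16 bits, NOT what the sample uses


def mask_bit_width(mask: int) -> int:
    """How many low bits a contiguous mask keeps (0x1FFFFF -> 21, 0xFFFF -> 16)."""
    return mask.bit_length()


def split_hash(entry: int) -> tuple[int, int]:
    """Return (dll_selector, function_hash) for one 32-bit table entry."""
    entry &= 0xFFFFFFFF
    return entry >> DLL_SHIFT, entry & FUNC_MASK


def bit_layout(mask: int = FUNC_MASK, shift: int = DLL_SHIFT) -> dict[str, list[int]]:
    """Which 0-based bit positions of a 32-bit entry feed each field.

    With the values in the comment this is bits 0..20 for the function hash
    (bytes 0 and 1 plus the low five bits of byte 2) and bits 21..31 for the DLL
    (the top three bits of byte 2 plus all of byte 3)."""
    function_bits = [b for b in range(32) if (mask >> b) & 1]
    dll_bits = list(range(shift, 32))
    return {"function_bits": function_bits, "dll_bits": dll_bits}


def decode_block_table(table: list[int]) -> dict[int, list[int]]:
    """Group the function hashes of a block table by DLL selector.

    When an analyst rebuilds a dynamic import table statically, all entries
    carrying the same selector are resolved against the same DLL's export list,
    so grouping them first is the natural starting point for a resolver script."""
    groups: dict[int, list[int]] = {}
    for entry in table:
        dll, func = split_hash(entry)
        groups.setdefault(dll, []).append(func)
    return groups


# Constructed sample table (hypothetical values): two entries tagged with
# selector 1 and one entry tagged with selector 3.
SAMPLE_TABLE = [
    (1 << DLL_SHIFT) | 0x0ABCDE,
    (1 << DLL_SHIFT) | 0x1F00D5,
    (3 << DLL_SHIFT) | 0x000042,
]

if __name__ == "__main__":
    print("0x1FFFFF keeps", mask_bit_width(FUNC_MASK), "bits;",
          "0xFFFF keeps", mask_bit_width(LOWER_WORD_MASK))
    for entry in SAMPLE_TABLE:
        dll, func = split_hash(entry)
        print(f"entry 0x{entry:08X} -> dll selector {dll}, function hash 0x{func:06X}")
    print(decode_block_table(SAMPLE_TABLE))
```

The grouping step is what an IDA or Ghidra resolver script would build on: once entries are bucketed by selector, each bucket's 21-bit hashes are compared against hashes computed over one DLL's export names.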
Stay tuned, I think we will cover some C2 stuff soon : )
Please continue additional videos such as this. Very helpful to see your process for analyzing samples.
I love reverse engineering and all I want to do is make a career of it. Thank you so much for creating these videos.
The actual reverse engineering aspect is very interesting and helpful. There are definitely some things that you just won't get from the tips and tricks of unpacking malware. Eventually, you have to get into the weeds and I'm glad that you are willing to share your insight and knowledge. Looking forward to the IDA scripting video!!
As someone who's looking to switch from Network Security to RE and Malware Analysis, you're doing God's work man. I'm looking to do GIAC GREM certification and your tutorials are a huge confidence boost that I can actually do this! Thanks so much!
Hey that's awesome to hear. Thank you so much : )))
Quality content right here. Keep it up. Step by step videos are long, but the amount of knowledge contained on them is priceless.
You never disappoint!
As usual! Pure quality! Helps me learn a lot! Thanks man!
Great video. The whole time I was screaming at you, 'It's ANDing 21 bits, not a word!'
🤣🤣🤣🤣
+1 for more posts like this. It's really cool to see how he thinks about and approaches the analysis.
Nice intro bro.. will recommend hearing it again, 10/10.
Excellent material! Would make for a great tutorial series in itself. There's not enough out there that ties together the disparate skills into an actual malware RE workflow perhaps all the way to a report deliverable. Would love to see more of that. Thank you :)
Happy to see a new video. Thanks. I vote for "tutorial style" videos :)
Great video, looking forward to more like this. If I have the time, I will try to reproduce it in Ghidra.
The "0x1FFFFF is just the lower word part" threw me for a loop until you caught your mistake later on. Other than that, this was a great video.
OMG yeah, sorry about that. I thought it was 4 F's not five haha. Wanted to leave that in there though so you can all have a peek behind the curtain of how these things are made : )
Love this. Thank you lots! I will go home and follow step by step. This helps anyone new to reversing understand the hows of malware; it is more hands-on. I hope you guys do more reverse engineering. Maybe without IDA Pro, but using some open source tools. Anyways, thanks OALabs.
: ))))
More of these types of videos! Great job
Make more videos like this. It is awesome.
Your videos are awesome, thanks to you I finally got into malware reversing. Can't wait for the scripting video.
Thanks! That's awesome to hear!
Another awesome video. Looking forward to seeing the IDA script for this one too.
Another excellent video. Your channel has really helped me to learn the ropes when it comes to IDA, and this video is no exception. Edit: can't wait for the scripting tutorial.
Fantastic vid, love this type of content.
Thanks man, you're truly an inspiration to me.
Awesome video!
Thank you.
That was very helpful, thanks man :)
Great video, thanks a bunch, keep up the good work!
Thx man, keep it up! You got a new follower :)
Thanks : )
Please make a beginner series for IDA Pro, plz plz, big fan of you.
You can check out our old IDA tips video... it's from a while ago so the editing isn't quite as good but it might have some info that is useful for you ua-cam.com/video/qCQRKLaz2nQ/v-deo.html
That was really interesting, not boring! Could you maybe bring up a video on defeating anti-debugger tricks from malware? Because often malware's main target is to not even be analyzed by a live debugger.
Thanks for the feedback, we will make more like this in the future for sure. We also have an older (lower quality) vid where we talk about how to defeat some anti-analysis tricks: ua-cam.com/video/WlE8abc8V-4/v-deo.html I'm not sure if that covers everything you are looking for but it's a start.
love your vids!
Can we have another Windbg tutorial? There is a dearth of Windbg tutorials though everybody in the industry uses it. Would love a follow up to the last Windbg tutorial on this channel.
Yes this is a great idea and something we have been trying to arrange with Josh for a while. We have just suffered from such a busy schedule that we haven't had a chance to arrange another collaboration. This is definitely going to happen though.
He's alive!
Great video! Quick question, with a dynamic IAT, do you mean API functions that are called at runtime (so not static DLL imports)?
Yes exactly. The imports are resolved dynamically at runtime and called directly.
What key did you use for renaming the function, in this part at 12:17?
You can highlight the function and press "n" to open the name text box like you see in the video.
@OALABS ohh
@OALABS Also one question: is there any way to generate all byte codes of functions?
I'm not sure what you mean, but if you have a specific example feel free to jump on our discord and ask there. Make sure you are specific though and post a link to the sample you are analyzing.
Thanks man
Great video.
Hi, in the structures part of IDA, is there a way to display all values of one value in a list?
Thanks.
What about more "proper" dynamic import implementations where the import resolving is completely inlined and the function pointers are stored on the stack rather than in the .data section? =)
That would be a neat tutorial, but that's pretty rare since it's a lot more work for the malware developer. This sort of block-table import resolving is pretty much the standard unless the malware dev has spent a lot of time on it. The only malware that I know of that does individual import resolving is Dridex and they have their own macros for it. If you send me some hashes of other malware that does this I could maybe make a tutorial out of it?
@BSOD.Enjoyer Awesome
Nice video but I was lost. What should be the prerequisite for this knowledge?
If you scroll down I think your question is similar to @Do py's. You might be interested in some of the resources Michael and I recommended to them.
Good tutorial, but in practice is there any benefit to static resolving rather than dynamic (just let it run)?
That's a great question, and it depends on what you need to do. In most of our tutorials we demonstrate how to quickly triage malware; unpack it and get it ready for reverse engineering. In this tutorial we are starting to show how you begin actually reverse engineering malware. So what's the difference? If you just need to quickly identify the malware and what it does, using the dynamic trick we showed in part 1 of this tutorial will work great and it's nice and fast. However, if you need to report on this malware you may get questions like: how do they resolve their imports, have you seen this import resolving technique used in other malware, is there anything unique we can use to identify this malware based on the way it resolves imports, etc. These questions can't be answered without fully reversing the malware. That is the main difference between triage and proper reverse engineering; when you are reverse engineering you are attempting to collect as much information about the binary as possible. At the time of collection you may not understand what is relevant and what is not. There is also a practical benefit to building the IDA scripts which we will demonstrate in the next tutorial. Often when you track the evolution of malware over the course of its life cycle you will have to look at many similar samples. It is much faster to do this type of "bulk" reverse engineering with static scripts rather than having to use a debugger to build the imports each time. Apologies for the long answer but I think this question is very important as it gets at the heart of the difference between proper reverse engineering and triage.
@OALABS Thanks for the detailed response, I didn't even consider the signature aspect. I guess this specific example doesn't demonstrate the benefits of static analysis all too well since, as you described, the method is well known and reversing the specifics doesn't bring too much new information to the table; of course it's just a tutorial, and a great one at that.
I was myself using IDA Python to find and decrypt salted strings in some sample and it was amazing, so I don't look down on static analysis in any way, I just avoid it since it usually takes more time (depends on the case).
Looking forward to the next video ;)
I'm not so much into this reversing thing, but is it important for the reverse engineer to know which asm code is actually which data structure? I mean you look at code, and from experience and so on, you detect, oh, this is a binary tree.
What is important to look at when you're reversing some code?
What would be the starting point? This is too advanced for me but I find it interesting. I can do Cisco networking and Python code, but is there a book to start in this debugging stuff?
"Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software" is pretty much the industry standard to get started from what I've heard. It's a pretty good read to get some of the basic concepts in your head. Other than that, honestly just jumping in and playing with IDA or a debugger for a bit to get familiar with it a little bit.
We actually get this question a lot, and if you scroll through the comments of our other videos you will see we have had a few pretty long answers over the years. I agree with what Michael said, that's a good book if you are interested. But if you are like me and you prefer to learn hands on with videos etc. I highly recommend these other channels too:
Colin Hardy ua-cam.com/channels/ND1KVdVt8A580SjdaS4cZg.html
Malware Analysis for Hedgehogs ua-cam.com/channels/VFXrUwuWxNlm6UNZtBLJ-A.html
Hasherezade ua-cam.com/channels/NWVswPNgn5kutPNa5sprkg.html
Also for written content I think the Dr. Fu blog is amazing!
fumalwareanalysis.blogspot.com/p/malware-analysis-tutorials-reverse.html
Good luck! And feel free to drop any questions you have in the chat here.
Oh also, all this free course work from opensecuritytraining.info/. It's a bit boring since it's just recorded college lectures but if you are looking for a very thorough free resource it can't be beat!
Thx Bob
Can you let us download the video for offline viewing?
Did you pay for IDA Pro?
Yes I have my own private license 💸💸💸
@OALabs In your opinion, does one need x64 Hex-Rays decompiler for a malware analysis or is it sufficient to have x86 only?
@OALABS That's cool as fuck, I just pirate it running through Wine or just run Ghidra.
@asafcohen3562 Bro, OALabs could just crack IDA himself in like 10 mins.
Coming on UA-cam
Crack IDA Pro licence using Ghidra 😆😆
😂😂😂😂
Hi, can you talk with me?
Because I need your help.
Our contact information is on our website.
@OALABS How can I open SPRX files?
@OALABS To open source
Man, you're a god. thanks for this class.
By the way, do you have any contact like Skype? Can we talk?
Our contact info is on our website : )
@OALABS I was thinking if you can teach how to decompile a program packed with Themida. I had some problems doing it.
Hi bro, could you please help me debug PDFsam Enhanced 5, I have been having difficulty doing it, thx brahh, and more power to you.
Sorry we only analyze malware.
Very detailed, looking forward to the next episode~ Planning to wait until a few more have piled up and then watch them all 😁