This is an amazing video! Your content is phenomenal and I hope your channel grows! You deserve lots of recognition for your work and I will say I believe 2k subs is a crime for the amazing videos you are putting out. Keep up the good work and I look forward to watching more of your videos!
@@sonianuj This has to be one of the best videos on UA-cam about API unhooking. Great content. Very clear voice, well explained. Didn't understand everything (you lost me about 70% through), but that's because I don't have enough knowledge about reverse engineering. I'm just a simple system engineer.
🎉 The most thorough step by step explanation of windows API Ghidra and debug use. I like your style. Excited for more videos and thanks for spending all this time helping others in the community. Salute!
Hi, great content.... only one small suggestion if I may: if you want to get more views you must change the channel name by adding something related to malware reverse engineering. I know you from sans because I'm interested in 610. Great content & looking forward for next ones!
Very Amazing Video, needed this as i may start my career in malware reversing in a company soon (you're videos helped me get this job btw), thanks a ton
hi Anuj, I have been learning a lot with your videos but I have a question; I find very interesting what you described at 06:55 in the video and I want to ask what is the difference between attaching the executable after putting this infinite loop and just putting a breakpoint at the entry point of it without attaching it? Both the breakpoint and the infinite loop won't let it execute further right? Always nice to learn new things.
Hi there! Thanks for watching. So, if my goal was simply to debug find.exe, I could absolutely set a breakpoint at the entry point of find.exe like you suggested. However, at this point in my analysis (06:55), I wanted to debug a version of find.exe that had been hooked by frida-trace. This means I first need to launch find.exe via frida-trace and *then* debug it - my solution was to insert the infinite loop so that I could attach to the running (but hooked) find.exe before it terminates. I hope that makes sense!
Hi, could you mention any ideas how to detect unhooking techniques? Provided that you already unhooked ntreadfile function (or use it's syscall), you can load any unhooked native api function from disk to avoid EDR/XDR detection. Being deaf to api monitoring, static rules seem to be applied. Any thought how to approach the topic and detect the manipulation statically? Love your meterials❤
Great question. Capa or YARA rules could help with this. YARA is often discussed, capa less so. Maybe I'll make a video on using capa rules to detect this sort of thing. Thanks for the idea!
Might just be me, but the description (In this video, we analyze the FBI's Qakbot takedown code using malware analysis techniques) is for another video of yours I believe - ua-cam.com/video/ZDXqrfG7hWc/v-deo.html Thanks for the great content!😃
This is an amazing video! Your content is phenomenal and I hope your channel grows! You deserve lots of recognition for your work and I will say I believe 2k subs is a crime for the amazing videos you are putting out. Keep up the good work and I look forward to watching more of your videos!
Wow thank you so much! That is so kind of you to say. Another video coming soon!
@@sonianuj This has to be one of the best videos on UA-cam about API unhooking. Great content. Very clear voice, well explained. Didn't understand everything (you lost me about 70% through), but that's because I don't have enough knowledge about reverse engineering. I'm just a simple system engineer.
🎉 The most thorough step by step explanation of windows API Ghidra and debug use. I like your style. Excited for more videos and thanks for spending all this time helping others in the community. Salute!
Thank you so much!
A big fan of your detailed-explain approach... 😊
looking forward to a video explaining "how to identify API hashing technique"
Thank you!
Hi,
great content.... only one small suggestion if I may: if you want to get more views you must change the channel name by adding something related to malware reverse engineering. I know you from sans because I'm interested in 610.
Great content & looking forward for next ones!
Interesting anuj hope to see more future videos
Will do, thanks for watching!
your concepts explanation are straight forward and the videos are concise and very educative@@sonianuj
Very Amazing Video, needed this as i may start my career in malware reversing in a company soon (you're videos helped me get this job btw), thanks a ton
Wow, thank you so much for sharing this. Your comment inspires me to continue putting in the work to create these videos.
hi Anuj,
I have been learning a lot with your videos but I have a question; I find very interesting what you described at 06:55 in the video and I want to ask what is the difference between attaching the executable after putting this infinite loop and just putting a breakpoint at the entry point of it without attaching it? Both the breakpoint and the infinite loop won't let it execute further right?
Always nice to learn new things.
Hi there! Thanks for watching. So, if my goal was simply to debug find.exe, I could absolutely set a breakpoint at the entry point of find.exe like you suggested. However, at this point in my analysis (06:55), I wanted to debug a version of find.exe that had been hooked by frida-trace. This means I first need to launch find.exe via frida-trace and *then* debug it - my solution was to insert the infinite loop so that I could attach to the running (but hooked) find.exe before it terminates. I hope that makes sense!
I see, thank you
Amazing content, thank you!
Thanks for watching!
Very nice. Well worth staying in the office for :)
Wow that’s great to hear! Thank you for watching.
Excellent 👌
Thank you! Cheers!
Amazing ❤❤
Thanks 😄
Hi, could you mention any ideas how to detect unhooking techniques? Provided that you already unhooked ntreadfile function (or use it's syscall), you can load any unhooked native api function from disk to avoid EDR/XDR detection. Being deaf to api monitoring, static rules seem to be applied. Any thought how to approach the topic and detect the manipulation statically?
Love your meterials❤
Great question. Capa or YARA rules could help with this. YARA is often discussed, capa less so. Maybe I'll make a video on using capa rules to detect this sort of thing. Thanks for the idea!
@@sonianuj I was thinking about looking for binary string reaching the pointer to PEB from TIB. It may be a preety constant thing.
Might just be me, but the description (In this video, we analyze the FBI's Qakbot takedown code using malware analysis techniques) is for another video of yours I believe - ua-cam.com/video/ZDXqrfG7hWc/v-deo.html
Thanks for the great content!😃
Whoops, thanks for noticing that! Just fixed it.
what build of windows are you using?
Hi there. I'm using a Win10 enterprise build where I've installed all my tools (all free). Hope that helps!