Unpacking Process Injection Malware With IDA PRO (Part 1)

Open Analysis Live! This is a re-post from our old site. We walk through the steps needed to unpack a process injection sample using IDA Pro. In this first part we identify and circumvent an anti-analysis trick and use a hook on NtWriteVirtualMemory to dump the unpacked binary.
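The hook on NtWriteVirtualMemory described above gives you a stream of (target address, bytes) writes, and rebuilding the injected binary from that stream is the part that is easy to get wrong. The following is an added example, not OALABS code and not from the video: it coalesces the recorded writes into one memory image, checks for a PE header, and converts the memory-mapped layout (sections at VirtualAddress) back to file layout (sections at PointerToRawData) so the dump loads in IDA or a PE tool. The fixture `make_sample_writes` is constructed here to stand in for a hollowing loader's three writes. The IDAPython hook at the end is an assumed integration: `idaapi.DBG_Hooks`, `idc.get_reg_value`, `idc.read_dbg_dword` and `idaapi.dbg_read_memory` are IDA's own names, but the 32-bit stdcall stack layout ([esp+8] = BaseAddress, [esp+12] = Buffer, [esp+16] = NumberOfBytesToWrite) and the `install`/`NtWvmHook` names are assumptions for this example.

```python
# Added example (not OALABS code): turn NtWriteVirtualMemory hits into a PE dump.
# coalesce/unmap_image run anywhere; the IDAPython hook at the end is an assumed
# integration for a 32-bit stdcall NtWriteVirtualMemory and only exists inside IDA.
import struct


def coalesce(writes):
    """(base, buffer) spanning every (target, bytes) write; unwritten gaps stay zero."""
    base = min(a for a, _ in writes)
    buf = bytearray(max(a + len(d) for a, d in writes) - base)
    for a, d in writes:
        buf[a - base:a - base + len(d)] = d
    return base, bytes(buf)


def is_pe(buf):
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    pe = struct.unpack_from("<I", buf, 0x3C)[0]          # e_lfanew
    return buf[pe:pe + 4] == b"PE\0\0"


def section_headers(buf):
    """(VirtualAddress, PointerToRawData, SizeOfRawData) for each section."""
    pe = struct.unpack_from("<I", buf, 0x3C)[0]
    nsec = struct.unpack_from("<H", buf, pe + 6)[0]                        # NumberOfSections
    first = pe + 24 + struct.unpack_from("<H", buf, pe + 20)[0]            # skip optional header
    secs = []
    for off in range(first, first + 40 * nsec, 40):
        _vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", buf, off + 8)
        secs.append((va, rawptr, rawsize))
    return secs


def unmap_image(buf):
    """Injectors write the PE in memory layout (sections at VirtualAddress);
    move each section back to PointerToRawData so the dump loads as a file."""
    pe = struct.unpack_from("<I", buf, 0x3C)[0]
    hdr_size = struct.unpack_from("<I", buf, pe + 24 + 60)[0]              # SizeOfHeaders
    secs = section_headers(buf)
    out = bytearray(max([hdr_size] + [p + s for _, p, s in secs]))
    hdr = buf[:hdr_size]
    out[:len(hdr)] = hdr
    for va, rawptr, rawsize in secs:
        chunk = buf[va:va + rawsize]                     # short if the loader wrote less
        out[rawptr:rawptr + len(chunk)] = chunk
    return bytes(out)


def dump_from_writes(writes):
    """Hits -> memory image -> file-layout PE, or None if the region is not a PE."""
    base, img = coalesce(writes)
    return base, (unmap_image(img) if is_pe(img) else None)


def make_sample_writes(base=0x400000):
    """Constructed fixture: a minimal two-section PE32 plus the three writes a
    hollowing loader issues for it (headers, then each section at its VA)."""
    secs = [(b".text", 0x1000, 0x200, b"\xcc" * 16), (b".data", 0x2000, 0x400, b"A" * 16)]
    hdr = bytearray(0x200)
    hdr[:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                                  # e_lfanew
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, len(secs), 0, 0, 0, 0xE0, 0x102)
    opt = 0x58                                                               # optional header
    struct.pack_into("<H", hdr, opt, 0x10B)                                  # PE32 magic
    struct.pack_into("<II", hdr, opt + 32, 0x1000, 0x200)                    # Section/FileAlignment
    struct.pack_into("<II", hdr, opt + 56, 0x3000, 0x200)                    # SizeOfImage/SizeOfHeaders
    for i, (name, va, rawptr, body) in enumerate(secs):                      # section table
        off = opt + 0xE0 + i * 40
        hdr[off:off + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", hdr, off + 8, len(body), va, 0x200, rawptr)
    return [(base, bytes(hdr))] + [(base + va, body.ljust(0x200, b"\0")) for _, va, _, body in secs]


try:  # IDAPython glue: idaapi/idc names are IDA's; the stdcall stack layout is an assumption
    import idaapi, idc

    class NtWvmHook(idaapi.DBG_Hooks):
        def __init__(self, bpt_ea, hits):
            super().__init__()
            self.bpt_ea, self.hits = bpt_ea, hits        # hits: list later fed to dump_from_writes

        def dbg_bpt(self, tid, ea):
            if ea == self.bpt_ea:  # [esp+8]=BaseAddress, [esp+12]=Buffer, [esp+16]=NumberOfBytesToWrite
                esp = idc.get_reg_value("ESP")
                target, src, size = (idc.read_dbg_dword(esp + o) for o in (8, 12, 16))
                self.hits.append((target, idaapi.dbg_read_memory(src, size)))
            return 0

    def install(hits, nt_wvm_ea):
        """nt_wvm_ea: NtWriteVirtualMemory's address in the debuggee, resolved in IDA."""
        idc.add_bpt(nt_wvm_ea)
        hook = NtWvmHook(nt_wvm_ea, hits)
        hook.hook()
        return hook
except ImportError:
    pass
```

Run `base, dump = dump_from_writes(hits)` once the injected process has been resumed past its writes and save `dump` to disk; `base` is the address the loader wrote the headers to, which is the image base you want when loading the dump. The example assumes a 32-bit target; on x64 the first four arguments are in rcx, rdx, r8 and r9 rather than on the stack, and a dump taken this way still carries whatever relocations and import fixups the loader applied in memory.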

-----
OALABS DISCORD

OALABS PATREON

OALABS TIP JAR

OALABS GITHUB

UNPACME - AUTOMATED MALWARE UNPACKING

-----

Unpacking SHA256 8af6a0ad98f53063e6f730828a59621dac2aa575cd1a618723b0ad7823ef3ec4

We explain the issue that prevents this sample from running in a sandbox or under a debugger, and dive into CreateFile with dwShareMode = 0x0.

Original sample:

Patched sample:

Stage #1 unpacked:

Stage #2 unpacked:

Final payload:

We are always looking for feedback: what did you like, what do you want to see more of, what do you want to see us analyze next? Let us know on Twitter:

Comments

I have been watching you for a couple of years now and I always come back to watch these videos for my sanity.
And I love how the subtitles always say "DXE" when he says "EXE"

rayray

Really great and clear explanations, even for someone like me who just knows the basics of malware analysis. These videos are so helpful, especially the tricks like the "anti-reverse" technique explanation and how you actually approach new malware. Thanks!

cazurro

I feel like I won the twitter library by clicking the link to this video. Seriously you hit the exact right spot in your speed/explanation... Not too fast that I get lost and not too slow that I get bored. Thank you for going to the trouble of making the video!

Matt-irky
Starting to get more into your videos as I come closer to finishing the labs in the book Practical Malware Analysis. These videos are awesome and you're really good at explaining things while keeping at a good pace too. Thanks for uploading these :) Keep it up.

LunaOoze
Thanks for the video. Just a tip, the file offset is in the bottom of the ida disassembly frame. No need to search for the byte sequence.

drgowen
I love your videos. This is great. I already read about injection in this new book I bought a while ago, Mastering Malware Analysis by Alexey Kleymenov. Your videos still help me the most. Thank you so much for the hint to this video.

_why_

I asked, you provided... Awesome I am so excited to view this! Thank you!!

EnduranceT
Awesome work! thanks for the contribution!

lucca
Just a question regarding the part about CreateProcess at around 19:00, though I'm not really sure if it is even a valid question as I'm quite new to this stuff. If the malware were to call the Nt layer CreateProcessInternalW (if that's what it's called at that layer) function as opposed to the one that you set your breakpoint on, would it just run and avoid the breakpoint you set?

eliwhalen

Your videos are incredibly helpful.
Has anyone ever told you that you look, sound, talk, and even have the same way of adjusting your glasses like anthony fantano? :p

Anyway, thanks for your work!

dadventures
Do you turn off all Windows services on start-up? Why does my Windows VM seem to have a lot of processes? Thank you for the video, great job 🥰

evanjoshua

Very good video.
Can I give you a sample for you to analyse with IDA Pro or OllyDbg?
I'm so confused by malware that uses the "Antidebug_AntiVM" technique, because it can't run in my Cuckoo Sandbox system. So I want to bypass that technique.
Sorry for my stupid question.

TheBekabe

Your videos are really helpful. Can you share the samples on malshare, so that people who don't have a VT account can also try?

rookier

Where did you learn this? Have you got some resources?

vorsprungdurchtechnik
How can I start playing with binary stuff?! 😭
What's the best book or tutorial to get started in binary exploitation and all that?

ahmedqud

Can someone please guide me? I did a bachelor's in computer science and then just completed a postgrad in cyber security recently. I am very confused as to what skills are required for which job, which field I should pursue as a career, and also where to apply for jobs. Please help.

TheNippysidhu

Great information in these tutorials, but you just talk too much. Signal: 10, noise: 90. Please stop "uhm-ing" on and on and on.

dsldsl