OALabs | IDA Pro Malware Analysis Tips @OALABS | Uploaded 6 years ago | Updated 23 minutes ago
Open Analysis Live! A few tips and tricks to help you analyze malware with IDA Pro.
-----
OALABS DISCORD
discord.gg/6h5Bh5AMDU
OALABS PATREON
patreon.com/oalabs
OALABS TIP JAR
ko-fi.com/oalabs
OALABS GITHUB
github.com/OALabs
UNPACME - AUTOMATED MALWARE UNPACKING
unpac.me/#
-----
Automated Malware Unpacking
unpac.me
PE Mapped Virtual Address vs. Offset In Binary File: 02:55
IDA Pro Layout Tips: 05:10
Dynamically Resolving APIs: 08:10
IDA Pro Remote Debugger Setup and Use: 09:06
Walking Call Chain From Hooked API Back To Malware: 22:59
Using Memory Snapshots To Unpack Malware (Quick Unpacking): 40:07
Win32 API Calls and The Stack (How To Change Arguments On The Fly): 46:28
IDA Pro Remote Debugger (Debugging a DLL): 01:16:32
PE basics including how a PE is mapped in memory:
http://www.delphibasics.info/home/delphibasicsarticles/anin-depthlookintothewin32portableexecutablefileformat-part1
http://www.delphibasics.info/home/delphibasicsarticles/anin-depthlookintothewin32portableexecutablefileformat-part2
Link to the most excellent IDA Pro book:
nostarch.com/idapro2.htm
Microsoft calling conventions:
msdn.microsoft.com/en-us/library/k2b2ssfy.aspx
RegTestUPX1.exe (benign demo application, safe to run):
virustotal.com/en/file/31e8a11960d0492b64241354c567643f09f0e0278658d31e75d6f2362dbfae44/analysis/1486886366
final_unmapped.dll (DLL demo **WARNING REAL MALWARE ONLY RUN IN A VM)
virustotal.com/en/file/275f927f5cc809ebba57c6e766c550d2d27b1841708459a876c6f5a99201ecb6/analysis
We are always looking for feedback, what did you like, what do you want to see more of, what do you want to see us analyze next? Let us know on twitter:
twitter.com/herrcore
twitter.com/seanmw
As always check out our tools, tutorials, and more content over at http://www.openanalysis.net
#IDAPro #ReverseEngineering #MalwareAnalysis
Open Analysis Live! A few tips and tricks to help you analyze malware with IDA Pro.
-----
OALABS DISCORD
discord.gg/6h5Bh5AMDU
OALABS PATREON
patreon.com/oalabs
OALABS TIP JAR
ko-fi.com/oalabs
OALABS GITHUB
github.com/OALabs
UNPACME - AUTOMATED MALWARE UNPACKING
unpac.me/#
-----
Automated Malware Unpacking
unpac.me
PE Mapped Virtual Address vs. Offset In Binary File: 02:55
IDA Pro Layout Tips: 05:10
Dynamically Resolving APIs: 08:10
IDA Pro Remote Debugger Setup and Use: 09:06
Walking Call Chain From Hooked API Back To Malware: 22:59
Using Memory Snapshots To Unpack Malware (Quick Unpacking): 40:07
Win32 API Calls and The Stack (How To Change Arguments On The Fly): 46:28
IDA Pro Remote Debugger (Debugging a DLL): 01:16:32
PE basics including how a PE is mapped in memory:
http://www.delphibasics.info/home/delphibasicsarticles/anin-depthlookintothewin32portableexecutablefileformat-part1
http://www.delphibasics.info/home/delphibasicsarticles/anin-depthlookintothewin32portableexecutablefileformat-part2
Link to the most excellent IDA Pro book:
nostarch.com/idapro2.htm
Microsoft calling conventions:
msdn.microsoft.com/en-us/library/k2b2ssfy.aspx
RegTestUPX1.exe (benign demo application, safe to run):
virustotal.com/en/file/31e8a11960d0492b64241354c567643f09f0e0278658d31e75d6f2362dbfae44/analysis/1486886366
final_unmapped.dll (DLL demo **WARNING REAL MALWARE ONLY RUN IN A VM)
virustotal.com/en/file/275f927f5cc809ebba57c6e766c550d2d27b1841708459a876c6f5a99201ecb6/analysis
We are always looking for feedback, what did you like, what do you want to see more of, what do you want to see us analyze next? Let us know on twitter:
twitter.com/herrcore
twitter.com/seanmw
As always check out our tools, tutorials, and more content over at http://www.openanalysis.net
#IDAPro #ReverseEngineering #MalwareAnalysis