OALabs | Unpacking Process Injection Malware With IDA PRO (Part 1) @OALABS | Uploaded 6 years ago | Updated 2 hours ago
Open Analysis Live! This is a re-post from our old site. We walk though the steps needed to unpack process injection using IDA Pro. In this first part we identify and circumvent an anti-analysis trick and use a hook on NtWriteVirtualMemory to dump the unpacked binary.
-----
OALABS DISCORD
discord.gg/6h5Bh5AMDU
OALABS PATREON
patreon.com/oalabs
OALABS TIP JAR
ko-fi.com/oalabs
OALABS GITHUB
github.com/OALabs
UNPACME - AUTOMATED MALWARE UNPACKING
unpac.me/#
-----
Unpacking SHA256 8af6a0ad98f53063e6f730828a59621dac2aa575cd1a618723b0ad7823ef3ec4
We explain the issue preventing this from running in the sandbox and with a debugger and dive into CreateFile with dwShareMode = 0x0.
Original sample:
virustotal.com/en/file/8af6a0ad98f53063e6f730828a59621dac2aa575cd1a618723b0ad7823ef3ec4/analysis
Patched sample:
virustotal.com/en/file/59bba7a104592a31e6ccd062da8d2e1b226de19e5c4ea2d4416b328068bb7081/analysis/1486627142
Stage #1 unpacked:
virustotal.com/en/file/7d3b38d67d15e79799fe614d57520c6de81d260ce8701ca16e7d64b7c80732f4/analysis/1486627158
Stage #2 unpacked:
virustotal.com/en/file/cc59ecd59719f464a6d0e69c895c742334d40f50c41d59b5eaa51ba7c561b2b5/analysis/1486627173
Final payload:
virustotal.com/en/file/275f927f5cc809ebba57c6e766c550d2d27b1841708459a876c6f5a99201ecb6/analysis/1486627182
We are always looking for feedback, what did you like, what do you want to see more of, what do you want to see us analyze next? Let us know on twitter:
twitter.com/herrcore
twitter.com/seanmw
As always check out our tools, tutorials and more content over at http://www.openanalysis.net/.
Open Analysis Live! This is a re-post from our old site. We walk though the steps needed to unpack process injection using IDA Pro. In this first part we identify and circumvent an anti-analysis trick and use a hook on NtWriteVirtualMemory to dump the unpacked binary.
-----
OALABS DISCORD
discord.gg/6h5Bh5AMDU
OALABS PATREON
patreon.com/oalabs
OALABS TIP JAR
ko-fi.com/oalabs
OALABS GITHUB
github.com/OALabs
UNPACME - AUTOMATED MALWARE UNPACKING
unpac.me/#
-----
Unpacking SHA256 8af6a0ad98f53063e6f730828a59621dac2aa575cd1a618723b0ad7823ef3ec4
We explain the issue preventing this from running in the sandbox and with a debugger and dive into CreateFile with dwShareMode = 0x0.
Original sample:
virustotal.com/en/file/8af6a0ad98f53063e6f730828a59621dac2aa575cd1a618723b0ad7823ef3ec4/analysis
Patched sample:
virustotal.com/en/file/59bba7a104592a31e6ccd062da8d2e1b226de19e5c4ea2d4416b328068bb7081/analysis/1486627142
Stage #1 unpacked:
virustotal.com/en/file/7d3b38d67d15e79799fe614d57520c6de81d260ce8701ca16e7d64b7c80732f4/analysis/1486627158
Stage #2 unpacked:
virustotal.com/en/file/cc59ecd59719f464a6d0e69c895c742334d40f50c41d59b5eaa51ba7c561b2b5/analysis/1486627173
Final payload:
virustotal.com/en/file/275f927f5cc809ebba57c6e766c550d2d27b1841708459a876c6f5a99201ecb6/analysis/1486627182
We are always looking for feedback, what did you like, what do you want to see more of, what do you want to see us analyze next? Let us know on twitter:
twitter.com/herrcore
twitter.com/seanmw
As always check out our tools, tutorials and more content over at http://www.openanalysis.net/.
![What The Security Industry Should Know About Reverse Engineering [ Reverse Engineering AMA ]](https://i.ytimg.com/vi/SffxAVWmbk4/hqdefault.jpg "What The Security Industry Should Know About Reverse Engineering [ Reverse Engineering AMA ]
What is one thing you wish your peers in the security industry knew about reverse engineering?
Big thanks to all the reverse engineers who helped us put this together!
Rattle (Jesko)
https://twitter.com/huettenhain
https://github.com/binref/refinery
Jordan (psifertex)
https://twitter.com/psifertex
https://binary.ninja/
Karsten
https://twitter.com/struppigel
https://www.youtube.com/c/MalwareAnalysisForHedgehogs
Drakonia
https://twitter.com/dr4k0nia
https://dr4k0nia.github.io/
C3rb3ru5
https://twitter.com/c3rb3ru5d3d53c
https://c3rb3ru5d3d53c.github.io/
Josh
https://twitter.com/jershmagersh
https://pwnage.io/
Dodo
https://twitter.com/dodo_sec
https://github.com/dodo-sec
Washi
https://twitter.com/washi_dev
https://washi.dev/
OALABS PATREON
https://www.patreon.com/oalabs
OALABS DISCORD
https://discord.gg/6h5Bh5AMDU
Twitch
https://www.twitch.tv/oalabslive
OALABS GITHUB
https://github.com/OALabs
UNPACME - AUTOMATED MALWARE UNPACKING
https://www.unpac.me/#/")
![Control Flow Flattening Obfuscation Explained Practically [ Twitch Clip ]](https://i.ytimg.com/vi/SulC2l1Dvbo/hqdefault.jpg "Control Flow Flattening Obfuscation Explained Practically [ Twitch Clip ]
Twitch Clip - A practical explanation of control flow flattening obfuscation linking the concept to actual code in IDA Pro. See more on https://www.patreon.com/oalabs
OALABS DISCORD
https://discord.gg/6h5Bh5AMDU
OALABS PATREON
https://www.patreon.com/oalabs
Twitch
https://www.twitch.tv/oalabslive
OALABS GITHUB
https://github.com/OALabs
UNPACME - AUTOMATED MALWARE UNPACKING
https://www.unpac.me/#/
Research notes with Deobfuscation code for IDA Pro and Dumpulator: https://research.openanalysis.net/pandora/ransomware/malware/unpacking/dumpulator/emulation/2022/03/19/pandora_ransomware.html
Sample: 5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b")
![Direct vs. Indirect Syscalls What Is All The HYPE?! [OALABS Call-In Show]](https://i.ytimg.com/vi/W2SeruUxhDs/hqdefault.jpg "Direct vs. Indirect Syscalls What Is All The HYPE?! [OALABS Call-In Show]
Our live discord call-in show debates! Are indirect syscalls even required? What are they and how are they used?! What are EDR vendors doing to detect them and why you might care....
OALABS PATREON
https://www.patreon.com/oalabs
OALABS DISCORD
https://discord.gg/6h5Bh5AMDU
Twitch
https://www.twitch.tv/oalabslive
OALABS GITHUB
https://github.com/OALabs
UNPACME - AUTOMATED MALWARE UNPACKING
https://www.unpac.me/#/")
![Retroactive Malware Hunting [ Twitch Clip ]](https://i.ytimg.com/vi/W601GBVZeC8/hqdefault.jpg "Retroactive Malware Hunting [ Twitch Clip ]
How do you retroactively track the evolution of a malware family? What tools do you use? How do you find samples? These questions answered in this Twitch clip!
See more actual reverse engineering on... https://www.patreon.com/oalabs
OALABS PATREON
https://www.patreon.com/oalabs
OALABS DISCORD
https://discord.gg/6h5Bh5AMDU
Twitch
https://www.twitch.tv/oalabslive
OALABS GITHUB
https://github.com/OALabs
UNPACME - AUTOMATED MALWARE UNPACKING
https://www.unpac.me/#/")
![Setup IDA Pro Type Libraries For Windows Malware Analysis [ Patreon Unlocked ]](https://i.ytimg.com/vi/WW2rJK9Fhlc/hqdefault.jpg "Setup IDA Pro Type Libraries For Windows Malware Analysis [ Patreon Unlocked ]
How to setup IDA Pro type libraries for analysis of windows malware. Subscribe for more tips: https://www.patreon.com/oalabs
OALABS DISCORD
https://discord.gg/6h5Bh5AMDU
OALABS PATREON
https://www.patreon.com/oalabs
Twitch
https://www.twitch.tv/oalabslive
OALABS GITHUB
https://github.com/OALabs
UNPACME - AUTOMATED MALWARE UNPACKING
https://www.unpac.me/#/")
