IDA Pro Malware Analysis Tips

Views: 114,289

OALabs

1 day ago

Open Analysis Live! A few tips and tricks to help you analyze malware with IDA Pro.
-----
OALABS DISCORD
/ discord
OALABS PATREON
/ oalabs
OALABS TIP JAR
ko-fi.com/oalabs
OALABS GITHUB
github.com/OALabs
UNPACME - AUTOMATED MALWARE UNPACKING
www.unpac.me/#/
-----
PE Mapped Virtual Address vs. Offset In Binary File: 02:55
IDA Pro Layout Tips: 05:10
Dynamically Resolving APIs: 08:10
IDA Pro Remote Debugger Setup and Use: 09:06
Walking Call Chain From Hooked API Back To Malware: 22:59
Using Memory Snapshots To Unpack Malware (Quick Unpacking): 40:07
Win32 API Calls and The Stack (How To Change Arguments On The Fly): 46:28
IDA Pro Remote Debugger (Debugging a DLL): 01:16:32
PE basics including how a PE is mapped in memory:
www.delphibasics.info/home/del...
www.delphibasics.info/home/del...
Link to the most excellent IDA Pro book:
www.nostarch.com/idapro2.htm
Microsoft calling conventions:
msdn.microsoft.com/en-us/libr...
RegTestUPX1.exe (benign demo application, safe to run):
www.virustotal.com/en/file/31...
final_unmapped.dll (DLL demo; WARNING: REAL MALWARE, ONLY RUN IN A VM):
www.virustotal.com/en/file/27...
We are always looking for feedback, what did you like, what do you want to see more of, what do you want to see us analyze next? Let us know on twitter:
/ herrcore
/ seanmw
As always check out our tools, tutorials, and more content over at www.openanalysis.net
#IDAPro #ReverseEngineering #MalwareAnalysis

Comments: 110
@simpleman8556 6 years ago
Thank you man :-) Really happy that I found your channel :-)
@breadbaconcheese 5 years ago
Just wanna say thanks a lot for this vid. I really learnt a lot from your practical tips: the IDA/debugger DLL base address offsetting, explanations on breakpoint at ordinal vs. DLL entry point, etc. Legit droppin' gold nugs!
@QQ-xx7mo 5 years ago
Thank you so much for everything, I'm learning a lot from your videos.
@lanr3356 4 years ago
I loved the tutorial. Thank you very much for your time and effort to bring it to us.
@eamonnryan4092 6 years ago
Excellent video, thanks for making!
@simpleman8556 6 years ago
Your unpacking technique is saving me a lot of time every day :)
@OALABS 6 years ago
That's awesome to hear! Thanks!
@muffinberg7960 3 years ago
Awesome video. Really enjoyed watching it.
@binaryteam5448 6 months ago
Awesome video, love it. Can't wait till you get into kernel. So detailed, I'm going to be watching your videos all day 😊😊
@rayray1999100 2 years ago
I really appreciate this man!
@Marselmarsemars 4 years ago
Very useful video, made a lot of bookmarks.
@arunp9703 6 years ago
This is awesome man... keep posting.
@user-yc2ry2uz4h 2 years ago
The best IDA tutorial I've ever seen. Cool.
@andylockhart257 6 years ago
Truly epic tutorial! Kudos guys. This is THE best IDA/Malware tutorial I have seen on the net. You guys surpass all! BTW, did you know that if you place your cursor somewhere and press F4 it will run until that point? This works in most other debuggers and removes the need to manually set and remove breakpoints :) Also in the last exercise you guys are reversing a DLL. If you simply use View->Open subviews->Functions you should be able to see 'DllEntryPoint' and therefore need not calculate DLL rebasing. Good practice though :) Stellar guys... just awesome :) More tutorials pls! I have learnt so much.
@OALABS 6 years ago
Hey thanks so much! And thanks for the tips! I'm always excited to learn a new trick with IDA : )
@lougvar 2 years ago
Amazing! Thanks!
@diegocracker 3 years ago
The best of the trainings, because I do malware analysis and learned a lot from these theoretical and practical videos. Thanks.
@OALABS 3 years ago
Thank you very much!
@rocketsurgeon7057 2 years ago
Excellent. Give us more.
@OALABS 2 years ago
Moar you shall have! Check us out on Twitch too www.twitch.tv/oalabslive
@og46829 3 years ago
You're awesome! Thank you for your time, efforts and knowledge :) Can you please make a video in which you make something like a long-term roadmap for beginners to learn malware analysis?
@OALABS 3 years ago
This is a great suggestion and it has been a long-term goal of ours, but it is a big project that we don't want to tackle until UnpacMe is fully stable and doesn't take as much of our time.
@ReubenSammut 6 years ago
First of all, great tutorial. Just getting into malware analysis (currently reading Practical Malware Analysis) and your tutorials are some of the best I've seen so far. Just a question regarding setting breakpoints after taking memory snapshots (I'm not sure it really makes sense). If ASLR is turned off, shouldn't the base of the exe + stack, heap and libraries be mapped to the same locations in memory, hence allowing you to keep the breakpoints from one run to the other after unpacking?
@OALABS 6 years ago
Thank you, and good point! So you may notice that the PE and DLLs do reload in the same location, which makes things easier, but I often switch debugging environments so it's a habit not to rely on this. Also, just to clarify, the memory snapshot only decorates your IDB; it does not reflect the actual debug environment (i.e. if you take a snapshot with one debug host and switch to another, IDA won't arrange the debug environment to match the snapshot). It is not like a VM snapshot. So if you place breakpoints in the snapshot you cannot rely on them being placed accurately at debug time. I know that was not your question, I just wanted to clarify for anyone who may be confused.
@StefanRothenbuehler 4 years ago
Great tutorial. I have a similar setup for remote debugging. Is there a particular reason why you don't just leave the path for the remote program to debug as it is? They lie in the same folder on the same shared folder (same drive letter mapped Z:) on both VMs. This is how I do it. I just thought there might be a reason other than to explain the concept why you don't just leave the path as it is. Keep up your great work! Really enjoy it.
@OALABS 4 years ago
That would probably be easier haha! I don't really have a good explanation, except this is just the way I started doing it. I'll try your method though, seems like it would save some potential confusion. Thanks for the tip : )
@EnduranceT 6 years ago
This is awesome. Thanks so much! Please cover some more unpacking techniques for advanced packers; not a lot of good content in English on this and the tuts4you stuff is old and often unreliable. Thanks again!!!! Awesome video!!!! Subscribed/Liked!
@OALABS 6 years ago
Thanks so much! We can definitely put out some more unpacking-focused videos. I also highly recommend the unpacking tutorials from MalwareAnalysisForHedgehogs kzfaq.info/get/bejne/bqepgJWd1OCXcYk.html and the unpacking video series from Hasherezade kzfaq.info/get/bejne/jK1_mr1ip764gnk.html. I learned a ton from both of them : )
@LolloLong 4 years ago
Great tutorial
@OALABS 4 years ago
Thanks : )
@Jakob6174 4 years ago
What was the plugin you had installed that caused the crash? I have the same problem. Also, this is a fantastic tutorial, I really needed something like this to supplement while reading the IDA Pro book, so thanks a bunch.
@nullnull6032 3 years ago
That is useful, here is a sub :D
@joppezorro4360 2 years ago
Very good tutorial. Interesting observation though. In my setup I run two virtual Win10 64-bit machines. Then the API call (OpenKeyExW) goes to kernelbase and not advapi32. IDA says advapi32 but if you follow the execution you will see that it goes to kernelbase.
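Whichever module the breakpoint actually lands in (on current Windows the registry APIs are implemented in kernelbase, with advapi32 exporting thin stubs), the stack layout at the first instruction of a stdcall Win32 API is the same, and that layout is what the "Win32 API Calls and The Stack" and "Walking Call Chain From Hooked API Back To Malware" chapters rely on. The following is an added example, not OALabs' code: it models a constructed debuggee snapshot (the `Memory` class, every address, the subkey string and the stack frames are made up for the demo) with RegOpenKeyExW's arguments on the stack, decodes the arguments from ESP, changes `samDesired` and `lpSubKey` in place before the API runs, and walks the saved-EBP chain from the hooked API back to the first return address inside the malware image.

```python
import struct

# Well-known Win32 values from the SDK headers.
HKEY_LOCAL_MACHINE = 0x80000002
KEY_ALL_ACCESS = 0x000F003F
KEY_READ = 0x00020019

# RegOpenKeyExW(HKEY hKey, LPCWSTR lpSubKey, DWORD ulOptions, REGSAM samDesired, PHKEY phkResult)
REGOPENKEYEXW_ARGS = ["hKey", "lpSubKey", "ulOptions", "samDesired", "phkResult"]


class Memory:
    """Sparse little-endian memory standing in for the debuggee (constructed for this example)."""

    def __init__(self):
        self.regions = {}  # base address -> bytearray

    def map(self, base, size):
        self.regions[base] = bytearray(size)

    def _locate(self, addr, n):
        for base, buf in self.regions.items():
            if base <= addr and addr + n <= base + len(buf):
                return buf, addr - base
        raise ValueError(f"unmapped address {addr:#010x}")

    def read(self, addr, n):
        buf, off = self._locate(addr, n)
        return bytes(buf[off:off + n])

    def write(self, addr, data):
        buf, off = self._locate(addr, len(data))
        buf[off:off + len(data)] = data

    def read_dword(self, addr):
        return struct.unpack("<I", self.read(addr, 4))[0]

    def write_dword(self, addr, value):
        self.write(addr, struct.pack("<I", value & 0xFFFFFFFF))

    def read_wstr(self, addr, max_chars=260):
        """Read a NUL-terminated UTF-16LE string, as you would for an LPCWSTR argument."""
        raw = b""
        for i in range(max_chars):
            ch = self.read(addr + 2 * i, 2)
            if ch == b"\0\0":
                break
            raw += ch
        return raw.decode("utf-16-le")


def read_stdcall_args(mem, esp, names):
    """At the first instruction of an x86 stdcall (or cdecl) function [esp] holds the return
    address and the arguments sit above it left-to-right: [esp+4], [esp+8], ..."""
    return {name: mem.read_dword(esp + 4 * (i + 1)) for i, name in enumerate(names)}


def set_stdcall_arg(mem, esp, names, name, value):
    """Overwrite one argument slot in place, i.e. change the argument before the API runs."""
    mem.write_dword(esp + 4 * (names.index(name) + 1), value)


def redirect_subkey(mem, esp, new_subkey, scratch):
    """Point lpSubKey at a replacement string written to a scratch address we control."""
    mem.write(scratch, new_subkey.encode("utf-16-le") + b"\0\0")
    set_stdcall_arg(mem, esp, REGOPENKEYEXW_ARGS, "lpSubKey", scratch)


def walk_frames(mem, esp, ebp, in_target, max_frames=16):
    """Return addresses from the API entry back to the first one inside the target module:
    [esp] is the immediate caller, then each frame's [ebp+4] until in_target() is true.
    Relies on EBP-based frames; an FPO/optimised frame in between breaks the chain."""
    chain = [mem.read_dword(esp)]
    while len(chain) < max_frames and not in_target(chain[-1]) and ebp != 0:
        chain.append(mem.read_dword(ebp + 4))
        ebp = mem.read_dword(ebp)
    return chain


def build_scenario():
    """Constructed snapshot: a hypothetical malware image at 0x400000 calls RegOpenKeyExW
    through a hypothetical system DLL stub; nothing here comes from a real sample."""
    mem = Memory()
    mem.map(0x00400000, 0x3000)    # hypothetical malware image
    mem.map(0x75A00000, 0x1000)    # hypothetical system DLL that re-dispatches the call
    mem.map(0x0019F000, 0x1000)    # thread stack
    mem.write(0x00402000, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le") + b"\0\0")
    esp, ebp = 0x0019F700, 0x0019F720
    for i, v in enumerate([0x75A00123,                       # return address into the DLL stub
                           HKEY_LOCAL_MACHINE, 0x00402000, 0, KEY_ALL_ACCESS, 0x0019F800]):
        mem.write_dword(esp + 4 * i, v)
    mem.write_dword(ebp, 0x0019F760)       # stub's saved EBP -> malware's frame
    mem.write_dword(ebp + 4, 0x00401337)   # stub returns into the malware
    mem.write_dword(0x0019F760, 0)         # malware's frame: end of chain
    mem.write_dword(0x0019F764, 0x004010A0)
    return mem, esp, ebp


def in_malware(addr):
    return 0x00400000 <= addr < 0x00403000
```

The frame walk only works while every function between the API and the malware keeps an EBP frame; when a system DLL in the chain was built with frame-pointer omission the chain stops early and you fall back to scanning the stack for values that point into the malware image. Either way, the argument slots are found from ESP alone, so rewriting `samDesired` or the `lpSubKey` pointer at the API's first instruction does not depend on frames at all.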
@mozark1043 5 years ago
Hey, great tutorial packed with info. Recommend breaking up the sections in the future for quick access (or have quick nav buttons at the start). Any chance you could cover a "get IDA Pro set up with IDAPython on Windows" tutorial? The IDAPython book assumes it's already installed and online resources are scarce. EDIT: Never mind, apparently the free version doesn't support IDAPython.
@OALABS 5 years ago
Hey, glad you enjoyed the tutorial! If you expand the description below the video you will see the quick links you are looking for : )
@alyagomaa5101 4 years ago
Thank you
@jackz4665 4 years ago
Wow man, you explain things so easily. You kinda spend some time talking about something you are focusing on which is not really relevant, but this is the best way to explain something. You could've turned this video into 45 minutes instead of 1:30, but without your deep explanations on how you think about things it would've been really hard to grasp. Thank you.
@malware_reverse 5 years ago
Great video guys. I really learned a lot from it, especially debugging a DLL. One question: could you guys do a demo video for debugging a DLL that contains a ServiceMain function and runs as a service? It is hard for me to find an effective way to debug it using IDA. Thank you so much!
@OALABS 5 years ago
Hey, that's a great idea! I'll add it to the list. If you know of any malware that installs itself as a service can you send it our way? Thanks!
@malware_reverse 5 years ago
@OALABS Thank you! I tried to learn how to debug a DLL ServiceMain. Found one: www.virustotal.com/#/file/1b3c22ad57d48674e3cad45794daa6e08edad45ad7a1d1c2ac871e1ff2043a88/details
@Leonardo47565 1 year ago
Hello, thanks for the awesome video. I'm having some trouble with the step taken around 34:00 where you see ntdll.dll exports. My IDA (which is the free version) says "module 'ntdll.dll' has no names" (and also I can see only ntdll32.dll and ntdll.dll, but NOT C:\Windows\System32\ntdll.dll).
@nikhilt3755 5 years ago
18:45 are you referring to a stack buffer overflow? Where we can use pop pop ... return in order to execute shellcode?
@OALABS 5 years ago
No, I'm referring to a control flow obfuscation technique where the address of a hidden function is pushed onto the stack and then ret is called to redirect program flow to that function. This is a common technique used in packers which makes static analysis difficult and can also be tricky when debugging.
@nikhilt3755 5 years ago
@OALABS Nice, and tq
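The push/ret redirection described in the reply above is simple enough to recognise in raw bytes. The following is an added example, not OALabs' code: a scanner for the back-to-back `push imm32 ; ret` (and `ret imm16`) form over a constructed packer stub (`DEMO_STUB`, `DEMO_BASE` and the target address are made up for the demo), plus a patcher that rewrites each hit into an equivalent `jmp rel32` padded with `nop` so a static disassembly follows the edge to the hidden function.

```python
import struct

PUSH_IMM32 = 0x68   # push imm32
RET = 0xC3          # ret
RET_IMM16 = 0xC2    # ret imm16 (same redirection, also pops imm16 bytes of arguments)

# Constructed stub for the demo: function prologue, then push 0x401500 ; ret, then padding.
DEMO_BASE = 0x00401000
DEMO_STUB = (b"\x55\x8B\xEC"                               # push ebp ; mov ebp, esp
             + b"\x68" + struct.pack("<I", 0x00401500)      # push 0x401500
             + b"\xC3"                                      # ret -> execution continues at 0x401500
             + b"\x90\x90")                                 # nop ; nop


def find_push_ret(code, base):
    """Scan raw x86 bytes loaded at `base` for 'push imm32' immediately followed by 'ret' or
    'ret imm16'. Returns (address of the push, pushed target, idiom length) tuples. Only the
    adjacent form is matched; a packer that interleaves junk between the push and the ret,
    or builds the target in a register first, needs a real disassembler or the debugger."""
    hits = []
    i = 0
    while i + 6 <= len(code):
        if code[i] == PUSH_IMM32:
            target = struct.unpack_from("<I", code, i + 1)[0]
            nxt = code[i + 5]
            if nxt == RET:
                hits.append((base + i, target, 6))
                i += 6
                continue
            if nxt == RET_IMM16 and i + 8 <= len(code):
                hits.append((base + i, target, 8))
                i += 8
                continue
        i += 1
    return hits


def rewrite_as_jmp(code, base, hits):
    """Patch each push/ret into 'jmp rel32' followed by nops so the control-flow edge is
    explicit for static analysis. rel32 is relative to the end of the 5-byte jmp and
    wraps modulo 2**32, which is how the CPU computes it too."""
    patched = bytearray(code)
    for addr, target, n in hits:
        off = addr - base
        rel = (target - (addr + 5)) & 0xFFFFFFFF
        patched[off:off + n] = b"\xE9" + struct.pack("<I", rel) + b"\x90" * (n - 5)
    return bytes(patched)
```

The linear scan is deliberately naive: 0x68 also occurs inside other instructions and in data, so treat hits as candidates to confirm by single-stepping the `ret` in the debugger rather than as ground truth. The patch is a static-analysis convenience for a dumped copy; it changes nothing about what the running packer does.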
@satya_dau 5 years ago
Hi, nice tutorial. But I am facing an issue here. I was following some tutorials on IDA and couldn't figure out why my IDA doesn't recognize any local variables when I launch any executable. Can anyone help me here?
@redpillcommando 4 years ago
Thank you for this tutorial. Once I have finished watching it and working through the examples, I will return to my lab and plan for tomorrow night, when I will try to take over the WORLD! To save it from the REAL super villains. :-)
@papusa9878 3 years ago
Nice
@akiraperera9574 1 year ago
Hi, in the structures part of IDA, is there a way to display all values of one value in a list? Thanks.
@OALABS 1 year ago
I don't know what you are asking, but you have asked it twice on two different videos so A+ for motivation! Join our Discord and maybe we can figure it out together?
@LaurentLaborde 3 years ago
Ctrl-G in the instruction trace window is black magic
@LaurentLaborde 3 years ago
I congratulate myself for this comment because I already forgot what it's doing :D
@LaurentLaborde 3 years ago
Twice now :D I keep watching this video every few months and I still learn from it :)
@alyagomaa5101 4 years ago
Do you have any idea how to get IDA's decompiler to show arr[i] instead of *(i + arr)?
@OALABS 4 years ago
Yes, you will have to define the var "arr" as a struct. We cover this in detail in our reversing C++ tutorial kzfaq.info/get/bejne/pZN2eap60dXcpnk.html
@willsmith798 3 years ago
Hello, I am not able to locate the file at the link you listed. Is there any new updated version of the link?
@syedalizainnaqvi9450 3 years ago
Hi. Can you make a course or videos on understanding assembly for malware analysis? This is where I am stuck.
@pentesterdgb6858 6 years ago
What version of IDA Pro is this? I am not seeing any option for remote debugging in the UI for the 5.0 freeware version.
@OALABS 6 years ago
Unfortunately I don't think the free version of IDA comes with the remote debugger, but I think it has a local debugger that you can use. With the freeware version there is no problem using the local debugger on the same VM as IDA since there is no license that could be stolen by the malware.
@JohnSmith-mf3dq 2 years ago
Thanks buddy for the video. You ever used capa explorer with IDA Pro?
@OALABS 2 years ago
Yeh, just released a video on it: kzfaq.info/get/bejne/psxydJmqmbywp4E.html
@markmanning2921 2 months ago
You spend a great deal of time explaining what you are not going to be explaining instead of explaining all the things you ARE going to be explaining.
@OALABS 2 months ago
This would have been very helpful advice 6 years ago!
@chaitanyabhojane498 1 year ago
Where are the demo files guys? I can't find them. I want to go through by practising on my side too!
@tugelek9678 2 years ago
Thanks, it works
@000maestro000 6 years ago
This is such a great tutorial. I wonder if you can share some knowledge about IDA scripting; I am recently getting into it but finding it kinda cryptic.
@OALABS 6 years ago
Hi Dan, we can definitely cover some IDA scripting in our upcoming videos... in the meantime I highly recommend The Beginner's Guide to IDAPython from Alex Hanel, it's amazing and has tons of great examples leanpub.com/IDAPython-Book
@LaurentLaborde 3 years ago
I watch this one on a regular basis.
@iwanpon_pon3062 2 years ago
How to edit the file so if there is a hidden command?
@vladimirchudyk995 3 years ago
At 4:50 you say if the virtual offset happened to be the real physical offset of the binary then the binary would be very "large". What do you mean exactly? Do you mean the binary would occupy a lot of real physical memory space?
@OALABS 3 years ago
Oh haha yeh, it would be a huge file if those were the offsets. When the binary is loaded in memory it is loaded with a base address of 0x400000 for exes and 0x10000000 for DLLs. So if this was a file on disk the size would be + 0x400000 bytes.
@vladimirchudyk995 3 years ago
@OALABS Thanks for the response! I watched the whole video and really enjoyed it. The only downside to it was when you preferred not to explain further concepts as that would have made the video at least 4 hours long ;)
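The 4:50 question above (virtual address vs. offset in the binary file, the first chapter in the description) is the one place where a worked mapping helps. The following is an added example, not OALabs' code: it builds a constructed PE32 header with three sections (`build_demo_pe`; the section table, image base and the `HELLO` marker are made up for the demo, nothing here is from the video's samples), then converts between RVA, virtual address and file offset with nothing but `struct`, the same arithmetic IDA performs when it maps the file. The virtual address IDA shows is ImageBase + RVA; the file stores RVAs and a section table, so the image base never contributes to the file size. It also covers the case a practitioner trips over when jumping from a debugger address to the file: an RVA inside a section's VirtualSize but past its SizeOfRawData (uninitialized data) has no file offset at all.

```python
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D   # "MZ"
IMAGE_NT_SIGNATURE = 0x4550    # "PE\0\0"
SECTION_HEADER_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def build_demo_pe():
    """Constructed PE32 header (not a real sample) with three sections: .text and .rdata
    have bytes on disk, .bss has a VirtualSize but no raw data. Returns the file image."""
    image_base = 0x400000
    # (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)
    sections = [
        (b".text",  0x1000, 0x0800, 0x0400, 0x0800),
        (b".rdata", 0x2000, 0x0300, 0x0C00, 0x0400),
        (b".bss",   0x3000, 0x1000, 0x0000, 0x0000),
    ]
    dos = bytearray(0x40)
    struct.pack_into("<H", dos, 0x00, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew
    # IMAGE_FILE_HEADER: Machine=i386, NumberOfSections, ..., SizeOfOptionalHeader=224
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                           # IMAGE_OPTIONAL_HEADER32
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<III", opt, 28, image_base, 0x1000, 0x200)   # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 60, 0x400)                         # SizeOfHeaders
    hdr = bytes(dos) + struct.pack("<I", IMAGE_NT_SIGNATURE) + coff + bytes(opt)
    for name, va, vsize, raw_ptr, raw_size in sections:
        hdr += struct.pack(SECTION_HEADER_FMT, name.ljust(8, b"\0"), vsize, va,
                           raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    image = bytearray(hdr.ljust(0x1000, b"\0"))   # all raw data fits in 4 KiB
    image[0x410:0x415] = b"HELLO"                 # marker at file offset 0x410 (.text + 0x10)
    return bytes(image)


def parse_pe(data):
    """Read ImageBase, SizeOfHeaders and the section table straight from the headers."""
    if struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                   # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                 # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    sections = []
    for i in range(nsections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw_ptr": raw_ptr, "raw_size": raw_size})
    return {"image_base": image_base, "size_of_headers": size_of_headers, "sections": sections}


def rva_to_offset(data, rva):
    """File offset of the byte mapped at RVA, or None when that RVA has no bytes on disk
    (uninitialized data, or an address outside every section)."""
    pe = parse_pe(data)
    if rva < pe["size_of_headers"]:                      # headers are mapped 1:1 at the image base
        return rva
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            delta = rva - s["va"]
            return s["raw_ptr"] + delta if delta < s["raw_size"] else None
    return None


def offset_to_rva(data, offset):
    """Inverse mapping: the RVA a file offset is loaded at (None for bytes no section maps)."""
    pe = parse_pe(data)
    for s in pe["sections"]:
        if s["raw_size"] and s["raw_ptr"] <= offset < s["raw_ptr"] + s["raw_size"]:
            return s["va"] + (offset - s["raw_ptr"])
    if offset < pe["size_of_headers"]:
        return offset
    return None


def va_to_offset(data, va):
    """Virtual address as IDA shows it (ImageBase + RVA) -> file offset."""
    return rva_to_offset(data, va - parse_pe(data)["image_base"])


def offset_to_va(data, offset):
    rva = offset_to_rva(data, offset)
    return None if rva is None else parse_pe(data)["image_base"] + rva
```

When the sample has been rebased in the debugger (ASLR, or a DLL that did not get its preferred 0x10000000), subtract the actual load address instead of the header's ImageBase before calling `rva_to_offset`; the RVA and the section table are what stay constant.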
@AbacateSexy 4 years ago
Just found out about your channel. You are great! Are you still active though? Been 2 months since you posted a video :c
@OALABS 4 years ago
Yes! We are still here : ) We have a few tutorials we are working on but we have just been very busy releasing features for www.unpac.me/
@AbacateSexy 4 years ago
@OALABS Awesome! Very interesting project! I saw you did a video on the IcedId malware, but before I watch malware analysis videos I always try to do it myself first and see how I did, and I'm having a bit of difficulty figuring out/unpacking the sample! Haha. But keep up the good work! You are helping lots of people out there!
@sportshome6504 2 years ago
Where can I get the sample of the malware?
@OALABS 2 years ago
You can download them from malshare here: malshare.com/sample.php?action=detail&hash=7f0fdddf5905886532c8a652abed1b6c malshare.com/sample.php?action=detail&hash=90aff54cf69ad647eec925f361a34798
@sportshome6504 2 years ago
@OALABS Thank You Sire
@shinvipo 2 years ago
Are you using Mac OS?
@OALABS 2 years ago
Yes, MacOS as my host with a Windows VM.
@albaniaiptv8335 4 years ago
When I want to mod syntax for ARM, this warning pops up: Sorry, this processor module doesn't support the assembler.
@jaydev8148 6 years ago
Bro, from where can I download the demo app?
@OALABS 6 years ago
Oh, sorry about that. You can create a free account on malshare and download it there malshare.com/sample.php?action=detail&hash=90aff54cf69ad647eec925f361a34798
@dirtbikersteve 6 years ago
Please use sites like mega.co.nz that don't require registration.
@DL-bp7jp 5 years ago
Hi, I am trying to download the sample files (I'm quite new to IDA...) and end up downloading a file called: 90aff54cf69ad647eec925f361a34798. Where can I find the real sample files?
@OALABS 5 years ago
You can create a free account on malshare and download the sample from there: malshare.com/sample.php?action=detail&hash=90aff54cf69ad647eec925f361a34798
@DL-bp7jp 5 years ago
OK, I got the files and loaded them into IDA Pro 7. When I check the imports tab it is empty for the exe sample. Any idea why?
@redpillcommando 4 years ago
@OALABS I too am having a bit of trouble finding the exe file. All I got is a .rsrc folder and three other files. I come from a UNIX background, never did a lot of work with Windows. What am I missing?
@DL-bp7jp 5 years ago
Hi, can you share a new download link to the tutorial files?
@OALABS 5 years ago
You can download them from malshare here: malshare.com/sample.php?action=detail&hash=7f0fdddf5905886532c8a652abed1b6c malshare.com/sample.php?action=detail&hash=90aff54cf69ad647eec925f361a34798
@zeuscybersec659 3 years ago
Amazing content!! I have a YouTube channel too and I will be starting reverse engineering after I finish Black Hat Python, which I am currently reading. Will appreciate if you can tell me some good resources to get started in reverse engineering and malware analysis. How is the book Secrets of Reverse Engineering? Also I would be privileged to have you on my channel for a cybertalk someday ❤️
@utayasurian419 4 years ago
How to hide a flag in a malware like most CTFs?
@helbegh3370 5 years ago
\Sessions\1\BaseNamedObjects\39226fe8-e227-494b-a788-8a992c14d8fe
@Mezzosd 5 years ago
How to download IDA Pro?
@OALABS 5 years ago
You can download the freeware version here www.hex-rays.com/products/ida/support/download_freeware.shtml. Or if you want to purchase it and use the full feature set we have displayed here you can use this www.hex-rays.com/products/ida/order.shtml
@nz9273 4 years ago
Hi, I am having a problem downloading the tutorial files from the link that you provided in the description as I couldn't find the download button. I would like to recreate your steps so that I could understand, as I have a unit that is related to this. Thanks.
@redzaizudin6231 4 years ago
malshare.com/sample.php?action=detail&hash=7f0fdddf5905886532c8a652abed1b6c malshare.com/sample.php?action=detail&hash=90aff54cf69ad647eec925f361a34798
@hS-fx7hr 6 years ago
Hi, a great tutorial, thank you. Make the voice louder.
@OALABS 6 years ago
Thanks! About the audio: our editing skills are slowly improving... audio should be mostly fixed on our newer videos : )
@RileyPorter 5 years ago
OALabs, don't rename the function pointers... Use the renimp.idc that comes with IDA Pro. It will AUTO populate the IDB with the parameter names as well.
@OALABS 5 years ago
Nice tip! Thanks!
@saultube44 2 years ago
Note: every 0x100000 = 1 MB
@georgesanderson918 2 years ago
33:02
@bilgenebrudisbudak5288 3 years ago
Dude what is that
@metaorior 3 years ago
Dude I got win32.pioneer, I can't get rid of this shit
@OALABS 2 years ago
Best free source for malware removal help: www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-help/