WinDbg Basics for Malware Analysis

Views: 58,844

OALabs

days ago

In this tutorial we cover the basics of debugging malware with WinDbg.
-----
OALABS DISCORD
/ discord
OALABS PATREON
/ oalabs
OALABS TIP JAR
ko-fi.com/oalabs
OALABS GITHUB
github.com/OALabs
UNPACME - AUTOMATED MALWARE UNPACKING
www.unpac.me/#/
-----
Tutorial Bookmarks:
3:12 WinDbg workspace layout
13:00 downloading and importing symbols
17:10 basic commands
25:40 unpacking live malware with WinDbg
WinDbg Cheat Sheet and Tutorial Notes:
oalabs.openanalysis.net/2019/...
Huge thank you to Josh... follow him on Twitter for lots of great Reverse Engineering content!
/ jershmagersh
TLD Malware:
SHA256: 1be4cbc9f9b6eea7804e08df92cff7453aa72f0bb862b0fb8f118c5e3ffdaad6
www.malware-traffic-analysis....
Josh’s talk on TLD Malware:
• Mo` Monero Mo` Problem...
Feedback, questions, and suggestions are always welcome : )
Sergei / herrcore
Sean / seanmw
As always check out our tools, tutorials, and more content over at www.openanalysis.net
#WinDbg #ReverseEngineering #Tutorial

Comments: 56
@mmelt (5 years ago)
This is a brilliant resource - quite amazing how far debugging has come since my W32Disasm days
@manuelberrueta (5 years ago)
Hey guys, great helpful video. I am definitely interested in seeing more!
@SourceCodeDeleted (5 years ago)
Yes more on this please! Kernel debugging would be awesome!
@Kaplan0644 (5 years ago)
This was a great tutorial. I really liked how you give little explanations for some concepts, it is really beginner-friendly and easy to follow. I would definitely like to see more about windbg. Thank you for the videos.
@OALABS (5 years ago)
Thanks for the feedback! I wasn't sure if those cuts were going to be annoying or informative... sounds like the latter though so I'll keep doing them : )
@breadbaconcheese (5 years ago)
I agree, the little explanations are one of the key reasons why I love OALabs.
@nasmRE (5 years ago)
The new version of WinDbg is so nice, I don't know if you saw it... Good video!!
@eliwhalen604 (5 years ago)
Awesome! Gonna go through this right now 👍
@marcus.edmondson (5 years ago)
Awesome video as usual!
@Ivo-- (5 years ago)
Great overview, thanks!
@KANJICODER (2 years ago)
I used this tutorial back in 2020 to create a library that can get "LoadLibrary" and "GetProcAddress" without including . Not to write viruses, just to be able to write OpenGL code without having all the bloat that comes with . Reviewing this again so I can work on a header-only C file that you can run to start writing shader code. No dependencies. Just a single file. Try to make OpenGL as easy to get started with in C as it is with WebGL.
@breadbaconcheese (5 years ago)
yesssssssssssssssssssss!!!!!!!! been waiting for more oalabs!
@retrojames4226 (3 months ago)
The new WinDbg allows you to do kernel mode debugging from the host :)
@prashantuniyal2635 (2 years ago)
Was so helpful. Thanks a ton! 🙌🙌
@yangyu1250 (5 years ago)
looking forward to kernel debugging!
@dmytrieck5022 (5 years ago)
Thumbs up to bringing back Josh!
@prdpkv (3 years ago)
Good tutorial. Please upload more such videos.
@madghostek3026 (5 years ago)
I recently found out about this channel and I immediately fell in love, something I've been looking for for a long time. Also, it would be awesome to have a similar tutorial on x64dbg, I've been using it for some time but it still feels like I'm missing something (unless there's a nice tutorial already).
@OALABS (5 years ago)
Hey thanks very much! We have been thinking about doing something similar for x64dbg, stay tuned : )
@moshealon9334 (5 years ago)
Perfect!! Thank you very much! Your channel is the best for learning reverse engineering!!
@OALABS (5 years ago)
Hey thank you very much, glad you are enjoying these : ))
@cherifaly6757 (5 years ago)
Well done guys!! 🤓
@dmytrieck5022 (5 years ago)
When providing a range to the .writemem function all values are inclusive. MSDN uses as an example that writing the range 1000 - 1007 is 8 bytes long. So for this video, the range should have been 30000 - 35999 which will return the desired size of 6000. Keep up the great videos!
@joshreynolds9325 (5 years ago)
That makes sense, thanks Dmytri!
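The inclusive-range point raised in the comment above applies to every WinDbg range argument (`.writemem`, `db`, `u`, `s`, ...), not only to the dump shown in the video. The helper below is an added example written for this page, not code from the video or from the OALabs notes. It models the two ways a range is spelled in WinDbg: `start end`, where both ends are inclusive (the MSDN example `1000 1007` covers 8 bytes), and `start Lsize`, where the second token is a byte count (`L?` lifts the 256 MB limit). Numbers follow the debugger's default hex radix unless prefixed `0x` or `0n`, so 0x6000 bytes starting at 0x30000 end at 0x35fff. The dump path is a placeholder.

```python
"""Added example: WinDbg address-range arithmetic for .writemem and friends.

WinDbg ranges come in two shapes:
  * 'start end'   both ends INCLUSIVE: 1000 1007 covers 8 bytes
  * 'start Lsize' size is a byte count; 'L?size' allows > 256 MB
Literals use the default radix (hex) unless prefixed 0x (hex) or 0n (decimal).
"""
import re

# Accepts 0x-hex, 0n-decimal, or bare hex (the default radix). Backticks in
# 64-bit addresses such as 00000000`77000000 are stripped before matching.
_NUM = re.compile(r"^(0x[0-9a-f]+|0n[0-9]+|[0-9a-f]+)$", re.I)


def parse_number(text):
    """Parse a WinDbg numeric literal using the default hex radix."""
    text = text.strip().replace("`", "")
    if not _NUM.match(text):
        raise ValueError(f"not a WinDbg number: {text!r}")
    low = text.lower()
    if low.startswith("0n"):
        return int(low[2:], 10)
    if low.startswith("0x"):
        return int(low[2:], 16)
    return int(low, 16)


def range_length(range_text):
    """Byte count covered by a range as typed after .writemem, db, u, ..."""
    parts = range_text.split()
    if len(parts) != 2:
        raise ValueError("expected 'start end' or 'start Lsize'")
    start = parse_number(parts[0])
    second = parts[1]
    if second[0] in "lL":
        size_text = second[1:]
        if size_text.startswith("?"):      # L? form: same meaning, no size cap
            size_text = size_text[1:]
        size = parse_number(size_text)
    else:
        end = parse_number(second)
        if end < start:
            raise ValueError("end address precedes start address")
        size = end - start + 1             # inclusive on both ends
    if size <= 0:
        raise ValueError("range covers no bytes")
    return size


def inclusive_end(base, size):
    """Last address of a size-byte region starting at base."""
    if size <= 0:
        raise ValueError("size must be positive")
    return base + size - 1


def writemem_commands(path, base, size):
    """Two equivalent .writemem commands for the same region.

    The first uses the inclusive end address, the second the L-size form;
    both dump exactly `size` bytes starting at `base`.
    """
    return (
        f".writemem {path} {base:x} {inclusive_end(base, size):x}",
        f".writemem {path} {base:x} L{size:x}",
    )


if __name__ == "__main__":
    # Placeholder path; base/size are the values discussed in the comment.
    for cmd in writemem_commands(r"C:\dumps\unpacked.bin", 0x30000, 0x6000):
        covered = range_length(cmd.split(maxsplit=2)[2])
        print(f"{cmd}  # dumps {covered:#x} bytes")
```

When the allocation base and size come from a live session (for example `@eax` after stopping on the return of `VirtualAlloc` on x86), feeding them through `writemem_commands` gives a command whose coverage can be confirmed with `range_length` before the file is written, which avoids the off-by-one dump.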
@nicoladellino8124 (5 years ago)
Very very nice video, TNX.
@servomekanism8505 (3 years ago)
@19:00-19:02 the return address of VirtualAlloc is most likely at 7504590e and not the one being highlighted (it belongs to KERNELBASE!ResetWriteWatch). You could put an annotation there to help future viewers:) Thank you very much for your work, great video!
@0x4ndr3 (3 years ago)
True that. Another way to do it is to simply set a bp at VirtualAlloc and then running "pt" command which jumps right into the ret.
@soniatix (2 years ago)
Perfect ! Thanks !
@Cyberconman (5 years ago)
Yay!!! Kernel debugging
@OthmanAlikhan (2 years ago)
Thanks for the video =)
@ahmedrazzak5141 (5 years ago)
Love your work, I wish I had found your videos earlier, keep up the good work.
@kevk9581 (5 years ago)
Thanks for a great video. Love you babe
@RickHenderson (16 days ago)
I worked with an "experienced" coder who worked on Windows 95 and they've been calling it WindBag for years... because its name is windbg - windbag. Pretty simple really.
@OALABS (15 days ago)
None of this is true
@SourceCodeDeleted (5 years ago)
16:55 that sound. I thought something closed or broke...
@reggiewong8889 (4 years ago)
Is it possible to bp a 64-bit API from a 32-bit process? a heaven's gate thing. i was able to create a trace script using z command while monitoring the change in cs register but it takes forever.
@gregg718 (2 years ago)
Can you use WinDbg for other software programs other than Windows applications?
@PumpiPie (5 years ago)
Can you make a video on bypassing anti debug? :D
@OALABS (5 years ago)
We have already covered a generic process for identifying and bypassing anti-analysis techniques in an older video kzfaq.info/get/bejne/jdJ1a8STyJ66XWg.html but if there are some specific tricks you want to see just let us know! Maybe we could do a tutorial on setting up some plugins to do this automatically?
@malware_reverse (5 years ago)
Well done guys. Also can you guys do a .NET malware analysis? Thanks!
@inspiredbymichansenpai2393 (5 years ago)
Is .NET malware that harmful? I've never had any experience with it.
@OALABS (5 years ago)
Hey thanks for the suggestion. The reason we haven't covered .NET stuff is because there are already so many excellent .NET malware analysis tutorials over on the MalwareAnalysisForHedgehogs channel. We do get a lot of requests for this though so maybe we will do something in the future. Until then I recommend checking out these: kzfaq.info/get/bejne/hZmDYLBj06evnXk.html kzfaq.info/get/bejne/b5h3d7qiqLGVooU.html kzfaq.info/get/bejne/ZqqGZMWZ09SzqYE.html kzfaq.info/get/bejne/Z7h-lr2hp7K-eKc.html
@malware_reverse (5 years ago)
I saw some of them @inspiredbymichansenpai2393
@malware_reverse (5 years ago)
Thank you for the recommendation! Really helpful. @OALABS
@efraimg8543 (4 years ago)
Should I learn assembly before watching this video?
@HardyJap (4 years ago)
In the instruction *eb $peb+0x2 0x0*, why isn’t BeingDebugged byte at $peb+0x1? Since $peb itself ie. $peb+0x0 will be the first byte of the structure?
@HardyJap (4 years ago)
Okay that’s an array of two bytes. My bad.
@kyceshihabi18 (3 years ago)
How do I exit WinDbg? Every time I open a game, it says to exit it. Someone please help
@zeuscybersec659 (3 years ago)
Your videos are amazing, sir. I will be starting the book Secrets of Reverse Engineering soon after finishing the Black Hat Python book. I'd really appreciate it if we could do a cybertalk on my channel and you could share your side of knowledge 🙂 Any way I can get in touch with you?
@OALABS (3 years ago)
Thanks, would be happy to chat. Contact info is in the description of each video, and on our website openanalysis.net
@zeuscybersec659 (3 years ago)
@OALABS 🙂 Thanks for the quick response, sir. I unfortunately don't have a Twitter account... Can we get in touch through Discord/Instagram/LinkedIn?
@bobshields6829 (2 years ago)
Windebug? I thought it was affectionately pronounced Windbag?
@OALABS (2 years ago)
Lol, an Ionescu student I see : )
@greob (5 years ago)
And here I am, in front of my gdb prompt...
@Ivo-- (5 years ago)
I like GEF to make gdb a bit more user-friendly github.com/hugsy/gef
@newgothwhosdis (5 years ago)
Hi, I'm a liveoverflow subscriber and I wanted to give your channel some constructive criticism: upgrade your mic. This is the 1 thing that immediately pushed me away from your channel. Then I would suggest maybe zoom the part you are talking about (ie at 12:47) more often because the mouse pointer is tiny otherwise and makes following harder. Lastly the cam is appreciated but not necessary (IMO). Regardless you are one helpful source of info for the Reverse Engineers community.