We take a look at the malware Gatak which uses WriteProcessMemory and CreateRemoteThread to inject code into rundll32.exe. Many thanks to @_jsoo_ for providing the sample! Follow me on Twitter: https://twitter.com/struppigel Gatak VirusBtn article: https://www.virusbulletin.com/virusbulletin/2016/04/how-it-works-steganography-hides-malware-image-files/ Sample HA: https://www.hybrid-analysis.com/sample/638554093bfbd55f65b42eb86a9d11ecf53b678cb4e9e5ec058c0e4712189f0e?environmentId=100 Sample Any Run: https://app.any.run/tasks/80896885-8b9b-4f0f-93c1-dabc5f39577c API Monitor: http://www.rohitab.com/apimonitor Process Explorer: https://technet.microsoft.com/en-us/sysinternals/processexplorer.aspx x64dbg: http://x64dbg.com/ HxD: https://mh-nexus.de/en/hxd/
We analyse a hook injection PoC by Robert Kuster and partially fix it for Windows 7. Follow me on Twitter: @struppigel Article and PoC: https://www.codeproject
Here I demonstrate to you three (and a half!) ways to unpack malware. Malware is often packed for the purpose of anti-virus and analysis evasion, therefore it is
We write and compile our own minimal sample with a debugger check using FASM and experiment with the sample in OllyDbg. My twitter profile: https://twitter.com
Follow me on Soundcloud: https://soundcloud.com/remigallego Hacknet is a modern, super immersive terminal-driven hacking game with a fully internally-consisten
Visit https://bugcrowd.com/jackktutorials to get started in your security research career! Remember to Like, Comment and Subscribe if you enjoyed the video! A
Demo of Spectre Attack on Ubuntu, and then a Practical Malware Analysis workshop, from a WASTC conference at Cisco on Jan 4, 2018 http://www.wastc.org/events/w
I describe three ways to find or get fresh malware samples if you have no access to Virustotal or other paid accounts. As a bonus we deobfuscate a small powersh
Windows API Exploitation for Red Blue Teams: http://www.pentesteracademy.com/course?id=31
Short video demoing a sweet library called EasyHook which can be used to hook API calls on Windows. The library is fully maintained and works with x64 as well,
Fireeye made a white paper on cmd.exe command obfuscation (DOSfuscation). We deobfuscate a malware sample that uses techniques described in their paper. Dosfus
Using various Super Mario World glitches, I injected the code for Flappy Bird (code written by p4plus2). This is the first time a human has ever completed this
We write our first real exploit to get root access. Solving stack5 from exploit-exercises.com with a simple Buffer Overflow and shellcode. Run into some proble
Open Analysis Live! This is a re-post from our old site. We walk through the steps needed to unpack process injection using IDA Pro. In this first part we identi
Scott uses Process Monitor and Process Explorer to debug an interesting interaction between Google Chrome and GitHub for Windows
SANS course FOR610: Reverse-Engineering Malware has undergone a major revamp in 2017. The refreshed materials introduce new malware analysis tools, fresh sample
A quick showcase of unpacking a Locky ransomware sample. Sidenote: My fear of accidental execution is that it will encrypt the OllyDbg files which I still need
As a continuation of the “Introduction to Memory Forensics” video, we will use Volatility to analyze a Windows memory image that contains malware. We’ll first s
The injection points are based on the execution flow of the executable. Dynamic shellcode injection means that the start of the injected code does NOT occur in l
Basic Static Malware Analysis with PEview = http://wjradburn.com/software/ CFF Explorer = http://www.ntcore.com/exsuite.php PEinsider = http://cerbero.io/peins
In this tutorial, I have created a process in Windows. I have used the following APIs. 1. CreateProcess -- create the process. 2. GetProcessID - Printing the proce