Malware Evasion Techniques: API Unhooking

Howto & Style

Description: In this video, we explore a malware evasion technique - API unhooking.
Timestamps:
00:00 - Intro
00:37 - Inline hooking explained
02:04 - Introducing frida-trace
04:12 - Static analysis of Gazprom ransomware
06:18 - Patching Gazprom sample
07:37 - Hooking Gazprom with frida-trace
09:50 - Identifying API unhooking code using x64dbg
12:14 - Reviewing API unhooking code using Ghidra
19:39 - Debugging API unhooking code using x64dbg
Have malware analysis questions or topics you'd like me to cover? Leave a comment and let me know!
SANS Malware Analysis Courses I Author and Teach:
sans.org/for610 (co-author with Lenny Zeltser)
sans.org/for710
Sample: github.com/as0ni/youtube-file...
Password: infected
Unzipped SHA-256: 32ec301f02dfa21932679726f07e30f9c807391aaf1044278c0e0b2c0dc8ebdf
Description: Gazprom Ransomware Sample
Tools
Frida: frida.re/
PEStudio: www.winitor.com/download
Process Hacker: processhacker.sourceforge.io/...
x64dbg: x64dbg.com/
Ghidra: ghidra-sre.org/
Find Anuj Soni on X: x.com/asoni
Connect on LinkedIn: / sonianuj

Comments: 29

  • @natedunlap9226 (6 months ago)

    This is an amazing video! Your content is phenomenal and I hope your channel grows! You deserve lots of recognition for your work and I will say I believe 2k subs is a crime for the amazing videos you are putting out. Keep up the good work and I look forward to watching more of your videos!

  • @sonianuj (6 months ago)

    Wow thank you so much! That is so kind of you to say. Another video coming soon!

  • @DeNikow (6 months ago)

    @sonianuj This has to be one of the best videos on KZread about API unhooking. Great content. Very clear voice, well explained. Didn't understand everything (you lost me about 70% through), but that's because I don't have enough knowledge about reverse engineering. I'm just a simple system engineer.

  • @matthewlandry5946 (7 months ago)

    🎉 The most thorough step-by-step explanation of Windows API, Ghidra and debugger use. I like your style. Excited for more videos, and thanks for spending all this time helping others in the community. Salute!

  • @sonianuj (7 months ago)

    Thank you so much!

  • @postelnicuiulian2527 (5 months ago)

    Hi, great content.... only one small suggestion if I may: if you want to get more views you must change the channel name by adding something related to malware reverse engineering. I know you from SANS because I'm interested in 610. Great content & looking forward to the next ones!

  • @Starckoo (7 months ago)

    Amazing content, thank you!

  • @sonianuj (7 months ago)

    Thanks for watching!

  • @Tchubakk (7 months ago)

    A big fan of your detailed-explanation approach... 😊 Looking forward to a video explaining "how to identify API hashing technique"

  • @sonianuj (7 months ago)

    Thank you!

  • @ByteHax_ (4 months ago)

    Amazing ❤❤

  • @sonianuj (4 months ago)

    Thanks 😄

  • @mojack624 (5 months ago)

    Interesting, Anuj. Hope to see more videos in the future.

  • @sonianuj (5 months ago)

    Will do, thanks for watching!

  • @mojack624 (5 months ago)

    Your concept explanations are straightforward, and the videos are concise and very educative. @sonianuj

  • @designzonebeats (7 months ago)

    Very nice. Well worth staying in the office for :)

  • @sonianuj (7 months ago)

    Wow that’s great to hear! Thank you for watching.

  • @Teo97b (4 months ago)

    Hi Anuj, I have been learning a lot from your videos, but I have a question: I find what you described at 06:55 in the video very interesting, and I want to ask what the difference is between attaching to the executable after inserting this infinite loop and just putting a breakpoint at its entry point without attaching to it. Both the breakpoint and the infinite loop won't let it execute further, right? Always nice to learn new things.

  • @sonianuj (4 months ago)

    Hi there! Thanks for watching. So, if my goal was simply to debug find.exe, I could absolutely set a breakpoint at the entry point of find.exe like you suggested. However, at this point in my analysis (06:55), I wanted to debug a version of find.exe that had been hooked by frida-trace. This means I first need to launch find.exe via frida-trace and *then* debug it - my solution was to insert the infinite loop so that I could attach to the running (but hooked) find.exe before it terminates. I hope that makes sense!

  • @Teo97b (4 months ago)

    I see, thank you

  • @mosaabalhaddad3146 (7 months ago)

    Very amazing video. Needed this, as I may start my career in malware reversing at a company soon (your videos helped me get this job, btw). Thanks a ton!

  • @sonianuj (7 months ago)

    Wow, thank you so much for sharing this. Your comment inspires me to continue putting in the work to create these videos.

  • @noahblackburn5470 (7 months ago)

    Might just be me, but the description ("In this video, we analyze the FBI's Qakbot takedown code using malware analysis techniques") is for another video of yours, I believe - kzread.info/dash/bejne/jHiM09Sfd5rOh8Y.html Thanks for the great content! 😃

  • @sonianuj (7 months ago)

    Whoops, thanks for noticing that! Just fixed it.

  • @ukaszgeras6600 (7 months ago)

    Hi, could you mention any ideas on how to detect unhooking techniques? Provided that you have already unhooked the NtReadFile function (or use its syscall), you can load any unhooked native API function from disk to avoid EDR/XDR detection. Being deaf to API monitoring, static rules seem to apply. Any thoughts on how to approach the topic and detect the manipulation statically? Love your materials ❤

  • @sonianuj (7 months ago)

    Great question. Capa or YARA rules could help with this. YARA is often discussed, capa less so. Maybe I'll make a video on using capa rules to detect this sort of thing. Thanks for the idea!

  • @ukaszgeras6600 (7 months ago)

    @sonianuj I was thinking about looking for a binary string reaching the pointer to the PEB from the TIB. It may be a pretty constant thing.
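The suggestion in the reply above, a static signature for code that reads the PEB pointer out of the TIB/TEB, is the kind of thing a capa or YARA rule encodes. The block below is an added example, not from the video or from any commenter, in C: it scans a byte buffer for the canonical encodings of `mov r64, gs:[0x60]` (x64) and `mov r32, fs:[0x30]` (x86) and reports the offsets. The sample buffer is constructed for the demo and deliberately mixes a 32-bit and a 64-bit encoding plus a `gs:[0x58]` decoy (the TLS array slot, which must not match); a real scan would apply only the patterns for the binary's bitness, and should be run on unpacked code.

```c
/* Added example, not from the video: static scan for PEB access via the TIB/TEB.
 * Patterns:
 *   x64  mov r64, gs:[0x60]  -> 65 (48|4C) 8B <ModRM mod=00 rm=100> 25 60 00 00 00
 *   x86  mov eax, fs:[0x30]  -> 64 A1 30 00 00 00
 *   x86  mov r32, fs:[0x30]  -> 64 8B <ModRM mod=00 rm=101> 30 00 00 00 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef struct {
    size_t offset;
    const char *what;
} peb_hit;

static int is_x64_gs60(const uint8_t *p, size_t n)
{
    return n >= 9 && p[0] == 0x65 && (p[1] == 0x48 || p[1] == 0x4C) &&
           p[2] == 0x8B && (p[3] & 0xC7) == 0x04 && p[4] == 0x25 &&
           p[5] == 0x60 && p[6] == 0 && p[7] == 0 && p[8] == 0;
}

static int is_x86_fs30(const uint8_t *p, size_t n)
{
    if (n >= 6 && p[0] == 0x64 && p[1] == 0xA1 &&
        p[2] == 0x30 && p[3] == 0 && p[4] == 0 && p[5] == 0)
        return 1;
    return n >= 7 && p[0] == 0x64 && p[1] == 0x8B && (p[2] & 0xC7) == 0x05 &&
           p[3] == 0x30 && p[4] == 0 && p[5] == 0 && p[6] == 0;
}

/* Walk every byte offset (no disassembly needed); return number of hits found. */
size_t scan_peb_access(const uint8_t *buf, size_t len, peb_hit *hits, size_t max_hits)
{
    size_t i, count = 0;
    for (i = 0; i < len && count < max_hits; i++) {
        const char *what = NULL;
        if (is_x64_gs60(buf + i, len - i))
            what = "x64 mov r64, gs:[0x60]";
        else if (is_x86_fs30(buf + i, len - i))
            what = "x86 mov r32, fs:[0x30]";
        if (what) {
            hits[count].offset = i;
            hits[count].what = what;
            count++;
        }
    }
    return count;
}

/* Constructed sample: padding, a decoy gs:[0x58] read, the real PEB reads,
 * and the typical follow-up of walking PEB.Ldr at offset 0x18. */
static const uint8_t sample_code[] = {
    0x90, 0x90,                                           /* nop; nop                 */
    0x65, 0x48, 0x8B, 0x04, 0x25, 0x58, 0x00, 0x00, 0x00, /* mov rax, gs:[0x58] decoy */
    0x65, 0x48, 0x8B, 0x0C, 0x25, 0x60, 0x00, 0x00, 0x00, /* mov rcx, gs:[0x60]  @11  */
    0x48, 0x8B, 0x49, 0x18,                               /* mov rcx, [rcx+0x18] Ldr  */
    0x64, 0xA1, 0x30, 0x00, 0x00, 0x00,                   /* mov eax, fs:[0x30]  @24  */
    0xC3                                                  /* ret                      */
};

int main(void)
{
    peb_hit hits[8];
    size_t i, n = scan_peb_access(sample_code, sizeof sample_code, hits, 8);
    for (i = 0; i < n; i++)
        printf("offset %zu: %s\n", hits[i].offset, hits[i].what);
    return 0;
}
```

The same x64 pattern as a YARA hex string is `{ 65 (48|4C) 8B ?? 25 60 00 00 00 }`. Two caveats before treating a hit as evidence of unhooking: compilers and runtimes emit these reads legitimately (NtCurrentTeb()-style intrinsics), so the signal should be combined with other capa-style features such as a second mapping of ntdll.dll or a write to an executable section; and code that reaches the PEB indirectly, for example via the TEB self-pointer at `gs:[0x30]` plus an offset, or that computes the offset in a register, will not match.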

  • @w22iwi22w (6 months ago)

    what build of windows are you using?

  • @sonianuj (6 months ago)

    Hi there. I'm using a Win10 enterprise build where I've installed all my tools (all free). Hope that helps!
