How I Debug DLL Malware (Emotet)

Поделиться
HTML-код
  • Опубликовано: 2 ноя 2024

Комментарии • 61

  • @therelatableladka
    @therelatableladka 8 месяцев назад +6

    Please don't stop uploading, the quality and video knowledge is very good. I even recommended this to my friends.

    • @sonianuj
      @sonianuj  8 месяцев назад +2

      Really appreciate you recommending my content to others! More to come.

  • @mw_lewlew
    @mw_lewlew Год назад +3

    I usually find malware vids very boring and hard to follow but the way you explain and present everything is perfect

    • @sonianuj
      @sonianuj  Год назад +2

      Thank you for that feedback. Comments like this push me to release more videos.

  • @noobsplain
    @noobsplain 11 месяцев назад +3

    I'm with the other guy who said the video length/format is great. Sometimes I just want a concise rundown as a refresher or to get new ideas from instead of a movie-length video- although there is a place for deep dives like that. Thanks!

    • @sonianuj
      @sonianuj  11 месяцев назад

      Thanks for watching!

  • @cyrussecurity
    @cyrussecurity Год назад +4

    This was fantastic. Big fan of these videos and the length/format. Would love a video on obtaining bad samples, and actually the process of gathering new malicious files that still need to be analyzed.

  • @jacktaubl48
    @jacktaubl48 Год назад +1

    This is the best explanation I have seen for a topic that stumps alot of junior reversers. Great video.

  • @0xgodson119
    @0xgodson119 3 месяца назад

    I usually don't comment on a video unless I need to, but you did great work in this video, and it is very valuable. Please make more videos!

    • @sonianuj
      @sonianuj  2 месяца назад

      Thanks so much, that means a lot!

  • @anantP-ip8op
    @anantP-ip8op Год назад +2

    Thanks a lot for making free videos for the community. Technical details are really helpful. You are doing awesome!

    • @sonianuj
      @sonianuj  Год назад

      Thank you for the encouragement!

  • @wes7919
    @wes7919 Год назад +1

    Great work Anuj! Subbed can't wait for more videos.

  • @Hrorrik
    @Hrorrik Год назад

    Wow! Super cool to have such a robust break-down in terms of the how and why. I'm not going to lie, I didn't follow it all, but you did a great job of making all of these pieces of tech I haven't been able to touch yet seem exciting and more approachable (which is pretty cool since I'm just a help-desk tech 😅). Looking forward to see how your channel blows up over the next year or so!

    • @sonianuj
      @sonianuj  Год назад +1

      Thanks for taking the time to comment, glad to hear you’re enjoying the uploads!

  • @blueteams5495
    @blueteams5495 Год назад +2

    Love to see frequent upload of videos. Thanks for sharing another valuable technique. Could please have a video on analyzing sys files in your futures. Thanks in advance!

    • @sonianuj
      @sonianuj  Год назад +1

      That’s a great idea, thank you!

    • @blueteams5495
      @blueteams5495 Год назад

      @@sonianuj Thanks for your comment. Will be waiting for it eagerly😀😁

  • @THEdarkkman
    @THEdarkkman 4 месяца назад

    I started learning not long ago, but your explanation is so good I was able to keep track and understand of what you were doing.

    • @sonianuj
      @sonianuj  2 месяца назад

      Wonderful to hear, thank you!

  • @vinyldown8490
    @vinyldown8490 2 месяца назад

    PLEASE DO MORE! THIS WAS SO GOOD

    • @sonianuj
      @sonianuj  Месяц назад

      Working on it :-)

  • @cpatocybersecurity
    @cpatocybersecurity Год назад +1

    Great production value and cool demo

    • @sonianuj
      @sonianuj  Год назад

      Thanks for watching!

  • @RickHenderson
    @RickHenderson 4 месяца назад

    This was great. Excellent info.

    • @sonianuj
      @sonianuj  4 месяца назад

      Glad you enjoyed it!

  • @dattatreysharma7161
    @dattatreysharma7161 Год назад

    Such a cool Explanation... Thanks Anuj !

  • @TheRealBards
    @TheRealBards Год назад +2

    Great video, thank you for sharing.

    • @sonianuj
      @sonianuj  Год назад

      Thanks for watching!

  • @threathunter369
    @threathunter369 Год назад +3

    Nice presentation, Do more Debugging on Malwares , Thank You

    • @sonianuj
      @sonianuj  Год назад +1

      Will do! Thanks for watching.

  • @MsDuketown
    @MsDuketown Год назад +1

    Cool Channel, and nice vid about ms.dll's.
    For me, splitting Excel formats based on date really helped, since Excel is industry default since forever. I also use it to find maximums, like IE11.0.04 for last IE 32-bit. These VM's need maintenance you know..
    This is handy when digging deeper, specifically if VBA (XLL-add-ins, odbc, ado, activex) or Powershell is involved.. Programatically, 64-bit time_t and 32-bit tm_year are important in calcs.
    btw.. "Behaviourial analysis" is too functional for a technical task.
    To kickstart dynamic analysing the public blobs, with
    Microsoft Primitive Provider
    using
    * SHA256, HASH, AES
    and
    * ObjectLength
    * KeyDataBlob
    * clean up the output, ie. with ssconvert (gnumeric)

  • @antonborkov8517
    @antonborkov8517 Год назад +1

    Awesome
    Thanks!

  • @johnvardy9559
    @johnvardy9559 Месяц назад

    Great work

    • @sonianuj
      @sonianuj  Месяц назад

      Thank you so much 😀

  • @kiaraki7186
    @kiaraki7186 6 месяцев назад

    thank you , this was helpful

    • @sonianuj
      @sonianuj  6 месяцев назад

      Glad it helped!

  • @Istoriaby
    @Istoriaby 8 месяцев назад

    very underated channel! hope you get the attention you deserve this is high quality content

    • @sonianuj
      @sonianuj  8 месяцев назад +1

      Thank you so much!

  • @boggavarapuramsaransaisrin9316
    @boggavarapuramsaransaisrin9316 Год назад +3

    Hi Anuj, great presentation. How we can handle DLL which is packed and no information is available on internet.

    • @sonianuj
      @sonianuj  Год назад +4

      This will depend on how it’s packed, but setting a breakpoint on VirtualAlloc often leads to progress. If you have an example in mind, I’m happy to take a look and discuss in a video!

  • @charsetUTF-8
    @charsetUTF-8 7 месяцев назад

    thanks for helpful!!!

    • @sonianuj
      @sonianuj  7 месяцев назад

      Happy to help!

  • @abhisheksaigiridhari5166
    @abhisheksaigiridhari5166 11 месяцев назад

    Hey there. Great Insights man, thankyou for this video. I had a question though, What to do if there are 0 export functions present in the dll file. How to analyse it then? Like the score on VT shows that its malicious but then without running it how can u determine. I'm asking specifically for Dynamic Analysis not the Reverse Engineering part

    • @sonianuj
      @sonianuj  10 месяцев назад

      Even with no exports, code at the entry point of a DLL will still be executed - so I would start debugging there. Hope that helps!

  • @wise_one45
    @wise_one45 Год назад +1

    I am assuming while looking at the code in a dissassembler you either stumble across the MZ header? I guess you are trying to keep the videos short and sweet but it would have been nice to see your approach of discovering that. The whole time in the video i was asking. How did he find that?😅

    • @sonianuj
      @sonianuj  Год назад +2

      Hi, sorry for the delay in responding. Great point, I could have done a better job of explaining this observation. The fastest way to identify the function that checks for an MZ header is Mandiant's capa tool (github.com/mandiant/capa). If you aren't familiar with this tool, check out my latest video on the FBI's Qakbot takedown (ruclips.net/video/ZDXqrfG7hWc/видео.htmlsi=rCXhCYFbGlRJeuHD) - I cover it there. Thanks for watching!

  • @pixelcatcher123
    @pixelcatcher123 7 месяцев назад +1

    is it possible, to inspect a dll when and where exactly its injected and what functions it has or will hooked? im n absoult beginner so i not rly understand assembly, i guess if u understand it everything might be opensource ?

    • @sonianuj
      @sonianuj  7 месяцев назад +2

      Hi there, thanks for stopping by! Yes you can debug a DLL to examine when and how it injects or hooks code. Check out my API unhooking video for some information on that last one. And disassembling a program definitely give you insight into how it works. A good decompiler can approximate source code, but this can be challenging, especially if there is obfuscation involved.

    • @pixelcatcher123
      @pixelcatcher123 7 месяцев назад +1

      @@sonianujGratefully thanks, Content like this are very important. I will for sure dive in this topics. Take Care !

  • @prashilmoon1083
    @prashilmoon1083 Год назад

    It was great video.. Can you please debug dumped file as well? I tried to debug this payload but not getting much observations..

    • @sonianuj
      @sonianuj  Год назад +1

      Hi there, thanks for watching. Perhaps I’ll debug the second stage in a later video thanks.

  • @Laylaa320
    @Laylaa320 7 месяцев назад

    Can dll malware infect your computer even, if you are not clicking to .exe? Without dll being imported to .exe just export itself like could dll without execution .exe only download dll file do rat, redline stealer, rootkits or other malwares? Someone experienced this?

    • @Laylaa320
      @Laylaa320 7 месяцев назад

      Is there to unpack rar/zip file with pw in ida pro/ghidra directly?

  • @abhisheksaigiridhari5166
    @abhisheksaigiridhari5166 11 месяцев назад

    Hey there. Great Insights man, thankyou for this video. I had a question though, What to do if there are 0 export functions present in the dll file. How to analyse it then? Like the score on VT shows that its malicious but then without running it how can u determine. I'm asking specifically for Dynamic Analysis not the Reverse Engineering part

    • @sonianuj
      @sonianuj  8 месяцев назад

      Hi there, my apologies for the delay in responding. If there are zero export functions, I would expect the malicious code to be launched from DllMain. Behaviorally you should be able to launch it with rundll32 without specifying an entry point.