02 - Performing Basic Triage Analysis and Unpacking with x64dbg
HTML-код
- Опубликовано: 20 сен 2024
- Part 02 picks up by spending a little time performing basic triage analysis on the resulting ransomware binaries that we produced from the builder in part 01. I rarely skip this step as it often yields important insights into what you may be considering reversing. In this video, we'll use Detect-It-Easy to look at PE file characteristics and use entropy to identify signs of packing. We'll then compare the obfuscated and unobfuscated binaries together and even go through dumping the obfuscated version using x64dbg and scylla.
Join this channel to get access to perks:
/ @jstrosch
🚨 WARNING! If you follow along by creating your own binaries, ensure you have a safe analysis environment. The builder produces the real Lockbit ransomware and can cause irreversible damage to your systems! 🚨
Cybersecurity, reverse engineering, malware analysis and ethical hacking content!
🎓 Courses on Pluralsight 👉🏻 www.pluralsigh...
🌶️ RUclips 👉🏻 Like, Comment & Subscribe!
🙏🏻 Support my work 👉🏻 / joshstroschein
🌎 Follow me 👉🏻 / jstrosch , / joshstroschein
⚙️ Tinker with me on Github 👉🏻 github.com/jst...
🤝 Join the Discord community and more 👉🏻 www.thecyberye...
1:01 What do the strings tell us?
3:40 Viewing strings in the obfuscated version
4:13 Using DIE to view imports
7:13 Analyzing the obfuscated version
9:35 Comparing versions with IDA Pro
14:35 Unpacking the obfuscated version with x64dbg
Nice one, thanks!Don't you use ret-sync during debugging session to keep ida and x64dbg synced?I love it :-)
Woah, I haven't heard of it before... going to check it out today! Thanks for the suggestion :)