
IDA Pro Malware Analysis Tips

Views: 30
Upload date: 01.12.2023 15:49
Duration: 01:38:16
Category: Education

Description

Open Analysis Live! A few tips and tricks to help you analyze malware with IDA Pro.

-----
OALABS DISCORD
https://discord.gg/6h5Bh5AMDU

OALABS PATREON
https://www.patreon.com/oalabs

OALABS TIP JAR
https://ko-fi.com/oalabs

OALABS GITHUB
https://github.com/OALabs

UNPACME - AUTOMATED MALWARE UNPACKING
https://www.unpac.me/#/

-----

Automated Malware Unpacking
https://www.unpac.me/

PE Mapped Virtual Address vs. Offset In Binary File: 02:55
IDA Pro Layout Tips: 05:10
Dynamically Resolving APIs: 08:10
IDA Pro Remote Debugger Setup and Use: 09:06
Walking Call Chain From Hooked API Back To Malware: 22:59
Using Memory Snapshots To Unpack Malware (Quick Unpacking): 40:07
Win32 API Calls and The Stack (How To Change Arguments On The Fly): 46:28
IDA Pro Remote Debugger (Debugging a DLL): 01:16:32


PE basics including how a PE is mapped in memory:
http://www.delphibasics.info/home/delphibasicsarticles/anin-depthlookintothewin32portableexecutablefileformat-part1

http://www.delphibasics.info/home/delphibasicsarticles/anin-depthlookintothewin32portableexecutablefileformat-part2
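The chapter "PE Mapped Virtual Address vs. Offset In Binary File" and the PE-basics links above come down to one piece of bookkeeping: a virtual address (VA) in the debugger is ImageBase plus a relative virtual address (RVA), and an RVA maps to a file offset only through the section table (PointerToRawData for the section that contains it). The example below is added here and is not code from the video or from OALABS. It builds a constructed two-section PE32 header in memory (not a real binary, and not the samples linked on this page) and converts between VA, RVA and file offset, including the case an analyst trips over most often: an RVA that lies in a section's virtual size but beyond its raw data, so it exists in memory but has no bytes in the file.

```python
import struct

# Constructed minimal PE32 image for the demo (not a real binary): DOS header,
# PE signature, COFF header, optional header and two section headers.
IMAGE_BASE = 0x400000
SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def build_sample_pe() -> bytes:
    e_lfanew = 0x80
    img = bytearray(0x400)                        # headers padded to FileAlignment
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)   # e_lfanew -> PE signature
    img[e_lfanew:e_lfanew + 4] = b"PE\x00\x00"
    coff = e_lfanew + 4
    opt_size = 0xE0                               # PE32 optional header size
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", img, coff, 0x14C, 2, 0, 0, 0, opt_size, 0x102)
    opt = coff + 20
    struct.pack_into("<H", img, opt, 0x10B)       # Magic: PE32
    struct.pack_into("<I", img, opt + 28, IMAGE_BASE)
    struct.pack_into("<I", img, opt + 32, 0x1000)  # SectionAlignment
    struct.pack_into("<I", img, opt + 36, 0x200)   # FileAlignment
    sec = opt + opt_size
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
    # relocs/linenumbers (unused here), Characteristics
    struct.pack_into(SECTION_HDR, img, sec,
                     b".text", 0x1200, 0x1000, 0x1200, 0x400, 0, 0, 0, 0, 0x60000020)
    # .data is 0x2000 bytes once mapped but only 0x200 bytes exist in the file
    struct.pack_into(SECTION_HDR, img, sec + 40,
                     b".data", 0x2000, 0x3000, 0x200, 0x1600, 0, 0, 0, 0, 0xC0000040)
    return bytes(img)


def parse_pe(data: bytes) -> dict:
    """Read ImageBase and the section table from a PE32 or PE32+ file image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, num_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                            # PE32: ImageBase is a DWORD at +28
        image_base, = struct.unpack_from("<I", data, opt + 28)
    elif magic == 0x20B:                          # PE32+: ImageBase is a QWORD at +24
        image_base, = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sections = []
    for i in range(num_sections):
        name, vsize, va, raw_size, raw_ptr, *_ = struct.unpack_from(
            SECTION_HDR, data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                         "va": va, "vsize": vsize,
                         "raw_ptr": raw_ptr, "raw_size": raw_size})
    return {"image_base": image_base, "sections": sections}


def rva_to_offset(pe: dict, rva: int):
    """Map an RVA to a file offset via the section table.

    Returns None when the RVA is mapped but backed by no file bytes (a section's
    uninitialised tail) or lies outside every section."""
    sections = pe["sections"]
    if not sections or rva < sections[0]["va"]:
        return rva                                # headers are mapped 1:1 at offset 0
    for s in sections:
        mapped = max(s["vsize"], s["raw_size"])   # packers sometimes leave VirtualSize 0
        if s["va"] <= rva < s["va"] + mapped:
            delta = rva - s["va"]
            return None if delta >= s["raw_size"] else s["raw_ptr"] + delta
    return None


def va_to_offset(pe: dict, va: int):
    """Debugger VA -> file offset (assumes the image loaded at its preferred base)."""
    return rva_to_offset(pe, va - pe["image_base"])


def offset_to_rva(pe: dict, offset: int):
    """File offset -> RVA, the direction used when a hex editor hit must be found in IDA."""
    for s in pe["sections"]:
        if s["raw_ptr"] <= offset < s["raw_ptr"] + s["raw_size"]:
            return s["va"] + (offset - s["raw_ptr"])
    if pe["sections"] and offset < pe["sections"][0]["raw_ptr"]:
        return offset
    return None


if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    for va in (0x401010, 0x403020, 0x403300):
        print(f"VA {va:#x} -> file offset {va_to_offset(pe, va)}")
```

To use it on a real file, replace `build_sample_pe()` with the bytes of the sample; when the process has been relocated (ASLR), subtract the actual load base reported by the debugger rather than the header's ImageBase. The `None` result is the signal to watch for on packed samples: code the debugger executes at an RVA with no file backing was written there at runtime, which is exactly what the memory-snapshot unpacking chapter of the video deals with.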

Link to the most excellent IDA Pro book:
https://www.nostarch.com/idapro2.htm

Microsoft calling conventions:
https://msdn.microsoft.com/en-us/library/k2b2ssfy.aspx

RegTestUPX1.exe (benign demo application, safe to run):
https://www.virustotal.com/en/file/31e8a11960d0492b64241354c567643f09f0e0278658d31e75d6f2362dbfae44/analysis/1486886366/

final_unmapped.dll (DLL demo; WARNING: REAL MALWARE, ONLY RUN IN A VM):
https://www.virustotal.com/en/file/275f927f5cc809ebba57c6e766c550d2d27b1841708459a876c6f5a99201ecb6/analysis/

We are always looking for feedback: what did you like, what do you want to see more of, and what do you want to see us analyze next? Let us know on Twitter:
https://twitter.com/herrcore
https://twitter.com/seanmw

As always check out our tools, tutorials, and more content over at http://www.openanalysis.net

#IDAPro #ReverseEngineering #MalwareAnalysis
