Tracing C function fopen [Part1] - IDA Free User-Mode Walk-Through tracing to NTApi
Tracing C function fopen [Part2] - Windbg Kernel Debugging - Walk-Through User-Mode to Kernel Executive Subsytem
Abusing External Resource References MSOffice [part1] - TEMPLATE_INJECTION
Abusing External Resource References MSOffice [part2] - OLEOBJECT_INJECTION
[1] Lokibot analyzing - defeating GuLoader with Windbg (Kernel debugging) and Live C2
[2] Lokibot analyzing - spoofing GULoader and LokiBot C2 [part1] - Own implementation in Python
[2] Lokibot analyzing - spoofing GULoader and LokiBot C2 [part2] - INetSim + BurpSuite
[3] Lokibot analyzing - Reversing, API Hashing, decoding
What is COM and its Functionality, COM in Registry (Tools - COM viewers), COM Client-Server (Using Powershell/.NET COM Client), Reversing COM instances and methods in IDA (Structures, Types, ComIDA plugin), Interesting way of using COM Method in LokiBot malware sample
Some notes, tips and tricks when you are dealing with reversing Malware sample which using statically imported OpenSource library
This video covers guide during reversing and making PoC decryptor in Python. In the last part of the video I will be covering another Trick how you can dynamically invoke only the decryption routine of this Ransomware directly from Powershell and get all files decrypted.
Managed code vs UnManaged code. Difficulties during reversing and debugging.
One nice example is Powershell ItSefl.
Video covers Deobfuscation of latest SmartAssembly 8+ (commercial obfuscator for .NET) using SAE (Simple-Assembly-Explorer)
and Recreating original module using DnSpy. [Samples Download]
Sample, my prepared annotated IDA IDB, Bochs image: [Download-Pass:infected]
Video about .NET reversing of P/Invoke, D/Invoke and Dynamic P/Invoke implementation which serve for calling unmanaged code from managed. Covering tool Get-PDInvokeImports [Get-PDInvokeImports]
Deep dive into reverse engineering APT29 C2-Client Dropbox Loader.
For more information - check the description below the video.
[Advanced DnSpy tricks in .NET reversing 2 - PS debugging, Watch vs Locals, Code Optimization, more..]
Debugging Powershell process when debugging Powershell scripts - catch module loading (dnSpy)
DnSpy multi-process debugging
Dealing with code optimization during .NET debugging (when and why you can NOT see Locals and put a breakpoints)
Watch vs. Locals Windows in dnSpy - benefit from both (see fields, invoke expressions etc.)
My first tips and tricks released under CPR @CPResearch - showing practical usage of IDA-Appcall, Dumpulator and pure Unicorn Engine.
Getting the best and full of annotated code snippets.
Big thanks to my team members @BenHerzog11235 and @a14xt who helped to make this cool.