WEBVTT

00:00.830 --> 00:01.300
Hello.

00:01.310 --> 00:02.190
Welcome back.

00:02.210 --> 00:08.660
Now I've already restored the virtual machine to undo any changes made by the malware.

00:08.660 --> 00:14.480
And now I'm going to use x64dbg to unpack malware.

00:15.620 --> 00:20.670
So open x64dbg and click on Options and then click on Preferences.

00:20.690 --> 00:23.570
Uncheck System Breakpoint and callbacks.

00:23.570 --> 00:31.580
And click Save and then open the ANC file from the malware core sample folder on the desktop.

00:34.730 --> 00:39.620
Click on all files here and click on install and open it.

00:41.420 --> 00:43.190
Now you'll add a breakpoint.

00:43.400 --> 00:47.150
We are going to set two breakpoints like we did earlier.

00:47.450 --> 00:49.580
Breakpoint on VirtualAlloc.

00:52.470 --> 00:56.490
Hit Enter and then breakpoint on VirtualProtect.

00:59.190 --> 01:00.060
Hit Enter.

01:01.470 --> 01:05.280
Click on the breakpoint tab to confirm you have both over there.

01:05.520 --> 01:08.140
And now we can run to the first breakpoint.

01:08.160 --> 01:10.650
Click on F9 or this button here.

01:11.430 --> 01:13.530
And now you have the first breakpoint.

01:14.130 --> 01:18.690
So we step over it by pressing F8 or you can click this button here.

01:19.870 --> 01:20.650
To step over.

01:24.570 --> 01:32.340
So if we jump to VirtualProtect, now it's pushing the parameters to the stack and getting it ready

01:32.340 --> 01:34.920
to run VirtualProtect, which is down here.

01:35.400 --> 01:38.310
So continue this tab will let it push its parameters.

01:38.310 --> 01:43.410
There are five parameters this VirtualProtect has got at the back.

01:43.830 --> 01:47.280
This particular VirtualProtect has got five parameters.

01:47.610 --> 01:55.020
So these are the five parameters here for VirtualProtect with the extension, the five parameters.

01:55.050 --> 01:58.320
The second parameter is the one we are interested in.

01:58.500 --> 02:06.120
It is trying to change the protection for permission bits for this address.

02:06.420 --> 02:12.450
So if you scroll down and read, you can see here the description for the second parameter, lpAddress,

02:12.870 --> 02:18.720
a pointer to the base address of the region of pages whose access protection attributes are to be changed.

02:18.960 --> 02:21.180
So it's the second parameter.

02:21.630 --> 02:24.250
So the second parameter is this one.

02:25.270 --> 02:28.360
Over here, you can see this is the first parameter.

02:28.480 --> 02:29.950
This is the second parameter.

02:30.280 --> 02:36.610
So if we want to see this memory, you can follow it in the memory here, right click.

02:36.610 --> 02:37.540
And then.

02:38.690 --> 02:45.250
Select Follow DWORD and then Follow DWORD in Dump.

02:45.890 --> 02:50.630
So this is the memory area it wants to change its protection to.

02:50.660 --> 02:57.710
So you can give this to see whether or not this will be the final place for its packing.

02:58.520 --> 03:04.040
So we keep tabs on that, four followed by four zeros.

03:04.730 --> 03:12.680
So now we keep on running, press F9 or click on this run button to go to the next breakpoint,

03:12.770 --> 03:13.130
VirtualAlloc.

03:13.880 --> 03:15.320
So now we are here.

03:15.320 --> 03:18.890
We step over by clicking on this or pressing F8,

03:21.710 --> 03:23.810
and now we are going to jump to VirtualAlloc.

03:26.190 --> 03:30.030
And now he's going to push all the parameters for VirtualAlloc.

03:30.840 --> 03:38.340
Now, up to here, all these parameters have been pushed to the stack for this call to VirtualAlloc.

03:38.520 --> 03:42.990
And this particular VirtualAlloc has also got an extension.

03:43.350 --> 03:52.980
So this particular VirtualAlloc also has got five parameters and this is the reference in MSDN.

03:54.300 --> 03:55.290
Five parameters.

03:55.290 --> 03:57.300
One, two, three, four, five.

03:57.510 --> 03:59.940
But we are interested in the return value.

04:00.060 --> 04:03.660
So the return value, you can scroll down and read.

04:05.190 --> 04:06.510
What does it return?

04:07.030 --> 04:08.160
Return value.

04:08.460 --> 04:14.810
If the function succeeds, the return value is the base address of the allocated region of pages.

04:14.820 --> 04:17.190
So we are interested in the return value.

04:17.790 --> 04:22.790
Now, when a function returns, it will return the result in EAX.

04:22.800 --> 04:29.750
So after this call, EAX should contain the address of the allocated region in memory.

04:29.760 --> 04:34.440
So now we step over this and watch EAX. Step over.

04:35.040 --> 04:39.600
And then you see EAX now shows two followed by four zeros.

04:39.600 --> 04:43.710
So we can right click on this and Follow in Dump 2.

04:45.620 --> 04:50.150
And now we see this is the region of memory where he has allocated.

04:51.070 --> 04:55.120
So now we can continue to run and see if anything happens here.

04:55.930 --> 05:03.700
At this point in time, if we look at the breakpoint, both of the APIs have been hit one time each because

05:03.700 --> 05:10.760
we remember from the notes that we created during the first session under here, count.

05:10.810 --> 05:11.680
Breakpoint count.

05:11.860 --> 05:19.270
We know that it has to hit seven times, VirtualProtect one time, before we are ready to dump.

05:19.720 --> 05:23.950
So we can continue to run.

05:24.880 --> 05:27.760
As we run, we notice whether anything happens here.

05:28.000 --> 05:31.300
So now we click on F9 or this button.

05:31.780 --> 05:33.130
It will run to the next page.

05:33.550 --> 05:36.640
And you notice it has already unpacked some code here.

05:37.090 --> 05:41.410
You can see the next, CreateProcess, GetProcAddress.

05:41.560 --> 05:46.960
And then if you scroll down, you can see some other APIs, GetModuleHandle.

05:48.630 --> 05:51.270
And then if you scroll further, you can see further.

05:52.860 --> 05:55.450
APIs, LoadLibraryA and so on.

05:55.470 --> 05:58.840
So this is probably, and that's VirtualAlloc here as well.

05:58.860 --> 06:06.900
So this is probably some intermediate code that will be used to unpack the ultimate exe file.

06:07.170 --> 06:08.760
So we are not at the end yet.

06:08.910 --> 06:13.650
So now we are at the second VirtualAlloc, we continue to step over.

06:16.880 --> 06:23.570
Jump to VirtualAlloc, now it's pushing the next five parameters to the stack.

06:24.290 --> 06:26.780
Now the parameter has been pushed to the stack.

06:27.020 --> 06:32.900
We step over to look at the returned allocation address in EAX.

06:33.500 --> 06:35.210
So now we step over.

06:35.390 --> 06:38.480
And so he has allocated this region of memory.

06:38.990 --> 06:42.800
So we right click on this, Follow in Dump 2.

06:43.490 --> 06:44.450
Dump 3.

06:46.130 --> 06:48.740
So this is another memory area that is allocated.

06:49.610 --> 06:51.980
So now you look at Breakpoint tab.

06:54.590 --> 06:56.750
VirtualAlloc has been hit twice.

06:57.230 --> 06:58.400
Still not at the end yet.

06:58.580 --> 07:01.220
So we run and notice what happens here.

07:02.120 --> 07:02.390
All right.

07:02.390 --> 07:08.630
So now we see here it has unpacked some code and this might be RC4 decryption.

07:09.430 --> 07:10.100
Probably.

07:10.670 --> 07:11.510
Look at this.

07:11.840 --> 07:16.120
It is nicely aligned in rows and columns.

07:16.130 --> 07:19.640
Not sure whether RC4, but it could be RC4 decryption.

07:20.030 --> 07:22.580
So now we continue to.

07:23.670 --> 07:24.300
Step over.

07:29.530 --> 07:33.010
So decryption means that we are still not at the end yet.

07:33.250 --> 07:40.660
So this is also an intermediary code which has been unpacked to help to unpack the final.

07:41.110 --> 07:42.310
So continue.

07:43.290 --> 07:44.250
To step over.

07:46.220 --> 07:48.260
Mucho, mucho.

07:48.380 --> 07:51.770
VirtualAlloc now is pushing the next five parameters to VirtualAlloc.

07:52.730 --> 07:55.940
And now we're going to step over and see the return address.

07:57.050 --> 07:57.380
All right.

07:57.380 --> 08:01.250
So now it has allocated this memory so we can follow this right click.

08:01.250 --> 08:04.280
Follow in Dump 4.

08:06.580 --> 08:13.390
So this is the new memory allocation; press F9 and run and see what it unpacks here.

08:14.050 --> 08:19.800
Run. And again, further decryption, maybe, not sure.

08:19.810 --> 08:22.390
So this is still not our final unpack code.

08:22.930 --> 08:25.210
So we continue to step over.

08:25.600 --> 08:31.240
So at this point in time, if you look at Breakpoint, VirtualAlloc has been hit four times.

08:31.540 --> 08:39.820
So continue to step over this VirtualAlloc, jump to VirtualAlloc, and now it's going to push the next

08:39.820 --> 08:41.680
five parameters to the stack.

08:43.720 --> 08:44.080
All right.

08:44.080 --> 08:49.600
At this point, it has pushed five parameters to the stack to call this next VirtualAlloc.

08:49.780 --> 08:53.650
So we're now going to step over this and watch the return address.

08:53.860 --> 08:55.450
So step over and see.

08:55.450 --> 08:58.570
The return address now is three followed by four zeros.

08:58.990 --> 09:04.120
So right click this, Follow in Dump 5.

09:06.000 --> 09:06.360
All right.

09:06.360 --> 09:11.460
So this is a new memory address where it's going to unpack additional code.

09:11.580 --> 09:15.120
So let's run and see what happens to this region of memory.

09:16.540 --> 09:16.820
All right.

09:17.200 --> 09:18.070
Nothing happens.

09:18.100 --> 09:18.520
All right.

09:18.550 --> 09:19.360
No problem.

09:19.360 --> 09:24.280
And at this point in time, we have already hit our VirtualAlloc five times.

09:24.790 --> 09:27.300
So let's step over this new VirtualAlloc.

09:30.180 --> 09:37.830
Jump to VirtualAlloc, and now it's going to push the five parameters to the stack in readiness to call the

09:37.830 --> 09:39.480
VirtualAlloc over here.

09:39.900 --> 09:44.370
At this point in time, the five parameters have been pushed to the stack.

09:44.370 --> 09:49.230
And if we step over this, we are going to see the return address which has been allocated.

09:50.070 --> 09:53.390
Step over and this is the return address.

09:53.400 --> 09:54.420
Same thing.

09:54.720 --> 09:56.040
So no change.

09:56.220 --> 09:58.250
So still nothing.

09:58.300 --> 10:02.610
We don't need to follow because we are already following it in Dump 5 here.

10:02.790 --> 10:05.040
Three followed by four zeros.

10:05.190 --> 10:07.740
So let's just run and see what happens here.

10:10.630 --> 10:11.800
Okay, now it is running.

10:11.800 --> 10:12.310
You can see.

10:12.310 --> 10:15.130
Let it run until it hits the breakpoint.

10:15.160 --> 10:16.480
Give it a few seconds.

10:17.590 --> 10:20.590
So after a few seconds, it has hit our breakpoint again.

10:20.590 --> 10:25.210
Still, nothing has been unpacked to this region of memory and we are now at the next VirtualAlloc,

10:25.390 --> 10:27.300
and click on Breakpoint.

10:27.310 --> 10:30.420
We see that now VirtualAlloc has been hit six times.

10:30.430 --> 10:36.270
Now, remember, earlier on in the first run, we found that VirtualAlloc was hit seven times.

10:36.280 --> 10:40.090
That means we have one more hit to go before we can dump memory.

10:40.930 --> 10:50.170
So let's go and step over this next VirtualAlloc and jump to VirtualAlloc.

10:51.520 --> 10:56.260
And now it's going to push the next five parameters to the stack.

10:58.780 --> 11:01.180
So it has pushed five parameters.

11:01.180 --> 11:07.460
Now it's going to call VirtualAlloc again and we are going to watch the return address in EAX.

11:07.480 --> 11:12.920
So let's step over and now the return address is 0000.

11:12.920 --> 11:18.680
So we don't have to follow it because it's not possible to unpack something in this memory address.

11:18.860 --> 11:22.430
So we just continue to run to the next VirtualAlloc.

11:24.080 --> 11:27.200
So we have the breakpoint run again.

11:28.800 --> 11:31.710
Now we hit the VirtualAlloc again one more time.

11:32.220 --> 11:33.960
So let's step over.

11:35.830 --> 11:36.250
This which.

11:43.640 --> 11:44.020
Right.

11:44.030 --> 11:50.360
He's going to push the next five parameters to the stack to get ready for the VirtualAlloc call.

11:50.570 --> 11:52.580
So we are now here, let's move it.

11:54.230 --> 12:01.010
And now we get the return address of one C followed by four zeros.

12:01.160 --> 12:05.420
So we can just right click this one and then.

12:06.070 --> 12:12.070
Follow in Dump 1 because we have run out of dumps.

12:12.070 --> 12:14.140
So we go to Dump 1 now.

12:14.770 --> 12:17.020
And so Dump 1 now is here.

12:17.020 --> 12:19.480
So let's run and see what happens to this dump.

12:20.830 --> 12:24.760
Looks like it has unpacked an EXE file in this memory address.

12:25.270 --> 12:25.960
Look at that.

12:25.990 --> 12:27.700
One C followed by four zeros.

12:27.730 --> 12:28.060
See that?

12:28.180 --> 12:33.490
We have an MZ header, and we have this string.

12:33.520 --> 12:34.120
This is.

12:34.120 --> 12:36.250
This program cannot be run in DOS mode.

12:36.640 --> 12:38.440
We have the PE header.

12:39.430 --> 12:46.200
Then if you scroll down, you can see the text section, the data section, the data section,

12:46.200 --> 12:47.340
the dialogue section.

12:47.460 --> 12:47.880
All right.

12:47.880 --> 12:50.490
So it looks like this is the.

12:53.750 --> 12:54.680
We are ready to dump.

12:54.680 --> 13:01.190
So if we click on the breakpoints now, we see that we have hit VirtualAlloc seven times.

13:01.190 --> 13:08.570
And then if we go here, we can see that it is running, it is freely running and it is not hitting

13:08.570 --> 13:09.560
any more breakpoints.

13:09.560 --> 13:13.040
So now we know, we confirm that we are at our last rochela.

13:13.310 --> 13:14.930
So now we are ready to dump.

13:15.320 --> 13:20.120
So you see, this time the address is one C followed by four zeros.

13:20.300 --> 13:25.670
Each time you run the code, you may get a different address here, the different return address.

13:25.670 --> 13:28.750
So it could be different for you and so on.

13:28.760 --> 13:31.370
So one C followed by four zeros.

13:31.520 --> 13:33.950
Remember one C followed by four zeros.

13:33.950 --> 13:38.780
And in the next video we will continue dumping this and also unmap it.

13:38.810 --> 13:40.160
See you in the next video.
