Видео

@@doelhasan7310 In this video, we were using 10.2.3

@@user-rn5su2ti9iThe initial learning curve is tough, but I promise it’s not insurmountable :-) It just takes practice and willingness to keep trying and seeking answers, even if you get stuck.

@@x1101126 Yeah if I had the time to (among everything else I’m trying to learn enough to be an amateur at 😆) I certainly would: It was really interesting going through the Win32 docs for this and my other RCT video and looking back on how much has changed (or not changed, more often and surprisingly). Thanks for watching!

@@LinuxIsBetter43 If you haven’t checked out the repo as it is today, you may find it better organized than this original video :-) But yeah, your comments are totally fair: I was much more focused on function than fashion for this one, particularly as a side project. That said, I appreciate the feedback!

@@JamesRav516 Thanks so much and so glad you’re enjoying! And the only limitations on your Shared Folder size should be 1) how much storage you have allocated for your VM in total and 2) how much storage you have on your host machine. I’m wondering if that’s not telling you how much storage is used on your VM in total out of how much is available? Otherwise, it doesn’t make much sense for your folders to be limited. I’d check how much storage you have allocated vs how much is used for the VM as a whole, and see if the numbers add up to what you see there.

@@MeanMisterMustard Thank you so much and so glad you think so! Hope to have some new stuff soon 😊

Thank you so much for the kind words, and for the thoughtful feedback! You are correct, and I've updated the diagram and the pinned comment to clarify this - I didn't make a distinction in the video because you almost always see rep as a prefix to string instructions that do manipulate EDI/ESI, but you are right that it is more proper to say that rep on its own only manipulates ECX - and I'd rather be right than "technically right" when it comes to a beginner's tutorial 🙂. Thank you so much for taking the time to watch and also for the good catch here! P.S. Hope you're enjoying Practical Malware Analysis!

​@@jeFF0Falltrades Thanks a lot for the quick reply! Yes, you are right, it is implicit that that those instructions work together to execute those operations but for a total beginner, it could be very ambiguous and confusing. I really appreciate you taking to time to consider my comment and updating the diagram. P.S. I havent started Practical Malware Analysis yet, I am currently reading Practical Reverse Engineering alongside your material and it has been a fascinating journey. I am really falling in love with RE! I truly hope you keep releasing more stuff, its really a precious help to consolidate all of these technical concepts.

@@EuZeNinguem Ah sorry I misread your comment and saw PMA instead of PRE - also a great book haha! And again thanks so much for your kind words; Comments like these are very motivating to keep creating 😄 Happy learning!

@@moshedo7975 If you still need the example let me know but any HTTPS traffic should do! Glad to hear you’re progressing!!!

@@moshedo7975 Do you mean is it possible to see network traffic using just Burp?

@@jeFF0Falltrades im asking in case that I followed your configuration in this vid is there a chance to see actual decrypted HTTPS traffic in burp?

@@moshedo7975 If you follow the configuration in the video, then you will be able to see HTTPS traffic in Burp, yes! You would see the same traffic - and more than HTTPS - logged in INetSim as that’s our primary network logging on the Remnux box. You could intercept traffic in Burp as well, but you would have to configure multiple proxies and also keep INetSim or some other service running to forward the requests to. EDIT: The traffic would be in Burp under Proxy->HTTP History by the way

@@jeFF0Falltrades So I messed up somehow because I don't see that

@@moshedo7975 Okay, we can troubleshoot: Are you able to do a simple ping from your Windows VM to your Remnux VM? If so, can you pull a web page on the Windows VM while INetSim runs on your Remnux VM?

@@matts7327 Yes! You can find it on my GitHub under “RAT King Parser” - linked on my channel page or just search that name :-) Thanks so much for your kind words!

@@ghaBBster Absolutely! No need to use this particular sandbox for the challenge! If you do need help troubleshooting with anything Remnux related, feel free to leave a comment or Issue to talk further about it :-)

@@jeFF0Falltrades thanks for reply, Finally i figured out how to install and prepare REMnux, Right now i got some challenge with establishing the connection between REMnux network and victim's Windows machine, I configured the REMnux (burpsuite and inetsim) and Windows network settings, but don't get a connection on 10.10.10.3:8080 on Windows machine btw i use VMWare pro 17 on Windows 10 and maybe that virtualization tool is what makes the deal between yours and mine implementation Whatever comes to mind to make clear on this situation - i would be glad to see your reply thanks for your time!

@@jeFF0Falltrades finally i figured out REMnux installation and further configuration, thanks for detailed sections of setting up the REMnux machine Right now I have challenge with establishing the connection between REMnux (burpsuite) and Windows victims's machine, don't get any reply on 10.10.10.3:8080 i rewatched and rechecked all sections in tutorial (before this section about connection) but have the same issue Btw i use VMware pro 17 on Windows 10 machine, maybe this difference makes the deal, but i doubt it, So, if you have any ideas - please let me know And congratulations on being a dad and 11k subs, i really enjoy watching your content!

@@ghaBBster Thank you so much for the kind words, and congrats on the progress!!! Regarding the connectivity: Are you able to do a simple ping from the windows to the remnux machine? Or pull a regular page by opening the browser and going to any site (while inetsim is running)? If so, we can move on to Burp troubleshooting; if not it may be a broader networking issue between your VMs. Let me know and we can work through it.

@@_________________404 Would likely be easier to make a GUI for the Python script, package it into a static executable, and then just make the user point to their instance of RCT to do the patching appropriately; You might be able to package them both together in one EXE, but it would get messy with addressing and modifying the original executable.

@@LinuxIsBetter43 Yeah that’s fair enough! In this case, since I wasn’t running from main() (and I also wasn’t too concerned with the result) I just chose 0, but best practice would probably be to raise an exception and /or return a clearly defined value to express something went wrong.

@@jeFF0Falltrades Good point. Raising exception and then handling it. Also, if we're talking, I thought it would be good to add a little explanation on bit shifting and multiplication by power of 2. You don't mention it, but I think this could be a good little addition.

@@ihacksi Hint: Don’t just look for static imports - look for things loaded dynamically. One of the tools in this video might provide a shortcut 😉 Great work! Get your name on that wall! Come on back if you get stuck, but I think you’ll get it.

@@jeFF0Falltrades Question 2-3 still remains, went and tried all the dlls imported in runtime but no luck. Is the crackme doing something different in your environment? I tried with network/no network and procmon output only reveals two file activities you asked in the later questions.

@@ihacksi I will say this: The crackme executable does NOT adhere to the typical DLL loading you see in C/C++ binaries...so if you are looking at typical calls to APIs that you're used to seeing when looking for loaded DLLs, you probably won't turn up much in this particular case. But there is a DLL there. Perhaps something else could help in finding it.

@@jeFF0Falltrades Thanks, I found the dll using the tool mentioned on video. So procmon only lists the known dlls called from the disk/system then? In memory executions are stealthy.

@@ihacksi I believe it’s because procmon monitors for the same few calls to known system DLLs (LoadLibrary, GetProcAddress, etc.) to monitor for DLL activity, whereas this binary uses a different implementation to load the DLL into memory, so it flies under the radar of many tools. Great work! I see your name on the wall now!!!

@@danielabay01 So glad you are enjoying them! Thanks so much for the kind words and for being here!

@@M3STERL3G3ND So glad you think so ❤️ Really appreciate you watching, and the kind words

@@RichardBejtlich Thank you so much for the kind words and so glad you enjoyed!

@@RichardBejtlich HOLD ON!

@@RichardBejtlich I just realized: Are you Corelight’s Richard Bejtlich?! EDIT: I’m now 99% certain you are! I just wanted to let you know that I appreciate your work, especially as believe it or not, I am a successor to your work on the CIRT at GE Aero 😂 I was going crazy wondering why your name sounded so familiar and that’s why!

@@LinuxIsBetter43 For the #US stream length? I believe it’s bytes - a string of <128 bytes results in 1 length byte, otherwise it gets 2. Let me know if you were referring to something else - thanks for watching and congrats on chugging right along!

@@jeFF0Falltrades You are correct. I just confused myself. Strings are measured in bytes, but in his comment there was binary in parenthesis, so it got in my head =)

@@jeFF0Falltrades I do have a question though. Later on you go to say that if 80 flag is set, then the actual length will be the following byte. What happens if the string is even longer than 255 bytes? Do we get another 80 flag and another length bit?

@@LinuxIsBetter43 No worries - I wouldn’t have been surprised in the least if I had misspoken because…well just keep watching my videos and you’ll see that it’s not uncommon 😂

@@jeFF0Falltrades No worries. BTW, RE my question above, AI says that it would be preceded by the 80 flag, and then the next 4 bytes are the length of the string (I asked about 300 byte of string for example), so it said there would be something like 80 2C 01 00 00. Idk maybe incorrect, here we see only 1 byte after 80, but maybe it's not writing them for optimisation purposes.

@@dynaspinner64 So glad you’ve enjoyed it! I hope it’s eased your entry into the domain and I hope you continue to learn! Thanks for watching 🙏

Yeah I've racked my brain with this every time I see an AsyncRAT sample. I've looked at the source code itself, debugged, and run it by others, and still don't have a great explanation. Even the LLMs I've put the code through always say: "This line seems like a mistake" X-D You're right in that memoryStream will vary with the input, so some values are 64 bytes, others 128, and still others 736 bytes, for example. So array3 still gets allocated to different sizes depending on the length of input - not any hardcoded value - and that size is always a bit more than needed for the actual decrypted data. I'm of the mind that either: 1) They intentionally did this to leave a buffer at the end of array3 (though it doesn't make sense because at most array3.Length bytes will be read every time) 2) It's a mistake 3) I'm missing something crucial here haha

@@jeFF0Falltrades Sounds good. To me it looks like they were a bit lazy, so they took a relatively big buffer to prevent memory leaking=). I want to thank you for the great content as well!

@@LinuxIsBetter43 Yep, you are probably onto something 😂 And thanks so much for your kind words and engagement! So glad you enjoyed!

Thank you! So glad you enjoyed!

@@dewmi4403 So glad you enjoyed! RCT never dies

Tq jeff❣️

You are absolutely correct - thanks for reporting this! It was a validation typo. Good news is 1) It's fixed now and 2) This must mean you are among the first to get the crackme completed!

There it is! Congratulations and well done!!!

@@jeFF0Falltrades thank you! It was really fun solving the challenges!

@@lukefidalgo8154 Glad to hear it! I'm always nervous leading up to a release b/c I have a lot of fun making them and testing them out, and there's always the "Ah damn, is this going to be something that's just fun for *me*?" X-D So glad you enjoyed!

@@wittingsun7856 Great suggestion! I wanted to start with the basics, but I think a follow-up video with more advanced techniques is called for, too. I’ll add that to the list :-)

@@jeFF0Falltrades I'm happy to hear this, it definitely can't miss 😎

@@xiaonguyen6693 Great question! Some families might have “stoplists” of processes they might monitor for and stop working if they detect them running written into the malware program, as an anti-sandbox measure. But it’s very easy to bypass this as the analyst: In fact, there’s a blog post on Medium by Mohammed Dief that’s a good example of this where he just changes a few attributes of the procmon executable to bypass a video game (of all things) program that checks for procmon as an anti-debug measure. So what I would say is: If it looks like a piece of malware is not running fully or you’re not getting results you expect, either throw it in a debugger like we do with Royal ransomware here to find out more OR, more simply, just experiment with your monitoring tools to see if closing one of them changes the behavior of the malware. That’s the benefit of using a hands-on lab, vs. a fully automated one. Thanks and good thinking!

@@Jarvx Stahppppp 🥰 Seriously thanks for watching and being here 🙏

@@micha7863 Thanks so much and thanks for being here 🙏

Yeah I think we’ll be due for another game-based video soon as many people (myself included) have so much fun with those, and they are great for learning the basics while keeping things fun. Thanks for the suggestion!

@@CrusaderMen Thank *you*! I hope you enjoy this one too

@@0ri0nexe Man you made my day hahaha. I’m in the middle of finishing up editing Part 2 (which I can say DEFINITIVELY will be out tomorrow AM, Eastern Time), and I really needed this motivation. Thanks for being a great hype man and I am glad you find the tools useful! I’m so happy to finally share my lab setup as it’s been good to me all these years.

​@@jeFF0Falltrades Two videos in a row, what a time to be alive.

@@0ri0nexe 🤣

YES!!! I'm so happy for you because that book is a treat. And you'll find my set up is very akin to the one in the book, so I hope this complements it well :-). Also, if you're interested, No Starch Press just this month came out with another book called "Evasive Malware" that I call out in this video. I haven't read through all of it yet, but what I have read has been really good! Thanks for watching and I hope you enjoy both this and PMA!

The alien book is top tier :)

Thanks so much on both accounts, and thanks for being here!

@@micha7863 thanks for attesting to the unattended installation stuff as well - as you’ll see (if you haven’t already) it DOES cause issues for me as well 🥴

@@jeFF0Falltradesoh ok, i was commenting while watching, thanks again!

I figured haha. Didn't mean to spoil it for you, but yeah, had quite a few "live" troubleshooting instances with VirtualBox/Windows

@@b213videoz Nej det vill du inte 😉😂 There are much better Swedish teachers, I’ll just stick to my machine languages thanks 😆 Thanks for watching as always!

Thanks again for this (and I mean sincerely - I appreciate candid feedback and I get scared when I only hear praise or general feedback) and your other comments. I'll also add these clarifications to the pinned comment in hopes that will help others who may have been confused by these segments: 25:08: Apologies for not calling it out; You're right in that it's important for beginners to understand the "why", and I think I was focused on switching to demo'ing it in the debugger and glossed over the extra instruction: This kind of "duplicative instruction" can happen due to compiler optimizations - Different compilers can hold themselves to different "guarantees" and rules around how they compile code, and I think in this instance, we humans can see that the extra instruction is not needed, but the compiler decided for some reason to include it. Why? It's very difficult to say without knowing a LOT about how the compiler is written to work. It could be accounting for optimizations in speed, or scheduling of instructions, or because it uses some standard pattern of instructions for this type of loop, and applies those rules regardless. 25:45: Apologies again as I was not as focused on the decompilation view vs the disassembly view in this segment. To answer your questions: The 0x34 is added to ESP because that happens to be where this array was placed on the stack by the compiler: 0x34 == 52 in decimal, which divided by 4 bytes is 13, so you can think of it as there are 13 other 4-byte segments between ESP and the array, which are other values on the stack. But put more plainly, the array starts at 0x34 past ESP, so we must add 0x34 PLUS our index*4 bytes (because every int is 4 bytes) to access each element of the array. Now (2) and (3) of your question are interesting: The additional "+ 3" of the decompilation you see there does not appear in other decompilers I used, and it's likely just a case of the decompiler "hallucinating" - meaning that it tried to decompile this segment, but realized the way it decompiled the address to the array was out of alignment, and so it compensated by just tacking on a "+ 3" to make the math work. Sounds silly, but this is why decompilers are not perfect. To see this practically, you can check the values in the debugger: The decompiler says that auStack_4f should be at EBP-0x4f But in the debugger, if EBP is at address 0x9FFB98, EBP-0x4f would be at 0x9FFB49, which is right after the first byte of a DWORD, so the decompiler adds 3 more bytes to align the array to the start of the next DWORD (4-byte) address. In reality, the array starts at EBP-0x44 in the debugger. That value makes more sense because according to our disassembly and decompiler math: auStack_4f + 3 should equal ESP+0x34 auStack_4f+3 should actually be auStack_44 because when we make that change, the math works: ESP == EBP-0x78 auStack_44 == ESP+0x34 == EBP-0x44== EBP-0x78+34 == EBP-0x44 == EBP-0x44 So why did the decompiler misinterpret the disassembly? Again, could be a number of reasons based on the decompiler logic/optimizations. I know that was a long answer to a short question, but please let me know if that helps, and I will add this to the correction pinned comment as well - Thank you again for calling out some great clarifying points!