Classroom Contents
Binee - Complete Emulation of Advanced Malware
- 1 Intro
- 2 The Problem: getting information from binaries. Each sample contains some total set of information; our goal is to extract as much of it as possible
- 3 Our Goal: Reduce cost of information extraction
- 4 The How: Emulation
- 5 Existing PE Emulators
- 6 Requirements: What are we adding/extending from current work?
- 7 Build hook table by linking DLLs outside emulator
- 8 Overcoming Microsoft's ApiSet abstraction layer: parse ApiSetSchema.dll (multiple versions) and load the proper real DLL
- 9 What is the minimum that the malware needs in order to continue proper execution?
- 10 Requirements for hooking
- 11 Two types of hooks in Binee
- 12 Example: Entry point execution
- 13 Userland structures, TIB/PEB/kshareduser
- 14 Starting with the Mock File System
- 15 Creating Files in the Mock File Subsystem
- 16 Mock Registry Subsystem
- 17 Configuration files define the OS environment quickly
- 18 Mocked Threading: a round-robin scheduler approximately simulates a multi-threaded environment
- 19 Increasing fidelity with proper DllMain execution
- 20 ROP Gadgets - an easy shortcut to loading DLLs
- 21 How can I get started?
- 22 Implement a missing hook: an example
- 23 Implement a missing hook: function documentation SearchPathA function
- 24 Implement a missing hook: create a full hook
- 25 Implement a missing hook: rinse, repeat