Class Central Classrooms beta
YouTube videos curated by Class Central.
Classroom Contents
Binee - Complete Emulation of Advanced Malware
- 1 Intro
- 2 The Problem: getting information from binaries. Each sample contains some total set of information; our goal is to extract as much of it as possible
- 3 Our Goal: Reduce cost of information extraction
- 4 The How: Emulation
- 5 Existing PE Emulators
- 6 Requirements: What are we adding/extending from current work?
- 7 Build hook table by linking DLLs outside emulator
- 8 Overcoming Microsoft's ApiSet abstraction layer: parse ApiSetSchema.dll (multiple versions) and load the proper real DLL
- 9 What is the minimum that the malware needs in order to continue proper execution?
- 10 Requirements for hooking
- 11 Two types of hooks in Binee
- 12 Example: Entry point execution
- 13 Userland structures, TIB/PEB/kshareduser
- 14 Starting with the Mock File System
- 15 Creating Files in the Mock File Subsystem
- 16 Mock Registry Subsystem
- 17 Configuration files define the OS environment quickly
- 18 Mocked Threading: a round-robin scheduler approximately simulates a multi-threaded environment
- 19 Increasing fidelity with proper DllMain execution
- 20 ROP Gadgets - an easy shortcut to loading DLLs
- 21 How can I get started?
- 22 Implement a missing hook: an example
- 23 Implement a missing hook: function documentation (SearchPathA function)
- 24 Implement a missing hook: create a full hook
- 25 Implement a missing hook: rinse, repeat