Protect your business with Huntress: https://ntck.co/huntress
A chill, ask me anything, with some coffee.
*Sponsored by Huntress
In part 04, we’ll take a close look at how Lockbit, and many other malware families, locate and use the PEB to identify in-memory DLLs. This allows for the malware to find libraries and functions it needs during runtime, while also avoiding using the pre-declared import table. This makes it more challenging for basic analysis and reverse engineering, as we have to initially investigate how these functions are being resolved. You’ll also begin to see some additional twists that Lockbit adds to this process by using seeds…
Join this channel to get access to perks:
https://www.youtube.com/channel/UCI8zwug_Lv4_-KPT62oeDUA/join
Cybersecurity, reverse engineering, malware analysis and ethical hacking content!
Courses on Pluralsight: https://www.pluralsight.com/authors/josh-stroschein
YouTube: Like, Comment & Subscribe!
Support my work: https://patreon.com/JoshStroschein
Follow me: https://twitter.com/jstrosch, https://www.linkedin.com/in/joshstroschein/
Tinker with me on Github: https://github.com/jstrosch
Join the Discord community and more: https://www.thecyberyeti.com
0:16 Finding the PEB reference
2:35 Accessing PEB structure members
4:17 Viewing relevant structures in WinDbg
12:00 Adding structures in IDA
Hacking the Nintendo Switch with a paperclip
#nintendo #gaming #playstation #hack #nintendoswitch
Listen to the full episode: Darknet Diaries Ep. 136 Team Xecuter
OPEN FOR LINKS TO ARTICLES TO LEARN MORE
@endingwithali
Twitch: https://twitch.tv/endingwithali
Twitter: https://twitter.com/endingwithali
YouTube: https://youtube.com/@endingwithali
Everywhere else: https://links.ali.dev
Want to work with Ali? [email protected]
Join the Patreon: https://patreon.com/threatwire
0:00 0 – Intro
0:11 1 – YubiKey Vulnerability Finally Found
03:26 2 – X/Twitter Banned in Brazil
05:12 3 – Internet Archive Cannot Lend Books
06:45 4 – Outro
LINKS
Story 1: YubiKey Vulnerability Finally Found
https://ninjalab.io/eucleak/
https://findbiometrics.com/yubikeys-can-be-hacked-but-it-costs-about-11k/
https://www.yubico.com/support/security-advisories/ysa-2024-03/
https://arstechnica.com/information-technology/2021/01/hackers-can-clone-google-titan-2fa-keys-using-a-side-channel-in-nxp-chips/
https://arstechnica.com/security/2024/09/yubikeys-are-vulnerable-to-cloning-attacks-thanks-to-newly-discovered-side-channel/?utm_source=dlvr.it&utm_medium=linkedin
Story 2: X/Twitter Banned in Brazil
https://techcrunch.com/2024/08/30/top-court-orders-ban-on-elon-musks-x-in-brazil/
https://apnews.com/article/brazil-musk-x-platform-moraes-shutdown-6942614705a4e85064f1d98628b49295
https://www.nytimes.com/2024/09/08/world/americas/brazil-x-ban-business-community.html
https://platformer.news/x-ban-brazil-musk-moraes/
https://abcnews.go.com/International/wireStory/musks-banned-brazil-users-carve-new-digital-homes-113422110
Story 3: Internet Archive Cannot Lend Books
https://documentcloud.org/documents/25091194-internet-archive-appeal?responsive=1&title=1
https://www.theverge.com/2024/9/4/24235958/internet-archive-loses-appeal-ebook-lending
https://blog.archive.org/national-emergency-library/
Our Site: https://www.hak5.org
Shop: http://hakshop.myshopify.com/
Community: https://www.hak5.org/community
Subscribe: https://www.youtube.com/user/Hak5Darren?sub_confirmation=1
Support: https://www.patreon.com/threatwire
Contact Us: http://www.twitter.com/hak5
____________________________________________
Founded in 2005, Hak5’s mission is to advance the InfoSec industry. We do this through our award-winning educational podcasts, leading pentest gear, and inclusive community, where all hackers belong.
A guide on how to do fuzzing with AFL++ in an attempt to rediscover the libwebp vulnerability CVE-2023-4863 that was used to hack iPhones.
Want to learn hacking? Signup to https://hextree.io (ad)
Buy my shitty font: https://shop.liveoverflow.com/ (ad)
Watch webp Part 1: https://www.youtube.com/watch?v=lAyhKaclsPM
Sudo Vulnerability Series: https://www.youtube.com/playlist?list=PLhixgUqwRTjy0gMuT4C3bmjeZjuNQyqdx
Docker Video: https://www.youtube.com/watch?v=-YnMr1lj4Z8
OSS-Fuzz: https://github.com/google/oss-fuzz
OSS-Fuzz libwebp coverage: https://storage.googleapis.com/oss-fuzz-coverage/libwebp/reports/20230901/linux/src/libwebp/src/utils/report.html
AFLplusplus: https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/fuzzing_in_depth.md
vanhauser’s blog: https://www.srlabs.de/blog-post/advanced-fuzzing-unmasks-elusive-vulnerabilities
vanhauser/thc on twitter: https://twitter.com/hackerschoice
AFLpluslus Persistent Mode: https://github.com/AFLplusplus/AFLplusplus/blob/0c054f520eda67b7bb15f95ca58c028e9b68131f/instrumentation/README.persistent_mode.md
Grab the code: https://github.com/LiveOverflow/webp-CVE-2023-4863
=[ Support ]=
Find out how you can support LiveOverflow: https://liveoverflow.com/support/
=[ Social ]=
2nd Channel: https://www.youtube.com/LiveUnderflow
Twitter: https://twitter.com/LiveOverflow/
Streaming: https://twitch.tv/LiveOverflow/
TikTok: https://www.tiktok.com/@liveoverflow_
Instagram: https://instagram.com/LiveOverflow/
Blog: https://liveoverflow.com/
Subreddit: https://www.reddit.com/r/LiveOverflow/
Facebook: https://www.facebook.com/LiveOverflow/
Chapters:
00:00 – Intro
00:36 – How to Learn About Fuzzing?
02:36 – Setting Up Fuzzing With AFL++
04:53 – My Docker Workflow for Fuzzing
06:35 – AFL++ Different Coverage Strategies
09:50 – Start the libwebp Fuzzing Campaign
11:58 – Adjusting the Fuzzer
13:45 – Why Don’t We Find a Crash?
15:49 – Fuzzing with AFL++ Persistent Mode
19:47 – Persistent Mode Fuzzing Results
20:46 – Finding the Vulnerability in 8s
With Large Language Models becoming used across all areas of computing, security researcher Dr Tim Muller explores how they can be used for all kinds of unintended purposes.
https://www.facebook.com/computerphile
https://twitter.com/computer_phile
This video was filmed and edited by Sean Riley.
Computer Science at the University of Nottingham: https://bit.ly/nottscomputer
Computerphile is a sister project to Brady Haran’s Numberphile. More at https://www.bradyharanblog.com
Thank you to Jane Street for their support of this channel. Learn more: https://www.janestreet.com
// Membership //
Want to learn all about cyber-security and become an ethical hacker? Join this channel now to gain access into exclusive ethical hacking videos by clicking this link: https://www.youtube.com/channel/UC1szFCBUWXY3ESff8dJjjzw/join
// Courses //
Full Ethical Hacking Course: https://www.udemy.com/course/full-web-ethical-hacking-course/
Full Web Ethical Hacking Course: https://www.udemy.com/course/full-web-ethical-hacking-course/
Full Mobile Hacking Course: https://www.udemy.com/course/full-mobile-hacking-course/
// Books //
Kali Linux Hacking: https://amzn.to/3IUXaJv
Linux Basics for Hackers: https://amzn.to/3EzRPV6
The Ultimate Kali Linux Book: https://amzn.to/3m7cutD
// Social Links //
Website: https://www.loiliangyang.com
Facebook: https://www.facebook.com/Loiliangyang/
Instagram: https://www.instagram.com/loiliangyang/
LinkedIn: https://www.linkedin.com/in/loiliangyang/
// Disclaimer //
Hacking without permission is illegal. This channel is strictly educational for learning about cyber-security in the areas of ethical hacking and penetration testing so that we can protect ourselves against the real hackers.
Explore the podcast: https://ibm.biz/BdaFzL
Virtual agents have been part of our lives for a long time, but can they replace humans as they become faster and more accurate with generative AI? Listen to host Albert Lawrence discuss the evolution of AI agents with Susan Emerson, Vice President of Product, AI and Data at Salesforce and Nick Renotte, Chief AI Engineer at IBM Client Engineering.
The State of Salesforce 2024–25: https://ibm.biz/BdaFzQ
Your guide to AI for customer service: https://ibm.biz/BdaFz3
IBM Salesforce services: https://ibm.biz/BdaFzT
Get weekly AI, cloud, security and sustainability industry news, events and insights: https://ibm.biz/BdaFzw
Download the guide to learn more about what Granite is: https://ibm.biz/BdK7wZ
Learn more about AI solutions: https://ibm.biz/BdK7wY
Martin Keen discusses the importance of selecting the right large language model (LLM) for enterprise use, highlighting three key metrics: performance, cost-effectiveness, and trustworthiness. He explores the IBM Granite Foundation models, which are designed to meet these requirements, offering transparency, scalability, and efficiency.
AI news moves fast. Sign up for a monthly newsletter for AI updates from IBM: https://ibm.biz/BdK7w2
This series is designed to get you hands-on reversing some of the anti-analysis techniques found in Lockbit 3.0, also known as Lockbit Black. This series will be broken down into several videos to help make the content easier to follow. Part 01 will start with creating binaries using the leaked LB builder. The resulting binaries it produces are the ransomware that would be used to attack organizations and gain victims. You can use the builder to generate your own binaries if you choose to follow along.
Join this channel to get access to perks:
https://www.youtube.com/channel/UCI8zwug_Lv4_-KPT62oeDUA/join
WARNING! If you follow along by creating your own binaries, ensure you have a safe analysis environment. The builder produces the real Lockbit ransomware and can cause irreversible damage to your systems!
You can find the builder on Github: hxxps://github[.]com/arosenmund/defcon32_dissecting_defeating_ransomwares_evasion
1:20 Getting the Files on Github
1:58 Builder structure
2:35 A note about the build.bat file
3:49 Building the ransomware binaries
4:15 First anti-analysis trick, a password
5:30 Some serious safety reminders!
6:30 Using IDA’s cloud decompiler
To really see the stack come alive, it’s best viewed in a debugger during program execution. In this video, we’ll do just that. Using a simple program and IDA’s built-in debugger, we’ll trace several function calls to view how the stack is used. We’ll also pay special attention to calling conventions and stack frames to see what happens to those frames as other functions are called and when functions “unwind”.
Join this channel to get access to perks:
https://www.youtube.com/channel/UCI8zwug_Lv4_-KPT62oeDUA/join
2:56 Starting a debug session
3:37 Pushing Arguments onto the Stack
5:53 Calling another function
7:30 The epilogue
Gathering important indicators of compromise from unknown files is a crucial first step when responding to an incident or performing malware analysis. ANY.RUN is one of my go-to tools to help with this task. ANY.RUN provides quick and safe initial assessment. This cloud-based sandbox environment allows me to detonate the file in a controlled setting, observing its behavior from a browser. ANY.RUN’s rapid triage analysis provides valuable insights like network activity, suspicious file creations, and API calls. This initial intel helps me prioritize potential threats and determine if a deeper, more time-consuming analysis is necessary.
Sign up for ANY.RUN to use interactive malware analysis:
https://app.any.run/?utm_source=youtube&utm_medium=video&utm_campaign=thr-cyber-yeti&utm_content=register&utm_term=180924#register
Integrate ANY.RUN solutions into your company:
https://any.run/demo/?utm_source=youtube&utm_medium=video&utm_campaign=thr-cyber-yeti&utm_content=demo&utm_term=180924
Join this channel to get access to perks:
https://www.youtube.com/channel/UCI8zwug_Lv4_-KPT62oeDUA/join
1:46 Today’s sample
3:08 Public reports and tags
3:52 Submitting for public analysis
5:08 Running analysis
6:04 Extending analysis run-time
6:36 Interactive desktop session
7:23 Threats tab – aka Suricata alerts
9:01 Investigating HTTP request/response content
11:45 What we’ve found so far
12:20 Viewing DNS queries
13:45 Leveraging tags to speed up analysis
15:58 Process details
16:08 Config extraction – XOR encrypted URLs
16:55 Summarizing IOCs
17:52 Process graph
18:25 Enhancing understanding with previous reporting
Part 02 picks up by spending a little time performing basic triage analysis on the resulting ransomware binaries that we produced from the builder in part 01. I rarely skip this step as it often yields important insights into what you may be considering reversing. In this video, we’ll use Detect-It-Easy to look at PE file characteristics and use entropy to identify signs of packing. We’ll then compare the obfuscated and unobfuscated binaries together and even go through dumping the obfuscated version using x64dbg and scylla.
Join this channel to get access to perks:
https://www.youtube.com/channel/UCI8zwug_Lv4_-KPT62oeDUA/join
WARNING! If you follow along by creating your own binaries, ensure you have a safe analysis environment. The builder produces the real Lockbit ransomware and can cause irreversible damage to your systems!
1:01 What do the strings tell us?
3:40 Viewing strings in the obfuscated version
4:13 Using DIE to view imports
7:13 Analyzing the obfuscated version
9:35 Comparing versions with IDA Pro
14:35 Unpacking the obfuscated version with x64dbg
In part 3, we’ll take a look at how Lockbit performs runtime linking, which amounts to how it dynamically builds its import table. Understanding how this is done is often the key to reversing programs: without knowing which Windows APIs a program is using, it is very difficult to understand its behavior. To add further layers of obfuscation, Lockbit also uses precomputed values instead of strings, but with a twist. See what Lockbit is up to in this video!
Join this channel to get access to perks:
https://www.youtube.com/channel/UCI8zwug_Lv4_-KPT62oeDUA/join
2:13 Finding evidence of runtime linking
3:59 Precomputed hashes/checksums and what they are used for
6:09 Building context around how APIs will be imported
9:45 Another layer deeper
11:18 Using recursion to dynamically resolve APIs
12:17 Stepping through the code in a debugger