Скачать с ютуб Ghidra: Shadow Hammer (Stage 1: Setup.exe) complete static Analysis в хорошем качестве

Ghidra: Shadow Hammer (Stage 1: Setup.exe) complete static Analysis

This is a complete static analysis of the Shadow Hammer Stage 1 Setup.exe. The Ghidra project is available either as a shared project in the rManganese repository on the ghidra-server.org Ghidra server (see    • Ghidra: Server / Shared Projects (using gh...   on how to use this repository) or as a download from https [://] anonfile [.] com [/] 57Uan9ifne [/] ShadowHammer_2019_04_24_gar (WARNING: This is real malware!). Materials used in the video: Scripts: https://github.com/0x6d696368/ghidra_... Data Type Archives: https://github.com/0x6d696368/ghidra-... Terminus website: http://terminus.rewolf.pl/terminus/ There is now a simple stack string reassembly script: https://github.com/0x6d696368/ghidra_... Video Contents: 00:00 - Intro 00:30 - Importing and fixing PE header (to workaround Ghidra bug) 01:40 - Quick dynamic analysis 02:16 - START of static analysis 08:21 - Finding injected shellcode (called from _crtExitProcess) 09:38 - START of analyzing shellcode 12:20 - Decoder function (to decode resource) 16:15 - START analysis of code decoded from resource 16:50 - Resolving kernel32.dll via TIB traversal 22:09 - getAddrByHash (import hiding code) 25:43 - Brute forcing function import hashes 29:37 - import resolution function (calling getAddrByHash over 5 libraries) 33:58 - START analyzing payload (target selector and C2) 35:18 - getAdapterAddresses + MD5 + comparing to target list 37:00 - Code that is executed when not a target 38:28 - C2 (code that is executed when in target list) 39:48 - END of analysis; talking about Ghidra 40:59 - END of video ERRATA: At 14min07sec - 0x10 is 16byte not 32 ... but it didn't make a difference, so the error went unnoticed. Edit (20200216): Someone informed me that I probably made that mistake because the code allocated 32 bytes, but then only decoded 16 bytes.