Video Summary
The video discusses the process of resolving function pointers from a DLL by walking the export table and computing checksums for the function names. It highlights the key steps involved in analyzing this process using decompilation techniques and dynamic analysis.
Key Points
- The process starts by computing a checksum for the DLL name using the PE structure.
- Function pointers are resolved by traversing the export table of the DLL.
- The computed checksum is utilized to validate function names against a desired checksum.
- The pseudo code representation aids in understanding the byte-level operations and transformations.
- The video emphasizes the importance of confirming findings through both static and dynamic analyses in debugging.
- Understanding how API names are matched and how function pointers get resolved is critical for reverse engineering.
- There is mention of setting breakpoints during debugging to ensure accurate tracking of function calls and returned pointers.
- The video sets the stage for further exploration of additional functions and their interactions with the memory heap.
Youtube Channel: Dr Josh Stroschein – The Cyber Yeti
Video Published: 2024-10-01T18:00:10+00:00
Video Description:
Part 6 continues to explore runtime-linking by seeing how Lockbit not only uses the EXPORT_DIRECTORY structure to find APIs, but also how it uses the DLL name seed to compute the checksum values to identify necessary APIs.
Join this channel to get access to perks:
https://www.youtube.com/channel/UCI8zwug_Lv4_-KPT62oeDUA/join
,
Cybersecurity, reverse engineering, malware analysis and ethical hacking content!
π Courses on Pluralsight ππ» https://www.pluralsight.com/authors/josh-stroschein
πΆοΈ YouTube ππ» Like, Comment & Subscribe!
ππ» Support my work ππ» https://patreon.com/JoshStroschein
π Follow me ππ» https://twitter.com/jstrosch, https://www.linkedin.com/in/joshstroschein/
βοΈ Tinker with me on Github ππ» https://github.com/jstrosch
π€ Join the Discord community and more ππ» https://www.thecyberyeti.com
0:38 Seed from DLL name
1:20 Computing checksum from API name
4:00 Getting the API name
4:36 Using the export directory structure
5:40 Starting in the export directory
8:00 Debugging to see API names
10:09 When a precomputed value matches
12:00 Easy button to find APIs