Video Summary
The video discusses the unpacking and analysis of the LockBit 3 ransomware executable. The presenter explores various functions within the binary, focusing on API resolution techniques that malware might employ to obfuscate its behavior.
Key Points
- The video begins with an introduction to unpacking the LockBit 3 executable and the importance of basic binary analysis.
- It points out the lack of strings and imports in the malware, which is typical of a packed binary.
- The presenter demonstrates how to synchronize the disassembly view with the pseudocode view to grasp the functionality better.
- The resolving function takes two arguments and resolves API calls through precomputed hashes rather than named string imports, which complicates analysis.
- Recursive calls are examined to understand the process of resolving API functions within the malware binary.
- Functions such as `LdrGetProcedureAddress` and `LdrLoadLibrary` from ntdll are used instead of the more common Windows API counterparts, demonstrating a less usual approach to API resolution.
- The video concludes with a preview of analyzing how the malware constructs checksums and walks through export tables of DLLs in memory.
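The export-table walk previewed in the last key point, as an added example that is not code from the video or from LockBit: it parses IMAGE_EXPORT_DIRECTORY from a mapped image and builds a hash-to-name table, which is how an analyst turns a precomputed API hash back into a readable name during analysis. The hash function (`ror13_hash`, a placeholder since the page does not give LockBit's actual checksum), the constructed image (`build_fake_image`, `SAMPLE_EXPORTS`), and starting from a known export RVA rather than parsing the PE headers are all assumptions of this example.

```python
import struct
from typing import Callable, Dict, List, Optional, Tuple

def ror13_hash(name: str) -> int:
    """Placeholder ROR13 checksum; the page does not say which algorithm LockBit uses."""
    h = 0
    for ch in name.encode("ascii"):
        h = (((h >> 13) | (h << 19)) + ch) & 0xFFFFFFFF
    return h

def walk_exports(image: bytes, export_rva: int,
                 hasher: Callable[[str], int]) -> Dict[int, Tuple[str, int]]:
    """Return {hash(name): (name, func RVA)} from IMAGE_EXPORT_DIRECTORY (RVA == offset here)."""
    # At +0x18: NumberOfNames, AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals
    n_names, funcs, names, ords = struct.unpack_from("<IIII", image, export_rva + 0x18)
    table = {}
    for i in range(n_names):
        name_rva = struct.unpack_from("<I", image, names + 4 * i)[0]
        name = image[name_rva:image.index(b"\x00", name_rva)].decode("ascii")
        idx = struct.unpack_from("<H", image, ords + 2 * i)[0]   # unbiased function index
        func_rva = struct.unpack_from("<I", image, funcs + 4 * idx)[0]
        table[hasher(name)] = (name, func_rva)
    return table

def build_fake_image(exports: List[Tuple[str, int]]) -> Tuple[bytes, int]:
    """Constructed sample: a minimal 'mapped image' with only an export directory (no PE headers)."""
    n, dir_rva = len(exports), 0x1000
    funcs = dir_rva + 0x28            # export directory is 40 bytes
    names, ords = funcs + 4 * n, funcs + 8 * n
    img = bytearray(ords + 2 * n)     # name strings are appended after the tables
    # Characteristics, TimeDateStamp, Major/MinorVersion, Name, Base, NumberOfFunctions, NumberOfNames, tables
    struct.pack_into("<IIHHIIIIIII", img, dir_rva, 0, 0, 0, 0, 0, 1,
                     n, n, funcs, names, ords)
    for i, (name, func_rva) in enumerate(exports):
        struct.pack_into("<I", img, funcs + 4 * i, func_rva)
        struct.pack_into("<I", img, names + 4 * i, len(img))
        struct.pack_into("<H", img, ords + 2 * i, i)
        img += name.encode("ascii") + b"\x00"
    return bytes(img), dir_rva

# Constructed ntdll-like export set (sorted, as real name tables are); RVAs are made up.
SAMPLE_EXPORTS = [("LdrGetProcedureAddress", 0x2100), ("LdrLoadDll", 0x2200), ("NtClose", 0x2300)]

def resolve(h: int) -> Optional[Tuple[str, int]]:
    """Look one precomputed hash up the way an analyst's hash table would."""
    image, rva = build_fake_image(SAMPLE_EXPORTS)
    return walk_exports(image, rva, ror13_hash).get(h)

if __name__ == "__main__":
    for name, _ in SAMPLE_EXPORTS:
        print(f"{ror13_hash(name):08x} -> {resolve(ror13_hash(name))}")
```

Swapping `ror13_hash` for the checksum recovered from the sample turns this into a lookup table for every hashed call site in the binary.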
Youtube Channel: Dr Josh Stroschein – The Cyber Yeti
Video Published: 2024-09-21T16:00:50+00:00
Video Description:
In part 3, we'll take a look at how Lockbit performs runtime linking, which amounts to how it will dynamically build its import table. Understanding how this is done is often the key to reversing programs; without understanding which Windows APIs it is using, it is often very difficult to understand program behavior. To help add additional layers of obfuscation, Lockbit also uses precomputed values instead of strings, but with a twist. See what Lockbit is up to in this video!
Cybersecurity, reverse engineering, malware analysis and ethical hacking content!
2:13 Finding evidence of runtime linking
3:59 Precomputed hashes/checksums and what they are used for
6:09 Building context around how APIs will be imported
9:45 Another layer deeper
11:18 Using recursion to dynamically resolve APIs
12:17 Stepping through the code in a debugger