Short Summary
The video covers how malware resolves APIs without an import table: it reads the Process Environment Block (PEB), follows it to the loader data (PEB_LDR_DATA) and walks the doubly linked lists of LDR_DATA_TABLE_ENTRY records to locate DLLs already mapped into the process. It stresses that the three module lists (load order, memory order and initialization order) link the same entries through different fields, so the list being walked determines the offset arithmetic needed to reach a module's base address and name.
Key Points
- The video resumes from the earlier API-resolution parts, where the sample recursively resolves the APIs it needs at runtime instead of declaring them in its import table.
- Introduces the PEB (Process Environment Block) and shows that the sample computes the offsets of the PEB members it reads arithmetically rather than using the offsets directly, which hides the access from simple static analysis.
- Walks from the PEB to its Ldr member (PEB_LDR_DATA) and from there into the linked lists of loaded modules (LDR_DATA_TABLE_ENTRY records).
- Explains why keeping the structure definitions in view while reading the disassembly matters: a raw offset such as an access at +0x18 only makes sense once it is tied to a named member.
- Highlights the three lists in PEB_LDR_DATA (InLoadOrderModuleList, InMemoryOrderModuleList and InInitializationOrderModuleList): each links the same LDR_DATA_TABLE_ENTRY records through a different LIST_ENTRY field, so the displacement from a list link to fields such as DllBase differs depending on which list the code follows.
- Uses WinDbg and its structure-display commands (the dt command on _PEB, _PEB_LDR_DATA and _LDR_DATA_TABLE_ENTRY) to confirm member offsets against a live process.
- Encourages viewers to trace the code themselves rather than rely on the walkthrough alone.
- Shows that applying the correct structure types to variables in IDA turns opaque offset arithmetic into readable member accesses in the decompiler output.
- Teases the next video, which covers what the sample does once it has found a DLL's base address.
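The list-walking point above is easy to get wrong in practice, so here is an added example that is not code from the video or from the sample it analyzes. It is a portable C model: the structure layouts are the public x64 ntdll definitions (trimmed to the members used here), the module entries and base addresses are constructed sample data, and the walk shows how the displacement from a list link to DllBase changes with the list chosen (0x30, 0x20 and 0x10 on x64, the constants commonly hard-coded in shellcode).

```c
/* Added example: model of PEB_LDR_DATA list walking (not the video's or sample's code). */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
/* UNICODE_STRING: Buffer is UTF-16LE, Length is in bytes. */
typedef struct { uint16_t Length, MaximumLength; uint16_t *Buffer; } UNICODE_STRING;

/* Public x64 layout of the members used here (offsets valid for a 64-bit build). */
typedef struct {
    LIST_ENTRY InLoadOrderLinks;            /* +0x00 */
    LIST_ENTRY InMemoryOrderLinks;          /* +0x10 */
    LIST_ENTRY InInitializationOrderLinks;  /* +0x20 */
    void      *DllBase;                     /* +0x30 */
    void      *EntryPoint;                  /* +0x38 */
    uint32_t   SizeOfImage;                 /* +0x40 */
    UNICODE_STRING FullDllName;             /* +0x48 */
    UNICODE_STRING BaseDllName;             /* +0x58 */
} LDR_DATA_TABLE_ENTRY;

typedef struct {
    uint32_t   Length;
    uint8_t    Initialized;
    void      *SsHandle;                            /* +0x08 */
    LIST_ENTRY InLoadOrderModuleList;               /* +0x10 */
    LIST_ENTRY InMemoryOrderModuleList;             /* +0x20 */
    LIST_ENTRY InInitializationOrderModuleList;     /* +0x30 */
} PEB_LDR_DATA;

enum ldr_list { LDR_LOAD_ORDER, LDR_MEMORY_ORDER, LDR_INIT_ORDER };

/* Offset of the LIST_ENTRY a given list threads through, inside LDR_DATA_TABLE_ENTRY. */
static size_t link_offset(enum ldr_list which) {
    switch (which) {
    case LDR_LOAD_ORDER:   return offsetof(LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
    case LDR_MEMORY_ORDER: return offsetof(LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
    default:               return offsetof(LDR_DATA_TABLE_ENTRY, InInitializationOrderLinks);
    }
}

/* Displacement from the link pointer the code holds to DllBase: this is the
   hard-coded constant seen in resolvers (0x30 / 0x20 / 0x10 on x64). */
size_t dllbase_offset_from_link(enum ldr_list which) {
    return offsetof(LDR_DATA_TABLE_ENTRY, DllBase) - link_offset(which);
}

static const LIST_ENTRY *list_head(const PEB_LDR_DATA *ldr, enum ldr_list which) {
    switch (which) {
    case LDR_LOAD_ORDER:   return &ldr->InLoadOrderModuleList;
    case LDR_MEMORY_ORDER: return &ldr->InMemoryOrderModuleList;
    default:               return &ldr->InInitializationOrderModuleList;
    }
}

/* Case-insensitive compare of a UTF-16LE BaseDllName against an ASCII name. */
static int name_matches(const UNICODE_STRING *u, const char *ascii) {
    size_t n = u->Length / 2;
    if (n != strlen(ascii)) return 0;
    for (size_t i = 0; i < n; i++) {
        uint16_t c = u->Buffer[i];
        if (c > 0x7f || tolower(c) != tolower((unsigned char)ascii[i])) return 0;
    }
    return 1;
}

/* Walk one of the three lists; CONTAINING_RECORD-style arithmetic recovers the entry. */
void *find_dll_base(const PEB_LDR_DATA *ldr, enum ldr_list which, const char *name) {
    const LIST_ENTRY *head = list_head(ldr, which);
    size_t off = link_offset(which);
    for (const LIST_ENTRY *e = head->Flink; e != head; e = e->Flink) {
        const LDR_DATA_TABLE_ENTRY *mod = (const LDR_DATA_TABLE_ENTRY *)((const uint8_t *)e - off);
        if (name_matches(&mod->BaseDllName, name)) return mod->DllBase;
    }
    return NULL;
}

/* Constructed sample process: an EXE plus two DLLs with made-up base addresses. */
static uint16_t g_exe[]  = {'s','a','m','p','l','e','.','e','x','e'};
static uint16_t g_ntd[]  = {'n','t','d','l','l','.','d','l','l'};
static uint16_t g_k32[]  = {'K','E','R','N','E','L','3','2','.','D','L','L'};
static LDR_DATA_TABLE_ENTRY g_mods[3];
static PEB_LDR_DATA g_ldr;

static void list_init(LIST_ENTRY *h) { h->Flink = h->Blink = h; }
static void list_append(LIST_ENTRY *h, LIST_ENTRY *n) {
    n->Flink = h; n->Blink = h->Blink; h->Blink->Flink = n; h->Blink = n;
}
static void set_name(UNICODE_STRING *u, uint16_t *buf, size_t chars) {
    u->Length = u->MaximumLength = (uint16_t)(chars * 2); u->Buffer = buf;
}

const PEB_LDR_DATA *build_sample_ldr(void) {
    memset(g_mods, 0, sizeof g_mods); memset(&g_ldr, 0, sizeof g_ldr);
    g_ldr.Length = sizeof g_ldr; g_ldr.Initialized = 1;
    list_init(&g_ldr.InLoadOrderModuleList);
    list_init(&g_ldr.InMemoryOrderModuleList);
    list_init(&g_ldr.InInitializationOrderModuleList);
    g_mods[0].DllBase = (void *)(uintptr_t)0x00400000; set_name(&g_mods[0].BaseDllName, g_exe, 10);
    g_mods[1].DllBase = (void *)(uintptr_t)0x7ffd0000; set_name(&g_mods[1].BaseDllName, g_ntd, 9);
    g_mods[2].DllBase = (void *)(uintptr_t)0x7ffc0000; set_name(&g_mods[2].BaseDllName, g_k32, 12);
    /* Load and memory order start with the EXE; initialization order holds DLLs only, ntdll first. */
    for (int i = 0; i < 3; i++) {
        list_append(&g_ldr.InLoadOrderModuleList, &g_mods[i].InLoadOrderLinks);
        list_append(&g_ldr.InMemoryOrderModuleList, &g_mods[i].InMemoryOrderLinks);
    }
    list_append(&g_ldr.InInitializationOrderModuleList, &g_mods[1].InInitializationOrderLinks);
    list_append(&g_ldr.InInitializationOrderModuleList, &g_mods[2].InInitializationOrderLinks);
    return &g_ldr;
}

int main(void) {
    const PEB_LDR_DATA *ldr = build_sample_ldr();
    printf("kernel32 via memory-order list: %p\n", find_dll_base(ldr, LDR_MEMORY_ORDER, "kernel32.dll"));
    printf("DllBase displacement from a memory-order link: 0x%zx\n", dllbase_offset_from_link(LDR_MEMORY_ORDER));
    return 0;
}
```

The walk is the same regardless of which list the malware picks; what changes is the subtraction back to the start of the record, which is why a resolver that walks InMemoryOrderModuleList reads DllBase at link+0x20 while one walking InLoadOrderModuleList reads it at link+0x30. Note also that the EXE itself is absent from the initialization-order list in this model, matching why resolvers that want ntdll first tend to use that list.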
Youtube Channel: Dr Josh Stroschein – The Cyber Yeti
Video Published: 2024-09-24T18:00:35+00:00
Video Description:
In part 04, we’ll take a close look at how Lockbit, and many other malware families, locate and use the PEB to identify in-memory DLLs. This allows for the malware to find libraries and functions it needs during runtime, while also avoiding using the pre-declared import table. This makes it more challenging for basic analysis and reverse engineering, as we have to initially investigate how these functions are being resolved. You’ll also begin to see some additional twists that Lockbit adds to this process by using seeds…
Join this channel to get access to perks:
https://www.youtube.com/channel/UCI8zwug_Lv4_-KPT62oeDUA/join
Cybersecurity, reverse engineering, malware analysis and ethical hacking content!
🎓 Courses on Pluralsight 👉🏻 https://www.pluralsight.com/authors/josh-stroschein
🌶️ YouTube 👉🏻 Like, Comment & Subscribe!
🙏🏻 Support my work 👉🏻 https://patreon.com/JoshStroschein
🌎 Follow me 👉🏻 https://twitter.com/jstrosch, https://www.linkedin.com/in/joshstroschein/
⚙️ Tinker with me on Github 👉🏻 https://github.com/jstrosch
🤝 Join the Discord community and more 👉🏻 https://www.thecyberyeti.com
0:16 Finding the PEB reference
2:35 Accessing PEB structure members
4:17 Viewing relevant structures in WinDbg
12:00 Adding structures in IDA