Short Summary
The video walks through how LockBit parses a loaded DLL's export table in memory to resolve the APIs it needs at runtime, rather than importing them through the PE import table. It covers the layout of PE (Portable Executable) headers, the offsets used to move from one structure to the next, and the fields of the IMAGE_EXPORT_DIRECTORY that the resolver reads.
Key Points
- The image base of the target DLL is obtained and held in the EBX register; every RVA read from the headers is added to it to form a usable virtual address.
- The IMAGE_DOS_HEADER sits at the image base, and its e_lfanew field gives the offset of the NT headers; from there the data directories in the optional header can be located.
- The export directory is data directory entry 0 (IMAGE_DIRECTORY_ENTRY_EXPORT); its RVA leads to the IMAGE_EXPORT_DIRECTORY, which is the structure the resolver walks.
- The AddressOfFunctions, AddressOfNames and AddressOfNameOrdinals arrays of the export directory are read in parallel: the index of a matching name is looked up in the ordinal table, and that value indexes AddressOfFunctions to give the function's RVA.
- Like most malware, LockBit resolves APIs by walking the name table rather than by ordinal.
- The loaded DLL's base name (kept by the loader in a UNICODE_STRING, which the video touches on briefly) is fed through a checksum routine, and that checksum becomes the seed for hashing the API name.
- The DLL-name checksum normalizes character case as it runs, so "KERNEL32.DLL" and "kernel32.dll" produce the same seed.
- The exploration of these techniques sets the stage for deeper analysis in subsequent videos.
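The walk described in the key points above, as an added Python example written for this page (it is not LockBit's code and not code from the video): the parser follows IMAGE_DOS_HEADER.e_lfanew to the NT headers, picks data directory entry 0, and iterates the three AddressOf* arrays of the IMAGE_EXPORT_DIRECTORY of a module in its in-memory layout, then seeds a case-normalised name hash with the DLL's base name and resolves an export by hash. Three assumptions are made for the sake of running offline: the PE image is a synthetic fixture built inline (not a real DLL), the ROR13-style hash is an illustrative stand-in because the page does not give LockBit's actual algorithm, and the UNICODE_STRING helper takes the Length and buffer bytes directly instead of following the Buffer pointer in the loader's data.

```python
import struct

# PE constants (winnt.h names).
IMAGE_DOS_SIGNATURE, IMAGE_NT_SIGNATURE = 0x5A4D, 0x00004550   # "MZ", "PE\0\0"
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_DIRECTORY_ENTRY_EXPORT = 0

def u16(img, off): return struct.unpack_from("<H", img, off)[0]
def u32(img, off): return struct.unpack_from("<I", img, off)[0]
def cstr(img, off): return img[off:img.index(b"\0", off)].decode("ascii")

def parse_exports(image):
    """Walk IMAGE_DOS_HEADER -> IMAGE_NT_HEADERS -> DataDirectory[0] ->
    IMAGE_EXPORT_DIRECTORY of a module in its in-memory layout, so each RVA
    is just an offset from the image base (the value the malware keeps in EBX)."""
    if u16(image, 0) != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    e_lfanew = u32(image, 0x3C)                       # IMAGE_DOS_HEADER.e_lfanew
    if u32(image, e_lfanew) != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                           # skip Signature + IMAGE_FILE_HEADER
    magic = u16(image, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic")
    data_dir = opt + (96 if magic == PE32_MAGIC else 112)   # DataDirectory[] offset
    entry = data_dir + 8 * IMAGE_DIRECTORY_ENTRY_EXPORT
    export_rva, export_size = u32(image, entry), u32(image, entry + 4)
    if export_rva == 0:
        return {}                                     # nothing exported
    # Skip Characteristics, TimeDateStamp, Major/MinorVersion (12 bytes).
    name_rva, base, n_funcs, n_names, aof, aon, aono = struct.unpack_from(
        "<7I", image, export_rva + 12)
    exports = {}
    for i in range(n_names):
        name = cstr(image, u32(image, aon + 4 * i))
        idx = u16(image, aono + 2 * i)   # index into AddressOfFunctions (ordinal - Base)
        func_rva = u32(image, aof + 4 * idx)
        if export_rva <= func_rva < export_rva + export_size:
            exports[name] = ("forwarder", cstr(image, func_rva))   # a string, not code
        else:
            exports[name] = ("rva", func_rva)
    return exports

def dll_name_from_unicode_string(length, buffer):
    """BaseDllName in LDR_DATA_TABLE_ENTRY is a UNICODE_STRING: Length is in
    BYTES, not characters, and the buffer need not be NUL-terminated."""
    return buffer[:length].decode("utf-16-le")

def hash_name(name, seed=0):
    """Case-normalised seeded hash. ROR13-plus-add is an assumed stand-in for
    illustration only; the page does not give LockBit's real checksum."""
    h = seed & 0xFFFFFFFF
    for ch in name.lower().encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + ch) & 0xFFFFFFFF
    return h

def resolve_by_hash(image, base_dll_name, target):
    """Seed with the DLL name, then hash each export name until one matches.
    Returns the function RVA, or None when nothing (or only a forwarder) matches."""
    seed = hash_name(base_dll_name)
    for name, (kind, value) in parse_exports(image).items():
        if kind == "rva" and hash_name(name, seed) == target:
            return value
    return None

def build_sample_image(module_name, exports):
    """Synthetic PE32 image (in-memory layout, export directory only) built as a
    fixture for this example; it is not a real DLL. Export names must be sorted."""
    img = bytearray(0x1000)
    e_lfanew, export_rva, n = 0x80, 0x200, len(exports)
    struct.pack_into("<H", img, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    struct.pack_into("<I", img, e_lfanew, IMAGE_NT_SIGNATURE)
    # IMAGE_FILE_HEADER: Machine=i386, 0 sections, SizeOfOptionalHeader=224, DLL flags
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4, 0x14C, 0, 0, 0, 0, 224, 0x2102)
    opt = e_lfanew + 24
    struct.pack_into("<H", img, opt, PE32_MAGIC)
    struct.pack_into("<I", img, opt + 92, 16)           # NumberOfRvaAndSizes
    aof, aon, aono = export_rva + 40, export_rva + 40 + 4 * n, export_rva + 40 + 8 * n
    cur = aono + 2 * n                                  # string pool follows the tables
    def put(s):                                         # append NUL-terminated ASCII
        nonlocal cur
        rva = cur
        img[cur:cur + len(s)] = s.encode("ascii")
        cur += len(s) + 1
        return rva
    name_rva = put(module_name)
    for i, (name, target) in enumerate(exports):
        struct.pack_into("<I", img, aon + 4 * i, put(name))
        struct.pack_into("<H", img, aono + 2 * i, i)
        # A str target becomes a forwarder string inside the directory ("DLL.Func").
        struct.pack_into("<I", img, aof + 4 * i, put(target) if isinstance(target, str) else target)
    struct.pack_into("<IIHH7I", img, export_rva, 0, 0, 0, 0, name_rva, 1, n, n, aof, aon, aono)
    struct.pack_into("<II", img, opt + 96, export_rva, cur - export_rva)
    return bytes(img)

# Constructed sample: names sorted as a real export name table would be.
SAMPLE_EXPORTS = [("CreateFileW", 0x3040), ("GetProcAddress", 0x1230),
                  ("HeapAlloc", "NTDLL.RtlAllocateHeap"), ("LoadLibraryA", 0x2100)]
SAMPLE_IMAGE = build_sample_image("KERNEL32.dll", SAMPLE_EXPORTS)
```

Two checks worth keeping in mind when reproducing the walk by hand in a debugger: the entries in AddressOfNameOrdinals are already unbiased indexes into AddressOfFunctions (do not subtract Base again), and a function RVA that lands inside the export directory's own range is a forwarder string such as "NTDLL.RtlAllocateHeap", not code, which a resolver that blindly adds the RVA to the image base would happily call.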
Youtube Channel: Dr Josh Stroschein – The Cyber Yeti
Video Published: 2024-09-26T18:00:01+00:00
Video Description:
In part 05, we continue our deep dive into Lockbit’s runtime-linking. In this video, you’ll see how Lockbit uses the DLL name to create a seed. This seed is used in the actual computation of the API name, which is a twist on a standard malware technique. You’ll see how this technique is used and I’ll discuss the broader impact it has on your reversing efforts.
0:30 Finding the image_base
1:25 Parsing the image dos header
3:36 DATA Directories
5:30 The IMAGE_EXPORT_DIRECTORY
6:40 AddressOf*
8:21 Checksum from a DLL name – where the seeds come from
9:15 Brief note on the UNICODE structure