06 – Finding Functions from the Export Directory and Using Seeds to Compute Checksums



Video Summary

The video walks through how the sample resolves function pointers from a DLL: it parses the DLL's export directory and computes a checksum over each exported function name, seeded with a value derived from the DLL name, until one matches a precomputed checksum. It covers the key steps in analyzing this process in a decompiler and then confirming them in a debugger.

Key Points

  • The process starts by computing a checksum over the DLL name, read from the module's PE structure; this value serves as the seed for the API-name checksums.
  • Function pointers are resolved by walking the export table of the DLL rather than by calling the usual import-resolution APIs.
  • Each exported name's checksum is compared against the desired (precomputed) checksum to identify the target API.
  • The decompiler's pseudocode makes the byte-level operations, such as the per-character transformations in the checksum loop, easier to follow.
  • The video emphasizes confirming findings through both static analysis and dynamic analysis in a debugger.
  • Understanding how API names are matched and how function pointers are resolved is critical for reverse engineering this loader.
  • Breakpoints set during debugging track the function names being hashed and the pointers returned to the caller.
  • The video sets the stage for further exploration of additional functions and their interactions with the memory heap.
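
As an added example (not code from the video, the channel, or the sample it analyzes), the export-directory walk and seeded checksum lookup described above, in Python. The checksum routine is an assumed ROR-13/XOR stand-in rather than the sample's real algorithm, and the image is a constructed export directory in which RVAs equal offsets, as in a mapped module.

```python
import struct

def ror32(value: int, bits: int) -> int:
    return ((value >> bits) | (value << (32 - bits))) & 0xFFFFFFFF

def name_checksum(name: bytes, seed: int = 0) -> int:
    # ASSUMED checksum (stand-in, not the sample's real routine): seeded ROR-13/XOR over the name.
    h = seed
    for c in name:
        h = ror32(h, 13) ^ c
    return h

def dll_seed(dll_name: str) -> int:
    # The DLL name is hashed first and that value seeds every API-name checksum.
    return name_checksum(dll_name.lower().encode(), 0)

def walk_exports(image: bytes, export_rva: int):
    # IMAGE_EXPORT_DIRECTORY is 40 bytes; RVAs are used as offsets, as in a mapped image.
    (_chr, _ts, _maj, _min, _name, base, _n_funcs, n_names,
     addr_funcs, addr_names, addr_ords) = struct.unpack_from("<IIHHIIIIIII", image, export_rva)
    for i in range(n_names):
        name_rva = struct.unpack_from("<I", image, addr_names + 4 * i)[0]
        name = image[name_rva:image.index(b"\0", name_rva)]
        # AddressOfNameOrdinals holds unbiased indexes into AddressOfFunctions.
        index = struct.unpack_from("<H", image, addr_ords + 2 * i)[0]
        func_rva = struct.unpack_from("<I", image, addr_funcs + 4 * index)[0]
        yield name, base + index, func_rva

def resolve_by_checksum(image: bytes, export_rva: int, dll_name: str, wanted: int):
    # Walk the export names, checksum each with the DLL seed, stop on the first match.
    seed = dll_seed(dll_name)
    for name, _ordinal, func_rva in walk_exports(image, export_rva):
        if name_checksum(name, seed) == wanted:
            return name, func_rva
    return None

def build_sample_image() -> bytes:
    # Constructed export directory (not a real DLL): three names, base ordinal 1.
    names = [b"GetProcAddress", b"LoadLibraryA", b"VirtualAlloc"]
    func_rvas = [0x1000, 0x2000, 0x3000]
    n = len(names)
    off_funcs, off_names, off_ords = 40, 40 + 4 * n, 40 + 8 * n
    off_strings, name_rvas, blob = off_ords + 2 * n, [], b""
    for nm in names:
        name_rvas.append(off_strings + len(blob))
        blob += nm + b"\0"
    header = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, 1, n, n, off_funcs, off_names, off_ords)
    return (header + struct.pack(f"<{n}I", *func_rvas) + struct.pack(f"<{n}I", *name_rvas)
            + struct.pack(f"<{n}H", *range(n)) + blob)
```

An analyst runs the same walk over the exports of real DLLs to precompute checksums for every name, which turns the constants found in a sample back into API names.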

Youtube Channel: Dr Josh Stroschein – The Cyber Yeti
Video Published: 2024-10-01T18:00:10+00:00

Video Description:
Part 6 continues to explore runtime-linking by seeing how Lockbit not only uses the EXPORT_DIRECTORY structure to find APIs, but also how it uses the DLL name seed to compute the checksum values to identify necessary APIs.

Join this channel to get access to perks:
https://www.youtube.com/channel/UCI8zwug_Lv4_-KPT62oeDUA/join
Cybersecurity, reverse engineering, malware analysis and ethical hacking content!
🎓 Courses on Pluralsight 👉🏻 https://www.pluralsight.com/authors/josh-stroschein
🌢️ YouTube 👉🏻 Like, Comment & Subscribe!
🙏🏻 Support my work 👉🏻 https://patreon.com/JoshStroschein
🌎 Follow me 👉🏻 https://twitter.com/jstrosch, https://www.linkedin.com/in/joshstroschein/
⚙️ Tinker with me on Github 👉🏻 https://github.com/jstrosch
🤝 Join the Discord community and more 👉🏻 https://www.thecyberyeti.com

0:38 Seed from DLL name
1:20 Computing checksum from API name
4:00 Getting the API name
4:36 Using the export directory structure
5:40 Starting in the export directory
8:00 Debugging to see API names
10:09 When a precomputed value matches
12:00 Easy button to find APIs
