07 – Creating Trampolines and Re-Obfuscating Function Pointers



Summary of Video Transcript

Summary

The video discusses the unique approach that LockBit uses for API hashing, exploring how they implement a trampoline technique to obscure API calls and make their analysis less straightforward. The presenter breaks down the specific functions involved, the arguments being manipulated, and how those contribute to the overall logic of the runtime linking process.

Key Points

  • LockBit’s API hashing technique XORs pre-computed hash values with a constant, which complicates identifying the APIs being resolved.
  • The function sub_45DA0 plays a central role in allocating memory on a new heap.
  • The import table for API calls is constructed through a series of operations involving checksums and dynamic memory allocation.
  • Trampolines are created to redirect API calls, adding layers of indirection when calling functions.
  • The method of resolving APIs utilizes randomization, which impedes straightforward analysis and debugging efforts.
  • Tools like IDA Python plugins can help with deeper analysis, particularly for functionality that resembles BlackMatter’s codebase.
  • The series will continue to explore anti-analysis techniques in subsequent videos.
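As an added illustration (not code from the video or from LockBit), the analyst-side counterpart to the hashing scheme described above: precompute the obfuscated hash for every known export name and map constants pulled from a sample back to names, which is what an IDA Python helper for this family would do. The ROR13 hash routine, the XOR key and the export list are assumptions chosen for the example, not LockBit's real values.

```python
# Added example: resolve XOR-obfuscated API hash constants back to export names.
# ASSUMPTIONS: the hash routine (ROR13 over the ASCII name), the XOR key and the
# export list are placeholders for illustration, not LockBit's actual values.
from typing import Dict, Iterable, List, Optional

MASK32 = 0xFFFFFFFF


def ror32(value: int, shift: int) -> int:
    """Rotate a 32-bit value right by `shift` bits."""
    value &= MASK32
    return ((value >> shift) | (value << (32 - shift))) & MASK32


def api_hash(name: str) -> int:
    """Assumed hash routine: classic ROR13 accumulation over each name byte."""
    h = 0
    for b in name.encode("ascii"):
        h = (ror32(h, 13) + b) & MASK32
    return h


def build_table(exports: Iterable[str], xor_key: int) -> Dict[int, str]:
    """Pre-compute obfuscated-hash -> name for every export we know about.

    The sample stores hash ^ key, so the table is keyed the same way and the
    constants read from the binary can be looked up directly."""
    return {api_hash(n) ^ xor_key: n for n in exports}


def resolve(constants: Iterable[int], table: Dict[int, str]) -> List[Optional[str]]:
    """Map obfuscated constants found in a sample to names (None if unknown)."""
    return [table.get(c & MASK32) for c in constants]


# Constructed sample data: a few kernel32 exports and a made-up XOR key.
SAMPLE_EXPORTS = ["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "HeapCreate"]
SAMPLE_KEY = 0x1234ABCD  # placeholder, not the real key

if __name__ == "__main__":
    table = build_table(SAMPLE_EXPORTS, SAMPLE_KEY)
    # Pretend these constants were read out of the sample's encoded import table.
    found = [api_hash("VirtualAlloc") ^ SAMPLE_KEY,
             api_hash("HeapCreate") ^ SAMPLE_KEY,
             0xDEADBEEF]
    for c, name in zip(found, resolve(found, table)):
        print(f"{c:#010x} -> {name}")
```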

Youtube Video: https://www.youtube.com/watch?v=SvHqFNv-0Sc
Youtube Channel: Dr Josh Stroschein – The Cyber Yeti
Video Published: 2024-10-23T12:03:49+00:00