In part 3, we'll take a look at how Lockbit performs runtime linking, which amounts to how it dynamically builds its import table. Understanding how this is done is often the key to reversing a program: without knowing which Windows APIs it uses, it is often very difficult to understand program behavior. To add further layers of obfuscation, Lockbit also uses precomputed values instead of strings, but with a twist. See what Lockbit is up to in this video!
2:13 Finding evidence of runtime linking
3:59 Precomputed hashes/checksums and what they are used for
6:09 Building context around how APIs will be imported
9:45 Another layer deeper
11:18 Using recursion to dynamically resolve APIs
12:17 Stepping through the code in a debugger
Video: 03 - Identifying Signs of Runtime-Linking and Building Context for API Hashes. Added by Dr Josh Stroschein - The Cyber Yeti on 21 September 2024. It has been viewed 65 times on this site and liked by 3 people.