03 - Identifying Signs of Runtime-Linking and Building Context for API Hashes

Published: 21 September 2024
on the channel: Dr Josh Stroschein - The Cyber Yeti

In part 3, we'll take a look at how Lockbit performs runtime linking, which amounts to how it dynamically builds its import table. Understanding how this is done is often the key to reversing a program: without knowing which Windows APIs it uses, it is often very difficult to understand program behavior. To add additional layers of obfuscation, Lockbit also uses precomputed values instead of strings, but with a twist. See what Lockbit is up to in this video!


2:13 Finding evidence of runtime linking
3:59 Precomputed hashes/checksums and what they are used for
6:09 Building context around how APIs will be imported
9:45 Another layer deeper
11:18 Using recursion to dynamically resolve APIs
12:17 Stepping through the code in a debugger

