I often encounter software, especially when performing malware analysis, that dynamically constructs it’s own import table. This can be done for a variety of reasons and in a variety of ways. In this article, we’ll explore one method I recently encountered. I typically become suspicious of this activity when I see the following assembly instructions: mov ebx, fs:[ 0x30 ] mov ebx, [ ebx + 0xC ] mov ebx, [ ebx + 0x14] mov esi, [ ebx + 0x28 ]
Read moreNews
Exploring the Process Environment Block (PEB) with WinDbg
The source code for this example can be found here. The assembly is: mov ebx, fs:[ 0x30 ] ; // get a pointer to the PEB mov ebx, [ ebx + 0x0C ] ; // get PEB->Ldr mov ebx, [ ebx + 0x1C ] ;// PEB->Ldr.InInitializationOrderModuleList mov ebx, [ ebx + 0x08 ] ; // get the entries base address
Read more02 – Joining A CTF
Once you have created an account, you may either decide to join a public or private competition. If you cannot find the competition you joined, try checking both the Live & Inactive competition tabs within the left sidemenu. Joining a public competition On the home page, click the side menu tab on the left Find a Public Competition. From here you may view a list of public competitions currently active on the site. Joining a private competition While on the home page, ensure that either Live Competitions or Inactive Competitions is selected within the left sidemenu. Click on the green…
Read more03 – Creating a CTF Competition
01 – Registering Your Account
The first step in getting started with the platform is to create an account, which you can do here: http://ctf.0xevilc0de.com/register You won’t need to provide much information, but be certain to use an email address you have access to in the event that you need to reset your password. The name you provide will be displayed in the scoreboard during a competition. Once your account is created you will be able to login to the system. Keep in mind that you are now a regular user and only have access to publicly accessible CTFs and private CTFs that you have…
Read more