Debugging a DLL is not quite as straight forward as an executable, since you have to use rundll32 to load it and invoke DllMain. This is a brief posting discussing how to load a 64-bit DLL and break on DllMain, the sample I am using is Dridex and can be found on VirusTotal.
Read moreNews
Reading List
Here is a list of several texts that I have found to be indispensable. Software Security The Art of Software Security Assessment (2 Volumes) Mark Dowd, John McDonald, Justin Schuh 978-0-321-44442-4
Read moreLocating DLL Name from the Process Environment Block (PEB)
I often encounter software, especially when performing malware analysis, that dynamically constructs it’s own import table. This can be done for a variety of reasons and in a variety of ways. In this article, we’ll explore one method I recently encountered. I typically become suspicious of this activity when I see the following assembly instructions: mov ebx, fs:[ 0x30 ] mov ebx, [ ebx + 0xC ] mov ebx, [ ebx + 0x14] mov esi, [ ebx + 0x28 ]
Read moreExploring the Process Environment Block (PEB) with WinDbg
The source code for this example can be found here. The assembly is: mov ebx, fs:[ 0x30 ] ; // get a pointer to the PEB mov ebx, [ ebx + 0x0C ] ; // get PEB->Ldr mov ebx, [ ebx + 0x1C ] ;// PEB->Ldr.InInitializationOrderModuleList mov ebx, [ ebx + 0x08 ] ; // get the entries base address
Read more02 – Joining A CTF
Once you have created an account, you may either decide to join a public or private competition. If you cannot find the competition you joined, try checking both the Live & Inactive competition tabs within the left sidemenu. Joining a public competition On the home page, click the side menu tab on the left Find a Public Competition. From here you may view a list of public competitions currently active on the site. Joining a private competition While on the home page, ensure that either Live Competitions or Inactive Competitions is selected within the left sidemenu. Click on the green…
Read more