Finding Functions from Export Directory and Using Seeds for API Checksums - Part 6
Offered By: Dr Josh Stroschein via YouTube
Course Description
Overview
Explore runtime-linking techniques used by Lockbit ransomware in this 16-minute video tutorial. Dive into how the malware leverages the EXPORT_DIRECTORY structure to locate APIs and utilizes DLL name seeds for computing checksum values to identify necessary functions. Learn about the process of extracting API names, navigating the export directory structure, and debugging to observe API names in action. Discover the significance of precomputed value matches and gain insights into efficient methods for API identification. Enhance your understanding of malware analysis and reverse engineering techniques through this in-depth examination of Lockbit's sophisticated runtime-linking mechanisms.
Syllabus
Seed from DLL name
Computing checksum from API name
Getting the API name
Using the export directory structure
Starting in the export directory
Debugging to see API names
When a precomputed value matches
Easy button to find APIs
Taught by
Dr Josh Stroschein
Related Courses
The RedTeam Blueprint - A Unique Guide To Ethical HackingUdemy Indicators of Compromise - From Malware Analysis to Eradication
44CON Information Security Conference via YouTube Counterfeiting the Pipes with FakeNet 2.0 - Part 2
Black Hat via YouTube Advanced Process Injection Techniques
NorthSec via YouTube Hypervisors in Your Toolbox - Monitoring and Controlling System Events with HyperPlatform
nullcon via YouTube