Overview
Explore the intricacies of Lockbit's runtime-linking technique in this 14-minute video tutorial. Delve into how Lockbit utilizes the DLL name as a seed for API hashing, a unique twist on standard malware techniques. Learn to identify the image_base, parse the image DOS header, and understand DATA Directories. Examine the IMAGE_EXPORT_DIRECTORY and AddressOf* functions. Discover how the DLL name generates checksums that serve as seeds for API name computation. Gain insights into the UNICODE structure and its relevance. Enhance your reverse engineering skills and grasp the broader implications of these techniques on malware analysis efforts.
Syllabus
Finding the image_base
Parsing the image dos header
DATA Directories
The IMAGE_EXPORT_DIRECTORY
AddressOf*
Checksum from a DLL name - where the seeds come from
Brief note on the UNICODE structure
Taught by
Dr Josh Stroschein