Finding Functions from Export Directory and Using Seeds for API Checksums - Part 6

Overview

Explore runtime-linking techniques used by Lockbit ransomware in this 16-minute video tutorial. Dive into how the malware leverages the EXPORT_DIRECTORY structure to locate APIs and utilizes DLL name seeds for computing checksum values to identify necessary functions. Learn about the process of extracting API names, navigating the export directory structure, and debugging to observe API names in action. Discover the significance of precomputed value matches and gain insights into efficient methods for API identification. Enhance your understanding of malware analysis and reverse engineering techniques through this in-depth examination of Lockbit's sophisticated runtime-linking mechanisms.

Syllabus

Seed from DLL name
Computing checksum from API name
Getting the API name
Using the export directory structure
Starting in the export directory
Debugging to see API names
When a precomputed value matches
Easy button to find APIs

Taught by

Dr Josh Stroschein

Reviews

Start your review of Finding Functions from Export Directory and Using Seeds for API Checksums - Part 6

Taught by

Lockbit's DLL Name Seeding Technique for API Hashing - Part 5

Identifying Signs of Runtime-Linking and Building Context for API Hashes in Lockbit Malware - Part 3

Creating Trampolines and Re-Obfuscating Function Pointers in Runtime Linking - Part 7

7 Best Reverse Engineering Courses for 2024

Never Stop Learning.