Watch a 30-minute technical video exploring advanced runtime linking techniques, focusing on trampoline creation and function pointer manipulation in malware analysis. Learn how trampolines are constructed, function pointers are resolved and re-obfuscated, and examine heap memory debugging using the 0xABABABAB pattern. Follow along through key topics including import table locations, precomputed values, DLL loading, memory allocation, random number generation, and trampoline code implementation. Gain practical insights into reverse engineering and malware analysis through detailed explanations and a concrete example function call demonstration.
Creating Trampolines and Re-Obfuscating Function Pointers in Runtime Linking - Part 7
Dr Josh Stroschein via YouTube
Overview
Syllabus
Starting with the function that creates the trampolines
Location of the new import table
Concerning precomputed values
Typing arguments
Loading the required DLLs
Debugging
Preparing to store function pointers
Getting the desired function pointer
Allocating new memory
Checking memory for padding bytes 0xABABABAB
Basis for the trampoline
Generating random numbers
Adding code to the trampoline
Example function call
Wrapping up and recap
Taught by
Dr Josh Stroschein
