Josh Stroschein, Feb 10, 5 min read
Locating DLL Name from the Process Environment Block (PEB)
I often encounter software, especially when performing malware analysis, that dynamically constructs its own import table. This can be...

Josh Stroschein, Feb 10, 1 min read
Exploring the Process Environment Block (PEB) with WinDbg
The source code for this example can be found here. The assembly is: mov ebx, fs:[ 0x30 ] ; // get a pointer to the PEB mov ebx, [ ebx +...

Josh Stroschein, Jan 6, 2021, 1 min read
Creating an IDA Python Plugin for Static XOR String Deobfuscation
In this video, we'll explore a recent XLS document that drops and executes a DLL using RUNDLL32. The DLL is small and only used to...

Josh Stroschein, Mar 16, 2018, 2 min read
Debugging a 32 or 64-bit DLL with WinDbg
Debugging a DLL is not quite as straightforward as an executable, since you have to use rundll32 to load it and invoke DllMain. This is...