Discover and read the best of Twitter Threads about #processhacker
Most recents (1)
A quick demo of how to identify "real" exported functions from a #obfuscated #IcedID dll file.
I'll also briefly touch on some #Ghidra tips, and how to extract #shellcode using a debugger.
A moderate sized thread😃
[1/13]
I'll also briefly touch on some #Ghidra tips, and how to extract #shellcode using a debugger.
A moderate sized thread😃
[1/13]
[2/13] You can find the relevant files here. Special thanks to @malware_traffic.
First, download the .zip in the screenshot.👇
Then unzip and locate the "rarest.db" file in the "scabs" folder.
(Make sure to do this inside an isolated Virtual Machine)
malware-traffic-analysis.net/2022/09/23/ind…
First, download the .zip in the screenshot.👇
Then unzip and locate the "rarest.db" file in the "scabs" folder.
(Make sure to do this inside an isolated Virtual Machine)
malware-traffic-analysis.net/2022/09/23/ind…
[3/14] Drag the "rarest.db" file into Pe-Studio and navigate to the exports tab.
There are 11 exported functions here. 🧐
Most of them have junk names to throw off analysis.
One of them is "real", the rest are "decoys" which don't do anything if executed.
There are 11 exported functions here. 🧐
Most of them have junk names to throw off analysis.
One of them is "real", the rest are "decoys" which don't do anything if executed.
