Скачать с ютуб 03 - Identifying Signs of Runtime-Linking and Building Context for API Hashes в хорошем качестве

03 - Identifying Signs of Runtime-Linking and Building Context for API Hashes

In part 3, we'll take a look at how Lockbit performs runtime linking, which is amounts to how it will dynamically build it's import table. Understanding how this is done is often the key to reversing programs, without understanding which Windows APIs it is using it is often very difficult to understand program behavior. To help add additional layers of obfuscation, Lockbit also uses precomputed values instead of strings, but with a twist. See what Lockbit is up to in this video! Join this channel to get access to perks:    / @jstrosch   Cybersecurity, reverse engineering, malware analysis and ethical hacking content! 🎓 Courses on Pluralsight 👉🏻 https://www.pluralsight.com/authors/j... 🌶️ YouTube 👉🏻 Like, Comment & Subscribe! 🙏🏻 Support my work 👉🏻   / joshstroschein   🌎 Follow me 👉🏻   / jstrosch  ,   / joshstroschein   ⚙️ Tinker with me on Github 👉🏻 https://github.com/jstrosch 🤝 Join the Discord community and more 👉🏻 https://www.thecyberyeti.com 2:13 Finding evidence of runtime linking 3:59 Precomputed hashes/checksums and what they are used for 6:09 Building context around how APIs will be imported 9:45 Another layer deeper 11:18 Using recursion to dynamically resolve APIs 12:17 Stepping through the code in a debugger