Debugging a DLL Export With x64dbg [Patreon Unlocked]
- Added 4 Jan 2022
- In this tutorial we demonstrate how to debug a DLL export (ordinal) with x64dbg. The sample is an unpacked SquirrelWaffle payload which we debug to dynamically extract the config. Expand for more ...
-----
OALABS DISCORD
/ discord
OALABS PATREON
/ oalabs
OALABS TIP JAR
ko-fi.com/oalabs
OALABS GITHUB
github.com/OALabs
UNPACME - AUTOMATED MALWARE UNPACKING
www.unpac.me/#/
-----
Unpacked sample:
malshare.com/sample.php?actio...
Great video. Very well explained. Thank you.
Very useful and informative. Thank you
You help so much man.
This is awesome, thanks!
Amazing, Thank you !
As always, great video! Clear, well explained useful tips and tricks :) Is it also possible if you have a different ordinal address between Xdbg and IDA to rebase the program from IDA directly or am I missing something?
Yes, if the DLL is loaded at a different address in x64dbg than your base in IDA you will need to rebase in IDA.
Thanks for the video. I have one question. My EntryPoint in x64dbg is 1001149B and PEbear lists 10E20 as my Function RVA for Export 'DllInstall'. How exactly would I add those numbers to set a BP after the call?
If the function expected parameters, would you just pass those params when you invoke the DLL, as if they were for DllMain?
That is an excellent question! Yes you pass arguments to the export after the export but separated by a space rather than a comma. Example: rundll32.exe sample.dll,export arg0 arg1 arg2
@OALABS I was thinking about this some more. The EP is not the same as DllMain, which is usually user code. DllEntryPoint is responsible for setting up and initializing the CRT, and then calling DllMain user code. Wouldn't it be safer to modify IP at the call to DllMain?
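The question above about combining an entry point with an export RVA comes up often, so here is an added example (not code from the video, OALABS, or any commenter). It parses the export directory of a PE file directly from the headers, lists each export by ordinal and name, and computes the address an export will have once the module is mapped at a given base. The key point it demonstrates is that an export's address is module base + export RVA, not entry point + RVA, because the entry point is itself an RVA. The DLL bytes are constructed inline so the script runs offline; the image base, entry point RVA, export name and RVA mirror the numbers quoted in the comment, everything else is made up. It also handles PE32+ (64-bit) headers, which the comment does not mention.

```python
"""Added example: parse a PE export directory and map export RVAs to loaded
addresses.  The sample DLL is constructed in-line (it is not a real binary)."""
import struct

EXPORT_DIR_FMT = "<IIHHIIIIIII"  # IMAGE_EXPORT_DIRECTORY, 40 bytes


def build_sample_dll():
    """Construct a minimal PE32 image: one .rdata section holding an export
    table with a named export (DllInstall) and an export by ordinal only."""
    image_base, entry_rva = 0x10000000, 0x1149B  # values from the comment above
    sect_rva, sect_raw = 0x1000, 0x200
    funcs = [0x10E20, 0x11000]                   # RVAs of ordinal 1 and ordinal 2
    dll_name, exp_name = b"sample.dll\0", b"DllInstall\0"
    # Lay out the export table inside the section, recording section-relative offsets.
    aof = 40                                     # AddressOfFunctions right after the directory
    aon = aof + 4 * len(funcs)                   # AddressOfNames (one named export)
    aoo = aon + 4                                # AddressOfNameOrdinals
    dllname_off = aoo + 2
    fname_off = dllname_off + len(dll_name)
    body = bytearray(struct.pack(EXPORT_DIR_FMT, 0, 0, 0, 0, sect_rva + dllname_off,
                                 1, len(funcs), 1, sect_rva + aof, sect_rva + aon, sect_rva + aoo))
    body += struct.pack("<%dI" % len(funcs), *funcs)
    body += struct.pack("<I", sect_rva + fname_off)   # name RVA for "DllInstall"
    body += struct.pack("<H", 0)                      # name index 0 -> ordinal Base + 0 = 1
    body += dll_name + exp_name
    # Headers: DOS stub, PE signature, file header, PE32 optional header, one section header.
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)  # i386, 1 section, DLL
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)        # AddressOfEntryPoint (an RVA)
    struct.pack_into("<I", opt, 28, image_base)       # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)   # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, sect_rva + 0x1000, 0x200)  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)               # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96, sect_rva, len(body))       # export data directory
    sect = struct.pack("<8sIIIIIIHHI", b".rdata\0\0", len(body), sect_rva, 0x200, sect_raw,
                       0, 0, 0, 0, 0x40000040)
    image = dos + b"PE\0\0" + file_hdr + opt + sect
    image += bytes(sect_raw - len(image))             # pad headers to the section's raw offset
    image += bytes(body).ljust(0x200, b"\0")
    return bytes(image)


def parse_exports(data):
    """Return (image_base, entry_rva, exports); exports is a list of
    (ordinal, name_or_None, rva) read from the export directory."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x10B:                                # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        datadir = opt + 96
    elif magic == 0x20B:                              # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        datadir = opt + 112
    else:
        raise ValueError("not a PE32/PE32+ image")
    exp_rva = struct.unpack_from("<I", data, datadir)[0]
    sections = []
    for i in range(nsect):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, rawsize), rawptr))

    def rva_to_off(rva):  # translate an RVA to a file offset through the section table
        for va, size, rawptr in sections:
            if va <= rva < va + size:
                return rawptr + (rva - va)
        raise ValueError("RVA %#x is not backed by any section" % rva)

    if exp_rva == 0:                                  # no export directory at all
        return image_base, entry_rva, []
    d = struct.unpack_from(EXPORT_DIR_FMT, data, rva_to_off(exp_rva))
    base, nfunc, nnames, aof, aon, aoo = d[5], d[6], d[7], d[8], d[9], d[10]
    funcs = struct.unpack_from("<%dI" % nfunc, data, rva_to_off(aof))
    names = {}
    for i in range(nnames):
        name_rva = struct.unpack_from("<I", data, rva_to_off(aon) + 4 * i)[0]
        idx = struct.unpack_from("<H", data, rva_to_off(aoo) + 2 * i)[0]
        start = rva_to_off(name_rva)
        names[idx] = data[start:data.index(b"\0", start)].decode()
    # Unused slots have RVA 0; ordinals without a name entry are ordinal-only exports.
    return image_base, entry_rva, [(base + i, names.get(i), rva)
                                   for i, rva in enumerate(funcs) if rva != 0]


def export_address(loaded_base, rva):
    """Address of an export once the module is mapped at loaded_base:
    base + RVA, never entry point + RVA."""
    return loaded_base + rva


def breakpoint_command(loaded_base, rva):
    """x64dbg command line to break on the export (bp takes a hex address)."""
    return "bp %X" % export_address(loaded_base, rva)


if __name__ == "__main__":
    base, ep, exports = parse_exports(build_sample_dll())
    print("ImageBase %08X  EntryPoint RVA %X" % (base, ep))
    for ordinal, name, rva in exports:
        print("  #%d %-12s RVA %05X -> %s" % (ordinal, name or "(no name)", rva,
                                             breakpoint_command(base, rva)))
```

Read the module's actual base from x64dbg's memory map (or the log line printed when the DLL loads) rather than the header's preferred ImageBase, since ASLR or a base collision will relocate it; the stripping of relocations mentioned in a later comment is what pins the DLL to its preferred base.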
Cool...
In order to avoid calculating the RVA you may strip relocs from the PE file, for example via CFF Explorer.
Will I receive my like from the author? :)
haha!
Great video for patreon, without unlocking them all is it possible to get a list of videos available to the Patreon? Thx in adv.
Patreon has this nice feature where all the content we post is publicly viewable, all you need to do is scroll down... when you scroll you can see which tutorials are still locked and which are unlocked, and you can see the title and description of everything even the ones that are locked, check it out! www.patreon.com/oalabs
Appreciated
Seems like a few good videos are available at the $21/month tier. Is there a way to unlock individual vids of interest without the subscription? Sorry, not super familiar with how it all works.
What happens if the exported symbol expects parameters or uses a different calling convention? Great video, thanks!
*EDIT* I see the parameter solution in the comments, however the conv still has me wondering
Then you are out of luck lol! This is a good article explaining what would happen... devblogs.microsoft.com/oldnewthing/20040115-00/?p=41043 Thankfully it's pretty rare for malware since the devs usually just use the boilerplate default. But if this is the case you would need to set up the call yourself with a little stub program, or you could just manipulate it live with a debugger.
@OALABS thanks! :D
I don't have any exports in PE Bear
It is possible that they only have a DllEntryPoint if it is a malware DLL. Conveniently this is actually executed by the x64dbg DLL loader, so you would not have to do any adjustment; just begin debugging as soon as you enter the DLL.
@OALABS ty
Dc ?
ac?
@OALABS Discord?
rb.gy/5f85nv