Debugging a DLL Export With x64dbg [Patreon Unlocked]

31,226 views

OALabs

1 day ago

In this tutorial we demonstrate how to debug a DLL export (by name or ordinal) with x64dbg. The sample is an unpacked SquirrelWaffle payload, which we debug in order to extract its configuration dynamically.
-----
OALABS DISCORD
/ discord
OALABS PATREON
/ oalabs
OALABS TIP JAR
ko-fi.com/oalabs
OALABS GITHUB
github.com/OALabs
UNPACME - AUTOMATED MALWARE UNPACKING
www.unpac.me/#/
-----
Unpacked sample:
malshare.com/s...
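The technique in the video comes down to address arithmetic over the DLL's export table: a PE viewer (PE-bear in the comments) shows each export's RVA, x64dbg shows where the DLL actually landed, and the breakpoint goes at load base + RVA. The Python below is an added example, not OALabs' code or anything from the video. It builds a constructed minimal PE32 DLL in memory (the export names, their RVAs, the 0x1149B entry-point RVA and the 0x1001149B "EntryPoint as shown in x64dbg" are made-up values chosen to mirror the numbers quoted in the comments), parses the export directory the way PE-bear does, recovers the load base from the EntryPoint value x64dbg displays, and prints an x64dbg `bp` command for every export, named or ordinal-only. It also reports whether the image carries a relocation directory, which is what stripping relocs (as one comment suggests) removes: without it the loader cannot move the DLL, so IDA and x64dbg see the same base, but the load fails if the preferred base is already taken.

```python
import struct

def build_sample_dll(image_base=0x10000000, relocatable=True):
    # Constructed test image, not OALabs' sample: a minimal PE32 DLL with one .edata section
    # exporting DllInstall (ordinal 1), DllRegisterServer (2) and a nameless ordinal 3.
    # Function RVAs and the entry point are placeholders; the image holds no code.
    sec_rva, ordinal_base = 0x1000, 1
    exports = [("DllInstall", 0x10E20), ("DllRegisterServer", 0x11200), (None, 0x11300)]
    named = [(i, n) for i, (n, _) in enumerate(exports) if n]
    funcs_rva = sec_rva + 40                      # tables follow the 40-byte export directory
    names_rva = funcs_rva + 4 * len(exports)
    ords_rva = names_rva + 4 * len(named)
    strs_rva = ords_rva + 2 * len(named)
    strs, name_rvas = b"sample.dll\0", []
    for _, n in named:
        name_rvas.append(strs_rva + len(strs))
        strs += n.encode() + b"\0"
    body = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, strs_rva, ordinal_base, len(exports),
                       len(named), funcs_rva, names_rva, ords_rva)
    body += b"".join(struct.pack("<I", r) for _, r in exports)       # AddressOfFunctions
    body += b"".join(struct.pack("<I", r) for r in name_rvas)        # AddressOfNames
    body += b"".join(struct.pack("<H", i) for i, _ in named) + strs  # AddressOfNameOrdinals
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,   # IMAGE_OPTIONAL_HEADER32
                      0x10B, 14, 0, 0, 0, 0, 0x1149B, sec_rva, sec_rva, image_base, 0x1000, 0x1000,
                      6, 0, 0, 0, 6, 0, 0, 0x2000, 0x1000, 0, 2, 0x40,         # 0x40 = DYNAMIC_BASE
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(sec_rva, len(body))] + [(0, 0)] * 15  # entry 0 = IMAGE_DIRECTORY_ENTRY_EXPORT
    dirs[5] = (0x1800, 0xC) if relocatable else (0, 0)   # entry 5 = BASERELOC (never parsed here)
    dirs = b"".join(struct.pack("<II", *d) for d in dirs)
    sect = struct.pack("<8sIIIIIIHHI", b".edata", len(body), sec_rva, 0x1000, sec_rva, 0, 0, 0, 0, 0x40000040)
    fh = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt) + len(dirs), 0x2102)
    nt = b"PE\0\0" + fh + opt + dirs + sect
    hdr = (b"MZ" + bytes(0x3A) + struct.pack("<I", 0x80) + bytes(0x40) + nt).ljust(0x1000, b"\0")  # e_lfanew = 0x80
    return hdr + body.ljust(0x1000, b"\0")

def _u(fmt, data, off):
    return struct.unpack_from("<" + fmt, data, off)[0]

def parse_pe(data):
    # Header fields needed for export resolution; PE32+ shifts ImageBase and the directories.
    nt = _u("I", data, 0x3C)
    if data[:2] != b"MZ" or data[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt, pe32plus = nt + 24, _u("H", data, nt + 24) == 0x20B
    image_base = _u("Q", data, opt + 24) if pe32plus else _u("I", data, opt + 28)
    dir_off = opt + (112 if pe32plus else 96)
    dirs = [(_u("I", data, dir_off + 8 * i), _u("I", data, dir_off + 8 * i + 4))
            for i in range(_u("I", data, dir_off - 4))]
    first = opt + _u("H", data, nt + 20)          # section table follows the optional header
    sections = [(_u("I", data, s + 12), max(_u("I", data, s + 8), _u("I", data, s + 16)), _u("I", data, s + 20))
                for s in range(first, first + 40 * _u("H", data, nt + 6), 40)]
    return {"data": data, "image_base": image_base, "entry_rva": _u("I", data, opt + 16),
            "dirs": dirs, "sections": sections}

def rva_to_off(pe, rva):
    for va, size, raw in pe["sections"]:          # RVA -> file offset via the section table
        if va <= rva < va + size:
            return rva - va + raw
    if rva < pe["sections"][0][0]:                # header region maps 1:1
        return rva
    raise ValueError("RVA %#x is outside every section" % rva)

def parse_exports(pe):
    # {ordinal: (name or None, rva)}; ordinal = Base + index into AddressOfFunctions, and
    # AddressOfNameOrdinals binds each name to that index (not to the ordinal itself).
    data, (exp_rva, exp_size) = pe["data"], pe["dirs"][0]
    if exp_size == 0:                             # no export table: only DllMain is reachable
        return {}
    e = rva_to_off(pe, exp_rva)
    base, n_funcs, n_names = (_u("I", data, e + o) for o in (16, 20, 24))
    funcs, names, ords = (rva_to_off(pe, _u("I", data, e + o)) for o in (28, 32, 36))
    exports = {}
    for i in range(n_funcs):
        rva = _u("I", data, funcs + 4 * i)
        if rva:                                   # RVA 0 marks an unused ordinal slot
            exports[base + i] = [None, rva]
    for j in range(n_names):
        off = rva_to_off(pe, _u("I", data, names + 4 * j))
        exports[base + _u("H", data, ords + 2 * j)][0] = data[off:data.index(b"\0", off)].decode()
    return {o: tuple(v) for o, v in exports.items()}

def module_base(pe, entry_va):
    return entry_va - pe["entry_rva"]             # load base = EntryPoint VA shown by x64dbg - its RVA

def export_va(pe, exports, key, load_base=None):
    base = pe["image_base"] if load_base is None else load_base   # breakpoint = base + export RVA
    for ordinal, (name, rva) in exports.items():
        if key in (ordinal, name):
            return base + rva
    raise KeyError(key)

def can_rebase(pe):
    # No relocation directory: the loader cannot move the image, so it lands at ImageBase or fails.
    return pe["dirs"][5][1] != 0

if __name__ == "__main__":
    pe = parse_pe(build_sample_dll())
    exports, base = parse_exports(pe), module_base(pe, 0x1001149B)   # EntryPoint as shown by x64dbg
    print("load base %#x (preferred %#x), relocs present: %s" % (base, pe["image_base"], can_rebase(pe)))
    for o, (n, r) in sorted(exports.items()):
        print("bp %#x   ; ordinal %d  rva %#x  %s" % (export_va(pe, exports, o, base), o, r, n or "ordinal only"))
```

Run it as-is for the constructed image, or feed `parse_pe` the bytes of a real DLL read from disk; `export_va` then gives the address to paste after x64dbg's `bp` command once you know the base the module was loaded at. When a DLL has no export table at all, `parse_exports` returns an empty dict and the only entry x64dbg's DLL loader will reach is DllEntryPoint, as the comments also point out.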

Comments: 31
@sushmithavetri5198 1 year ago
Very useful and informative. Thank you
@rpstar2023 3 years ago
Great video. Very well explained. Thank you.
@0xbitbybit 1 year ago
This is awesome, thanks!
@orgozlan323 3 years ago
Amazing, thank you!
@xN4VYS34Lx 3 years ago
You help so much man.
@infinit3i 11 days ago
why does x64dbg have a time wasted debugging in the bottom right? that is wild lol
@sgaud911 5 months ago
Wouldn't it be easier to go to the "Symbols" tab and then double-click the export we want?
@RashadIshmal 10 months ago
Thanks for the video. I have one question. My EntryPoint in x64dbg is 1001149B and PEbear lists 10E20 as my Function RVA for Export 'DllInstall'. How exactly would I add those numbers to set a BP after the call?
@warsang 3 years ago
As always, great video! Clear, well-explained, useful tips and tricks :) Is it also possible, if you have a different ordinal address between x64dbg and IDA, to rebase the program from IDA directly, or am I missing something?
@OALABS 3 years ago
Yes, if the DLL is loaded at a different address in x64dbg than your base in IDA, you will need to rebase in IDA.
@eusebiosksipolitos2524 1 year ago
Cool...
@BGroothedde 1 year ago
What happens if the exported symbol expects parameters or uses a different calling convention? Great video, thanks! *EDIT* I see the parameter solution in the comments; however, the conv still has me wondering.
@OALABS 1 year ago
Then you are out of luck lol! This is a good article explaining what would happen... devblogs.microsoft.com/oldnewthing/20040115-00/?p=41043 Thankfully it's pretty rare for malware, since the devs usually just use the boilerplate default. But if this is the case, you would need to set up the call yourself with a little stub program, or you could just manipulate it live with a debugger.
@BGroothedde 1 year ago
@@OALABS thanks! :D
@typedeaf 3 years ago
If the function expected parameters, would you just pass those params when you invoke the DLL, as if they were for DllMain?
@OALABS 3 years ago
That is an excellent question! Yes, you pass arguments to the export after the export name, but separated by a space rather than a comma. Example: rundll32.exe sample.dll,export arg0 arg1 arg2
@typedeaf 3 years ago
@@OALABS I was thinking about this some more. The EP is not the same as DllMain, which is usually user code. DllEntryPoint is responsible for setting up and initializing the CRT, and then calling DllMain user code. Wouldn't it be safer to modify IP at the call to DllMain?
@jasonrobertcheney 2 years ago
Great video for Patreon. Without unlocking them all, is it possible to get a list of videos available to the Patreon? Thx in adv.
@OALABS 2 years ago
Patreon has this nice feature where all the content we post is publicly viewable; all you need to do is scroll down... When you scroll you can see which tutorials are still locked and which are unlocked, and you can see the title and description of everything, even the ones that are locked. Check it out! www.patreon.com/oalabs
@jasonrobertcheney 2 years ago
Appreciated
@jasonrobertcheney 2 years ago
Seems like a few good videos are available at the $21/month tier. Is there a way to unlock individual vids of interest without the subscription? Sorry, not super familiar with how it all works.
@polarrbtw 1 year ago
I don't have any exports in PE-bear.
@OALABS 1 year ago
It is possible they only have a DllEntryPoint if it is a malware DLL. Conveniently, this is actually executed by the x64dbg DLL loader, so you would not have to do any adjustment; just begin debugging as soon as you enter the DLL.
@polarrbtw 1 year ago
@@OALABS ty
@close7029 7 months ago
Dc?
@OALABS 7 months ago
ac?
@close7029 7 months ago
@@OALABS Discord?
@OALABS 7 months ago
rb.gy/5f85nv
@bloodyink3423 1 year ago
In order to avoid calculating the RVA you may strip relocs from the PE file, for example via CFF Explorer.
@bloodyink3423 1 year ago
Will I receive my like from the author? :)
@OALABS 1 year ago
haha!