WinDbg: Ep.3 – Debugging Malware

Question

The briefing says:[...]bp kernel32!LoadLibraryA ".printf \"Loading Library: %ma\",poi(esp+0x4);.echo};g"bp kernel32!GetProcAddress ".printf \"	 Looking up function: %ma\",poi(esp+0x8);.echo;g"bp advapi32!CreateServiceW ".printf \"Creating Service: \";.echo;.printf \"	Service Name: %mu\",poi(esp+0x4);.echo;.printf \"	Display Name: %mu\",poi(esp+0x8);.echo;g"[...]Yet, none of these work. The OS was updated, the instructions not.Fix:bp KernelBase!LoadLibraryA&nbsp;bp KernelBase!GetProcAddressbp sechost!CreateServiceW

andradacraciun · Accepted Answer

Hey netcat thanks for your feedback on the lab! We have not updated the OS, the content was reflective of the sort of APIs you should be looking for. It wasn’t hugely clear to look for related symbols of those APIs.
The fix you proposed absolutely works! We have also updated the content to show how you can still use kernel32 and advapi32.
Thanks again for the feedback, we appreciate it!

Forum Discussion

WinDbg: Ep.3 – Debugging Malware

Related Content

WinDbg: Ep.4 – Debugging a Windows Crash

WinDbg: Ep.5 – Kernel Internals

What are some good labs for learning the basics of malware analysis?

WinDbg: Ep.2 – Walking Windows Structures

Malware Analysis: Tracking a LOLBins Campaign – Examination

Recent Discussions

Threat Research: Dependency Confusion Q8

WinDbg: Ep.2 – Walking Windows Structures

Kubernetes: Secrets

IAM: Demonstrate Your Skills - Developer access (2/3)

Introduction to encryption help