Find Me If You Can! How to Locate a DLL’s Unexported Functions

Track 1 - Jungle

Thu, 30 Jun 2022 @ 10:00:00

Attackers often reuse code that already lives in system DLLs to load libraries or run procedures. To avoid detection, they don't call the DLL's exported functions, which are the obvious places to hook or monitor, but rather the internal routines those exports reach deeper down the call stack. Unlike exports, internal functions have no name in the export table and are harder to find in memory, so attackers need to be creative. In this talk, we adopt the attacker mindset and locate such functions in memory using IDA and IDAPython. We compare different approaches (following references from a known export versus scanning for byte signatures) and try to overcome OS compatibility challenges, since the same internal function shifts between Windows builds.
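The two approaches the abstract contrasts, as an added example that is not part of the talk or its material: a signature scan for a function prologue, and following the `call` from a known exported wrapper. The module image, RVAs, byte patterns and the `IMAGE_BASE` load address are all constructed here to stand in for a mapped DLL; the call-following step is a deliberately simple linear byte scan rather than a real disassembler (in IDA you would use `idautils.CodeRefsFrom` instead), and a decoy prologue is included to show why a signature scan alone can be ambiguous.

```python
"""Locate an unexported function in a (constructed) x86-64 module image.

Approach A: byte-signature scan for the function's prologue (wildcards allowed).
Approach B: start at a known export and follow its `call rel32` to the callee.
Combining both removes the false positive that A alone produces.
"""
import struct

IMAGE_BASE = 0x7FF8_1234_0000   # hypothetical load address, only used for printing VAs
EXPORT_RVA = 0x1000             # the exported wrapper an EDR would typically hook
INTERNAL_RVA = 0x1040           # the unexported worker the wrapper calls
DECOY_RVA = 0x1080              # an unrelated function with the same prologue shape

# Prologue of the internal function: mov [rsp+8],rbx ; push rdi ; sub rsp,XX
# The displacement and frame size are wildcarded because they vary between builds.
PROLOGUE_SIG = "48 89 5C 24 ? 57 48 83 EC ?"


def _call_rel32(from_rva, to_rva):
    """Encode a 5-byte `call rel32` (opcode E8) placed at from_rva that lands on to_rva."""
    return b"\xE8" + struct.pack("<i", to_rva - (from_rva + 5))


def build_image():
    """Constructed stand-in for a mapped DLL: int3 padding plus three small functions."""
    img = bytearray(b"\xCC" * 0x1100)
    # Exported wrapper: sub rsp,28h ; call Internal ; add rsp,28h ; ret
    stub = (bytes.fromhex("4883EC28")
            + _call_rel32(EXPORT_RVA + 4, INTERNAL_RVA)
            + bytes.fromhex("4883C428C3"))
    img[EXPORT_RVA:EXPORT_RVA + len(stub)] = stub
    # Internal: mov [rsp+8],rbx ; push rdi ; sub rsp,20h ; mov rdi,rcx ; add rsp,20h ; pop rdi ; ret
    internal = bytes.fromhex("48895C2408574883EC20488BF94883C4205FC3")
    img[INTERNAL_RVA:INTERNAL_RVA + len(internal)] = internal
    # Decoy: mov [rsp+10h],rbx ; push rdi ; sub rsp,30h ; ret  (matches the same signature)
    decoy = bytes.fromhex("48895C2410574883EC30C3")
    img[DECOY_RVA:DECOY_RVA + len(decoy)] = decoy
    return bytes(img)


def parse_signature(sig):
    """'48 89 ? 57' -> [0x48, 0x89, None, 0x57]; None is a wildcard byte."""
    return [None if tok in ("?", "??") else int(tok, 16) for tok in sig.split()]


def signature_scan(image, sig):
    """Approach A: return every RVA at which the masked byte pattern matches."""
    pat = parse_signature(sig)
    return [off for off in range(len(image) - len(pat) + 1)
            if all(p is None or image[off + i] == p for i, p in enumerate(pat))]


def follow_calls(image, rva, max_len=0x40):
    """Approach B: targets of `call rel32` instructions reached from rva until the first `ret`.

    Simplification: a linear byte walk, not a disassembler, so an E8 or C3 inside
    an operand would be misread. Fine for the constructed image; use a real
    disassembler (IDA, capstone) on production binaries.
    """
    targets, i, end = [], rva, min(rva + max_len, len(image))
    while i < end:
        op = image[i]
        if op == 0xC3:                      # ret: end of the wrapper
            break
        if op == 0xE8:                      # call rel32: next_ip + disp32
            targets.append(i + 5 + struct.unpack_from("<i", image, i + 1)[0])
            i += 5
        else:
            i += 1
    return targets


def locate_internal(image, export_rva, sig):
    """Intersect both approaches: the callee of the export whose prologue matches the signature."""
    candidates = set(signature_scan(image, sig))
    hits = [t for t in follow_calls(image, export_rva) if t in candidates]
    if len(hits) != 1:
        raise LookupError(f"ambiguous or missing target: scan={sorted(candidates)} hits={hits}")
    return hits[0]


if __name__ == "__main__":
    img = build_image()
    print("signature hits:", [hex(IMAGE_BASE + r) for r in signature_scan(img, PROLOGUE_SIG)])
    print("callees of export:", [hex(IMAGE_BASE + r) for r in follow_calls(img, EXPORT_RVA)])
    print("resolved internal:", hex(IMAGE_BASE + locate_internal(img, EXPORT_RVA, PROLOGUE_SIG)))
```

The signature scan finds both the real function and the decoy, which is exactly the ambiguity a version-tolerant signature (with wildcarded displacements) trades for its portability; following the reference from the export picks the right one but depends on the wrapper's shape staying stable. Cross-checking the two is a cheap way to detect when a new OS build has broken one of them.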