All Questions

1 vote · 2 answers · 231 views

Lifting exported function instructions in PE files

I am trying to automate analysis of instructions within exported functions for a .DLL and need to be able to lift the first few instructions for the entry point of each exported function statically ...
Asked by oso
2 votes · 1 answer · 614 views

How to restore IAT?

I have the start address and the end address of the IAT. Now I'm trying to restore the table/folder of it. The start address is: E7C000. Thanks for helping.
Asked by Yoni
0 votes · 1 answer · 94 views

What do BYTES_REVERSED_HI and BYTES_REVERSED_LO in a PE signify?

How can these PE attributes be used to identify malware? I was going through a paper (link); at page 10 he mentioned: "BYTES_REVERSED_HI and BYTES_REVERSED_LO both make ideal candidates as a primary ...
Asked by Ajay Kumar K K
1 vote · 1 answer · 4k views

Resolving DLL function names using ordinals

I am trying to figure out how to get the imports of a PE using the pefile Python project (https://github.com/erocarrera/pefile). One thing special about that library is the ordlookup folder. It looks ...
Asked by muchwow
4 votes · 1 answer · 325 views

Weird names in import table

I'm trying to do a static analysis of a PE file to see what it does. While doing so, I stumbled upon some really weird function names in my objdump: DLL Name: msvcrt.dll vma: Hint/Ord Member-Name ...
Asked by muchwow
3 votes · 1 answer · 2k views

Is the magic number important?

While checking the PE header of DLLs and EXEs with PEviewer, I found something called the "magic number". After googling "magic number", I found that it is used to determine the file type. My question ...
Asked by Ahmed
2 votes · 3 answers · 6k views

How to figure out which imported function(s) in a virus determine its behaviour?

I want to know how to find the functions which are interesting in malware tools. For example, I have a sample of an unknown virus (this sample is lab01-01.exe in the book Practical Malware Analysis, lab1-...
Asked by Ahmed
5 votes · 2 answers · 5k views

Extracting files from the Google Chrome offline installer

I'm trying to extract the files from the Google Chrome offline installer as a reverse engineering exercise. So I tried extracting the data inside the installer PE. I tried pestudio, which showed me two ...
9 votes · 1 answer · 578 views

Loading a Windows executable: unexpected data appended at the beginning of sections after loading in memory

A few days after asking the question I realised I had misinterpreted my original findings. It seems the .rdata section on file is copied directly to memory, but then the first 36 bytes are overwritten by the loader ...
Asked by ruby_object