The AddressOfEntryPoint and Tips for Finding Main

Поділитися
Вставка
  • Опубліковано 17 вер 2024
  • The PE file format defines the entry point for execution through the AddressOfEntryPoint field. However, it's not as straight-forward as it may seem. In this video, we'll explore what this field is, where to find it and it's relationship with the main function.
    Join this channel to get access to perks:
    / @jstrosch
    Cybersecurity, reverse engineering, malware analysis and ethical hacking content!
    🎓 Courses on Pluralsight 👉🏻 www.pluralsigh...
    🌶️ UA-cam 👉🏻 Like, Comment & Subscribe!
    🙏🏻 Support my work 👉🏻 / joshstroschein
    🌎 Follow me 👉🏻 / jstrosch , / joshstroschein
    ⚙️ Tinker with me on Github 👉🏻 github.com/jst...
    🤝 Join the Discord community and more 👉🏻 www.thecyberye...
    0:38 Sample Binaries
    1:14 Compiling
    1:39 Finding AddressOfEntryPoint in 010 Editor
    3:20 32-Bit PE file layout
    3:46 Tips for Finding Main
    5:15 Arguments for main in x64 binary
    11:03 Start in a packed binary (Lockbit 3.0)
  • Наука та технологія

КОМЕНТАРІ • 6

  • @Drew-bugfireio
    @Drew-bugfireio 14 днів тому +1

    It's always nice to see other approaches to finding main to add to the toolbox, thanks!

    • @jstrosch
      @jstrosch  12 днів тому

      Glad it was helpful :) It's served me well over the years, although I'm sure there are other ways to find main!

  • @Victimsingh
    @Victimsingh 7 днів тому +1

    sir, can you please clarify my doubt :
    The address at 04:15 like for ex, 0000000140001000 is Relative Virtual Address which is calculated by (base address + offset). If i am correct, now, when i debug this same binary or any binary using ida debugger. it shows a totally random address like 0x000000007f2342a9. so what is this ? is it also an virtual address or it's an physical address which is translated by mmu from virtual address. Please see this !

    • @jstrosch
      @jstrosch  3 дні тому

      Hi! When I compiled that program, it was given a default image base of 140000000. You can view this info in the PE file format under IMAGE_OPTIONAL_HEADER. If the binary opts into ASLR, then the operating system will likely give it a different, random address. When debugging, you can view what the base address is for your EXE - in IDA i believe that is the modules window while debugging. It is still a virtual address, it's just randomized. ASLR is designed to help mitigate exploitations and helps not only EXEs, but DLLs be at unpredictable addresses. Hope this answers your question!

    • @Victimsingh
      @Victimsingh 3 дні тому +1

      @@jstrosch yes i thought so it would have been ASLR as i did my fair share of binary exploitation. Thankyou sir !

    • @jstrosch
      @jstrosch  3 дні тому

      @@Victimsingh Great - then you are no doubt familiar :)

Наступне
Автоматичне відтворення
How I Execute Malicious Services12:42How I Execute Malicious Services
How I Execute Malicious ServicesAnuj Soni
Переглядів 3,3 тис.
How I installed the HARDEST operating system34:40How I installed the HARDEST operating system
How I installed the HARDEST operating systemBog
Переглядів 368 тис.
Tool Spotlight: Performing Rapid Triage Analysis using ANY.RUN!23:01Tool Spotlight: Performing Rapid Triage Analysis using ANY.RUN!
Tool Spotlight: Performing Rapid Triage Analysis using ANY.RUN!Dr Josh Stroschein - The Cyber Yeti
Переглядів 52
Russian soldier catches Ukraine FPV drone with his bare hands and runs with it00:37Russian soldier catches Ukraine FPV drone with his bare hands and runs with it
Russian soldier catches Ukraine FPV drone with his bare hands and runs with itMail News
Переглядів 9 млн
Папич - миллионы на стримах, донаты от Меллстроя и альтушки2:09:29Папич — миллионы на стримах, донаты от Меллстроя и альтушки
Папич - миллионы на стримах, донаты от Меллстроя и альтушкиВПИСКА
Переглядів 3,1 млн
The Joker wanted to stand at the front, but unexpectedly was beaten up by Officer Rabbit00:12The Joker wanted to stand at the front, but unexpectedly was beaten up by Officer Rabbit
The Joker wanted to stand at the front, but unexpectedly was beaten up by Officer RabbitFunny superhero siblings
Переглядів 36 млн
Apple Event - September 91:38:50Apple Event - September 9
Apple Event - September 9Apple
Переглядів 26 млн
What are TLS Callbacks and How to Find Them!17:26What are TLS Callbacks and How to Find Them!
What are TLS Callbacks and How to Find Them!Dr Josh Stroschein - The Cyber Yeti
Переглядів 1,1 тис.
Hide your files like a hacker (5 Ways)19:17Hide your files like a hacker (5 Ways)
Hide your files like a hacker (5 Ways)NetworkChuck
Переглядів 78 тис.
AI can't cross this line and we don't know why.24:07AI can't cross this line and we don't know why.
AI can't cross this line and we don't know why.Welch Labs
Переглядів 545 тис.
Investigating Sections in PE Files and Why They Are Important for Reverse Engineering17:11Investigating Sections in PE Files and Why They Are Important for Reverse Engineering
Investigating Sections in PE Files and Why They Are Important for Reverse EngineeringDr Josh Stroschein - The Cyber Yeti
Переглядів 1,1 тис.
🔴 Practical Steps to False Positive Reduction and Benign File Analysis with Karsten Hahn54:50🔴 Practical Steps to False Positive Reduction and Benign File Analysis with Karsten Hahn
🔴 Practical Steps to False Positive Reduction and Benign File Analysis with Karsten HahnDr Josh Stroschein - The Cyber Yeti
Переглядів 596
Hacking Windows TrustedInstaller (GOD MODE)31:07Hacking Windows TrustedInstaller (GOD MODE)
Hacking Windows TrustedInstaller (GOD MODE)John Hammond
Переглядів 627 тис.
No, Einstein Didn’t Solve the Biggest Problem in Physics8:04No, Einstein Didn’t Solve the Biggest Problem in Physics
No, Einstein Didn’t Solve the Biggest Problem in PhysicsSabine Hossenfelder
Переглядів 66 тис.
Setting up a production ready VPS is a lot easier than I thought.29:50Setting up a production ready VPS is a lot easier than I thought.
Setting up a production ready VPS is a lot easier than I thought.Dreams of Code
Переглядів 112 тис.
Strange File in Downloads Folder? Gootloader Malware Analysis30:20Strange File in Downloads Folder? Gootloader Malware Analysis
Strange File in Downloads Folder? Gootloader Malware AnalysisJohn Hammond
Переглядів 785 тис.
Почему нужно включать режим самолета 😰00:39Почему нужно включать режим самолета 😰
Почему нужно включать режим самолета 😰EpicShortsRussia
Переглядів 450 тис.
Which phone do you have?00:33Which phone do you have?
Which phone do you have?Adhemz
Переглядів 4,8 млн
What’s the best iPhone or Android?00:48What’s the best iPhone or Android?
What’s the best iPhone or Android?Batyr White
Переглядів 6 млн
Почему хакеры выбирают линукс??00:43Почему хакеры выбирают линукс??
Почему хакеры выбирают линукс??Honey Montana
Переглядів 540 тис.
#НДА ep.1 / АПГРЕЙД ПК ЗА 10К - БЮДЖЕТНО ПРОКАЧИВАЕМ КОМП ПОДПИСЧИКА ДЛЯ ИГР ЗА 10.000р11:50#НДА ep.1 / АПГРЕЙД ПК ЗА 10К - БЮДЖЕТНО ПРОКАЧИВАЕМ КОМП ПОДПИСЧИКА ДЛЯ ИГР ЗА 10.000р
#НДА ep.1 / АПГРЕЙД ПК ЗА 10К - БЮДЖЕТНО ПРОКАЧИВАЕМ КОМП ПОДПИСЧИКА ДЛЯ ИГР ЗА 10.000рspline
Переглядів 175 тис.
CRAZY KEYBOARD CHALLENGE 😮How fast could you type?00:41CRAZY KEYBOARD CHALLENGE 😮How fast could you type?
CRAZY KEYBOARD CHALLENGE 😮How fast could you type?Hipyo Tech
Переглядів 21 млн
#major #airdrop #telegram #web3 #listing #crypto00:38#major #airdrop #telegram #web3 #listing #crypto
#major #airdrop #telegram #web3 #listing #cryptoMajor Community
Переглядів 2,5 млн
Что же лучше 16 айфон или бюджетний андроид?00:35Что же лучше 16 айфон или бюджетний андроид?
Что же лучше 16 айфон или бюджетний андроид?Apros I
Переглядів 117 тис.