Skip to content

Commit dacf3f3

Browse files
connarconnar
committed
finished unpacking post
1 parent ff8f52c commit dacf3f3

21 files changed

+308
-1
lines changed

content/posts/apihashing.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -214,7 +214,7 @@ FARPROC GetProcAddressH(HMODULE hModule, DWORD dwApiNameHash) {
214214
```
215215
This code, besides the hashing part, mostly does checks on the PE fields to make sure everything is correct before continuing. This is usually what malwares do to make sure they will definitely run on the victim's machine and would ideally not want to risk running on some error on runtime.
216216

217-
We can break down the checks and make a short introductory on loading a PE file on memory, but a more [in depth post]("https://connar.github.io/posts/insideapefile.md") will be posted in the future regarding this.
217+
We can break down the checks and make a short introductory on loading a PE file on memory, but a more [in depth post]("https://connar.github.io/posts/insideapefile/") will be posted in the future regarding this.
218218

219219
**To begin with**, we make sure that neither the handle to the DLL's address nor the Hash of the target function that are passed as parameters are null:
220220
```c

content/posts/unpackinglocky.md

Lines changed: 307 additions & 0 deletions
Large diffs are not rendered by default.

static/posts/unpackinglocky/Scylla_steps.gif

2.17 MB
Loading

static/posts/unpackinglocky/WriteFileBP.gif

2.2 MB
Loading

static/posts/unpackinglocky/alternative_way.gif

2.9 MB
Loading

static/posts/unpackinglocky/exploringVAllocCall.gif

2.39 MB
Loading

static/posts/unpackinglocky/exploringVAllocCall1.gif

2.27 MB
Loading

static/posts/unpackinglocky/findingTheExe4.png

92.6 KB
Loading

static/posts/unpackinglocky/ida_upx1.png

83.2 KB
Loading

static/posts/unpackinglocky/script_unpacked.png

88.5 KB
Loading

0 commit comments

Comments
 (0)