With the malicious code located at the `Tk_CreateImageType` export, we need to get to that location in our favourite debugging tool. This is a little more challenging to do with a DLL as we can't directly call the export using x64dbg, but fortunately it's still easy enough to achieve with the following steps:

Open `rundll32.exe` in x64dbg (File -> Open -> C:\Windows\System32\rundll32.exe) and then also configure x64dbg to automatically pause on every DLL entry point (Options -> Preferences -> DLL Entry):

Change the command line of `rundll32.exe` so that when it's launched it will execute our DLL at the `Tk_CreateImageType` export. To do this go to File -> Change Command Line:

Once running, we are inside `teardrop.dll` in x64dbg, and specifically we are at the first TLS Callback of the DLL. Thread Local Storage (TLS) callbacks execute before the main entry point of PE files and have both legitimate and non-legitimate use-cases. Some malware samples have been known to leverage TLS Callbacks as a way to check if the process is being analysed before the main execution of the sample is reached:

Continuing execution brings us to the `DllMain` of `teardrop.dll`:

Next we set a breakpoint on the `Tk_CreateImageType` export. To do this we can go to the Symbols tab, select `teardrop.dll` in the left pane and then right click on the correct export in the right pane and select Toggle Breakpoint:

Continuing execution, we hit our breakpoint at the `Tk_CreateImageType` export:

Breakpoints on Windows API calls can be set by typing `bp <API>` in the command window towards the bottom of the x64dbg window:

Continuing, we hit a breakpoint on `VirtualAlloc` being called:

The documentation for `VirtualAlloc` shows us that the return value of a successful call is the "base address of the allocated region of pages". By clicking Debug -> Return to User Code after the breakpoint on `VirtualAlloc` we can allow the API call to complete, and the base address of the new memory region should now be stored in the RAX register. We can follow this memory region by right clicking on the RAX register and selecting "Follow in Dump":

For subsequent `VirtualAlloc` calls, we can follow the same process as above and track the regions in the different dump tabs.

After a few `VirtualProtect` breakpoints, we can spot the start of a PE file in one of the memory regions:
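Spotting a PE header in a dump tab by eye works for one region, but an analyst usually has several `VirtualAlloc` regions to check. The following Python is an added example (not code from the original post or from the Teardrop analysis) that performs the same check programmatically over a memory region saved from the debugger: it finds every `MZ` candidate, validates that `e_lfanew` points at a `PE\0\0` signature inside the buffer, and reports the basic COFF and optional-header fields. The sample region, the `0x1F0000` base address and the header values are constructed for the example; the field offsets are the standard PE layout.

```python
import struct

# Machine values from the COFF file header (IMAGE_FILE_MACHINE_*).
MACHINES = {0x14C: "i386", 0x8664: "AMD64", 0xAA64: "ARM64"}
IMAGE_FILE_DLL = 0x2000


def build_sample_region() -> bytes:
    """Constructed stand-in for a region followed from RAX after VirtualAlloc.

    Layout: zero padding, a decoy "MZ" whose e_lfanew is garbage, then a
    minimal PE32+ header (DOS header, NT signature, COFF header, optional
    header) and some 0xCC padding. Only header fields are populated; this is
    not a real image.
    """
    decoy = b"\x00" * 0x200 + b"MZ" + b"A" * 0x3E          # e_lfanew = 0x41414141
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew -> NT headers
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (EXEC|LARGE_ADDR|DLL)
    coff = struct.pack("<HHIIIHH", 0x8664, 3, 0x5FD0C0DE, 0, 0, 0xF0, 0x2022)
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0x00, 0x20B)                 # Magic: PE32+
    struct.pack_into("<I", opt, 0x10, 0x1000)                # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 0x18, 0x180000000)           # ImageBase (PE32+)
    return decoy + bytes(dos) + b"PE\0\0" + coff + bytes(opt) + b"\xCC" * 0x100


def parse_pe_at(region: bytes, off: int, base: int = 0):
    """Validate an MZ candidate at `off`; return header summary or None."""
    if off + 0x40 > len(region):
        return None
    e_lfanew = struct.unpack_from("<I", region, off + 0x3C)[0]
    nt = off + e_lfanew
    # NT signature (4) + COFF header (20) + at least 0x20 bytes of optional header
    if e_lfanew < 0x40 or nt + 4 + 20 + 0x20 > len(region):
        return None
    if region[nt:nt + 4] != b"PE\0\0":
        return None
    machine, nsec, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", region, nt + 4)
    opt = nt + 24
    if opt_size < 0x20 or opt + opt_size > len(region):
        return None
    magic = struct.unpack_from("<H", region, opt)[0]
    if magic == 0x10B:                                       # PE32: ImageBase is 4 bytes at +0x1C
        fmt, image_base = "PE32", struct.unpack_from("<I", region, opt + 0x1C)[0]
    elif magic == 0x20B:                                     # PE32+: ImageBase is 8 bytes at +0x18
        fmt, image_base = "PE32+", struct.unpack_from("<Q", region, opt + 0x18)[0]
    else:
        return None
    entry_rva = struct.unpack_from("<I", region, opt + 0x10)[0]
    return {
        "offset": off,
        "address": base + off,
        "format": fmt,
        "machine": MACHINES.get(machine, hex(machine)),
        "sections": nsec,
        "timestamp": ts,
        "image_base": image_base,
        "entry_rva": entry_rva,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
    }


def find_pe_headers(region: bytes, base: int = 0):
    """Scan a dumped region for every validated PE header."""
    hits = []
    pos = region.find(b"MZ")
    while pos != -1:
        hit = parse_pe_at(region, pos, base)
        if hit:
            hits.append(hit)
        pos = region.find(b"MZ", pos + 1)
    return hits


if __name__ == "__main__":
    # Base address is a constructed value standing in for the RAX result.
    for hit in find_pe_headers(build_sample_region(), base=0x1F0000):
        print(f"PE at {hit['address']:#x} ({hit['format']}, {hit['machine']}, "
              f"{hit['sections']} sections, DLL={hit['is_dll']})")
```

To use this on a real dump, save the region from the x64dbg dump tab to a file, read it with `open(path, "rb").read()` and pass the region's base address as `base`; the decoy `MZ` in the sample shows why the `e_lfanew` and signature checks matter, since `MZ` appears in ordinary data far more often than a full PE header does.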